November 19th, 2005 08:33 PM
I run the port scanner from hackerwatch.org and the result were very surprising to me with it telling me that I have port 139 (Net Bois) closed but not secured, unlike the rest of the ports. I know I have the port closed but shouldn't my firewall (Norton firewall 2005) be hiding and securing the port automatically like the rest of my ports. Thanks for any help that is anyone is able to provide.
November 19th, 2005 09:21 PM
I take this to mean that the port is closed but traffic was able to hit your machine, i.e. there is no device (such as a firewall) infront of the machine. Then again, this could be a false positive which I would lean more towards.
Without knowing precisely how the scan was conducted, you'll never know the answer. If you'd like to see, throw a sniffer up on your host and record the session.
If the port is closed, you're not going to have any problems. Don't let the evil hackerwatch scanner scare you.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
November 19th, 2005 10:45 PM
I get similar results from the shieldsup test at grc.com. it correctly reports the ports of services I have running as open, and all but one of the other ports it scans are showed as stealthed. I'm thinking that my ISP might respond to the port which is reported closed with a forged reset packet. All the other probes are dropped by my router I believe (except the ones to open ports). This could be what is happening with you. I'm not connected directly to the internet so I can't really sniff to see what's going on, but I think that'd be a good idea for you as TH13 suggested.
p.s. I didn't see a portscanning service or download at hackerwatch.org.
November 21st, 2005 04:53 AM
i found a similar issue when using shieldsup on port 113. It turned out my router was blocking it (Netgear wireless) instead of dropping it. My solution was to forward the port to a nonexistent ip on my network. Also, i researched grc newsgroup info and found that some ISP's block port 139, which is what h3r3tic said. another reason norton might not be stealthing the port might be found in this grc exerpt - 'Different firewalls may choose differently to leaving Windows NetBIOS file and printer sharing open or closed with their default settings. So, just installing a firewall doesn't instantly protect you. The firewall may need some help from you to determine what you want to be protected from! Therefore, you may need to examine the software's configuration settings to determine how to close external access to the dangerous NetBIOS ports 137, 138, and 139.'
hope that helps