Is this safe or not ?

hello i have a question about my box(computer) ports i have widnows 2000 sever and i scaned my ports useing NmapWin v1.3.1 and i have me this.

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on ??? (???.???.?.???):
(The 1578 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
515/tcp open printer
548/tcp open afpovertcp
1025/tcp open NFS-or-IIS
1029/tcp open
ms-lsa
1030/tcp open iad1
1033/tcp open netinfo
3372/tcp open msdtc
3389/tcp open ms-term-serv
6666/tcp open irc-serv
7007/tcp open afs3-bos
Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds

is my ports on this box safe or not what should i do to keep them close ?

is all that stuff neccesary? Are you using each of those services? Have you run windows updates? Are you using any kind of firewall?

if by safe you mean having multiple (possibly un-needed) ports open, then sure. ;)


just messing with you. look at what each thing does. do you use things like term serv? if not, close the port. Id get a firewall though.

Was that scan from within a perimeter firewall or outside it.... More to the point, does a perimeter firewall exist?

'Cos if that box isn't firewalled it's probably already owned.....

Yes my windows is up to date, most of those services oh there i not use but the FTP port i'm useing.and i scaned it in side the box i dont have a firewall i dont know to get for the window sever 2000 i had norton but i didnt want to install on this OS.

Is it being used as a server? If so, forget the firewall and just kill any uneeded services, and lock down the ones you need. Of course make sure all patches are up to date.

If you go the firewall route, Kerio has some nice firewalls, both enterprise level, and home level that are worth checking out. The nice thing about Kerio is that their firewalls combine IDS for bidirectional protection.

Quote:

---

Originally posted here by Logicalsifter
Starting nmap V. 3.00 ( www.insecure.org/nmap )

---

Kind of old...

Quote:

---

7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen

---

These are part of the "Simple TCP/IP services". You don't need them. Remove it.

Quote:

---

21/tcp open ftp
25/tcp open smtp
80/tcp open http
443/tcp open https

---

These are part of IIS. If you don't need the smtp and http services, stop them using the IIS management console.

Quote:

---

42/tcp open nameserver
53/tcp open domain

---

DNS Server. Not sure. You may need it if you're running AD.

Quote:

---

515/tcp open printer

---

Unix printing services. Probably don't need it. Remove it.

Quote:

---

548/tcp open afpovertcp

---

AppleTalk. If you don't have any Apple computers on your network remove it.

Quote:

---

6666/tcp open irc-serv

---

Not sure about these. Could be some kind of IRC backdoor.

Quote:

---

7007/tcp open afs3-bos

---

Microsoft Streaming Media Services. If you don't need it, remove it.

Quote:

---

is my ports on this box safe or not what should i do to keep them close ?

---

No, your box is not safe. It looks like you enabled every single service possible on a W2K.
How to keep them closed? Only enable services you actually need/use.

ok how can i close then what setps to do i need to take to that them close ?i dont know to much about closeing my ports on my box.

If you stop or remove the service the ports will automaticly be closed.

hmm i think i might of fond out how to stop those ports i looking at my box management thing and i when to Services and is showing me all those ports things that are running and not running

ok ports 6666 and 7007 i cant find them on my box management were can i find them ?

Have a look through Add/Remove Programs -> Windows components..
There's probably a whole lot you can remove from there..
(including those "simple tcp/ip services" I believe; not sure don't have a w2k handy ;) )

Well thanks so much man i'v learned alot from your guys help and everthing and i'll try to do the best i can to close up those ports.

eh i i dont know how to close those bad ports. this is what i got back form Nmap

Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
1029/tcp open ms-lsa
1445/tcp filtered proxima-lm
3389/tcp open ms-term-serv
6346/tcp open gnutella
6666/tcp open irc-serv
7007/tcp open afs3-bos

Ports 6666/7007 are the ones i want to close really bad can any one help?

Is it safe?
http://www.thebigpicturedvd.com/DVD%...athon_man6.jpg

--

Quote:

---

Originally posted here by Logicalsifter
hello i have a question about my box(computer) ports i have widnows 2000 sever and i scaned my ports useing NmapWin v1.3.1 and i have me this.

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on ??? (???.???.?.???):
(The 1578 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
515/tcp open printer
548/tcp open afpovertcp
1025/tcp open NFS-or-IIS
1029/tcp open
ms-lsa
1030/tcp open iad1
1033/tcp open netinfo
3372/tcp open msdtc
3389/tcp open ms-term-serv
6666/tcp open irc-serv
7007/tcp open afs3-bos
Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds

is my ports on this box safe or not what should i do to keep them close ?

---

Quote:

---

Originally posted here by Tiger Shark
Was that scan from within a perimeter firewall or outside it.... More to the point, does a perimeter firewall exist?

'Cos if that box isn't firewalled it's probably already owned.....

---

Tiger one question, How would you guarantee that?

Quote:

---

Tiger one question, How would you guarantee that?

---

It's pretty much given away by Nmap's OS guess.

Quote:

---

Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3

---

On properly patched boxes NMap is much more explicit about the Operating System and will usually indicate a service pack level. This scan indicates no service pack whatsoever, it includes WinME which is rarely if ever confused with patched Win2k/XP boxes and finally it guesses at a Release Candidate, (RC1), or Beta versions. This implies a very old version of Win2k or possibly an early version of WinXP. In both cases it implies no patches whatsoever. Without patches and having all these services unfirewalled you could pretty much guarantee that the box were owned.

The only information that would refute that is the fact that the box is so insecure. Crackers often secure a box they exploit simply to keep other crackers off "their" box. The insecurity of this box would imply that it was uncracked and probably therefore it resides behind a firewall.

That's my read on it.....

Hi

I am aware that the thread was started a while ago,
but I was too busy :(

We here have a classical situation where one tries
to relate listening ports with "services or applications".
SirDice did a decent job. I'll continue a bit :)
I will present a simple way to do this, however,
the results cannot be trusted if a (ring-0-)rootkit
has been installed. In general, the whole setup looks
very suspicious - and you are running gnutella on a server?


The main tool we will use is fport[1]. This tool will
relate a listening port to an executable, which might be started
as "service or application", but in any case the information
can be found in the registry. We are using an external
tool, and not the native netstat, since the installed
version of netstat might not be trustworthy.


e.g. terminal service

For example, ms-term-serv is related to Microsoft's
terminal services termsrv.exe. You can either stop the
service (services.msc) or deinstall the software (Windows Components
Wizard). Information about its display name "Terminal Services"
and others can be found in the registry:

Code:

---

HKLM\SYSTEM\CurrentControlSet\Services\TermService

---

e.g. 6666 (or maybe irc-serv)

You will find with fport, that irc-serv might be related to
ircserv.exe. Hopefully, you have actually installed that thing...
It probably is not a service, but an "application", visible in the
task manager. Kill it there, then track down how it gets started.
This can be done in many ways, search the registry for the executable
given by fport. Most likely in

Code:

---

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

---

but it also might be a service. Check the previous registry-key for
its entry. Remove it there.

e.g. 7007 (or maybe afs3-bos)

The port-assignment list[2] relates port 7007 to afs3-bos, but
without having in use other Andrew File System servers and services,
this seems unlikely. Hence, it might be some backdoor. Check the
executable given by fport and track it down (first step: registry).


conclusion

This system should be reinstalled, properly configured and patched :)


Cheers



[1] http://www.foundstone.com/index.htm?...desc/fport.htm
[2] http://www.iana.org/assignments/port-numbers