-
port question
I just nmapped my localhost, and found these open.
Port State Service
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
139/tcp open netbios-ssn
631/tcp open ipp
708/tcp open unknown
6000/tcp open X11
10000/tcp open snet-sensor-mgmt
What is netbios-ssn, and some of those? Are any of those something I should worry about? I heard things about netbios, and that unknown one has me.
-
576869746568617 provided these in another thread:
http:...table.html
http:...other.html - Internet Ports, Services, & Trojans
http:...table.html - Trojan TCP Ports
http:...rt-numbers - The Official TCP Port Database
Here's the thread:
http://www.antionline.com/showthrea...threadid=253054
I don't know for sure, but the only odd one seems to be the unknown one. Correct me if I'm wrong people.
Edit: Sorry bout the bad link....
-
I suppose it could be a trojan port or something...
Do you run any strange online services on your comp?
I'd recommend closing that one down (at least!) and checking to see if everything still runs normally - no point in keeping a port open you don't need, that's like a signed invitation :P
Regards,
SSJVegeta-Sei
-
If I'm not mistaken this is some sort of un*x (Linux?) box.
(22, 25, 111 and 6000 are usually not open on a windows box).
You probably installed Samba. If you're worried about it, deinstall it.
-
Yeah. Mandrake 9.2. So the unknown is Samba? I'll shut off the unknown. Don't really know how to do that, but I'll figure it out.
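Before shutting off a port that nmap labels "unknown", it helps to see which process holds the socket and whether it is bound to all interfaces or only to loopback. The following is an added example, not part of the original thread: it decodes the Linux /proc/net/tcp table and maps a socket inode to its owning PIDs; the sample rows are constructed and the function names are this example's own.

```python
import os
import socket
import struct

# Constructed sample in Linux /proc/net/tcp format (not taken from the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1101 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1102 1
   2: 00000000:02C4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1103 1
   3: 0100007F:0016 0100007F:8C9E 01 00000000:00000000 00:00000000 00000000   500        0 1104 1
"""
TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp

def decode_addr(hex_addr):
    """'0100007F:0019' -> ('127.0.0.1', 25); assumes a little-endian host (x86)."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def listeners(table):
    """Return listening TCP sockets with bind address, owner uid and socket inode."""
    found = []
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue  # skip established connections and malformed rows
        ip, port = decode_addr(f[1])
        found.append({"ip": ip, "port": port, "uid": int(f[7]), "inode": int(f[9]),
                      "loopback_only": ip.startswith("127.")})
    return found

def pids_for_inode(inode):
    """Find processes holding the socket by scanning /proc/<pid>/fd (needs root for other users)."""
    target, pids = "socket:[%d]" % inode, []
    for pid in filter(str.isdigit, os.listdir("/proc") if os.path.isdir("/proc") else []):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:
            continue  # process exited or permission denied
    return pids

if __name__ == "__main__":
    table = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE
    for s in listeners(table):
        print(s, pids_for_inode(s["inode"]))
```

A listener marked loopback_only shows up in a scan of localhost but is not reachable from another machine, which is one reason a local scan and an outside scan can disagree.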
-
Random thought:
Are you running a firewall? If so, check to see if it has any trusted network settings. If it does, disable them and scan again. You could also just scan from another computer outside your home/work network. I scanned myself recently and noticed 4 or 5 ports open. No matter what I did, they wouldn't close. When I tried to see what could be done to my computer with the open ports by scanning from a friend's computer, it showed no ports open. Trusted IPs get more privileges than any old IP.
slick
-
I also noticed, some services like Norton Antivirus keep my POP3 and SMTP ports open. I found out by turning off the automatic e-mail scanning and then rechecking my open ports.
*poof* they were closed. I don't like the idea of those ports remaining open but I don't know of any other way to scan incoming/outgoing e-mail. I suppose putting the e-mail scan on before checking e-mail and then turning it off afterwards would work....but I'm entirely too lazy :D You would think Norton would have a default where it automatically turns off after you finish reading your mail. Maybe they do, maybe I'm just missing it. dunno.
That's my input anyways.
-
Quote:
Originally posted here by ShagDevil
I also noticed, some services like Norton Antivirus keep my POP3 and SMTP ports open. I found out by turning off the automatic e-mail scanning and then rechecking my open ports.
*poof* they were closed. I don't like the idea of those ports remaining open but I don't know of any other way to scan incoming/outgoing e-mail. I suppose putting the e-mail scan on before checking e-mail and then turning it off afterwards would work....but I'm entirely too lazy :D You would think Norton would have a default where it automatically turns off after you finish reading your mail. Maybe they do, maybe I'm just missing it. dunno.
That's my input anyways.
Shag: NAV proxies those ports when you have those options on. I found that when attempting port scans of my internal network using a machine with NAV on...every host I scanned appeared to have those ports open. Very annoying. I found that McAfee doesn't use this type of mechanism for scanning.
Sorry for the off-topic.
-
139 open on a *nix box? I agree with SirDice...must have installed samba. If you're not sharing files with a windows box, ditch samba.
If you're not sharing with windows, stop here and disregard the remainder of this post; if you are, continue reading.
If you are sharing files using samba, disable port 139 on your *nix box, or filter it using ipchains or whatever else you use as a firewall. Also do the same on the Windows box(es) for ports 135-139 and 445.
I don't know what kind of authentication info samba sends via NetBIOS, but on NT/2000/XP, ports 135-139 (the NetBIOS ports) are a major point of concern. On Windows, fingerprinting and enumeration of user accounts is child's play if these ports are open (you can even get the SIDs, even if RestrictAnonymous is enabled and you can't establish a null session...That's scary!).
Win2K and XP use TCP/IP and DNS for almost all network services by default, and those that don't can be forced to. If you have an internal DNS on your *nix box, you can safely ditch NetBIOS altogether. Just note that you'll have to use the FQDN or IP for any computer or resource you want to access, as NetBIOS names won't work.
I don't know of any vulnerability on *nix pertaining to NetBIOS, but you never can be too safe.
-
Quote:
Originally posted here by 576869746568617
Win2K and XP use TCP/IP and DNS for almost all network services by default, and those that don't can be forced to. If you have an internal DNS on your *nix box, you can safely ditch NetBIOS altogether. Just note that you'll have to use the FQDN or IP for any computer or resource you want to access, as NetBIOS names won't work.
If you set the correct DNS domain, you can use the short names.
Right-click on My Computer->Properties->Computer name->Change..->More..
Fill in your DNS domain here.