A few ports open.... best way to resolve this issue?

masshole

OK, I used LPS (Local Port Scanner) and it advised the following ports were open:

Warning! Trojan port 110 open (Promail trojan)
Warning! Trojan port 135 open (netbios remote procedure call)
Warning! Trojan port 1025 open (mavericks matrix)

Any suggestions?
Thanks.
 
masshole said:
> OK, I used LPS (Local Port Scanner) and it advised the following ports were open:
>
> Warning! Trojan port 110 open (Promail trojan)
> Warning! Trojan port 135 open (netbios remote procedure call)
> Warning! Trojan port 1025 open (mavericks matrix)
>
> Any suggestions?
> Thanks.

Port 110: Disable any SMTP/POP3 server.
Port 135: Disable all the RPC crap.
Port 1025: NFC. That's a non-privileged port, so you will have to see what is using this port.
 
Thanks for the tips; however, disabling the POP3 server would more than likely disable my Outlook e-mail accounts?

Disabling RPC "crap"?

As for port 1025, is there an easy way to determine what program is accessing that port?
 
masshole said:
> Thanks for the tips; however, disabling the POP3 server would more than likely disable my Outlook e-mail accounts?

Nope, unless you're running a server. Port 80 isn't open and that doesn't stop you from surfing.

> Disabling RPC "crap"?

Unless you can name why you need remote procedure calls, shut it down.

> As for port 1025, is there an easy way to determine what program is accessing that port?

Various firewalls will tell you, but I don't see why it matters. Ports open are not the same as ports in use.

Which brings me to the real point -- you don't need to actually disable RPC, for instance. You need to close these ports on your firewall. You do have a firewall, don't you?
 
Like Linux, Windows can show what process is on what port (but at least Linux will give the name of the process, not just the PID).
Command for Windows: netstat -ao
Command for Linux: netstat -ap
Whatever port you are looking at, turn on showing of PIDs in Task Manager, and find it.
 
Thanks guys, I'm going to look into it now.

If this helps:

[System Process]:0 TCP 192.168.1.2:3463 66.193.254.46:80 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:3487 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:3486 127.0.0.1:1027 TIME_WAIT
[System Process]:0 TCP 192.168.1.2:3488 66.163.171.139:110 TIME_WAIT
[System Process]:0 TCP 192.168.1.2:3489 64.203.254.40:110 TIME_WAIT
aim.exe:2168 TCP 0.0.0.0:3305 0.0.0.0:0 LISTENING
aim.exe:2168 TCP 0.0.0.0:3311 0.0.0.0:0 LISTENING
aim.exe:2168 TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING
aim.exe:2168 TCP 192.168.1.2:3305 205.188.11.184:5190 ESTABLISHED
aim.exe:2168 TCP 192.168.1.2:3311 205.188.4.237:5190 ESTABLISHED
aim.exe:2168 UDP 127.0.0.1:3306 *:*
ccApp.exe:1652 TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
ccApp.exe:1652 TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
ccApp.exe:1652 TCP 192.168.1.2:1028 12.158.80.10:80 ESTABLISHED
firefox.exe:2536 TCP 0.0.0.0:3431 0.0.0.0:0 LISTENING
firefox.exe:2536 TCP 127.0.0.1:3430 127.0.0.1:3431 ESTABLISHED
firefox.exe:2536 TCP 127.0.0.1:3431 127.0.0.1:3430 ESTABLISHED
lsass.exe:648 UDP 0.0.0.0:500 *:*
svchost.exe:1000 UDP 0.0.0.0:1026 *:*
svchost.exe:1000 UDP 0.0.0.0:1033 *:*
svchost.exe:1000 UDP 0.0.0.0:1940 *:*
svchost.exe:1000 UDP 0.0.0.0:3480 *:*
svchost.exe:832 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
svchost.exe:872 TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
svchost.exe:872 UDP 127.0.0.1:123 *:*
svchost.exe:872 UDP 192.168.1.2:123 *:*
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 TCP 192.168.1.2:139 0.0.0.0:0 LISTENING
System:4 UDP 0.0.0.0:445 *:*
System:4 UDP 192.168.1.2:137 *:*
System:4 UDP 192.168.1.2:138 *:*
 
To find out what program has a certain port OPEN on a Windows box, this is how (using only what is installed with Windows ;) ):

From the command line, run: netstat -b

Then look at the long list, find the port in question, then find the PID with that port. This gives you the Process ID of the program in question. Then I open up Task Manager and look for the exe associated with that PID.
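
Added example, not part of any post in this thread: a Python sketch that automates the port-to-PID lookup described above, run over lines copied from the listing posted earlier, and separates sockets that are actually listening from connections that merely mention a port. The function and tuple names are hypothetical, and it assumes the `name:pid proto local remote state` layout with IPv4 addresses seen in that listing.

```python
import ipaddress
from collections import namedtuple

Sock = namedtuple("Sock", "process pid proto ip port remote state")

# Lines copied from the listing posted in the thread above.
SAMPLE = """\
[System Process]:0 TCP 192.168.1.2:3488 66.163.171.139:110 TIME_WAIT
aim.exe:2168 TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING
ccApp.exe:1652 TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
svchost.exe:1000 UDP 0.0.0.0:1026 *:*
svchost.exe:832 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
svchost.exe:872 TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
System:4 TCP 192.168.1.2:139 0.0.0.0:0 LISTENING
"""

def parse(text):
    """Parse 'name:pid PROTO local remote [STATE]' lines into Sock tuples."""
    socks = []
    for line in text.splitlines():
        fields = line.split()
        # The process name can contain spaces, so locate the protocol column first.
        idx = next((i for i, f in enumerate(fields) if f in ("TCP", "UDP")), None)
        if idx is None or idx == 0 or len(fields) < idx + 3:
            continue  # not a socket line
        name, _, pid = " ".join(fields[:idx]).rpartition(":")
        ip, _, port = fields[idx + 1].rpartition(":")
        state = fields[idx + 3] if len(fields) > idx + 3 else ""
        socks.append(Sock(name, int(pid), fields[idx], ip, int(port), fields[idx + 2], state))
    return socks

def is_listener(s):
    """TCP sockets in LISTENING state, or UDP sockets bound with no peer."""
    return s.state == "LISTENING" if s.proto == "TCP" else s.remote == "*:*"

def owners(socks, port, proto="TCP"):
    """Which process/PID is listening on a given local port."""
    return sorted({(s.process, s.pid) for s in socks
                   if is_listener(s) and s.proto == proto and s.port == port})

def reachable(socks):
    """Listeners bound to a non-loopback address, i.e. what the firewall must cover."""
    return [s for s in socks if is_listener(s)
            and not ipaddress.ip_address(s.ip).is_loopback]

if __name__ == "__main__":
    socks = parse(SAMPLE)
    for port in (110, 135, 1025):
        print(port, owners(socks, port) or "no local listener")
    for s in reachable(socks):
        print(f"{s.proto} {s.ip}:{s.port} <- {s.process} (PID {s.pid})")
```

In these lines port 110 appears only as the remote end of a connection in TIME_WAIT, while 135 and 1025 are held by svchost.exe instances bound to 0.0.0.0.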
 