How do you close ports?


networm

Hi all,

Somebody remotely in another part of the world sent me email complaining I
have a "backdoor-g-1" trojan connecting to his computer using port 1243...
I've also run Norton Security check from their website and found the
following port open along with the 1243 port...

Since Norton Antivirus and Norton Security Check did not find any virus...
or anything else, perhaps there is nothing I can do and I can just close the
ports...

Suspiciously, these ports should not be open...

Now what shall I do? And how can I close the ports on XP sp2?

Thanks a lot!
 

David H. Lipman

From: "networm" <[email protected]>

| Hi all,
|
| Somebody remotely in another part of the world sent me email complaining I
| have a "backdoor-g-1" trojan connecting to his computer using port 1243...
| I've also run Norton Security check from their website and found the
| following port open along with the 1243 port...
|
| Since Norton Antivirus and Norton Security Check did not find any virus...
| or anything else, perhaps there is nothing I can do and I can just close the
| ports...
|
| Suspiciously, these ports should not be open...
|
| Now what shall I do? And how can I close the ports on XP sp2?
|
| Thanks a lot!
|


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 

Jack

Ports by default are not open or closed; they just sit there ready to be
used by an application that needs them.

One of the roles of a Firewall is to keep ports closed for traffic unless one
of the applications that you are using requests a port for its own use,
therefore it is a very good idea to use a Firewall.

The email that you received is a little odd, unless a Trojan is capable of
transmitting your email address it is unlikely that he can infer your email
address from an IP number. In other words, it might be a “prank” email.

Basic Protection for Broadband Internet connection should consist of:

1. Router's NAT Firewall (even if you have only one computer).

2. Software Firewall (Why? See here, http://www.ezlan.net/firewall.html ).

3. Antivirus Program.

4. AntiSpy Program.

A good security suite can be assembled by using very good Free programs,
http://www.ezlan.net/security.html

Microsoft is currently Beta testing a comprehensive One Care program that
might be a good substitute for the software that is mentioned above.

http://beta.windowsonecare.com/Betaentry.aspx

If you are already infected this might help,

Internet Infestation: http://www.ezlan.net/infestation.html

Basic Steps in cleaning Internet "Junk" - http://www.ezlan.net/clean.html

Jack (MVP-Networking).
 

Steven L Umbach

You need to either disable or remove the application/process that is using
the port or use a firewall that can block outbound traffic. In your case you
really want to find the offending application/process and remove it using
additional malware and spyware detection and removal programs since your
initial attempt seems to have failed. You can use programs such as the free
one called TCPView that will show what process/executable is using the
offending port, which may help you determine what is going on. Autoruns
will show you your various startup programs and you might be able to disable
it there or see if it is installed as a service and stop and disable the
service. Though that may help, you really want to try additional programs to
try and find and remove the rogue program. Also be sure to scan in Safe Mode
and check that any malware/spyware program you use is using the latest up to
date definitions that you can download from the vendor's website. --- Steve

http://www.sysinternals.com/Utilities/TcpView.html --- TCPView
http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
http://www.microsoft.com/athome/security/viruses/default.mspx --- MS info
on viruses and worms.
 

AmericanTechie

networm said:
Hi all,

Somebody remotely in another part of the world sent me email complaining I
have a "backdoor-g-1" trojan connecting to his computer using port 1243...
I've also run Norton Security check from their website and found the
following port open along with the 1243 port...


Since Norton Antivirus and Norton Security Check did not find any virus...
or anything else, perhaps there is nothing I can do and I can just close the
ports...

Suspiciously, these ports should not be open...

Now what shall I do? And how can I close the ports on XP sp2?

Thanks a lot!

Port 80 is webserver just as the list tells you. Are you running apache
or another webserver?
 

networm

Jack said:
Ports by default are not open or closed; they just sit there ready to
be used by an application that needs them.

One of the roles of a Firewall is to keep ports closed for traffic unless
one of the applications that you are using requests a port for its own use,
therefore it is a very good idea to use a Firewall.

The email that you received is a little odd, unless a Trojan is capable of
transmitting your email address it is unlikely that he can infer your email
address from an IP number. In other words, it might be a “prank” email.

Basic Protection for Broadband Internet connection should consist of:

1. Router's NAT Firewall (even if you have only one computer).

2. Software Firewall (Why? See here, http://www.ezlan.net/firewall.html ).

3. Antivirus Program.

4. AntiSpy Program.

A good security suite can be assembled by using very good Free programs,
http://www.ezlan.net/security.html

Microsoft is currently Beta testing a comprehensive One Care program that
might be a good substitute for the software that is mentioned above.

http://beta.windowsonecare.com/Betaentry.aspx

If you are already infected this might help,

Internet Infestation: http://www.ezlan.net/infestation.html

Basic Steps in cleaning Internet "Junk" - http://www.ezlan.net/clean.html

Jack (MVP-Networking).


The email was forwarded by our security office. The sender found out our
organization and sent it to our security office...

Anyway, I am using Windows Firewall... How can I shut down these ports?

Using those sophisticated techniques to find which processes are using the
ports is too much for me...

I just want to close the ports...

Thanks a lot!
 

networm

Steven L Umbach said:
You need to either disable or remove the application/process that is using
the port or use a firewall that can block outbound traffic. In your case
you really want to find the offending application/process and remove it
using additional malware and spyware detection and removal programs since
your initial attempt seems to have failed. You can use programs such as
the free one called TCPView that will show what process/executable is
using the offending port, which may help you determine what is going on.
Autoruns will show you your various startup programs and you might be
able to disable it there or see if it is installed as a service and stop
and disable the service. Though that may help, you really want to try
additional programs to try and find and remove the rogue program. Also be
sure to scan in Safe Mode and check that any malware/spyware program you
use is using the latest up to date definitions that you can download from
the vendor's website. --- Steve

http://www.sysinternals.com/Utilities/TcpView.html --- TCPView
http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
http://www.microsoft.com/athome/security/viruses/default.mspx --- MS
info on viruses and worms.

I am using Windows Firewall... How can I shut down these ports?

Using those sophisticated techniques to find which processes are using the
ports is too much for me...

I just want to close the ports...

Thanks a lot!
 

networm

AmericanTechie said:
Port 80 is webserver just as the list tells you. Are you running apache
or another webserver?


I am using Windows Firewall... How can I shut down these ports?

Using those sophisticated techniques to find which processes are using the
ports is too much for me...

I just want to close the ports...

Thanks a lot!
 

Lionel Fourquaux

networm said:
I am using Windows Firewall... How can I shut down these ports?

Control panel -> Windows firewall, Exceptions, uncheck the exceptions you do
not want.
I just want to close the ports...

Closing everything blindly is bound to cause problems sooner or later.
 

Lanwench [MVP - Exchange]

networm said:
The email was forwarded by our security office. The sender found out
our organization and sent it to our security office...

Anyway, I am using Windows Firewall... How can I shut down these
ports?
Using those sophisticated techniques to find which processes are using
the ports is too much for me...

I just want to close the ports...

Thanks a lot!

Without knowing anything about your setup/network it's hard to tell you much
here. The Windows firewall cannot block outbound traffic. You'd need
something else - either hardware (firewall appliance) or software. This is
not as simple a task as you clearly wish it to be, unfortunately - and I
also question whether it's actually necessary as you haven't provided enough
info for us to know whether your PC is actually compromised. You'd need to
have the recipient of the offending message copy/paste the Internet mail
headers and send this to you, so you could investigate it.

If you're on a company network, someone should be managing your network
security and you ought to ask them for help. If this is a home computer, you
need to provide a lot more info in order to get help.
 

networm

Lanwench [MVP - Exchange] said:

Without knowing anything about your setup/network it's hard to tell you
much here. The Windows firewall cannot block outbound traffic. You'd need
something else - either hardware (firewall appliance) or software. This is
not as simple a task as you clearly wish it to be, unfortunately - and I
also question whether it's actually necessary as you haven't provided
enough info for us to know whether your PC is actually compromised. You'd
need to have the recipient of the offending message copy/paste the
Internet mail headers and send this to you, so you could investigate it.

If you're on a company network, someone should be managing your network
security and you ought to ask them for help. If this is a home computer,
you need to provide a lot more info in order to get help.

Yes, I am on an organization network.

But our administrator only knows about asking me to reinstall the OS system
every time they suspect some compromise happens. They know no better than
using Norton Antivirus to check security.

I don't want to complain more. I don't want to reinstall the OS either.

So tell me how to shut down those 3 ports.

My computer is not a server so it should not use ports such as 80, etc.
 

networm

Lionel Fourquaux said:
Control panel -> Windows firewall, Exceptions, uncheck the exceptions you
do not want.


Closing everything blindly is bound to cause problems sooner or later.

But our administrator only knows about asking me to reinstall the OS system
every time they suspect some compromise happens. They know no better than
using Norton Antivirus to check security.

I don't want to complain more. I don't want to reinstall the OS either.

So tell me how to shut down those 3 ports.

My computer is not a server so it should not use ports such as 80, etc.

I have checked, they are not in the exceptions tab in Windows Firewall.
 

Lionel Fourquaux

networm said:
But our administrator only knows about asking me to reinstall the OS
system every time they suspect some compromise happens.

If your OS has been compromised, that's usually the safest solution.
I have checked, they are not in the exceptions tab in Windows Firewall.

Can you post the output of these commands?

tasklist /svc
netstat -a -n -o
netsh firewall show config
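Lionel's three commands, together with Steven's earlier advice to use TCPView, are the standard way to answer "which process owns this port?" without any extra software. The following Python script is an added example (not code from any poster in this thread): it joins the PID column of "netstat -a -n -o" with "tasklist /svc", lists every listening port with the image and services behind it, shows which remote hosts are connected to a given local port, and flags listeners that no recognised service explains. The two outputs embedded in the script are constructed samples in the XP SP2 column format, not output from networm's PC; "example_unknown.exe" and the remote addresses are placeholders. On a real machine you would paste in the saved output of the two commands instead.

```python
"""Join 'netstat -a -n -o' with 'tasklist /svc' to see which process owns each port.

Added example.  The two sample outputs below are constructed in the Windows XP
SP2 format; they are not taken from the original poster's machine, and
"example_unknown.exe" stands in for a process the user does not recognise.
"""
import re
from collections import namedtuple

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1880
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING       1456
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1243       203.0.113.7:3961       ESTABLISHED     1456
  TCP    192.168.1.5:1037       192.0.2.10:80          ESTABLISHED     1612
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1044
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    964 RpcSs
svchost.exe                   1044 Dnscache, LanmanWorkstation, SSDPSRV
inetinfo.exe                  1880 IISADMIN, W3SVC
example_unknown.exe           1456 N/A
iexplore.exe                  1612 N/A
"""

Socket = namedtuple("Socket", "proto local_port remote state pid")
Owner = namedtuple("Owner", "image services")

# image name (may contain spaces), PID, then the service list or "N/A"
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """One Socket per data row.  UDP rows have no State column, so the PID is
    read from the last field rather than from a fixed position."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                      # banner, column header or blank line
        state = f[3] if f[0] == "TCP" else ""
        port = int(f[1].rpartition(":")[2])
        yield Socket(f[0], port, f[2], state, int(f[-1]))


def parse_tasklist(text):
    """Map PID -> Owner(image, [services]) from 'tasklist /svc' output."""
    owners = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Image Name", "=")):
            continue
        m = TASKLIST_ROW.match(line)
        if m:
            services = m.group(3).strip()
            names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
            owners[int(m.group(2))] = Owner(m.group(1), names)
    return owners


def listening_ports(netstat_text, tasklist_text):
    """{(proto, port): Owner} for every socket that will accept traffic:
    TCP sockets in LISTENING state and every bound UDP socket."""
    owners = parse_tasklist(tasklist_text)
    result = {}
    for s in parse_netstat(netstat_text):
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        result[(s.proto, s.local_port)] = owners.get(s.pid, Owner("<pid %d not in tasklist>" % s.pid, []))
    return result


def peers_of_port(netstat_text, port):
    """Remote endpoints with an ESTABLISHED TCP connection to a local port.
    This is what 'connecting to his computer using port 1243' would look like."""
    return sorted(s.remote for s in parse_netstat(netstat_text)
                  if s.proto == "TCP" and s.local_port == port and s.state == "ESTABLISHED")


def unexplained_listeners(listeners, known_services):
    """Ports whose owner is neither the System process nor a host for any
    service in known_services.  On a workstation these are the first ports to
    explain before deciding that anything needs 'closing'."""
    return sorted(port for (proto, port), owner in listeners.items()
                  if owner.image != "System" and not set(owner.services) & known_services)


if __name__ == "__main__":
    KNOWN = {"RpcSs", "Dnscache", "LanmanWorkstation", "SSDPSRV"}   # services the user recognises
    listeners = listening_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for (proto, port), owner in sorted(listeners.items()):
        print("%-3s %5d  %-22s %s" % (proto, port, owner.image, ", ".join(owner.services) or "-"))
    print("connected to local 1243:", peers_of_port(NETSTAT_SAMPLE, 1243))
    print("unexplained listeners:", unexplained_listeners(listeners, KNOWN))
```

On the constructed sample the script reports ports 80 and 1243 as unexplained: 80 belongs to inetinfo.exe (IIS), which AmericanTechie's question about a web server would cover, and 1243 to a process that runs no service at all, which is the one to investigate. Established connections (such as the browser on port 1037) are deliberately left out of the listener list, because they are not ports anyone can connect to.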
 

Lanwench [MVP - Exchange]

networm said:
Lanwench [MVP - Exchange] said:

Without knowing anything about your setup/network it's hard to tell
you much here. The Windows firewall cannot block outbound traffic.
You'd need something else - either hardware (firewall appliance) or
software. This is not as simple a task as you clearly wish it to be,
unfortunately - and I also question whether it's actually necessary
as you haven't provided enough info for us to know whether your PC
is actually compromised. You'd need to have the recipient of the
offending message copy/paste the Internet mail headers and send this
to you, so you could investigate it. If you're on a company network,
someone should be managing your
network security and you ought to ask them for help. If this is a
home computer, you need to provide a lot more info in order to get
help.

Yes, I am an organization network.

But our administrator only knows about asking me to reinstall the OS
system every time they suspect some compromise happens. They know no
better than using Norton Antivirus to check security.

Talk to management, then. That isn't IT support.
I don't want to complain more.

Well, you should.
I don't want to reinstall OS either.

Nor would I.
So tell me how to shut down those 3 ports.

As I wrote, and as nearly everyone has written, you can't do this with the
Windows firewall, and it is not as simple an issue as you wish it to be.
My computer is not a server so it should not use ports such as 80,
etc.

And it probably doesn't have an internal web server on it unless you
installed one, but that isn't the issue anyway.

Bottom line:
You need to have whoever sent you the message that your computer is doing
something bad, give you more evidence that it's doing so. And it's your IT
staff's responsibility to ensure that a) bad stuff isn't likely to happen
and b) fix bad stuff when it's proven it *did* happen.
 

Lionel Fourquaux

Lanwench [MVP - Exchange] said:
As I wrote, and as nearly everyone has written, you can't do this with the
Windows firewall, and it is not as simple an issue as you wish it to be.

I may have missed something in this thread, but it looks to me like the OP
wants to block incoming connections, and I think the Windows firewall can do
this.
Bottom line:
You need to have whoever sent you the message that your computer is doing
something bad, give you more evidence that it's doing so. And it's your IT
staff's responsibility to ensure that a) bad stuff isn't likely to happen
and b) fix bad stuff when it's proven it *did* happen.

Quite true.
 

Lanwench [MVP - Exchange]

Lionel Fourquaux said:
Lanwench [MVP - Exchange] said:
As I wrote, and as nearly everyone has written, you can't do this
with the Windows firewall, and it is not as simple an issue as you
wish it to be.

I may have missed something in this thread, but it looks to me like
the OP wants to block incoming connections, and I think the Windows
firewall can do this.

Yes, it can (and does block *all* inbound traffic by default), but since
he's saying he has been accused of *sending* something unauthorized, that's
not the direction I was going in.

"Somebody remotely in another part of the world sent me email complaining I
have a "backdoor-g-1" trojan connecting to his computer"

I question the accuracy of that report anyway, but we're going around in
circles here and I don't think the OP fully understands that what he's
asking, with the information he's provided, is impossible to help with.
 

Guest

You know, I have just encountered a similar problem, by different means. I
accidentally opened my telnet port in cmd and http port somehow. I found this
out by doing the Symantec security scan. As with networm, I have no clue how
to get these ports closed and stealthed or whatever! I have done scans with
Norton and spyware s&d, and I have taken a passive look for processes running
that would have these ports open. So far, I managed to close the telnet port
in cmd again, but I did the scan with Symantec and it still says it's open...

Do I understand this correctly in that these ports are only open because
some process or program is using them?

These consistently open ports have brought on an onslaught of hack attempts,
the ones I know about being blocked by Norton. Should I try and find these
programs keeping my ports open?

- telnet open
- http open
- ping open

Thanks
 
P

Phillip Windell

Ports don't exist all by themselves. They exist and "listen" in response to
running Applications that use them.

If the Telnet Service is running,...the Telnet port will be open
If IIS is running,...the http port (80, 443, and possibly SMTP, FTP, and
NNTP) would be open.

Shut down and disable the Telnet Service and IIS's Services (more than one)
then those ports will "go away". It is a universal principle,...don't run
anything you don't want people to connect to.

twentytwospoons said:
These consistently open ports have brought on an onslaught of hack
attempts,

That depends,...if you live in the world of paranoia,...everything will look
like a "hack attempt" and you will see "hack attempts" under every rock and
around every corner, and most of them won't be real but will just be
misinterpretations of what is really happening.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
 

Guest

Alright, that helps. I don't completely understand how ports and services and
stuff like that work, especially when I don't even recall starting those
programs. And I only call them "hack attempts" because they never used to
occur prior to these ports suddenly being open. Either way, I think I can fix
my problem with the confirmed knowledge in my mind that the ports are in use
by running applications, not that they are just little open stomata in my
firewall, as I previously thought.

Thanks


Phillip Windell said:
Ports don't exist all by themselves. They exist and "listen" in response to
running Applications that use them.

If the Telnet Service is running,...the Telnet port will be open
If IIS is running,...the http port (80, 443, and possibly SMTP, FTP, and
NNTP) would be open.

Shutdown and disable the Telnet Service and IIS's Services (more than one)
then those ports will "go away". It is a universal principle,...don't run
anything you don't want people to connect to.

twentytwospoons said:
These consistently open ports have brought on an onslaught of hack
attempts,

That depends,...if you live in the world of paranoia,...everything will look
like a "hack attempt" and you will see "hack attempts" under every rock and
around every corner, and most of them won't be real but will just be
misinterpretations of what is really happening.

 

Phillip Windell

twentytwospoons said:
Alright, that helps. I don't completely understand how ports and services and
stuff like that work,

"Ports" are *imaginary* anyway. They are not some tangible object that
exists. "Ports" are nothing but Layer4 Addresses,..just like IP#s are
Layer3 Addresses. The OS's Networking subsystem simply opens the packet and
examines the Layer4 Address and then asks the question, "Is there a running
application associated with this address?", if the answer is yes it passes
the packet up through the OSI Layers to the Application assuming there are
no contrary ACLs,...if the answer is no, or if contrary ACLs exist, the
packet is dropped.

Layer3 Addresses (IP#s) in the Network Portion find the Subnet
Layer3 Addresses (IP#s) in the Host Portion find the MAC Address via ARP
Layer2 Addresses (MAC Address) finds the individual Host
Layer4 Addresses (Ports) find the Application running on the Host

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
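Phillip's point here, and in his earlier reply that a port "goes away" once the service behind it is stopped, can be demonstrated directly. The following is added example code, not part of this thread: it opens a listening TCP socket on the loopback address, probes the port, closes the socket, and probes the same port again. No firewall setting is touched at any stage; once no application is associated with that Layer 4 address, the operating system itself refuses the connection (a TCP reset). The port number is chosen by the OS at run time and is not specific to anything in the thread.

```python
"""A port is "open" only while some process holds a listening socket on it.

Added example, not from the thread.  It needs nothing but the loopback
interface and touches no firewall configuration.
"""
import errno
import socket


def probe(port, host="127.0.0.1", timeout=1.0):
    """Return 0 if a TCP connect to host:port succeeds, otherwise the errno."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port))


def open_then_close(host="127.0.0.1"):
    """Bind an OS-chosen port, probe it while listening and after closing.

    Returns (port, result_while_listening, result_after_close).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    while_open = probe(port, host)    # 0: a running application owns the port
    if while_open == 0:
        conn, _ = listener.accept()   # drain the connection the probe created
        conn.close()

    listener.close()                  # the "service" stops: the socket is gone
    after_close = probe(port, host)   # nobody listens, so the OS refuses it
    return port, while_open, after_close


def is_refused(code):
    """True when connect_ex reported 'connection refused'.

    errno.ECONNREFUSED on POSIX; 10061 is WSAECONNREFUSED on Windows."""
    return code in (errno.ECONNREFUSED, 10061)


if __name__ == "__main__":
    port, before, after = open_then_close()
    print("port %d while listening: connect_ex=%d" % (port, before))
    print("port %d after close:     connect_ex=%d (refused=%s)" % (port, after, is_refused(after)))
```

The second probe fails for the same reason Phillip describes: the packet arrives, the networking subsystem finds no application associated with the destination port, and the request is rejected. That is also why a security scanner keeps reporting a port as open for as long as the owning process keeps running, regardless of what the user believes they have "closed".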
 
