help

[Hannibal]

Sorry if this is OT, but how do I block port 135? It is associated with
a malicious script that I may have had until recently.

I'm on Win XP Pro SP1 (I think it's SP1).

Hannibal

 

[Jeffrey A. Setaro]

Sorry if this is OT, but how do I block port 135? It is associated with
a malicious script that I may have had until recently.

I'm on Win XP Pro SP1 (I think it's SP1).

See Microsoft Knowledge Base Article - 283673 "HOW TO: Enable or Disable
Internet Connection Firewall in Windows XP"

<http://support.microsoft.com/default.aspx?scid=kb;en-us;283673>

HTH.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[Hannibal]

See Microsoft Knowledge Base Article - 283673 "HOW TO: Enable or Disable
Internet Connection Firewall in Windows XP"

<http://support.microsoft.com/default.aspx?scid=kb;en-us;283673>

Thanks. I already have the XP software firewall enabled. How do I
block the port manually?

HTH.

Hannibal

 

[Jeffrey A. Setaro]

Thanks. I already have the XP software firewall enabled. How do I
block the port manually?

If you have the XP's firewall enabled port 445 should be blocked. Have
tried Scanning your system for open open port? You can visit
<http://scan.sygate.com> for a free port scan.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[Jeffrey A. Setaro]

I'm having trouble making myself understood. I am new to this whole
game and have no idea how to view the open port listings and blocked
port listings on my computer. Is there a way to do that in XP Pro SP1?

You can open a command prompt and type netstat -an that'll give you a
list of listening ports. If you post the results here and we'll be able
tell you if there is anything unusual listed.

The free port scan you recommended had trouble with my router.

You left out this bit of essential information. Your router will
effectively block access to your computer from the internet. Even if
port 445 is open on you computer you router will block access to it from
the internet.

It
identified my OS accurately as XP, but claimed I was running Netscape
5.0 when I'm actually running 7.1, and was unable to find my computer's
name.

That's normal. Your OS and browser version info is provided by Netscape.

At the next step it froze.

The "Trying to find out what services you are running..." step can take
several minutes (10-20 in some cases) to complete. Your can try
rerunning the test, the "Quick Scan" is what you're most interested in.

A caveat though... The port scan will not tell anything about the status
of you machine just your router. Your router sits between you computer
and the internet and filters the traffic traveling back and forth. If it
has been properly configured your router should block any unsolicited
incoming traffic (such as ports scans) before it reachers you PC.

HTH.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[Hannibal]

You can open a command prompt and type netstat -an that'll give you a
list of listening ports. If you post the results here and we'll be able
tell you if there is anything unusual listed.

These are my established listings:

3375 localhost 3376
3376 localhost 3375
3470 205.188.11.240:5190
3535 nr-ott02.bellnexia.net:nntp
3577 imap-d24a.mx.aol.com:5002
3582 nr-ott02.bellnexia.net:nntp

There are a few closed listings relating to an online game I played -
when my browser itself intercepted some popups.

The bellnexia listings are my ISP, Sympatico. The only one I'm worried
about is the 3577 AOL listing. Has someone hacked me?

Hannibal

 

[Jeffrey A. Setaro]

These are my established listings:

3375 localhost 3376
3376 localhost 3375
3470 205.188.11.240:5190
3535 nr-ott02.bellnexia.net:nntp
3577 imap-d24a.mx.aol.com:5002
3582 nr-ott02.bellnexia.net:nntp

There are a few closed listings relating to an online game I played -
when my browser itself intercepted some popups.

The bellnexia listings are my ISP, Sympatico. The only one I'm worried
about is the 3577 AOL listing. Has someone hacked me?

That's your Netscape/AOL instant messenger. You may wan't to consider
Using Mozilla <http://www.mozilla.org>... It's basically Netscape
without the AOL crap.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[Hannibal]

That's your Netscape/AOL instant messenger. You may wan't to consider
Using Mozilla <http://www.mozilla.org>... It's basically Netscape
without the AOL crap.

Thanks for the suggestion. Now that I think of it, I can't figure out
what the 205.188.11.240 is either. Typing it in my browser location bar
brings no results, so it's not a valid URL. It's also not my Netgear's
fake-URL configuration thing. Anyone have any ideas?

Hannibal

 

[Jeffrey A. Setaro]

Thanks for the suggestion. Now that I think of it, I can't figure out
what the 205.188.11.240 is either. Typing it in my browser location bar
brings no results, so it's not a valid URL. It's also not my Netgear's
fake-URL configuration thing. Anyone have any ideas?

AOL Instant Messenger... Port 5190 is the default communications port
used by AOL instant messenger. The 205.188.11.240 IP address belongs to
AOL.


--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[null]

Thanks for the suggestion. Now that I think of it, I can't figure out
what the 205.188.11.240 is either. Typing it in my browser location bar
brings no results, so it's not a valid URL. It's also not my Netgear's
fake-URL configuration thing. Anyone have any ideas?

Some general suggestions:

1. Use something like Sam Spade to look up IP address assignments. The
one you mention is part of a AOL assigned block. That doesn't tell us
much though without more detective work.
2. One simple way to find which apps or services are connecting is to
use a running application killer. I suggest APPSWAT available at my
web site. You can often swat (kill) suspect running apps one by one
until the netstat reading disappers. But don't kill core Windows
apps. This does require knowing what _not_ to try to kill on your
particular OS. Of course, core apps may be impossible to kill anyway.

Another way is to download and use a free personal firewall since they
will pop up and ask your permission for apps to access the internet.
Thus, you should easily be able to find the name of a .EXE file and
you can temporarily rename it (if it's not locked) or in some cases
you might want to permanently delete it. There are one or two even
simpler freeware apps available which are useful for IDing apps but I
normally keep Sygate personal firewall around for such purposes since
I like its traffic logging. You should be able to rename or delete
locked files in Safe mode.

3. For communicating netstat info to a newsgroup, I suggest forcing it
to create a text file. For example, open a DOS window and type:

netstat -an >net.txt

should produce a text file named net.txt
BTW, with Win XP the netstat command often used includes an extra
command as: netstat -ano Try this and check the difference.

Also, for maximum clarity, run netstat after restarting Windows and
just after going on line. Then there is no recent history to get in
the way and clutter things up.

Art
http://www.epix.net/~artnpeg

 

[Jeffrey A. Setaro]

Some general suggestions:

1. Use something like Sam Spade to look up IP address assignments. The
one you mention is part of a AOL assigned block. That doesn't tell us
much though without more detective work.

Actually 205.188.11.240:5190 tells us the the that AOL Instant Messenger
open the connection.

2. One simple way to find which apps or services are connecting is to
use a running application killer. I suggest APPSWAT available at my
web site. You can often swat (kill) suspect running apps one by one
until the netstat reading disappers. But don't kill core Windows
apps. This does require knowing what _not_ to try to kill on your
particular OS. Of course, core apps may be impossible to kill anyway.

Complete overkill in this case all the OP needs to do is close AOL
instant messenger (Replacing Netscape with Mozilla would be an even
better solution... in less of course you like AOL instant messenger).

Another way is to download and use a free personal firewall since they
will pop up and ask your permission for apps to access the internet.
Thus, you should easily be able to find the name of a .EXE file and
you can temporarily rename it (if it's not locked) or in some cases
you might want to permanently delete it. There are one or two even
simpler freeware apps available which are useful for IDing apps but I
normally keep Sygate personal firewall around for such purposes since
I like its traffic logging. You should be able to rename or delete
locked files in Safe mode.

Not a bad idea... The native Windows XP Firewall doesn't do application
level filtering.

3. For communicating netstat info to a newsgroup, I suggest forcing it
to create a text file. For example, open a DOS window and type:

netstat -an >net.txt

should produce a text file named net.txt
BTW, with Win XP the netstat command often used includes an extra
command as: netstat -ano Try this and check the difference.

Also, for maximum clarity, run netstat after restarting Windows and
just after going on line. Then there is no recent history to get in
the way and clutter things up.

In this case neither was necessary the OP provided exactly the
information I asked for and in an acceptable manner for the discussion.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[null]

In this case neither was necessary the OP provided exactly the
information I asked for and in an acceptable manner for the discussion.

And I offered him self-help information. Why are you being such a
jerk?

Art
http://www.epix.net/~artnpeg

 

[Bart Bailey]

the OP provided exactly the
information I asked for and in an acceptable manner for the discussion.

Mark your calendar!
How often does that happen?

 

[Hannibal]

Relax, guys. You both did right. One of you helped me figure things
out, and the other one told me how I can do things better next time.

Hannibal

 

[Jeffrey A. Setaro]

I just ran a free plugin that allegedly disables Netscape/AOL Instant
Messenger in Mozilla products, including Netscape 7.1, which I use.
Following your instructions above, this is what netstat reports:


I rebooted my computer but not my router or DSL modem before doing this.
So what does that look like to you? Thanks much.

It look like Netscape/AOL Instant Messenger is loading at startup... Or
you had Netscape loaded when you ran netstat.

OK at second glance it looks like the latter... 207.35.177.134:119 is
your news server. 205.188.11.240:5190 is AOL instant messenger
205.188.157.95:5005 resolves to imap-d24a.mx.aol.com probably Netscape
or AOL "Web" mail... Not sure why the end point is port 5005 though...
Normally IMAP uses port 143.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[null]

I just ran a free plugin that allegedly disables Netscape/AOL Instant
Messenger in Mozilla products, including Netscape 7.1, which I use.
Following your instructions above, this is what netstat reports:


I rebooted my computer but not my router or DSL modem before doing this.
So what does that look like to you? Thanks much.

Using this as a reference for Win XP:
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html.en

It looks like you have a ton of stuff to track down and try to explain
even before you address the issue of disabling unwanted/unnecessary
services built into XP. But at least this reference illustrates what
is seen on a fresh install.

I didn't follow and don't have available the begining of this thread,
so I don't know what you've done in the way of running av and spyware
scanners, or even what your original call for help was about.

Anyway, when you're ready for it, there's a really good general
purpose utility by KAV called Trojan_Finder (link at my web site).

Art
http://www.epix.net/~artnpeg

 

[Hannibal]

This is what happens in my netstat immediately after I close Netscape
and restart Windows:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 127.0.0.1:1028 TIME_WAIT
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3009 0.0.0.0:0 LISTENING
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
TCP 192.168.0.2:3010 152.163.208.57:80 TIME_WAIT
TCP 192.168.0.2:12256 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:3011 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.0.2:123 *:*
UDP 192.168.0.2:137 *:*
UDP 192.168.0.2:138 *:*
UDP 192.168.0.2:1900 *:*
UDP 192.168.0.2:14460 *:*
UDP 192.168.0.2:14556 *:*

Any comments?

For the fellow who wanted to know: My original question was how to
manually shut down Port 135 to avoid vulnerability. I then asked a
question about how to manually view my ports. I still need help with
what these listings mean.

Thanks guys.

Hannibal

 

[Jeffrey A. Setaro]

This is what happens in my netstat immediately after I close Netscape
and restart Windows:


Any comments?

Nope... Nothing unusual.

For the fellow who wanted to know: My original question was how to
manually shut down Port 135 to avoid vulnerability.

That's kind of a moot issue since your router will filter/block
unsolicited incoming traffic.

I then asked a
question about how to manually view my ports. I still need help with
what these listings mean.

OK... Quick and dirty... X.X.X.X is an IP address the numbers after the
: are a TCP or UDP or port. 127.0.0.1 is the local loop back address,
192.168.0.2 is your PC, 0.0.0.0 is a broadcast address.

If you really want to learn how all this stuff works pick a copy of
"Networking for Dummies" and "TCP/IP for Dummies". They're fairly basic
and a good place to start.

Thanks guys.

Your welcome. HTH.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34