TCP Open ports

Gene

Windows XP Home - ICF enabled
I'm not using any 3rd party firewall yet.
Testing my available 'all service ports' shows the
following:
__________________________________________________________
GRC Port Authority Report created on UTC: 2003-10-09 at
19:14:36

Results from scan of ports: 0-1055

1 Ports Open
1053 Ports Closed
2 Ports Stealth
---------------------
1056 Ports Tested

The port found to be OPEN was: 80

Ports found to be STEALTH were: 0, 520

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS
RECEIVED.
__________________________________________________________

1) Can I manually close this 80 (HTTP) port? How?
2) Why do the FTP and Telnet ports (21 & 23 resp.)
sometimes appear as open and sometimes appear as closed?

I'd like to know if it's possible to do it manually to
avoid using 3rd party firewalls.

Thanks in advance!!!
Gene
 
Matt DuBois [MSFT]

Go to the network connections control panel.
Right click on your network card and select properties.
Go to the Advanced tab.
Make sure the checkbox for ICF is checked ("Protect my computer and network
by limiting or preventing access to this computer from the internet").
- The fact that a ping was received, and that all the ports were not
listed as "stealth" indicates that ICF is not enabled. By default ICF will
block pings and all ports will appear as "stealth" unless they have been
explicitly opened.
Click on Settings at the bottom of the Advanced tab
Make sure all the check boxes on the Services tab are unchecked.

If ICF is enabled, but you do not see the little lock icon at the top right
of your network connection's icon in the network connections control panel,
then there may be something keeping the ICF service from starting. If this
is the case, report back to the newsgroup with the results of the following
command, run from a command prompt:

net start sharedaccess
 
Gene

Hi Matt, thanks for your response. My ICF is always 'on'
with the checkbox enabled, and yes, the network connection's
icon shows the little lock on the top right side. Under the
Services tab (Advanced settings) I see the following 4
services checked:
1) msmsgs 10991 TCP
2) msmsgs 12566 TCP
3) msmsgs 13832 UDP
4) msmsgs 15893 UDP
Should I clear these checkboxes? I think they were added
there by the MSN Messenger application. Please warn me
about the next steps to follow.
Thanks again!
 
Matt DuBois [MSFT]

You are correct, those are added by messenger and should be okay. Do you
have another machine on your home network that you can use to attempt to
ping this machine? What may be happening is that when you connect to the
internet, you are not really on the internet but behind a proxy server. So,
when you go to the "Shields Up" web site and do a port scan, it isn't really
scanning your computer, but scanning that proxy server. So, answer these
questions:

Can another machine on the same network as your computer ping your computer?
What ISP do you use?
Normally when you connect to an ISP, you get a different IP address every
time (unless you are paying more money or have made other arrangements with
your ISP to get a static address). If you connect, go to the scanning page,
and disconnect several times, with varying intervals between a few minutes
and a few hours, does the scanning page always show the same IP address (or
one of a small number of IP addresses)? That would be an indication you are
behind a proxy server.

Based on what you've told me, I believe that you are behind a proxy server
and that the internet connection firewall is probably working fine, but I
would like to confirm it just to be sure. If there is a problem with it
when it thinks everything is okay, we'd certainly like to know about it!
 
Gene

Thanks for your help Matt. I'll perform the tests as you
asked me to do. As far as I know, the IP address provided by
my ISP is 'dynamic' and my machine is not behind a proxy
server (the browser is configured without one). I'm
connected to the internet via an ADSL router working for one
PC only. What I find confusing is that only the first
scan from 'shields up' (within varying intervals)
shows the FTP and Telnet ports open; in the next ones
these ports show closed status! The HTTP port always
appears open.
Thanks Matt
 
Gene

Thanks Matt, I ran several tests from 'shields up' and I
see my 'unique ip address number' constantly changing.
Does this mean my ICF is working fine and
I have nothing to worry about?
Thanks again!!!
 
Matt DuBois [MSFT]

Okay, you had some new information in your earlier mail that changed things
a little bit. I have a couple more questions I'd like to get clarification
on, so I can make sure I'm telling you the right thing.

When you tried shields up several times, were you disconnecting and
reconnecting your ADSL each time? Did you do them all in a row? Normally
with ADSL unless you disconnect and reconnect it, your IP address should not
change that frequently. If you ran it three or four times in a row and saw
three or four different "unique ip address numbers", that is an indication
that shields up isn't actually scanning YOUR computer.

You mentioned that you have an ADSL router. Which router do you have? ADSL
routers can normally act as a sort of firewall, too, by virtue of the way
they work. Is your ADSL router configured with your single computer as a
"DMZ host" (the wording can vary with different manufacturers, but usually
contains "DMZ"), or is it configured so that you could connect another
computer to your network and have it be on the internet too?

If you go into the configuration of your ADSL router, there will be a page
that shows what its current configuration is. It should show you what the
IP address it got from your ISP is. On some routers, that information is
located on the "Status" page instead of the configuration one. Does the IP
address that your ADSL router gets from your ISP match the IP address that
"shields up" thinks is your IP address?

I realize some of the above may be a little confusing, because I can't tell
you exactly what to look for. If you have trouble finding any of the things
I asked for, reply back with the type of ADSL router you have and I can be
more specific.

-Matt
 
Gene

Thanks Matt. Yes, I disconnected and reconnected the ADSL
device on every test I ran (2 hours between them, not in
a row). My 'unique IP address number' changes only when I
shut off and reconnect the ADSL device. The IP numbers
shown on the 'shields up' scanning page go from, say,
200.60.240.219 yesterday, to 200.60.240.103 earlier
today, to 200.48.52.223 now.
My ADSL router is a Zyxel, model Prestige 643, with a
4-port ethernet switch. As far as I know, this device is
configured to work with my single PC only (single user
account). Going into the router's configuration, the IP
address that it gets from my ISP does not match the IP
address that 'shields up' displays.
I hope these lines help; please let me know if you
need additional information and/or what your conclusion is.
Thanks for your time!
Matt DuBois [MSFT]

Okay, I think we're almost there, thanks for hanging on. Just to make sure,
the IP address the ISP gives you will NOT be anything like 192.168.x.x or
10.x.x.x. If you see that, then you're looking at the address of the router
on your local LAN and not on the internet. From what you've said so far, I
THINK that you are okay. As a last step, can you paste what "shields up"
thinks your address is, and then what the router says is its address? If it
makes you nervous, you can disconnect your modem and reconnect it again to
change the address right after you get the info.
 
Gene

Thanks Matt!
This morning when I turned the router on and got connected to
my ISP, I attempted to perform a new scan from
grc.com. This time 'shields up' shows the following
message:
----------------------------------------------------------
Your Internet connection has no Reverse DNS
Many Internet connection IP addresses are associated with
a DNS machine name. (But yours is not.) The presence
of "Reverse DNS", which allows the machine name to be
retrieved from the IP address, can represent a privacy
and possible security concern for Internet consumers
since it may uniquely and persistently identify your
Internet account - and therefore you - and may disclose
other information, such as your geographic location.

When present, reverse DNS is supported by Internet
service providers. But no such lookups are possible with
your current Internet connection address
(200.106.23.155). That's generally a good thing.
----------------------------------------------------------

This is the first time I have seen a message like this. What
does it mean? As I told you earlier, my previous tests
indicated a 'unique IP address number' like 200.60.x.x
(it changes every time I shut off/reconnect the router).
This time the message above appears. Very confusing.
I can't get into the router configuration because techs from
my ISP have changed the access password. Is it secure (or
helpful) to post details of my Local Area Connection
Status here in newsgroups? (Sorry if it's a dumb question.)
The file sharing test results from 'shields up' show the
following:

----------------------------------------------------------
Shields UP! is checking YOUR computer's Internet
connection security . . . currently located at IP:

200.106.23.155

Please Stand By. . .

1) Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden
Internet Server within your PC. It is likely that no one
has told you that your own personal computer may now be
functioning as an Internet Server with neither your
knowledge nor your permission. And that it may be serving
up all or many of your personal files for reading,
writing, modification and even deletion by anyone,
anywhere, on the Internet!
2) Preliminary Internet connection refused!
This is extremely favorable for your system's overall
Windows File and Printer Sharing security. Most Windows
systems, with the Network Neighborhood installed, hold
the NetBIOS port 139 wide open to solicit connections
from all passing traffic. Either this system has closed
this usually-open port, or some equipment or software
such as a "firewall" is preventing external connection
and has firmly closed the dangerous port 139 to all
passersby. (Congratulations!)
3) Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer
have FAILED. (This is very uncommon for a Windows
networking-based PC.) Relative to vulnerabilities from
Windows networking, this computer appears to be VERY
SECURE since it is NOT exposing ANY of its internal
NetBIOS networking protocol over the Internet.
----------------------------------------------------------



Common ports test summary: (only the first test shows ports 21
and 23 open; the next ones show them closed)
----------------------------------------------------------
3 Ports Open
21 Ports Closed
1 Ports Stealth
---------------------
25 Ports Tested

Ports found to be OPEN were: 21, 23, 80

The port found to be STEALTH was: 0

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS
RECEIVED.
----------------------------------------------------------



All service ports test: (ports 21 and 23 generally closed)
----------------------------------------------------------
1 Ports Open
1053 Ports Closed
2 Ports Stealth
---------------------
1056 Ports Tested

The port found to be OPEN was: 80

Ports found to be STEALTH were: 0, 520

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS
RECEIVED.
 
Matt DuBois [MSFT]

I don't know enough about your ISP and how they have your router configured
to say for sure whether Shields Up is scanning your router or one of your
ISP's servers. I do believe at this point that it is NOT scanning your
computer. If you call your ISP, they can help you figure out what exactly
is being scanned. If it winds up being your router, then you can talk to
them about your concerns and they can explain why those ports are sometimes
open.

As for the message you got this morning about the Reverse DNS - it's
something to do with the configuration of your ISP's DNS servers. I wouldn't
worry about that bit either way. My ISP, for instance, has reverse lookups
configured, but the name is pure nonsense that doesn't identify who I am or
my account name at all. Most ISPs are the same way.

The three ports it mentioned being open this time are 21, 23, and 80. Those
ports are, respectively, FTP, telnet and HTTP. These are things that are
probably not on your computer, but MIGHT be on your router so that your ISP
can configure it remotely. . .though FTP is a stretch for that. You can do
a quick check on your computer to confirm the ports are not open, but I am
pretty convinced at this point that what Shields Up is finding isn't your
computer.

To do the quick check of your own computer, run the following commands from
a command prompt (copy and paste them from here):

netstat -an |findstr ":21"
netstat -an |findstr ":23"
netstat -an |findstr ":80"

These commands will filter the output of "netstat -an", which shows all open
ports and connections on your computer, down to just the things you are
interested in.

After you run each one, look at the output. It will look something like
this (note, the IP addresses will be different). Note that the output for
the first two commands will likely be a blank line, so don't be concerned.

TCP 169.254.10.23:2266 169.254.10.24:80 CLOSE_WAIT
TCP 169.254.10.23:2268 169.254.10.24:80 CLOSE_WAIT
TCP 169.254.10.23:3945 169.254.10.25:80 ESTABLISHED
TCP 169.254.10.23:3946 169.254.10.26:80 ESTABLISHED
TCP 169.254.10.23:3947 169.254.10.26:80 ESTABLISHED

You are looking for either of two things:
1) The last column saying "LISTENING"
2) The number after the : in the second column being 21, 23, or 80

If you see either of the above two things, then there is cause for concern
and we can chase down what is listening. Otherwise, the best thing to do is
give your ISP a call. No one will know more about how their network is set
up, and how your router is set up, than they do, so they will be able to
tell you why Shields Up reports what it does.
 
Gene

Matt,
I ran the commands you asked me to run. You are correct, the first two
commands gave a blank line as the result. The netstat -an |findstr ":80"
command looked like this:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Ronald>netstat -an |findstr ":80"
TCP 192.168.1.2:3266 207.22.51.86:80 ESTABLISHED
TCP 192.168.1.2:3267 199.125.90.97:80 ESTABLISHED
TCP 192.168.1.2:3268 199.125.90.101:80 ESTABLISHED
TCP 192.168.1.2:3269 199.125.90.101:80 ESTABLISHED
TCP 192.168.1.2:3270 207.22.51.86:80 ESTABLISHED

C:\Documents and Settings\Ronald>netstat -an |findstr ":80"
TCP 192.168.1.2:3272 65.82.150.11:80 LAST_ACK
TCP 192.168.1.2:3275 65.82.150.30:80 ESTABLISHED
TCP 192.168.1.2:3276 65.82.150.30:80 ESTABLISHED
TCP 192.168.1.2:3306 65.82.150.11:80 LAST_ACK
TCP 192.168.1.2:3312 65.82.150.11:80 TIME_WAIT
TCP 192.168.1.2:3316 65.82.150.11:80 ESTABLISHED
TCP 192.168.1.2:3317 65.82.150.11:80 ESTABLISHED

C:\Documents and Settings\Ronald>netstat -an |findstr ":80"
TCP 192.168.1.2:3272 65.82.150.11:80 LAST_ACK
TCP 192.168.1.2:3312 65.82.150.11:80 TIME_WAIT
TCP 192.168.1.2:3322 65.82.150.11:80 LAST_ACK

C:\Documents and Settings\Ronald>netstat -an |findstr ":80"
TCP 192.168.1.2:3328 200.4.216.200:80 ESTABLISHED
TCP 192.168.1.2:3329 200.4.216.200:80 ESTABLISHED
TCP 192.168.1.2:3330 200.4.216.200:80 ESTABLISHED
TCP 192.168.1.2:3331 200.4.216.200:80 ESTABLISHED
TCP 192.168.1.2:3332 200.4.216.200:80 ESTABLISHED

I have noted the ESTABLISHED status during (or shortly after) browsing
activity. How does this sound to you?
I'll give a call to my ISP as you suggest.

I'm grateful for your diligent help, Matt. You are great!



Matt DuBois [MSFT]

Yep, you are right. ESTABLISHED means you are currently connected. In this
case, those would be web sites, since the port is 80 (web traffic usually
goes over 80). LAST_ACK and TIME_WAIT are details of the TCP/IP connection.
If you're really curious I can explain it in more detail, but the short of
it means that those connections are either closed now, or will soon be.
You've already closed the browser window, or moved on to another site at
that point, so your computer is in the process of tearing down the
connection it had established.

You're welcome for the assistance. Sorry I wasn't able to give you the
whole answer, but I feel confident at this point that there isn't anything
wrong with your firewall and that those open ports aren't on your computer,
at least. :)

--
This posting is provided AS IS with no warranties, and confers no rights.
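
The netstat check described in the replies above, as an added example that is not part of the original thread: a Python parser for `netstat -an` output that separates real listeners on ports 21, 23 and 80 from outbound browser connections, which a substring match such as `findstr ":80"` cannot do. The sample lines and all function names are constructed for illustration.

```python
"""Separate real listeners from outbound connections in `netstat -an` output."""
import ipaddress
from collections import namedtuple

# Constructed sample in the `netstat -an` layout seen in the thread. The
# LISTENING rows (135, 23, 8080) and the UDP row are invented edge cases.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    192.168.1.2:8080       0.0.0.0:0              LISTENING
  TCP    192.168.1.2:3266       207.22.51.86:80        ESTABLISHED
  TCP    192.168.1.2:3312       65.82.150.11:80        TIME_WAIT
  TCP    192.168.1.2:3272       65.82.150.11:80        LAST_ACK
  UDP    0.0.0.0:520            *:*
"""

Socket = namedtuple("Socket", "proto local_ip local_port remote_port state")


def _split(endpoint):
    """Split 'ip:port', '[v6]:port' or '*:*' into (ip, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_netstat(text):
    """Return a Socket per TCP/UDP row; headers and blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = _split(parts[1])
        _, remote_port = _split(parts[2])
        if local_port is None:
            continue
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
        socks.append(Socket(parts[0], local_ip, local_port, remote_port, state))
    return socks


def listening_on(socks, ports):
    """Watched ports that this machine itself accepts TCP connections on."""
    return sorted({s.local_port for s in socks
                   if s.proto == "TCP" and s.state == "LISTENING"
                   and s.local_port in ports})


def outbound_to(socks, ports):
    """Connections this machine opened TO a watched remote port (browsing)."""
    return [s for s in socks
            if s.state not in ("", "LISTENING") and s.remote_port in ports]


def local_addresses_private(socks):
    """True if every concrete local address is private (RFC 1918 etc.),
    i.e. an Internet-side scan reaches some other device's address first."""
    seen = set()
    for s in socks:
        try:
            ip = ipaddress.ip_address(s.local_ip)
        except ValueError:
            continue
        if ip.is_unspecified or ip.is_loopback:
            continue
        seen.add(ip)
    return bool(seen) and all(ip.is_private for ip in seen)


def findstr_lines(text, needle):
    """What a plain substring filter like `findstr` would return."""
    return [line for line in text.splitlines() if needle in line]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    print("findstr ':80' rows :", len(findstr_lines(SAMPLE, ":80")))
    print("listening on 21/23/80:", listening_on(socks, {21, 23, 80}))
    print("outbound to port 80  :", len(outbound_to(socks, {80})))
    print("local addrs private  :", local_addresses_private(socks))
```

In the sample, the substring filter returns four rows for ":80" although nothing listens on port 80: three are outbound web connections and one is a listener on 8080.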


Gene

Matt
Your help was quite helpful, more than I had expected from anyone. By the
way, what firewall do you use? XP's ICF or another one? Just curious.
I hope to count on your assistance in the near future.
Thanks a lot for your time.

Matt DuBois [MSFT]

I use XP's ICF on my home machines, and they are additionally tucked away
behind a DSL "router". Some people like the additional feature of being
able to filter outgoing connections from their computer though, which is
something the XP ICF can't do. What firewall you use depends on how you use
your computer and what control you want. The XP ICF is a pretty good basic
firewall, which is enough for me.

If you need help, newsgroups are a great way to go. For me personally, some
weeks are busier than others, and there are lots of newsgroup posts every
day. Fortunately for you, there are also lots of really knowledgeable and
skilled folks that read and respond to the newsgroups. A good subject and a
clear description of what you're seeing, like your initial post, is a good
way to get help!

--
This posting is provided AS IS with no warranties, and confers no rights.

