smeebud

asked on

Interpreting Netstat Reports

I've been told that the below indicates "OPEN PORTS".
That is what I'm trying to get away from.

Can someone tell me if this is true, open ports, and if it's the
UDP that specifies an open port or the *:*?

D:\WINNT>netstat -a
UDP    my machine3cj:epmap  *:*
UDP    my machine3cj:microsoft-ds  *:*
UDP    my machine3cj:1025   *:*
UDP    my machine3cj:1027   *:*
UDP    my machine3cj:netbios-ns  *:*
UDP    my machine3cj:netbios-dgm  *:*
UDP    my machine3cj:isakmp  *:*
UDP    my machine3cj:2278   *:*
UDP    my machine3cj:2288   *:*

I'm using Zonealarm at present.
If I'm in the wrong area of experts-exchange please let me know.

Regards, Bud
http://www.wintrouble.net
SysExpert

As long as these are on a LAN, then you have no problem.

I would use:

Test firewall ports  and port blocking
http://grc.com/

to see if you have any real problems,
or use NMAP or similar to do intrusion testing.

I hope this helps !
smeebud

ASKER

I was hoping for more than that.
I need to know how to interpret these
things.
For instance, can you tell me which ports are open?
What does *:* mean, and so forth.

I'm not on a LAN.

Regards, Bud
http://www.wintrouble.net

List of TCP/IP ports (port list, TCP ports list):
http://www.joemagee.com/filez/port-numbers.txt

Most of the ports are ports that MS listens on: NetBIOS, DHCP, WINS, DNS,
etc.

I hope the list I quoted will help.


Hi smeebud,

Basically what it is telling you is the

protocol -> TCP/UDP

hostname/computername -> my machine3cj

service/portnumber -> epmap or 80

connection status -> *:* or bab5:1046

*:* means that it is waiting for packets... you will only find this with UDP because it is a connectionless protocol i.e. you do not need to establish a connection before sending it data.

bab5:1046 means that it has a connection to a machine called bab5 on port 1046.

Hope this helps

l8knight
smeebud

ASKER

l8knight,
 
You've hit on it.

*:* means that it is waiting for packets... you will only find this with UDP because it is a connectionless
protocol i.e. you do not need to establish a connection before sending it data.

What I want to know is, does *:* mean an open port that port sniffers can access?

Regards, Bud
http://www.wintrouble.net
Yes, a port sniffer can tell that you have that port open... whether they can access it or not depends on what is using that port. If it is a backdoor program like "Back Orifice" then yes they could... if it is a DNS server then they could only use it for doing a DNS query.

l8knight
A port sniffer will only show what ports are active on a machine...

You would then need either to use a security vulnerability in the legitimate software, e.g. running an executable via the scripts directory in a web server, or access illegitimate software such as Back Orifice.

There is no magic way for hackers to gain access to your machine.

Keep adding security updates to your machine and use a virus checker (most of these will detect a trojan) and you should be fairly safe.

Hope this explains it a little better.

regards

l8knight
smeebud

ASKER

It explains it very well.

I'd just like to know how to close these ports.
For instance, I'm using ZoneAlarm.

There are sections in it where I can specify ports to lock.
But a port with the # 1025 is used, for instance, when I FTP.

So if I lock it, the FTP will just look for the next higher number.
I can't lock them all.

The reason I'm paranoid is that last week, as I was working, my screen went black, locked tight.
When I shut down and tried to re-boot, the system didn't see any drives. It took two days to rebuild my boot loader,
but when I restored drive D:, where I have Windows 2000 and was working on it when the system crashed, I saw that the drive had been named "John".....

I never label my drives so I'm sure someone came in and did this.

Regards, Bud
http://www.wintrouble.net

ZoneAlarm, if kept updated, is not easy to bypass.
It could have been a random label caused when you crashed.

Just use 2 updated virus scanners and keep your OS security patches updated also.

Turn off all sharing.

I hope this helps !
Hi Bud,

Sorry, I have no experience whatsoever with ZoneAlarm so I can't tell you how to block/close ports with it. :-(

I wouldn't worry about outgoing ports that get opened while you are using internet software like FTP. Your software needs to open these to communicate with the internet.

Worry about the incoming ports that are always open.

A quick check is to close all your internet apps, then do a netstat -a and check the ports against a known port list like the one SysExpert provided a link to above. This way you can work out which services are using the ports. If the ports/services seem suspect or you can't match up the port number with a known service, then I would think about blocking it.

Another thing you could do is get a list of ports that trojans are known to use... you should be able to find such a list at any good security-oriented website.

Cheers and good hunting

l8knight
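One way to do the check l8knight describes above (close your internet apps, run netstat -a, match each listening port to a known service, and flag the rest), written as an added Python example that is not part of this thread: it parses netstat -a lines in the layout shown earlier and classifies each socket the way l8knight's field-by-field explanation does. The service table and the dynamic-port range are standard Windows 2000 assignments; the hostnames and sample lines are constructed, and the parser assumes hostnames without spaces, as netstat actually prints them.

```python
# Service names as printed by "netstat -a" on Windows 2000, with port numbers and the
# component that normally owns them (well-known assignments, not taken from this thread).
KNOWN_SERVICES = {
    "epmap": (135, "RPC endpoint mapper"),
    "netbios-ns": (137, "NetBIOS name service"),
    "netbios-dgm": (138, "NetBIOS datagram service"),
    "microsoft-ds": (445, "SMB direct hosting"),
    "isakmp": (500, "IPsec IKE"),
}
EPHEMERAL = range(1025, 5001)  # Windows 2000 default dynamic (client-side) port range

def parse_netstat(text):
    """Return (proto, local_port, foreign, state) for each socket line; skip headers."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_port = parts[1].rsplit(":", 1)[1]
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else ""
        sockets.append((parts[0], local_port, parts[2], state))
    return sockets

def classify(proto, local_port, foreign, state):
    """Is this socket waiting for unsolicited traffic, and if so, who normally owns it?"""
    waiting = (proto == "UDP" and foreign == "*:*") or state == "LISTENING"
    if not waiting:
        return f"{proto} {local_port}: {state or 'in use'} with {foreign}, not an open port"
    if local_port in KNOWN_SERVICES:
        num, owner = KNOWN_SERVICES[local_port]
        return f"{proto} {num} ({local_port}): open, normally {owner}"
    if local_port.isdigit() and int(local_port) in EPHEMERAL:
        return f"{proto} {local_port}: open, dynamic port; match it to a running program"
    return f"{proto} {local_port}: open, unknown service; review"

def report(text):
    return [classify(*s) for s in parse_netstat(text)]

# Constructed sample in the layout of the thread's output (hostnames are made up).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    host3cj:epmap          host3cj:0              LISTENING
  TCP    host3cj:1046           bab5:ftp               ESTABLISHED
  UDP    host3cj:epmap          *:*
  UDP    host3cj:netbios-ns     *:*
  UDP    host3cj:1025           *:*
  UDP    host3cj:7777           *:*
"""
```

Calling report(SAMPLE) gives one verdict per socket; anything marked "unknown service" is what to look up in the port list before deciding whether to block it.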
ASKER CERTIFIED SOLUTION
l8knight

smeebud

ASKER

Thank you both, SysExpert
and l8knight.

I'm going to have to give this port subject some serious study.

Regards, Bud
http://www.wintrouble.net