shawngilbert
Do I have anything suspicious listed in my open ports?
I have recently killed a couple of trojans on my computer and have found that one of them supposedly opens some ports for remote access. I have been experiencing some slowdowns on my local network and would like to know if there is anything specific here to be concerned with. Local 2-system home network on a Linksys NAT router.
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1039 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1042 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1047 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1048 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1049 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6346 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6346 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6346 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6346 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6346 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6347 0.0.0.0:0 LISTENING
TCP 192.168.1.101:139 0.0.0.0:0 LISTENING
TCP 192.168.1.101:1039 66.216.70.167:80 CLOSE_WAIT
TCP 192.168.1.101:1042 216.155.193.142:5050 ESTABLISHED
TCP 192.168.1.101:1047 205.188.7.254:5190 ESTABLISHED
TCP 192.168.1.101:1048 207.46.107.140:1863 ESTABLISHED
TCP 192.168.1.101:1049 205.188.5.15:5190 ESTABLISHED
TCP 192.168.1.101:1654 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:1656 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:1667 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:1668 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:1669 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:6346 4.26.118.70:6346 ESTABLISHED
TCP 192.168.1.101:6346 24.60.141.96:6348 ESTABLISHED
TCP 192.168.1.101:6346 65.35.194.135:6348 ESTABLISHED
TCP 192.168.1.101:6346 67.170.39.107:6346 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1034 *:*
UDP 0.0.0.0:1035 *:*
UDP 0.0.0.0:1036 *:*
UDP 0.0.0.0:1037 *:*
UDP 0.0.0.0:1038 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:3961 *:*
UDP 192.168.1.101:123 *:*
UDP 192.168.1.101:137 *:*
UDP 192.168.1.101:138 *:*
UDP 192.168.1.101:491 *:*
UDP 192.168.1.101:1900 *:*
ASKER
I have both the NAT firewall and Zone Alarm Pro installed on my XP SP1 system.
How can I shut these off if they are bad?
SOLUTION
SOLUTION
ASKER
No, I got rid of it with several AV and spyware programs. It runs better, but I'm concerned about those open ports.
I do use a p2p browser, but when ZAP asks about allowing it to act as a server, I state "no".
How do you shut down ports in the registry?
It looks like you also may be running some p2p program such as Shareaza. Is this true? Make sure you encrypt your router if it is wireless. Also, run Spybot Search & Destroy and Ad-Aware (2 of the best spyware cleaners); they are also free. If you want to spend some cash I recommend also Webroot's Spy Sweeper. I have all 3 of these; I recommend you do too.
I suggest posting your connection list to Zone Labs, because that's their specialty -- they may be in the best position to tell you what's bad vs. what's okay. And it's free.
You don't shut down ports in the registry, you shut them down with your firewall configuration. In XP, you can disable most services via the Control Panel and by removing items from the Startup folders in the start menu.
SOLUTION
ASKER
Thank you for the information. I have run Spybot, Ad-Aware, HijackThis & XCleaner. I've run online virus scanners from Symantec, McAfee, Panda & Trend. All comes up clean.
So there is no way to turn off 6346 and 6347 for good?
I am using a p2p browser, but each time it asks (Zone Alarm) I disallow it, although that only, supposedly, has access to my shared files folder.
Why in the world would you be using a p2p browser? Use IE, Mozilla, Firefox, anything but p2p. I'm pretty sure those connections are coming from the p2p app. Try shutting down the p2p program. Then disconnect from the internet, wait a minute or 2 and reconnect again. Then post your results.
SOLUTION
shawngilbert,
I'm not familiar with ZA, but you may be able to create a global block rule to disallow those ports (I've done this with NPF). You might also try using TCP/IP filtering, which I briefly described above. And by the way, just because a port you have opened appears in that list, it doesn't necessarily mean you've got a trojan.
-Yohan
ASKER
After turning off the browser, I took another snapshot and this is what I have:
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 192.168.1.101:3058 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:3059 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:3060 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:6346 4.26.118.70:6346 TIME_WAIT
TCP 192.168.1.101:6346 24.60.141.96:6348 TIME_WAIT
TCP 192.168.1.101:6346 216.12.28.158:6346 TIME_WAIT
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1034 *:*
UDP 0.0.0.0:1035 *:*
UDP 0.0.0.0:1036 *:*
UDP 0.0.0.0:1037 *:*
UDP 0.0.0.0:1038 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:3062 *:*
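The question running through this thread is how to read a `netstat -an` listing: which sockets other hosts can actually reach (listeners bound to 0.0.0.0 or the LAN address, as opposed to 127.0.0.1), which lines are just closed-connection leftovers (TIME_WAIT), and which listeners disappeared between the snapshot with the p2p browser running and the one after it was closed. The script below is an added example written for this thread, not code from any of the posters or from Zone Labs; it assumes Windows-style `netstat -an` text like the listings above (an excerpt of which is embedded as constructed sample input), and its port descriptions are standard service assignments used only for labelling, so a label says what a port is registered for, not which program on this machine owns it.

```python
"""Triage `netstat -an` output: label each socket and diff two snapshots.

Added example for the thread above. Assumes Windows-style `netstat -an` text.
"""
import ipaddress
from collections import namedtuple

# Standard port assignments for the services seen in the thread's listings.
# Labelling only: the owning process is not visible in `netstat -an` output.
KNOWN_PORTS = {
    80: "HTTP", 110: "POP3 (mail download)", 123: "NTP",
    135: "MS RPC endpoint mapper", 137: "NetBIOS name service",
    138: "NetBIOS datagram", 139: "NetBIOS session (SMB)", 445: "SMB direct",
    1863: "MSN Messenger", 1900: "SSDP/UPnP discovery",
    3389: "Remote Desktop (RDP)", 5050: "Yahoo Messenger", 5190: "AIM/ICQ",
    6346: "Gnutella", 6347: "Gnutella",
}

Socket = namedtuple("Socket", "proto laddr lport faddr fport state")


def parse_netstat(text):
    """Parse netstat lines; the 'Active Connections' banner and header are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        laddr, lport = parts[1].rsplit(":", 1)
        if parts[2] == "*:*":                      # UDP has no peer
            faddr, fport = "*", None
        else:
            faddr, fport = parts[2].rsplit(":", 1)
            fport = int(fport)
        state = parts[3] if len(parts) > 3 else ""  # UDP lines carry no state
        sockets.append(Socket(parts[0], laddr, int(lport), faddr, fport, state))
    return sockets


def classify(s):
    """Triage label: the key question is who can reach, or is using, the socket."""
    if s.proto == "UDP" or s.state == "LISTENING":
        # 0.0.0.0 or the LAN address accepts traffic from other hosts; 127.0.0.1 does not.
        return "local-only listener" if s.laddr == "127.0.0.1" else "network-reachable listener"
    if s.state == "TIME_WAIT":
        return "closed (TIME_WAIT leftover, expires on its own)"
    if s.state == "CLOSE_WAIT":
        return "half-closed (peer hung up, local app has not closed yet)"
    if s.state == "ESTABLISHED":
        peer = ipaddress.ip_address(s.faddr)
        if peer.is_loopback:
            return "active to localhost"
        return "active to LAN" if peer.is_private else "active to Internet"
    return s.state.lower()


def describe(s):
    """One report line: socket, triage label, and the registered service name."""
    label = classify(s)
    # For listeners the local port identifies the service; for outbound
    # connections the local port is ephemeral and the peer port identifies it.
    port = s.lport if label.endswith("listener") else s.fport
    service = KNOWN_PORTS.get(port, "unregistered/ephemeral")
    peer = f"{s.faddr}:{s.fport}" if s.fport is not None else "*:*"
    return f"{s.proto} {s.laddr}:{s.lport} -> {peer} [{label}] {service}"


def exposed_listeners(sockets):
    """Sorted (proto, port, service) for listeners other hosts can reach."""
    return sorted(
        (s.proto, s.lport, KNOWN_PORTS.get(s.lport, "unregistered/ephemeral"))
        for s in sockets if classify(s) == "network-reachable listener"
    )


def diff_listeners(before, after):
    """Listeners that vanished and that appeared between two snapshots."""
    key = lambda s: (s.proto, s.laddr, s.lport)
    b = {key(s) for s in before if classify(s).endswith("listener")}
    a = {key(s) for s in after if classify(s).endswith("listener")}
    return sorted(b - a), sorted(a - b)


# Constructed excerpts of the thread's snapshots: p2p browser running, then closed.
BEFORE = """Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6346 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6347 0.0.0.0:0 LISTENING
TCP 192.168.1.101:139 0.0.0.0:0 LISTENING
TCP 192.168.1.101:1047 205.188.7.254:5190 ESTABLISHED
TCP 192.168.1.101:1654 63.240.76.10:110 TIME_WAIT
TCP 192.168.1.101:6346 4.26.118.70:6346 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 127.0.0.1:123 *:*
"""
AFTER = """Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 192.168.1.101:6346 4.26.118.70:6346 TIME_WAIT
UDP 0.0.0.0:445 *:*
UDP 127.0.0.1:123 *:*
"""

if __name__ == "__main__":
    before, after = parse_netstat(BEFORE), parse_netstat(AFTER)
    for s in before:
        print(describe(s))
    gone, new = diff_listeners(before, after)
    print("listeners gone after closing the p2p app:", gone)
    print("listeners that appeared:", new)
    print("still reachable from the network:", exposed_listeners(after))
```

Run against the two full listings in the thread, the diff shows exactly the Gnutella listeners (6346/6347) and the NetBIOS 139 listener going away, while 135, 445, 3389 and 5000 stay reachable from the network; those are the ones worth confirming against the firewall rules, since a NAT router hides them from the Internet but not from the other machine on the LAN.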
ASKER
So the only ones I need to have any concern over are the valid (although private) addresses?
Which leads me to think that the first three are my POP3 mail, and who knows what the last three are for (6346 and 6348).
6346 and 6348 may be Kazaa; is that what you're using?
ASKER
No, www.deepnetexplorer.com - it's a new browser I stumbled upon... I may ditch it now though.
Do you have Kazaa?
Well, those ports are saying TIME_WAIT. Have you restarted your computer lately? If not, try it. Also, according to a port list I've got, 6346 and 6347 are registered to Gnutella, a file sharing program. But who's to say Kazaa can't use them too.
ASKER
No Kazaa (I hate it; I have had to remove it from some friends' computers).
No gnutella that I know of either.
This one is after a clean reboot and I'm not using the p2p browser (though I haven't uninstalled it yet). Seems to me like the list is growing?
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1031 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1045 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1046 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1055 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1058 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1061 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1065 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1066 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 127.0.0.1:445 127.0.0.1:1031 ESTABLISHED
TCP 127.0.0.1:1031 127.0.0.1:445 ESTABLISHED
TCP 192.168.1.101:139 0.0.0.0:0 LISTENING
TCP 192.168.1.101:1033 0.0.0.0:0 LISTENING
TCP 192.168.1.101:1033 192.168.1.102:139 ESTABLISHED
TCP 192.168.1.101:1044 207.46.104.20:1863 TIME_WAIT
TCP 192.168.1.101:1045 216.155.193.136:5050 ESTABLISHED
TCP 192.168.1.101:1046 66.216.70.167:80 CLOSE_WAIT
TCP 192.168.1.101:1049 66.77.183.81:80 TIME_WAIT
TCP 192.168.1.101:1050 66.77.183.81:80 TIME_WAIT
TCP 192.168.1.101:1051 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1052 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1053 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1054 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1055 205.188.7.253:5190 ESTABLISHED
TCP 192.168.1.101:1056 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1057 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1058 207.46.106.114:1863 ESTABLISHED
TCP 192.168.1.101:1059 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1060 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1061 205.188.5.12:5190 ESTABLISHED
TCP 192.168.1.101:1062 12.129.72.158:80 TIME_WAIT
TCP 192.168.1.101:1063 192.168.1.102:445 TIME_WAIT
TCP 192.168.1.101:1065 64.12.26.30:5190 ESTABLISHED
TCP 192.168.1.101:1066 205.188.176.69:5190 ESTABLISHED
TCP 192.168.1.101:1165 204.127.202.10:110 TIME_WAIT
TCP 192.168.1.101:1166 204.127.202.10:110 TIME_WAIT
TCP 192.168.1.101:1167 204.127.202.10:110 TIME_WAIT
TCP 192.168.1.101:1215 63.211.210.221:80 TIME_WAIT
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1034 *:*
UDP 0.0.0.0:1035 *:*
UDP 0.0.0.0:1036 *:*
UDP 0.0.0.0:1037 *:*
UDP 0.0.0.0:1038 *:*
UDP 0.0.0.0:1039 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1069 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.1.101:123 *:*
UDP 192.168.1.101:137 *:*
UDP 192.168.1.101:138 *:*
UDP 192.168.1.101:491 *:*
UDP 192.168.1.101:1900 *:*
ASKER CERTIFIED SOLUTION
use netstat :)
x-netstat for GUI :)
ASKER
Thank you everyone for your help.
Without a properly configured firewall, you're begging to be hacked and your computer may be used to attack other computers.