shawngilbert asked:

Do I have anything suspicious listed in my open ports?

I have recently killed a couple of trojans on my computer and have found that one of them supposedly opens some ports for remote access. I have been experiencing some slowdowns on my local network and would like to know if there is anything specific here to be concerned with. Local 2-system home network on a Linksys NAT router.


Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1042           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1047           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1048           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1049           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6347           0.0.0.0:0              LISTENING
  TCP    192.168.1.101:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1039     66.216.70.167:80       CLOSE_WAIT
  TCP    192.168.1.101:1042     216.155.193.142:5050   ESTABLISHED
  TCP    192.168.1.101:1047     205.188.7.254:5190     ESTABLISHED
  TCP    192.168.1.101:1048     207.46.107.140:1863    ESTABLISHED
  TCP    192.168.1.101:1049     205.188.5.15:5190      ESTABLISHED
  TCP    192.168.1.101:1654     63.240.76.10:110       TIME_WAIT
  TCP    192.168.1.101:1656     63.240.76.10:110       TIME_WAIT
  TCP    192.168.1.101:1667     63.240.76.10:110       TIME_WAIT
  TCP    192.168.1.101:1668     63.240.76.10:110       TIME_WAIT
  TCP    192.168.1.101:1669     63.240.76.10:110       TIME_WAIT
  TCP    192.168.1.101:6346     4.26.118.70:6346       ESTABLISHED
  TCP    192.168.1.101:6346     24.60.141.96:6348      ESTABLISHED
  TCP    192.168.1.101:6346     65.35.194.135:6348     ESTABLISHED
  TCP    192.168.1.101:6346     67.170.39.107:6346     ESTABLISHED
  UDP    0.0.0.0:445            *:*                    
  UDP    0.0.0.0:1034           *:*                    
  UDP    0.0.0.0:1035           *:*                    
  UDP    0.0.0.0:1036           *:*                    
  UDP    0.0.0.0:1037           *:*                    
  UDP    0.0.0.0:1038           *:*                    
  UDP    127.0.0.1:123          *:*                    
  UDP    127.0.0.1:1900         *:*                    
  UDP    127.0.0.1:3961         *:*                    
  UDP    192.168.1.101:123      *:*                    
  UDP    192.168.1.101:137      *:*                    
  UDP    192.168.1.101:138      *:*                    
  UDP    192.168.1.101:491      *:*                    
  UDP    192.168.1.101:1900     *:*                    
jdlambert1:

This looks pretty bad. You should have a firewall (it could be built into the router or available in your operating system) that blocks all inbound connections on every port unless you're running some kind of Internet service (such as a web server). If you run an Internet service, only the ports required for that service should be open on your firewall (e.g., 80 and 443 for a web server). It can be open on all ports for outgoing connections. That means when you initiate a connection, the responses are allowed in and a 2-way connection can be established, but any connection that tries to *originate* from outside will be denied (again, unless you're running an Internet service).

Without a properly configured firewall, you're begging to be hacked and your computer may be used to attack other computers.
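The answer above draws the inbound/outbound distinction by reading the listing by hand. The following Python script is an added example, not code from the thread or from any Experts Exchange member: it parses `netstat -an` output in the layout shown in the question and sorts each socket into exposed listeners (bound to 0.0.0.0 or a LAN address, so reachable from other hosts and, if the router forwards the port, from the Internet), loopback-only listeners, and connections labelled with the matched service name. The sample listing, the port table and the `triage`/`unidentified_listeners` helpers are all constructed for this example; the inbound/outbound label is a heuristic based on which side of the connection carries a well-known port.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of Windows `netstat -an`; the public
# addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING
  TCP    192.168.1.101:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1654     192.0.2.10:110         TIME_WAIT
  TCP    192.168.1.101:1047     198.51.100.5:5190      ESTABLISHED
  TCP    192.168.1.101:6346     203.0.113.7:6348       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Hand-built port-to-service table covering the ports that appear in the thread.
KNOWN_PORTS = {
    80: "HTTP", 110: "POP3", 123: "NTP", 135: "MS RPC endpoint mapper",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session / SMB",
    445: "SMB over TCP", 1863: "MSN Messenger", 1900: "SSDP (UPnP discovery)",
    3389: "Remote Desktop (RDP)", 5050: "Yahoo Messenger",
    5190: "AOL Instant Messenger", 6346: "Gnutella", 6347: "Gnutella",
}
UNKNOWN = "unregistered/dynamic"
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# proto, local endpoint, foreign endpoint, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: str  # "0" or "*" for listeners, so kept as text
    state: str        # empty string for UDP


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 forms like [::]:135 survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one Socket per TCP/UDP line; headers and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        sockets.append(Socket(proto, lip, int(lport), rip, rport, state))
    return sockets


def is_listener(s):
    # Windows netstat shows every bound UDP socket with foreign address *:*.
    return s.state == "LISTENING" or (s.proto == "UDP" and s.remote_ip == "*")


def describe_port(port):
    return KNOWN_PORTS.get(port, UNKNOWN)


def triage(text):
    """Sort sockets into exposed listeners, loopback listeners and connections."""
    report = {"exposed_listeners": [], "loopback_listeners": [], "connections": []}
    for s in parse_netstat(text):
        if is_listener(s):
            key = "loopback_listeners" if s.local_ip in LOOPBACK else "exposed_listeners"
            report[key].append((s.proto, s.local_port, describe_port(s.local_port)))
            continue
        rport = int(s.remote_port)
        # Heuristic: the side with the well-known port is the service end.
        if rport in KNOWN_PORTS or s.local_port not in KNOWN_PORTS:
            direction, service = "outbound", describe_port(rport)
        else:
            direction, service = "inbound", describe_port(s.local_port)
        report["connections"].append((direction, s.remote_ip, rport, service, s.state))
    return report


def unidentified_listeners(report):
    """Exposed listeners with no table entry: the ones to tie to a process."""
    return [entry for entry in report["exposed_listeners"] if entry[2] == UNKNOWN]


if __name__ == "__main__":
    result = triage(SAMPLE)
    for bucket, entries in result.items():
        print(bucket)
        for entry in entries:
            print("   ", entry)
    print("review these exposed listeners:", unidentified_listeners(result))
```

Feed it the real listing with `triage(open("netstat.txt").read())`. Anything that lands in `unidentified_listeners` still has to be matched to the program that opened it; later netstat builds add `-o` (owning process ID) and `-b` (executable name) for that, and a listener on 0.0.0.0 is only reachable from the Internet if the router forwards the port, which the NAT setup in the question does not do by default.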
shawngilbert (asker):

I have both the NAT firewall and Zone Alarm Pro installed on my XP SP1 system.
How can I shut these off if they are bad?
SOLUTION by jdlambert1 (members only)
SOLUTION (members only)
No, I got rid of it with several AV and spyware programs.  It runs better, but I'm concerned about those open ports.
I do use a p2p browser, but when ZAP asks about allowing it to act as a server, I state "no".
How do you shut down ports in the registry?
It looks like you also may be running some p2p program such as Shareaza. Is this true? Make sure you encrypt your router if it is wireless. Also, run Spybot Search and Destroy and Ad-Aware (2 of the best spyware cleaners); they are also free. If you want to spend some cash I recommend also Webroot's Spy Sweeper. I have all 3 of these; I recommend you do too.
I suggest posting your connection list to Zone Labs, because that's their specialty -- they may be in the best position to tell you what's bad vs. what's okay. And it's free.

You don't shut down ports in the registry, you shut them down with your firewall configuration. In XP, you can disable most services via the Control Panel and by removing items from the Startup folders in the start menu.
SOLUTION (members only)
Thank you for the information.  I have run spybot, adaware, hijackthis & xcleaner.  I've run online virus scanners from symantec, mcafee, panda & trend.  All comes up clean.  
So there is no way to turn off 6346 and 6347 for good?  
I am using a p2p browser, but each time it asks (zone alarm) I disallow it, although that only, supposedly, has access to my shared files folder.
Why in the world would you be using a p2p browser? Use IE, Mozilla, Firefox, anything but p2p. I'm pretty sure those connections are coming from the p2p app. Try shutting down the p2p program, then disconnect from the internet, wait a min or 2 and reconnect again. Then post your results.
SOLUTION (members only)
shawngilbert,

I'm not familiar with ZA, but you may be able to create a global block rule to disallow those ports (I've done this with NPF). You might also try using TCP/IP filtering, which I briefly described above. And by the way, just because a port you have opened appears in that list, it doesn't necessarily mean you've got a trojan.

-Yohan
After turning off the browser, I took another snapshot and this is what I have:


Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.101:3058     63.240.76.10:110       TIME_WAIT
  TCP    192.168.1.101:3059     63.240.76.10:110       TIME_WAIT
  TCP    192.168.1.101:3060     63.240.76.10:110       TIME_WAIT
  TCP    192.168.1.101:6346     4.26.118.70:6346       TIME_WAIT
  TCP    192.168.1.101:6346     24.60.141.96:6348      TIME_WAIT
  TCP    192.168.1.101:6346     216.12.28.158:6346     TIME_WAIT
  UDP    0.0.0.0:445            *:*                    
  UDP    0.0.0.0:1034           *:*                    
  UDP    0.0.0.0:1035           *:*                    
  UDP    0.0.0.0:1036           *:*                    
  UDP    0.0.0.0:1037           *:*                    
  UDP    0.0.0.0:1038           *:*                    
  UDP    127.0.0.1:123          *:*                    
  UDP    127.0.0.1:1900         *:*                    
  UDP    127.0.0.1:3062         *:*                    
So the only ones I need to have any concern over are the valid (although private) addresses?
Which leads me to think that the first three are my pop3 mail and who knows what the last three are for (6346, & 6348)
6346 and 6348 may be Kazaa. Is that what you're using?
No, www.deepnetexplorer.com - it's a new browser I stumbled upon... I may ditch it now though.
Do you have Kazaa?
Well, those ports are saying TIME_WAIT.  Have you restarted your computer lately?  If not, try it.  Also, according to a port list I've got, 6346 and 6347 are registered to Gnutella, a file sharing program.  But who's to say Kazaa can't use them too.
No kazaa (I hate it - have had to remove it from some friend's computers).
No gnutella that I know of either.

This one is after a clean reboot and I'm not using the p2p browser (though I haven't uninstalled it yet).  Seems to me like the list is growing?

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1031           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1045           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1046           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1055           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1058           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1061           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1066           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:445          127.0.0.1:1031         ESTABLISHED
  TCP    127.0.0.1:1031         127.0.0.1:445          ESTABLISHED
  TCP    192.168.1.101:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1033     0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1033     192.168.1.102:139      ESTABLISHED
  TCP    192.168.1.101:1044     207.46.104.20:1863     TIME_WAIT
  TCP    192.168.1.101:1045     216.155.193.136:5050   ESTABLISHED
  TCP    192.168.1.101:1046     66.216.70.167:80       CLOSE_WAIT
  TCP    192.168.1.101:1049     66.77.183.81:80        TIME_WAIT
  TCP    192.168.1.101:1050     66.77.183.81:80        TIME_WAIT
  TCP    192.168.1.101:1051     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1052     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1053     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1054     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1055     205.188.7.253:5190     ESTABLISHED
  TCP    192.168.1.101:1056     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1057     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1058     207.46.106.114:1863    ESTABLISHED
  TCP    192.168.1.101:1059     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1060     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1061     205.188.5.12:5190      ESTABLISHED
  TCP    192.168.1.101:1062     12.129.72.158:80       TIME_WAIT
  TCP    192.168.1.101:1063     192.168.1.102:445      TIME_WAIT
  TCP    192.168.1.101:1065     64.12.26.30:5190       ESTABLISHED
  TCP    192.168.1.101:1066     205.188.176.69:5190    ESTABLISHED
  TCP    192.168.1.101:1165     204.127.202.10:110     TIME_WAIT
  TCP    192.168.1.101:1166     204.127.202.10:110     TIME_WAIT
  TCP    192.168.1.101:1167     204.127.202.10:110     TIME_WAIT
  TCP    192.168.1.101:1215     63.211.210.221:80      TIME_WAIT
  UDP    0.0.0.0:445            *:*                    
  UDP    0.0.0.0:1034           *:*                    
  UDP    0.0.0.0:1035           *:*                    
  UDP    0.0.0.0:1036           *:*                    
  UDP    0.0.0.0:1037           *:*                    
  UDP    0.0.0.0:1038           *:*                    
  UDP    0.0.0.0:1039           *:*                    
  UDP    127.0.0.1:123          *:*                    
  UDP    127.0.0.1:1069         *:*                    
  UDP    127.0.0.1:1900         *:*                    
  UDP    192.168.1.101:123      *:*                    
  UDP    192.168.1.101:137      *:*                    
  UDP    192.168.1.101:138      *:*                    
  UDP    192.168.1.101:491      *:*                    
  UDP    192.168.1.101:1900     *:*                    
ASKER CERTIFIED SOLUTION (members only)
use netstat :)
x-netstat for GUI :)
Thank you everyone for your help.