Port 110 should be closed, but shows open.

I've been fighting with this for a while.  I have a firewall on our Netopia router.  I have blocked port 110 for incomming and outgoing connections, also I have NAT enabled on this router and I am not translating port 110 to anything.

Still when I run a port scan I show that port 110 is open, but when I telnet the port it opens a connection but is just a blank screen.

I am afraid that it is a trojan horse, but I do not know how to find out what machine on our network has it.  Any suggestions will be greatly appreciated.

Thank you,

Fernando.
LVL 2
JFercanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Nemesis-ServicesCommented:
when you do a port scan, are you port scanning the firewall router ? also when you telnet into port 110 is this also the router ip address?

Also look at The Display/Change Input Filter screen and it will list ports that the firewall router is actively using / listening on.
0
JFercanAuthor Commented:
Yes, I do scan the firewall router.  Also I do telnet to port 110 of the router, but as I said, I do not see anything, not event what I type (Only uderscores are shown when I type).

When I look at Display/Change Input Filter I only see my input rules, I do not see if the port is active at that time or not.

Port port 110 I have the following:

Source: 0.0.0.0
Dest:     0.0.0.0
Prot:      TCP
Source:  NC
Dest:     =110
On:        Yes
Fwd:       No

I thought this will block that port, but it still shows open, then I thought a machine from the inside was opening the port, so I create an output filter to block this port, but it still shows open on my scan.

Thank you,

Fernando.
0
Nemesis-ServicesCommented:
go into the filter rule and take off port 110 and then submit the changes and also switch off the router as I've noticed that a reboot of the router doesn't take the neccessary changes and then try a scan again.
0
MSSPs - Are you paying too much?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

JFercanAuthor Commented:
I did and it still shows open.

Woudl having port 25 open and routed to our SMTP server make a difference?  We are running Qmail on Redhat 8 (I am thinking of upgrading).  Anyway, the router uses NAT to send requests on 25 to this machine, I still do not know what machine port 110 goes to as I do not have a map for this port.

Is there a trojan that opens this port from the inside?

Thank you.

Fernando
0
Julian_CCommented:
No, my guess is it's the Virus scanner you are running from the machine you are doing the scan from. As this AV catches all incoming and outgoing mails it messes with port scans and it is very common to get 110 and/or  25 open for every client you ever scan. Try disabling it (service and everything to make sure) and have another go. And make sure your not behind a client FW either as these can mess you up too.

Cheers
Julian
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
idyllicsysCommented:
Are you scanning from inside the firewall or outside? Try going to grc.com and run shields up to see if it is open to the world.
0
JFercanAuthor Commented:
Thank you Julian_C,

As soon as I disable Norton's Email Scanner the ports stopped showing open.  After I enabled it again the ports showed open again.

Thank you for your help.

Fernando!
0
Julian_CCommented:
No problem. I speak from experience! Had me going for a while too.

Cheers
Julian
0
nummagumma2Commented:
Great answer - thank you, just kept me from having a heart attack about my firewall(s). =)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.