RBmuzac
asked on
SIP on Windows 2000
I have just taken over some older Windows 2000 servers that house a client-server application. A recent scan from the Security Operations Center tells me that I have SIP services running and I need to justify having them or remove them. As far as I know, SIP is for IP telephony and we don't use anything like that on our servers. How do I go about disabling this? And is this wise?
ASKER
They sent me this text of the scan:
Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-04 09:02 MDT
Interesting ports on 161.X.X.X
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
111/tcp open rpcbind
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1032/tcp open msrpc Microsoft Windows RPC
1095/tcp open msrpc Microsoft Windows RPC
1720/tcp filtered H.323/Q.931
2000/tcp filtered callbook
3372/tcp open msdtc?
3389/tcp open microsoft-rdp Microsoft Terminal Service
5060/tcp filtered sip
6502/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=4.76%I=7%D=5/4%Time=49FF0379%P=i686-pc-linux-gnu%r(GetRe
SF:quest,6,"P\x9a\n\0x\x01")%r(RTSPRequest,6,"P\x9a\n\0x\x01")%r(HTTPOptio
SF:ns,6,"P\x9a\n\0x\x01")%r(Help,6,"P\x9a\n\0x\x01")%r(SSLSessionReq,6,"P\
SF:x9a\n\0x\x01")%r(FourOhFourRequest,6,"P\x9a\n\0x\x01")%r(LPDString,6,"P
SF:\x9a\n\0x\x01")%r(SIPOptions,6,"P\x9a\n\0x\x01");
Service Info: OS: Windows
Host script results:
| Discover OS Version over NetBIOS and SMB: Windows 2000
|_ Discover system time over SMB: 2009-05-04 09:03:24 UTC-4
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.04 seconds
Honestly I don't know what to make of it. I downloaded the tools that you pointed out and was not able to come to a conclusion. I didn't see anything with regards to port 5060. Is there anything else you can tell me about this? Thanks
ASKER
Thanks Dave. That worked! You are the man!
It sounds more likely that *something* is running on port 5060 and/or 5061, and your SOC can't tell the difference between a random app on those ports and a real SIP server.
I would suggest the easiest method is to use tcpview (from the sysinternals/microsoft site - http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx) and see what is running on that port. If it is non-obvious what it is that is running (it's a service under svchost), then note the process id and look THAT up using process explorer - http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
I suspect you will find that it is something harmless, but check with your SOC that they are just concerned that SOMETHING is running on 5060 (and if not, ask them what it is they *are* reporting so you can investigate further).
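To decide which of the scanned ports actually need the tcpview / process explorer check, here is an added example (not code from the question or the answer above) that parses the PORT STATE SERVICE VERSION table nmap printed and rates the evidence per port; the sample text is a constructed subset of the scan quoted in the question, and the function names are my own. The point it makes: nmap marks a port "filtered" when it got no reply at all, so the "sip" on 5060 is only nmap's table name for that port number, not a detected service, and the box itself has to be checked.

```python
import re

# Constructed sample: a subset of the port table from the Nmap 4.76 -sV
# report quoted in the question (the same lines, nothing invented).
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
111/tcp open rpcbind
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1720/tcp filtered H.323/Q.931
2000/tcp filtered callbook
3372/tcp open msdtc?
3389/tcp open microsoft-rdp Microsoft Terminal Service
5060/tcp filtered sip
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_ports(text):
    """Parse PORT STATE SERVICE [VERSION] lines of an nmap -sV report."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, host-script and summary lines
        port, proto, state, service, version = m.groups()
        ports.append({
            "port": int(port), "proto": proto, "state": state,
            # nmap appends '?' when the port replied but no probe matched,
            # so the name is only a guess from the port number.
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": version or "",
        })
    return ports

def classify(entry):
    """Rate how much evidence the scan gives that a service is present."""
    if entry["state"] == "filtered":
        # No reply at all (dropped by a firewall or host filter): the SERVICE
        # column is just nmap's table name for the port number, not a detection.
        return "no-response: name is a table lookup, verify on the host"
    if entry["guessed"]:
        return "open: replied but unidentified, fingerprint the process"
    if entry["version"]:
        return "open: service identified by banner"
    return "open: no banner, confirm the listener locally"

def triage(text):
    """Port -> evidence level, to decide what to check with tcpview."""
    return {e["port"]: classify(e) for e in parse_nmap_ports(text)}
```

Run `triage(SAMPLE_SCAN)` and the three "filtered" ports (1720, 2000, 5060) come back as no-response entries, while 3372 is the one open port that answered without being identified.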