tayloenic
asked on
netstat mystery on Win XP Home computer
Experts:
I am using a PC named Blackhawk which is running Windows XP Home. I ran the Shields Up program at the Gibson Research website (grc.com) on Blackhawk and it said that I have ports 21, 22, 23, and 80 open. That's ftp, ssh, telnet, and http. I went to another office (several miles away) where I have a linux computer and did an nmap scan of Blackhawk's IP address. It also showed the same 4 ports open on Blackhawk.
But when I do a netstat -a | find LIST on Blackhawk, none of those ports show up. The output of the netstat command on Blackhawk is below:
TCP blackhawk:epmap blackhawk:0 LISTENING
TCP blackhawk:microsoft-ds blackhawk:0 LISTENING
TCP blackhawk:873 blackhawk:0 LISTENING
TCP blackhawk:2002 blackhawk:0 LISTENING
TCP blackhawk:4454 blackhawk:0 LISTENING
TCP blackhawk:1030 blackhawk:0 LISTENING
TCP blackhawk:1241 blackhawk:0 LISTENING
TCP blackhawk:10080 blackhawk:0 LISTENING
TCP blackhawk:10110 blackhawk:0 LISTENING
TCP blackhawk:13128 blackhawk:0 LISTENING
TCP blackhawk:18080 blackhawk:0 LISTENING
TCP blackhawk:netbios-ssn blackhawk:0 LISTENING
To my knowledge I have no ftp, ssh, telnet, or http servers running on blackhawk. So why does grc and nmap show the ports open and netstat does not?????? It is my understanding that an open port means that there is some software listening on that port which will respond when contacted. I have no firewall at Blackhawk other than Windows firewall.
Thanks,
T Nickey
Memphis TN
I will assume that Blackhawk is behind some sort of router/firewall & not connected directly to cable/dsl modem.
It may be that your router/firewall either has ports forwarded for those services (even to a different machine) or that it's simply giving false readings when being scanned from the internet.
The easiest way to test this is from the Linux machine you mentioned by doing the following nmap scan:
nmap -sV IPaddress
This is a Version scan that will attempt to complete a TCP/IP 3 way handshake and identify the service of any open ports.
Another possibility is that you have a rootkit on your machine which could hide results from netstat amongst other things.
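An added example, not part of the original thread: a short Python check that compares the ports reported open from outside with the listeners in the netstat output quoted in the question. The names `SERVICE_PORTS`, `listening_ports` and `compare` are chosen for this illustration.

```python
import re

# Names that netstat -a prints in place of numbers (standard "services" entries).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80,
                 "epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445}

# The netstat output quoted in the question.
NETSTAT_OUTPUT = """\
TCP blackhawk:epmap blackhawk:0 LISTENING
TCP blackhawk:microsoft-ds blackhawk:0 LISTENING
TCP blackhawk:873 blackhawk:0 LISTENING
TCP blackhawk:2002 blackhawk:0 LISTENING
TCP blackhawk:4454 blackhawk:0 LISTENING
TCP blackhawk:1030 blackhawk:0 LISTENING
TCP blackhawk:1241 blackhawk:0 LISTENING
TCP blackhawk:10080 blackhawk:0 LISTENING
TCP blackhawk:10110 blackhawk:0 LISTENING
TCP blackhawk:13128 blackhawk:0 LISTENING
TCP blackhawk:18080 blackhawk:0 LISTENING
TCP blackhawk:netbios-ssn blackhawk:0 LISTENING
"""
EXTERNAL_OPEN = {21, 22, 23, 80}  # ports grc.com and nmap reported as open

# Local address is "host:port"; the greedy match keeps only the text after the last colon.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\S+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def listening_ports(netstat_text):
    """Return (numeric listening TCP ports, service names that could not be resolved)."""
    ports, unresolved = set(), set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            token = match.group(1).lower()
            port = int(token) if token.isdigit() else SERVICE_PORTS.get(token)
            if port is None:
                unresolved.add(token)
            else:
                ports.add(port)
    return ports, unresolved

def compare(external_open, netstat_text):
    """Split externally open ports into those the host accounts for and those it does not."""
    local, unresolved = listening_ports(netstat_text)
    return {
        # Open from outside but no listener on the host: another device in the path
        # (for example a NAT router) answered, or netstat's view is incomplete.
        "not_listening_on_host": sorted(set(external_open) - local),
        "confirmed_on_host": sorted(set(external_open) & local),
        "unresolved_names": sorted(unresolved),
    }
```

Calling `compare(EXTERNAL_OPEN, NETSTAT_OUTPUT)` puts all four scanned ports under `not_listening_on_host`, which is the mismatch the question describes.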
yup, it's showing your router, not your machine.
ASKER
Experts:
Sorry for the delay in getting back to you. ....
It was my router, as several of you suggested. I didn't realize that the DSL "modem" was a router. I called Birch telecom and got the username and password for the router and opened up the web interface to the router. I saw that the 4 ports I listed in my question were open on the router. I was able to temporarily close them and verify that they were closed by using grc.com and nmap from my other office.
I am giving points to tharstern since he was first with the correct answer. Thanks to everybody who answered!!
Follow tharstern's post above and check your firewall port forwarding if the two offices are not connected to each other.
Anyway, you do not need to go to the Linux box at your office to scan your current PC. Just use nmap for Windows instead for the same result:
http://nmap.org/dist/nmap-4.85BETA8-setup.exe
Or if you can understand telnet, do as above