[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

risky ports on windows 2003

Posted on 2010-09-04
7
Medium Priority
?
894 Views
Last Modified: 2013-12-04
Hello
I did a portscan to our webserver, windows server 2003 sp2 latest patches. I got the
following from nmap scan:

135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open  msrpc         Microsoft Windows RPC
1069/tcp open  msrpc         Microsoft Windows RPC
1070/tcp open  msrpc         Microsoft Windows RPC
2301/tcp open  http          CompaqHTTPServer 9.9 (HP System Management 3.0.1.73; httpd 2.2.6+)
| html-title: HP System Management Homepage
|_Requested resource was http://10.x.x .x /red2301.html?RedirectUrl=/
2381/tcp open  http          Apache SSL-only mode httpd
3389/tcp open  microsoft-rdp Microsoft Terminal Service
7937/tcp open  nsrexec       1 (rpc #390113)
7938/tcp open  rpcbind       2 (rpc #100000)

I would like to know about risky ports especially the last two 7937, and 7938
0
Comment
Question by:alex-2010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 26

Accepted Solution

by:
MidnightOne earned 2000 total points
ID: 33605352
Are you scanning from inside your network or outside?

If these results are from outside the network, shoot your network admin immediately. From the inside, it appears this is a pretty common Windows 2003/2008 system running IIS and PSP on an HP server.
0
 

Author Comment

by:alex-2010
ID: 33605435
it is form inside offcourse, i understand that 7937 for the backup system, but what is rpcbind port 7938! is it risky?
0
 
LVL 26

Expert Comment

by:MidnightOne
ID: 33605444
It's entirely possible it's a secondary port for the backup - one to communicate with the backup system normally, and the other for errors and status messages. What backup are you running?
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 43

Expert Comment

by:Adam Brown
ID: 33605524
RPC is used for replication in an Active Directory environment. It's used to allow access to remote computers without specific programming. Wikipedia has a little bit of info on it, though it's pretty technical and mostly written toward programmers. http://en.wikipedia.org/wiki/Remote_procedure_call
The RPCBind protocol facilitates in RPC broadcasts and allows communication and function operations on multiple computers at once. If this server is running as a central backup server or is communicating with one, then the RPCBind protocol is being used to assist in that communication. http://uw714doc.sco.com/en/SDK_netapi/xdrD.rpcbind.html has more info, but is extremely technical and very much written for programmers.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33617636
Your wasting you  time scanning from inside the LAN.  Every service running on the machine is going to show listening,...and just because something is listeing does not make it "bad".  The listeing service must be unneeded, unused, and have a known security vulnerability and the "hacker" would have to be physically on the LAN,...and the server would have to have something accessable via the particular service, and "desireable" to the hacker for it to have any "bad" potential.
You need to scan from the outside, and be scanning the firewall that you are using to make the web server available to the outside.
0
 
LVL 26

Expert Comment

by:MidnightOne
ID: 33718245
Your wasting you  time scanning from inside the LAN.  
I'd have to disagree with this, but only lightly. Overall, scans inside the network are of far less value than from outside, but scans inside the network are a good way of highlighting things that are running but shouldn't be - such as rogue WAPs, SMTP servers and SQL boxes.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33788925
That's true, but I only make the statement in the particular context I meant it in.
I think it is the term "risky ports" that get me "going".    There is no such thing as a "risky port".  There are apps & services that have a perfectly legitament purpose that have a good reason to exist,...but in the wrong context/situaiton such Apps or services should not be available.  This would be done by either removing, uninstalling, or shutting down the App or service,...or preventing access to the app or service from selected sources.   Focusing on "ports" instead of the app or service that created it I believe is the wrong way to view the issue.  So I like to get people to think correctly about things.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question