alex-2010
 asked on

risky ports on windows 2003

Hello
I did a port scan of our web server, Windows Server 2003 SP2 with the latest patches. I got the
following from the nmap scan:

135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open  msrpc         Microsoft Windows RPC
1069/tcp open  msrpc         Microsoft Windows RPC
1070/tcp open  msrpc         Microsoft Windows RPC
2301/tcp open  http          CompaqHTTPServer 9.9 (HP System Management 3.0.1.73; httpd 2.2.6+)
| html-title: HP System Management Homepage
|_Requested resource was http://10.x.x.x/red2301.html?RedirectUrl=/
2381/tcp open  http          Apache SSL-only mode httpd
3389/tcp open  microsoft-rdp Microsoft Terminal Service
7937/tcp open  nsrexec       1 (rpc #390113)
7938/tcp open  rpcbind       2 (rpc #100000)

I would like to know about risky ports, especially the last two, 7937 and 7938.
OS Security

Last Comment
pwindell

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
MidnightOne

alex-2010

ASKER
It is from inside, of course. I understand that 7937 is for the backup system, but what is the rpcbind port 7938? Is it risky?
MidnightOne

It's entirely possible it's a secondary port for the backup - one to communicate with the backup system normally, and the other for errors and status messages. What backup are you running?
Adam Brown

RPC is used for replication in an Active Directory environment. It's used to allow access to remote computers without specific programming. Wikipedia has a little bit of info on it, though it's pretty technical and mostly written toward programmers. http://en.wikipedia.org/wiki/Remote_procedure_call
The RPCBind protocol facilitates RPC broadcasts and allows communication and function operations on multiple computers at once. If this server is running as a central backup server or is communicating with one, then the RPCBind protocol is being used to assist in that communication. http://uw714doc.sco.com/en/SDK_netapi/xdrD.rpcbind.html has more info, but is extremely technical and very much written for programmers.
pwindell

You're wasting your time scanning from inside the LAN. Every service running on the machine is going to show as listening, and just because something is listening does not make it "bad". The listening service must be unneeded, unused, and have a known security vulnerability, and the "hacker" would have to be physically on the LAN, and the server would have to have something accessible via the particular service, and "desirable" to the hacker, for it to have any "bad" potential.
You need to scan from the outside, and be scanning the firewall that you are using to make the web server available to the outside.
MidnightOne

You're wasting your time scanning from inside the LAN.
I'd have to disagree with this, but only lightly. Overall, scans inside the network are of far less value than from outside, but scans inside the network are a good way of highlighting things that are running but shouldn't be - such as rogue WAPs, SMTP servers and SQL boxes.
pwindell

That's true, but I only make the statement in the particular context I meant it in.
I think it is the term "risky ports" that gets me "going". There is no such thing as a "risky port". There are apps and services that have a perfectly legitimate purpose and a good reason to exist, but in the wrong context/situation such apps or services should not be available. This would be done by either removing, uninstalling, or shutting down the app or service, or by preventing access to the app or service from selected sources. Focusing on "ports" instead of the app or service that created them is, I believe, the wrong way to view the issue. So I like to get people to think correctly about things.
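The practical consequence of pwindell's point (and of his earlier checklist: is the service needed, is it used, what does it expose, and from where) is that the unit of decision is the service behind each port, not the port number. On a Windows Server 2003 host the two commands that give you that mapping are `netstat -ano` (listener to PID) and `tasklist /svc` (PID to image name and Windows service names). The script below is an added example, not code from the thread or any of its posters: it joins the two outputs and then, for a scan source that is only supposed to reach 443, lists every other listener together with the process to disable, uninstall, or block at the firewall. The command output it parses is constructed for the example; the PIDs, the image names, and the `nsrexecd.exe` / `nsrexecd` names standing in for the backup client are assumptions, not data captured from the asker's server.

```python
import re

# Constructed `netstat -ano -p tcp` output from a Server 2003-style host.
# Not captured from the thread's server; PIDs are assumptions.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1384
  TCP    0.0.0.0:7937           0.0.0.0:0              LISTENING       2248
  TCP    0.0.0.0:7938           0.0.0.0:0              LISTENING       2248
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.77:51022        ESTABLISHED     1384
"""

# Constructed `tasklist /svc` output. The nsrexecd.exe image and nsrexecd
# service name are assumed stand-ins for the backup client on 7937/7938.
TASKLIST_OUTPUT = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1012 RpcSs
svchost.exe                   1384 TermService
nsrexecd.exe                  2248 nsrexecd
"""


def parse_netstat(text):
    """Return {port: (local_ip, pid)} for every TCP socket in LISTENING state.

    Header lines and established connections are skipped: a listener is
    recorded once, from its LISTENING row, regardless of how many clients
    are connected to it.
    """
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local_ip, port = fields[1].rsplit(":", 1)
        listeners[int(port)] = (local_ip, int(fields[4]))
    return listeners


def parse_tasklist(text):
    """Return {pid: (image_name, [service names])} from `tasklist /svc` output.

    PID 4 is the System process; SMB (139/445) and http.sys listeners belong
    to it on this platform and show "N/A" rather than a service name.
    """
    row = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
    procs = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if not m:  # header and separator rows do not match
            continue
        image, pid, services = m.group(1), int(m.group(2)), m.group(3).strip()
        names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[pid] = (image, names)
    return procs


def map_listeners(netstat_text, tasklist_text):
    """Join both views: each listening port with the process and service behind it."""
    procs = parse_tasklist(tasklist_text)
    result = {}
    for port, (local_ip, pid) in parse_netstat(netstat_text).items():
        image, services = procs.get(pid, ("<unknown>", []))
        result[port] = {"bind": local_ip, "pid": pid, "image": image, "services": services}
    return result


def triage(listeners, allowed_from_source):
    """List every listener a given scan source should NOT reach.

    allowed_from_source is the set of ports that source legitimately needs
    (for the Internet and a web server, typically just {443}). Each returned
    entry names the process and service, so the follow-up is a decision about
    that service: remove it, stop it, or block it at the firewall for that
    source. The port number by itself tells you none of that.
    """
    return [(port, info["image"], ",".join(info["services"]) or "-")
            for port, info in sorted(listeners.items())
            if port not in allowed_from_source]


if __name__ == "__main__":
    mapping = map_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT)
    for port, image, services in triage(mapping, {443}):
        print(f"{port:>5}  {image:<14} {services}")
```

On the real server, run `netstat -ano -p tcp > netstat.txt` and `tasklist /svc > tasklist.txt`, read the files into the two parsers, and pass a different allowed set per scan source (the Internet, a management VLAN, the backup server's address) to get a per-source list of services to disable or filter. The nmap output in the question only gives the port and a banner; the join above is what turns "7938/tcp open rpcbind" into "the backup client's second listener, same PID as 7937", which is the question the asker actually had.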