We help IT Professionals succeed at work.

IPsec / Open Ports

breadsbox used Ask the Experts™
Hello Experts!

Recently I had an "acquaintance" of mine help me set up my virtual private server which I am hosting at 1and 1.com to run my websites.

I think that he set up some type of back door or left some ports open for himself to come back in and access my information.  You just know when people are acting shading.

He said that he doesn't like to use Windows Firewall and used some standard IPsec settings that work best for him.

when I run a port scanner is saw these ports open
Open Port 21 is open  
Open Port 25 is open
Open Port 80 is open
Open Port 135 is open
Open Port 139 is open
Open Port 3389 is open
 image of IPsec
When I was reading up the open ports I saw that hackers like ports 135 and 139.

Can you please tell me if there is a way for me to see if he's been logging on or downloading info from my server. Maybe through the event log?

And should any of these ports be closed , if so how ?

Thanks in advance for your help.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You can check Event Viewer to see if he has logged in.  Does he have his own user account?  I'd suggest first changing the passwords for the user accounts on the machine, therefore if he has Remote Desktop setup his credentials won't work.  You can change the permits to blocks within the screenshot you have up there or you can use Windows Firewall to lock down those ports as well.  To open Event Viewer or Windows Firewall just type the keywords, 'Event' or 'Firewall' in the windows start menu search bar.  

First off, I think we are missing some of the details.  Is this server at your home and hosts the websites which get pointed to domain names that are hosted at 1and1?  Do you ever use remote desktop to get into your computer?  If not, port 3389 can be locked down.  If this server is at your home do you have a router/firewall that he also configured to perform some port forwarding?  

If you don't you should really look into getting one as they are cheap and if you are hosting a webserver yourself it's really needed even for just your home network.


Thank you for your response DigitalTechy,

This is a virtual private server from 1 and 1.com which I use to host my web sites.

I do use Remote Desktop to access the server.

I have changed the user info but I am concerned that there may be some type of back door in use via the ports 135 or 139.

any thoughts on those 2 ports?
Greg HejlPrincipal Consultant

if this is a standalone server then port 135 (RPC Locator for domain and other windows services) and 139 (Netbios Session control) can be closed for the network type in windows firewall (public, private, domain)

if the server is part of a domain these ports should be open for your domain network and these ports should be blocked at your firewall.

use windows advanced firewall settings to determine what ports are open in what network type.

good luck.
Just like Greg said, if you don't use them in conjunction with any other domain connected computers then you can close them and block them via the advanced firewall.  If you do have other virtual private servers/computers you can change the network type to private/domain depending on how you have it configured.

Really 135 and 139 are not ports you want opened to the public so those need to be locked down regardless, they are for internal domain services.  Just turn those off for public networks on the firewall.  Also, if you are worried about him getting access I'd make sure you change the user account as he wouldn't need a backdoor or trojan to exploit a vulnerability via 135 or 139, rather he'd just RDP into your machine.  You could also lock down the Remote Desktop Connection via your IP address for an added layer of security.  


Thanks for your reply DigitalTechy,

Can you tell me how to close those ports to the public.
I am unsure how to do this.
If you open up Windows Firewall with Advanced Security (click on start menu, type in keyword firewall and it should display) then click on InBound Rules

This will display all the current rules for the Windows Firewall there is a column for Local Port and a column for Profile, the profile is whether the rule applies to a Domain, Private, or Public network.  You want to make sure those ports you want to lockdown are set to Deny for each Profile that is necessary.  The green checkbox on the far left tell if the rule is enabled/disabled.  Typically 135 and 445 are by default Denies at the Public and Private level.