:oHi guys;

I just tried a security scan on HackerWatch (www.hackerwatch.org), testing a few common ports for vulnerabilities.

I was surprised to read on the results page that port 25 smtp was 'open, vulnerable and responding' despite a very good software firewall running on my machine. I first checked all the settings to look for potential configuration errors, but couldn't find any.

I went to pcflank (www.pcflank.com) and tried a similar test, which revealed port 25 as 'stealthed'. Tried again on sygate (scan.sygatetech.com) which 'confirmed' the stealthed result from pcflank.

IMHO, there might be a bug on hackerwatch server, but just to make sure and for the sake of my own peace of mind, could someone else (who surely knows the smtp 25 port vulnerability just CANNOT exist on his machine)try this test and report on his results here so I could get some kind of confirmation about this ?

Thanks a lot...

Crockett

Hi,
I must be still sleeping.I went there and did not find any test. ???
Where can i find it?

Hi Claire; :)

Thanks for replying.

Please follow the link http://www.hackerwatch.org/probe/ and select 'port scan'.

Crockett 8)

Hi Crockett,
I just passed the test.All my ports are stealhted ;D :)
I am using LnS with enhanced ruleset
Take care

Secure
21 (FTP)

This port is completely invisible to the outside world.



Secure
23 (Telnet)

This port is completely invisible to the outside world.



Secure
25 (SMTP Mail Server Port)

This port is completely invisible to the outside world.



Secure
79 (Finger)

This port is completely invisible to the outside world.



Secure
80 (HTTP)

This port is completely invisible to the outside world.



Secure
110 (POP3 Mail Server Port)

This port is completely invisible to the outside world.



Secure
139 (Net BIOS)

This port is completely invisible to the outside world.



Secure
143 (IMAP)

This port is completely invisible to the outside world.



Secure
443 (HTTPS)

This port is completely invisible to the outside world.

Hi Crockett,
Just did a scan at the link you provided came up secure on all ports. Did you try again?

Crockett

what I notice most was that the site's attempt of some sort to collect info prior to beginning the test....

snowman

dumb me...I should have just said I passed the test instead of posting the long results......

Hello all of you;

Claire's last post finished with 'take care'... Well, just seems I'm not doing that good a job of taking care of myself by now, am I ? :D

Tried to re-do the test, but can't get back on the site for the time being. Maybe other people are trying to pass the test following what has been written here. Hope I'm not causing too much havoc... ;)

Anyway, since all of your results seem to go in the same direction, the problem should probably come from my firewall. Recently installed one of the prior versions of it because I wanted to check interoperability among some softwares, and I guess this old version might be the culprit. Gonna switch back to a more recent version and see what will happen.

BUT - and that may be the most troublesome point - the hackerwatch testing procedure has been the only one to uncover this vulnerability on my machine. How could pcflank and sygate miss it ?

Don't mistake what I'm pointing to here. I am a big fan of pcflank - it simply IS one of my favorite sites. But one set of tests just doesn't seem to be enough in and of itself. Why, I don't know.

I'm glad I came across hackerwatch - I can now get my hands dirty and try to solve the problem.

I'll get back to this thread and post positive results as soon as I can...

Thanks for your replies.

Crockett

Crockett

imo the test at hackerwatch was very weak...

Hi Snowman;

You may be right, but then it makes the matter all the more mind-boggling - why this test and not 'stronger' ones ? ???

Crockett

Crockett

for your consideration.......you can open outlook express an change your pop3 ports to secure.....an try the test again..

Crockett

if you decide to change you pop3 port to secure....just for testing this test.......don't forget to change it back...otherwise you may not recieve mail......happens sometimes

:DHello back;

Can't wait to try all these possible solutions, but can't get back to hackerwatch either !

Seems to currently be a whole lot of traffic going on overthere...

I'll connect back later and post whatever improvement I may be able to obtain.

Thanks and see you later Snowman.

Crockett 8)

Crockett

you are most welcome......frankly I find it rather odd that your firewall blocked all the other ports but not port 25.......that just does not seem correct.

wishing you a pleasent day......later

snowman

I did the test and it showed about 1/2 secure and the other 1/2 open. My firewall logs showed they were blocked. Ran the test again and all were open except port 21. Did not change a thing before I ran the 2nd test.

I ran a port scan and discovered I have numerous vulnerabilities. I use the new version (free) of Zone Alarm. Is there a way to configure either ZA, or perhaps do something else to reduce my exposure?

Open and Unsecure!
21 (FTP)

This port is not being blocked and there is a program accepting connections on this port.

Open and Unsecure!
23 (Telnet)

This port is not being blocked and there is a program accepting connections on this port.

Open and Unsecure!
25 (SMTP Mail Server Port)

This port is not being blocked and there is a program accepting connections on this port.


Open and Unsecure!
79 (Finger)

This port is not being blocked and there is a program accepting connections on this port.


Open and Unsecure!
80 (HTTP)

If this computer is not supposed to be acting as a web server you should not have this port open.


Open and Unsecure!
110 (POP3 Mail Server Port)

This port is not being blocked and there is a program accepting connections on this port.


Open and Unsecure!
139 (Net BIOS)

Having the NetBIOS port accessible to the Internet is very dangerous. Check your firewall configuration or install McAfee.com Personal Firewall if you have not already done so.


Open and Unsecure!
143 (IMAP)

This port is not being blocked and there is a program accepting connections on this port.

Open and Unsecure!
443 (HTTPS)

If this computer is not supposed to be acting as a web server you should not have this port open.

Also, when I do a port scan, via the Shield's Up site and Symantic, everything is fine. Also, how does this site finish the scan in litterly a nano-second?

Thanks for taking the time to read this.

Everywhere but here I am stealth too. I am not putting any stock in this scan. My firewall logs show blocked even though hackerwatch is saying I am open, so to me it is nothing to worry about.

I remember at one time there was a version of NAV that in checking the email, held the SMTP port open and some firewalls would show an open port because of NAV. I think NAV fixed it in the next version though.
Also sometimes some of the port scans on the net are totally unreliable. I have quit using Sygates, which used to be one of the best, but will indeed report secured ports as open, now.
Also, people with routers need to remember that scans scan the router, not the machine with the firewall. Same goes for anyone using a proxy.

I just went there and ran the scan. It said all my ports were open. Well, outpost has the ability to look at active packets being transferred and I found that Hackerwatch was picking up the IP of my ISP, not me. I would expect my ISPs ports to show open.
Never trust a scan site unless it shows you the IP it is scanning. Otherwise, you never know who it is scanning.

Crockett,

From the postings between your last one and now, it seems to me that there's a real possibility that you're ISP is routing you through a proxy server that it runs. In that case, HackerWatch could well be testing the proxy server rather than your own currently assigned IP address. I haven't been there in a long time, but that seems the most likely possibility to me.

There's another one (always is! ;) ) Are you running a configurable router? Sometimes, what happens is that your router ends up getting tested; not your firewall. (And this definitely can happen at PCFlank, for example.)

Indeed Root, that would be the deal. I was wide open there, contrary to Sygate, GRC, Symantec, PCFlank, Security Safe and TDS-3 which show its tight as a drum - now I see why. Thanks for the headsup Crockett, it sure gets your attention, but good to crosscheck before changing anything and illustrates the value of the forum. Can just imagine the number of people freaking out and fiddling with otherwise good security profiles, perhaps for the worse, on basis of dip stick test configurations like that one.

When in doubt..give us a shout! ;D ;D ;D ;D


http://www.dslreports.com/forum/remark,4051324~root=security,1~mode=flat
(http://www.dslreports.com/forum/remark,4051324~root=security,1~mode=flat)

Well, at least now I don't have to sleep with one eye open.

-{ Quote: " quoting: jnibori link=board=23;threadid=2791;start=15#19282 date=1028659551]
Well, at least now I don't have to sleep with one eye open.
" }-
Yes you do. Never heard of the firewall fairy? :)

:)Hi guys; sorry for being late...

Here's where I've gotten since I last wrote.

I tried several firewalls in turn, and am afraid I have to say they all brought me back to the exact same results.

I don't believe the ip address which is scanned when I initiate the scanning test belongs to anyone else but me - although I absolutely do agree that the router question often is a valid possibility, and can be a source for mistaking some tests results.

One of the firewalls I used logged the different connection attempts and it looked something like this: 21 (attack detection: blocked); 23 (attack detection: blocked); 79 (attack detection: blocked) etc. The point here being that port 25 does not appear on the list of blocked attempts (between ports 23 and 79).

The second thing that worries me is that my firewall's log shows the exact same verdict as the scanning site does. I wish those two would contradict each other so I could pick my firewall as the one to be trusted, but right now I can't.

I also agree that some tests are not to be trusted, but then how do we know which one to pick as reference ?

Still trying to figure something out by myself, at least until a miraculous (and logical) explanation just hits me... :D

I'll keep you up to date.

Crockett 8)

"I also agree that some tests are not to be trusted, but then how do we know which one to pick as reference ?"

Check out the Test sites you will find at the link I posted..they can be trusted.

By chance to you have file sharing enabled??

I don't.

Root;

I went through the whole thread all over again, and it's only now I'm really hit by two things you pointed to.

The first one is worth mentionning again, i.e. [paraphrasing] 'never trust a scanning site unless it mentions your own ip as scanning address'.

I'm so used to check my firewall against scanning sites which do mention this ip (not to mention the fact that I was shocked to 'discover' port 25 could finally be a weakness on my system) that I never paid due attention to Hackerwatch not crosschecking my ip.

The second one is this: one of the firewalls I used in trying to outscore Hackerwatch was Outpost. What exactly do you mean by "Well, outpost has the ability to look at active packets being transferred" ?

Looks like I still don't master all the tools embedded in today's leading firewalls.

Joseph, thanks to you for the interesting mention of proxies being scanned instead of the user's pc - I didn't pay all the attention I should have to his post.

Rickster, you're right - this forum is rather useful to say the least. Hope I didn't cause too much panic by starting this thread.

Finally, I followed MyNethingyman's advice and followed his thread to the list of scanning sites. A lot of them I already knew, some of them I discovered - thanks. I went through all of them except for the Java-requiring ones. Hackerwatch is the only one I [consistently] failed.

See you later.:)

Crockett