After first port scan, I have a few questions

Hello Firewall Experts,
I was wondering if you could answer a few questions. I am running Winxp and the software involved in my questions are
1. ZA pro with internet zone and trusted zone both set to high.
2. visual zone
3. Simple portscanner(from Blackcode)
4. TDS-3 licensed
Okay, I ran the port scanner with target host the machine address 127.0.0.1. The scan showed that ports 135,,389, 1002, 1025, 1720, and 3001-3004 were open. The port scanner had 1025 highlighted as a trojan port and TDS seems to agree, although I"m not sure what "RAT" means. I'm assuming then that this is a vulnerablility.
Question 1: Should I block 1025? If so, how do I do this?
I've done some of the online scans(gibson, pcflank, etc). They alll say that all common ports are "stealth."
2. Question 2: Why the discrepancy between the online scans and the
results of my scan?
3. Should I block the other open ports? If so, how do I do this?
Visual zone shows that my isp scans 135 or 445 about every 5-10 minutes. If I block 135, will that create a problem with my internet service?.
(Apologies if some of these are dumb questions, as I'm still learning).

 

If TDS is flaging a "RAT".....that could be a real problem.....an would strongly advised you to discuss the rat issue in the TDS forum before going any further..........strongly advised!!!

Your port questions: all your ports should be closed...unless you are file sharing an allowing inbound connections.......I am at a lost in understanding how some port scans show all your ports as stealthed but that one port scan shows ports as open.....either they or closed or open.....its not going to be both ways. Certainly you should block your ports...thats the whole point of having a firewall..........I don't use ZA so wont advised in that respect.....mostly posting due to the mention of that RAT being flagged.....check into that real soon...

 

Hi bluekey23

Using a port scanner on your own system to test your own system (127.0.0.1) will show open ports (results should be the same as doing a netstat), but is not the same as a remote system scanning your WAN/Public IP.

Edit: While port 1025 is associated with known trojans, it is also commonly opened/used by your system. Running a netsta -ano at the commond prompt should confirm this for you. RAT = Remote Access Trojan.

No need to block 1025 as it is already being blocked by ZA. The online scans are scanning your WAN/Public IP which is protected by ZA Pro. Your internal scan never left your system and ZA Pro would not block that localhost traffic.

Your ISP or just other users in the same IP range as you? It is common to see numerous scans from other users of your ISP in the same IP range you are in. Scans to port 135 and 445 are very common and frequent right now.

The only dumb question is the one that does not get asked.

Aren't we all

Regards,

CrazyM

 

Bluekey23,

CrazyM appears to have supplied a pretty comprehensive answer (and I would agree with all the points he has made). I did write an FAQ on this (Online Scans - What to do with Open and Closed Ports) which may provide some extra useful background detail (particularly in explaining what ports are). While it is aimed at Outpost Firewall users, most of the information it supplies is general enough to be useful to everyone.

 

Crazy M and Paranoid,
Thanks so much for the excellent advice. I'm now feeling much better!
To Crazy M - I've followed your posts in here for awhile and your knowledge is very impressive. Where do I go to begin learning this stuff? Can you point me in the right direction to learn the basics(and beyond) of ports, how they are open and closed by ZA, and so on?
Thanks again.