Blocking FTP 21 w/Zone Alarm

Discussion in 'other firewalls' started by Mudd, Aug 22, 2003.

Thread Status:
Not open for further replies.
  1. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    I' not only new to the Forum, I'm new to Computers.

    I have done a scan from Gibsons page and it indicates that my FTP Port 21 is open. None of the others are. I don't know what service to block to stop this. I don't have a FTP program installed on this PC.

    My Machine is Host, networked by crossover with the wife. I have the free edition of Zone Alarm, just updated.

    Running Win XP Home on both machines.
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Mudd

    Is it possible you have a router which has that port opened?
     
  3. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    In this configuration you should have a firewall on both machines if they are both on the internet.

    Are you running a ICS(Interent Connection Sharing) configuration?

    Here is a program that can show you which programs are listening on which port, try it on both computers to see if either has a program listening on this port if you need to.
    TCP View

    An ICS config can complicate finding whch program is listening on a port as it redirects ports without showing them as listening.

    If you don't find the program, make sure that alg.exe(Application Layer Gateway service) isn't allowed to be a internet server in ZA as a test, then re-scan.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Of course, the GRC scan result may just be wrong. Results from any online scan should be cross checked with a few other online scans. There are a number of other scanners listed in this thread under the heading "FIREWALL / SYSTEMS TESTS:"

    https://www.wilderssecurity.com/showthread.php?t=6341
     
  5. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    No router, just slow Dialup. We are far out in the country from a One-Horse Town and as of now this is all that is available.

    We share the dialup connection, and the old woman does have ZA installed. Odd about that because she never has had an intrusion blocked, or as is indicates on the program. Last week I was getting 30-40 a day on Port 135. Suppose it was the Worm Virus.

    Which brings up another question. Does the fact that she has no intrusions mean that my program is a block between her's and the internet? I have configured her ZA to accept only the things she needs, OE, IE, etc.

    Going to look for alg.exe now and if it's there, will disable it and rescan.

    Thanks
     
  6. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    LowWaterMark: I also scanned with Symantec and it indicated the same, open FTP Port 21
     
  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I hope you didn't misunderstand me, don't disable alg.exe, it needs to have outbound communications in an ICS configuration, but it doesn't need to take inbound connections it didn't ask for which would be a server.

    Edit: I forgot a peice of information, alg.exe should only need to be running on the machine sharing the connection, however if ICS or ICF(Internet Connection Firewall) is enabled on a machine alg.exe is required to be running.
     
  8. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    I'm OK on the alg, exe. Didn't find it anywhere!!

    I'm now going to do some more scanning from the information that was furnished. If I have new information I'll post for more help. If not, will just have to chance it.
     
  9. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    Checked two more of the Port Scanners. Already forgot the names. One was "Black ......", the first on the list. Every Port is closed except for:


    "WARNING! The following ports are open on your system:
    Port: 21
    Service: ftp
    Description: File Transfer [Control]"

    So, back to square one.
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Mudd

    Go download TCPView as BlitzenZeus suggested, and scroll through the lines finding what’s listening on port 21…
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
  12. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    The program TCPView was downloaded and installed and it "doesn't show FTP or Port 21!." Unless I'm reading it wrong. I suppose the Port number in in the ADDRESS column.

    I scanned all the columns for the letters "FTP" and "21" and neither are there!

    Does tha make any sense? If it would help and this Forum allows, will paste the results.
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Must of had a false report then.....
     
  14. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Mudd,

    I want to you do something, as you don't run a firewall on your machine which is the ICS host I want you to disconnect, go into the properties of the connection you use to connect to the internet, on the advanced tab check the Internet Connection Firewall Box, and click ok. Connect again, and make sure your sharing still works.

    With the ICF(Internet Connection Firewall) running it should protect the port if its not being opened by an outside source for some reason.
     
  15. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    OK, I did that. I had the Firewall running. So, I unchecked, and restarted the connection. Ran the scan from the Program I mentioned earlier. Got the same result. All Ports closed except for "Port 21 FTP"

    I have now checked the Firewall, closed down and redialed and ran the Scan again. No change. Still shows the Fort 21 to be open. All the sharing and internet connection still works fine.

    Don't want to waste anymore of anybodys time on this. I appreciate all the suggestion and directions. Maybe something is wrong with the machine.

    Funny thing though, I went to the old woman's machine and did a scan and hers does not show Port 21 to be open.

    So I will pass on with this. Thanks again.
     
  16. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Well without direct access to the system to do tests it would be hard, but in the settings on the advanced tab you can choose some settings with ICF. Just make sure that ftp isn't checked. Other than that its hard to think of anything else to suggest at the moment.

    So just leave the XP firewall(ICF) enabled for now so your stealth except for that port, and hopefully this can be figured out.

    On a last note, do you run any anti-virus, or anti-trojan software? You might consider looking into those just incase something happened... Check out the other forums here that deal with that if your not using any.
     
  17. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    Thank you again. Yes, I have Norton AntiVirus 2003. Don't know about any Trojans as I'm not at all familiar with that. Know about what it is but have nothing that I know of.

    I'll keep my eyes and ears open and maybe somewhere I will see or hear something that pertains to this.

    Again thank you.
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Mudd

    Is your browser configured up on any proxies?
     
  19. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    Proxies: Sir, I hate to plead ignorant but I must. I know nothing about such a thing. I'm relatively new at this, my brain is old and if I've heard of proxies I don't know it.

    I am using a Mom & Pop type dialup service, independently own by a couple of Farmers.

    So I can't anser your question as I don't know.
     
  20. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    BLITZEN ZEUS

    You hit it on the head with your advice. I found the FTP SERVER checked. Unchecked that and that took care of the problem. Wonder what else I should uncheck? I have a dialup connection shared by one other computer.

    Checked:
    dpnsr (255.255.255.255.6073) 6073 UDP
    Internet Mail Access Protocol Version 3 (IMAP3)
    Internet Mail Access Protocol Version 4 (IMAP4)
    Internet Mail Server (SMTP)
    Post-Office Protocol Version 3 (POP3)
    Web Server (HTTP)

    Any suggestions as to what I should not have checked from the list above?
     
  21. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Since your not running any of those servers none should be checked, as these settings allow inbound connections.

    At least the problem was finally found, but how in the hell did all those get selected I wonder? By default none of those should be seletected, at least on XP Pro which I'm running none of those were selected by default when I played with it before I used my real firewall.
     
  22. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    What I shall do is uncheck all of them! If something doesn't do just right will go back to check what I need.

    Sure appreciate you heading me in the right direction for this correction. First problem I've posted since joining this Forum and got the correct answer.

    Thanks to all.
     
Loading...
Thread Status:
Not open for further replies.