closing ports

Discussion in 'other firewalls' started by stubolt8, Jan 19, 2003.

Thread Status:
Not open for further replies.
  1. stubolt8

    stubolt8 Registered Member

    Joined:
    Jan 19, 2003
    Posts:
    5
    Hello - I need to close a couple of ports, one that has connections to it now and again, pretty sure this is a trojan, and one that is listening - I discovered this by creating a txt file using netstat -an...txt. I have tried a couple of port watching programmes, briefly, but they needed server rights according to zone alarm and someone advised me not to use them. I use win98 - I've just tried TCPVIEW which is ok but doesn't allow me to close ports or even to find out which programme is opening them. Thank you.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Try to block them in your firewall.
    Do you see strange processes in contr+alt+del? Kill them and do another netstat -an to see if they're gone.
    I use Port Explorer: the free trial gives you a nice overview of what is connected to which ports, but it does not give you the full functionality of the registered version to kill or disable sockets/processes and/or look into the datapackets from those sockets; even in the trial the whois and resolve functions are very nice.
    Possible hidden connections, which might be trojans but are not necessarily in all cases, are displayed in red for instance.
    Further I use TDS, with a lot of testing and scanning and killing processes too, netstat, etc.
    See those tools in the DiamondCS forums here.
    At least get your free trials, they function with Win98 too.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi stubolt8,

    Welcome to Wilders. Could you specify the port numbers? Especially the one that is listening.
    If you suspect it is a trojan, what is stopping you from running a trojan scanner?

    Regards,

    Pieter

    Sorry Jooske. Didn't see you were on the case already. :)
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Doesn't matter, TDS could be used as a fine trojan scanner, if updated after installing with the most recent database, so our advice is additional :) And you're the global mod, my vision is more from the DCS tools side (because I really love them so very much to use :) )
    So feel free to answer and the whole forum is looking forward to know about the ports and next results.
     
  5. stubolt8

    stubolt8 Registered Member

    Joined:
    Jan 19, 2003
    Posts:
    5
    Thank you Jooske and Pieter.
    I have BOClean anti trojan and AVG. I've not noticed anything dodgy in ctrl-alt-del. Regrun did notice one or two changes when I installed port listener. I've just noticed all the webpages I've saved on the desktop have had the icon change from IE to a sort of dark video like box with a green dot with a spanner superimposed! Anyway I don't know how to block ports with zone alarm, I block anything that asks to connect that shouldn't or I don't want to.
    The ports I'm worried about are 1524 ingreslock and 1513 (listening in netstat when not connected).
    Just found out what that spanner icon is - it's Netmon.
    Thank you.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I moved it to the firewall forum so our specialists can help you in blocking the ports. I'm pretty sure you don't have a trojan or it must be an extremely new one ;)

    Regards,

    Pieter
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hi stubolt8,

    Neither Zone Alarm, nor Zone Alarm Pro, have options to globally block specific ports when you've already set the firewall tab at the High Security level. For more information on this, take a look at this thread:

    "Blocking specific ports with ZAP"
    https://www.wilderssecurity.com/showthread.php?t=5677

    What you are already doing is the correct way to handle this - block all the programs that you don't want to have network access. "Programs" open ports and programs do the listening on those ports. If you block the programs, then the ports will be blocked.

    You may want to carefully review the Program tab in Zone Alarm and make sure that some unexpected program isn't set up already with either access or server rights. If that list of programs is secure, then nothing unapproved should get through ZA's security.

    Best Wishes,
    LowWaterMark
     
  8. stubolt8

    stubolt8 Registered Member

    Joined:
    Jan 19, 2003
    Posts:
    5
    Thank you LowWaterMark - I have had a good look at ZA progs and removed a lot that I no longer use although none of them had server rights or access without permission.
    Perhaps you could tell me a little about port 1524 ingreslock - what's the point of it, I don't use it for ftp or whatever it's for. A search on google is quite alarming, a lot of the posts refer to linux though.
    I don't know a lot about computers but reading sites like this has made me aware of some of the problems that await the unwary - and the wary. I dread to think what lurks on the computers of all those who haven't even heard of ZA. Thank you - this is a good site.
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi stubolt8

    In regards to port 1524, have you been able to determine what on your system is listening on that port?

    There are a number of legitimate programs/system functions that could be doing this along with the alternative that it could be something you do not want on your system.

    Regards,
    CrazyM
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi stubolt8

    A little further explanation...

    iana.org may show ingreslock being a service associated with that particular port, but it does not necessarily mean that is what it is being used for on your system in this particular instance.

    When your system, application or service communicates they may use specific services/ports or they may also use or listen on what are referred to as ephemeral ports. These will be ports in the range 1024-5000 (and will sometimes be referred to as the temp range). Examples of this would be Task Scheduler, AV email scanners, that you may see listening on one of these ephemeral ports. The application/service listening on one of these ports in the temp range, may have nothing to do with the service associated to it in the iana.org list.

    This is why it is important to determine what is listening on that port in this case instead of focussing on the service associated with it in the iana.org list.

    Regards,
    CrazyM
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Yes, as CrazyM stated the key thing you have to do is figure out what program is listening on the specific port. Only then will you know for sure what's going on. Unfortunately, it can be difficult on Windows 9x systems to figure out what program is holding a port open.

    You could try process of elimination, I suppose. You may be able to find out from ZA which program is active or showing as connected while port 1524 is showing as open, and by closing every program possible, one at a time, watch to see if 1524 closes after a specific program closes down. Since TCPview didn't help, this is the best I think you may be able to do, unless perhaps another program might help to zero in on it.

    Another one I've used is "fport" from Foundstone. Fport is a free tool available from the link below. One great thing about it (and most tools from Foundstone) is that you don't even need to install it. You just unzip it, and run Fport.exe from a CMD/DOS prompt, and it displays the information. (It may not do any better than TCPview, but since it's so easy to get and use, it's worth a try.)

    http://www.foundstone.com/knowledge/proddesc/fport.html

    Since you've scanned with BOclean and AVG, have checked the task list (Ctrl-Alt-Del) and don't have unknown programs in ZA, you probably don't have a common piece of malware (trojan or otherwise) doing this. It may just be a random port being used by some application you are running, that you don't currently suspect is involved with what you are seeing.

    You'll need to try some trial and error poking around to figure this out.

    LowWaterMark
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again, sorry for jumping in so rude again :)
    Fport is for NT, not for win98 systems.
    That's why I advised to get the free trial for Port Explorer in the first place, as this will tell what's listening anyway, but for deeper determination you will need other tools or the registered version.
    Found more on your ports mentioned:
    1524: INGRESLOCK - ingres, RAT: Trinoo
    1513: FUJITSU-DTC - Fujitsu Systems Business of America Inc
    That Trinoo thing could be a server on your system, for example, if you say it's listening already when not connected to internet, but on the other hand it's so known and should have been cleansed out by your software.
    Are you able to post a netstat output when it's there?
     
  13. stubolt8

    stubolt8 Registered Member

    Joined:
    Jan 19, 2003
    Posts:
    5
    Hi Jooske - I may have been misunderstood slightly.
    Port 1524 isn't listening all the time, 1513 is listening all the time. I caught ingreslock appearing in netstat -a 5 because I had the window open on the side of the screen whilst surfing out of curiosity. Suddenly I saw 1524:ingreslock appear, listening and after a short time it vanished - a couple of times I've seen it establish a connection and this is while I'm just regular surfing, bbc, cnn maybe.
    I read somewhere that you could test for a shell on that port by telnetting to it, could you explain how to do that using my own machine - if possible? I've never used telnet.
    I will be using port explorer- it looks useful.
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Have you been able to determine what is listening on port 1513 to know whether it is of concern or not?

    If you are just seeing port 1524 popping up occasionally as the local service/port and part of a valid remote service/port 80 connection (part of normal surfing), it is just being used as an ephemeral port and part of normal communication with your system as noted above. It does not have anything to do with ingreslock and you have nothing to worry about.

    Regards,
    CrazyM
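
The distinction drawn in posts 10 and 14 above (a port in the 1024-5000 "temp range" used as the local end of a connection versus a port something is actually listening on), as an added example that is not part of the original thread. It parses a constructed `netstat -an` sample; the addresses, the verdict labels and the rule "a local port that also appears as LISTENING belongs to a listener" are assumptions of this sketch, and netstat alone cannot prove which side opened a connection.

```python
import re

EPHEMERAL = range(1024, 5001)  # the "temp range" quoted in the thread

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1513           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1524        203.0.113.7:8080       ESTABLISHED
  TCP    192.0.2.10:1530        203.0.113.9:80         TIME_WAIT
  TCP    192.0.2.10:1513        198.51.100.4:3321      ESTABLISHED
  UDP    0.0.0.0:1026           *:*
"""

# Numeric TCP rows only; the header and UDP rows (no state column) are skipped.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"local_port": int(m[2]), "remote_port": int(m[4]),
                         "state": m[5]})
    return rows

def classify(text):
    """Return (local_port, remote_port, state, verdict) for each TCP row."""
    rows = parse(text)
    listeners = {r["local_port"] for r in rows if r["state"] == "LISTENING"}
    result = []
    for r in rows:
        port = r["local_port"]
        if r["state"] == "LISTENING":
            verdict = "listener"                # find the owning program
        elif port in listeners:
            verdict = "connection-to-listener"  # traffic on a port we listen on
        elif port in EPHEMERAL:
            verdict = "ephemeral-outbound"      # likely a client-side temp port
        else:
            verdict = "other"
        result.append((port, r["remote_port"], r["state"], verdict))
    return result

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

Only the `listener` and `connection-to-listener` rows call for identifying the owning program; the service name a port maps to in the iana.org list plays no part in the verdict.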
     
  15. stubolt8

    stubolt8 Registered Member

    Joined:
    Jan 19, 2003
    Posts:
    5
    Hi CrazyM - Thanks for the info on ingreslock, it does connect to 8080.
    As for 1513 I've not caught anything connecting to it yet and will get back if anything interesting turns up.
     