Help, not sure if proper forum

Discussion in 'other firewalls' started by Cap, Jul 8, 2004.

Thread Status:
Not open for further replies.
  1. Cap

    Cap Registered Member

    Joined:
    Jul 8, 2004
    Posts:
    9
    Hello everyone, what a great place I stumbled upon here.

    I noticed my system acting funny recently, bad def but when you run a system constantly you notice when it seems off. Anyways I came across these forums, have read quite a bit, downloaded several suggested programs and now have a question. I noticed in pedemo that port 445 under system had a few entries, I filtered this port in my router, and now have noticed in my router logs that there is several differnet ips attempting to connect theu this port. Is there anything I should be looking for on my system?
     
  2. Cap

    Cap Registered Member

    Joined:
    Jul 8, 2004
    Posts:
    9
    Ok i should have added that I am wondering if it is a backdoor or trojan that uses this port 445. Thanks
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Port 445 is used by Windows for sharing files and printers (using the NetBIOS protocol which can also use ports 137-139). However, due to numerous Windows security flaws, there are several worms and viruses that use these ports to spread themselves - and it is most likely these that are causing the entries you see.

    As a consequence, no Internet access for these ports should be allowed - if you have a home network then allowing restricted access to your other PCs on these ports may be needed for file/printer sharing.

    If you are not running a firewall, then you should assume that your system has been compromised. Install one immediately (ZoneAlarm is a good simple one for novices - however it is a pig to uninstall and problems have been reported with version 5.0, trialling 4.5 may be a safer option) and then scan your system for trojans/viruses. For a more advanced firewall, consider Outpost or Kerio.

    Even with a router firewall (which is great for blocking Internet attack), you should still run a software firewall to be able to control what programs can access the Internet. A properly configured (this is *critical*) firewall can alert you to any spyware on your system trying to connect out (this can include Windows components like Media Player) and can provide further useful features like web and ad filtering.
     
  4. Cap

    Cap Registered Member

    Joined:
    Jul 8, 2004
    Posts:
    9
    Thanks for the reply Paranoid.
    I have ZA 4.5 running and nod32 trial. Nod has found nothing on my system. Today I noticed svchost on port 1025,1026 with about 20 entries in pedemo, under procID 0. I also regularly run adaware. Gonna try some online virus scanners. I am also running tds 3 trial on startup, although I admit im new to it and not sure if i have it configured correctly.
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hello Cap, welcome to forums :)

    Just create rulesets to block the Netbios and 445 ports. see pic... Everything will work.

    In relation to TDS and 'set-up' here is a great link for you...

    HERE

    Scroll down to TDS configuration link by FanJ to get a pretty good basic set up.

    Hint: The vast majority of us do NOT have TDS starting up with Windows, as takes too long, especially the Process Memory Space Scan on start-up even manually. We usually just make sure that one gets done during a full system scan.
     

    Attached Files:

    • 065.GIF
      065.GIF
      File size:
      10.4 KB
      Views:
      77
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Svchost.exe does a lot of things on a Windows XP system - some of it critical (like DNS and DHCP), others optional (Windows Help, time synchronisation, UPnP) and some downright dangerous (DCOM/RPC access - used by worms like MSBlast).

    I would suggest checking section E of A Guide to Producing a Secure Configuration for Outpost for recommendations on what to allow and what to block. Although it is written for Outpost, it should be straightforward enough to implement in ZoneAlarm Pro (if you are using ZA Free then you do not have the ability to finetune rules to this extent - either consider an upgrade to Pro or try out Kerio/Outpost).
     
  7. Cap

    Cap Registered Member

    Joined:
    Jul 8, 2004
    Posts:
    9
    Thanks for the info and link Tassie Devils. Paranoid thanks again for replying.

    Paranoid, If svchost is used for these different things, Is it possible to know which svchost process is doing what? I know from experience ;) that killing all instances shuts down the system. I can usually kill all but one.
    In services I have UPNP disabled, Help, and Windows time disabled. I have also used grcs dcom disabler program.
    Well before i ask too many more questions that are probably answered in the links you guys have provided, Ill get to reading them. Thanks again.
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    It is normal and required for proper OS functionality for certain services on a system to listen on a number of ports locally. Trying to shut all these down, will result in what you experienced, an inoperable system.

    What is important, is to restrict access to these listening services. You mention that you are behind a router, which should be blocking all unsolicited connection attempts if properly configured. The firewall on your system should also be protecting these required listening services providing you have not allowed inbound connections.

    One site you could use as a reference/guide for which services you may require is blackviper.com.

    Regards,

    CrazyM
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Using a firewall to limit svchost access by port and destination is the only reliable way to restrict its activities (even if you have disabled unnecessary services, it is still possible for malware to invoke svchost to gain network access).

    In addition to CrazyM's links, I would suggest you review the article Minimizing Windows network services for details on closing default open ports manually - GKWeb has also produced a tool WWDC for closing common ports.
     
  10. Cap

    Cap Registered Member

    Joined:
    Jul 8, 2004
    Posts:
    9
    Crazy M, thanks for the info. I actually have BlackVipers site listed in my favorites.

    Paranoid thanks again for the links and info, once again It seems I have much more reading to do ;)
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Considering BlackViper originally put the page up to help get dates it does seem to get pretty wide coverage! :D
     
Loading...
Thread Status:
Not open for further replies.