NETBIOS Port Confusion

Discussion in 'Port Explorer' started by barnesy, Jan 20, 2004.

Thread Status:
Not open for further replies.
  1. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
    Some time ago I ran a web-based security check from Symantec. It identified an exposure with NETBIOS (possibly ports 137, 138, 139?) which it then fixed. I assumed this worked OK as the Network setting in Control Panel is no longer showing NETBIOS entries.

    After installing PE, the socket list however still shows the NETBIOS ports with 137, 138 showing both TCP and UDP, and 139 TCP only. o_O

    I don't need these ports (not running a home network) but can't kill or disable them in PE. What can be done to remove them?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Steve, if you look at the PE window that shows these ports, are these entries shown as follows:

    *System Process ID4 137 *.*.*.* Local host

If so, this is your own PC (System) and localhost, as there is no remote port listed. You cannot kill these sockets, as the option will be greyed out in the menu, and these sockets are usually necessary for your system to operate correctly.

    From PE help file:
    Blue - System Sockets
    Blue sockets indicate ownership by either the System process or by a registered service process (usually started by the operating system). It is possible for trojans to register themselves as service processes, but this is very rare.
     
  3. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
The entries were similar to the one above, but showing up as black in the sockets list. The menus were greyed out, so I couldn't kill/disable them, so my thinking then was how to make those ports unnecessary in the system (W98SE).

    Visited grc.com where there are several pages that provide an excellent explanation of the problem and its resolution (and rather scary unless you like making your drives and their contents available to everyone on the Internet). Link is:
    http://grc.com/su-fixit.htm

    By following instructions here I have managed to solve the problem and all entries for ports 137, 138 and 139 are now gone. :D :D

    All the processes named *SYSTEM in my sockets list show as black, not blue, and that is with the defaults applied. There are no blue entries at all!
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Steve, glad you've got it sorted :)

That is because W98 does not handle sockets in the same way as NT-based systems :)

Here is a bit more information. It is well worth reading through the help file and FAQs :D

    Again from the help file:

    Why do some processes show as --NETSTAT-- when others display the actual process?
    Under Windows 95/98/ME, Port Explorer isn't always able to map all ports back to their parent processes. This is because some of these processes (system services) start before Port Explorer is initialised by the operating system. However, the common "netstat" program can see them, so Port Explorer combines both results into one table, showing the netstat sockets as '--NETSTAT--'.

    TIME_WAIT sockets will also often display as --NETSTAT--, as the system has taken ownership of these sockets.

    What do the colors of the sockets (red, black, blue) indicate?
    Each color indicates the type of parent process that the socket belongs to. The colors can be altered to your personal preferences, but the default colors are:
    Blue - system process. These are processes that normally start as services.
    Black - normal process. Most applications will display in this color. Black indicates that the program has at least one visual property, such as a window, that is on-screen.
    Red - hidden process. Rare, as this only applies to hidden servers - processes that run invisibly but use sockets (as nearly all remote access trojans do). This is extremely efficient at detecting trojans, but red doesn't necessarily confirm that a process is a trojan. Sockets can also display as red if their parent process has hung or crashed but not yet terminated.
    For a further detailed explanation, please see Socket Colors.
     
  5. grant

    grant Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    11
Been kicked out twice after writing long posts which have been lost. Says someone is logged in under the same name.
     
  6. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
    Thanks, Pilli. I had read the help info - start to finish, so including the parts on socket colours.

    Just hadn't grasped the significance of the difference between the Win 9x approach and NT type services (as I use W98SE) and so why I had no blue entries.

    I suppose when you are just starting out with this stuff...
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Hi Grant, for long postings it is advised to first copy the text to the clipboard before pressing send, as it can sometimes happen that we drop out.
To stay logged in, select that option in your login, so you can be in the forum logged in at all times, without being dropped because of time settings.
    Hope this helps.
    Looking forward to your postings!
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
OK Steve, glad to have been of help. Yes, it does take a bit of reading to get your head round some of the concepts :)

    Have fun. Pilli
     