port 12345-12346 with Sygate SPF5.0

Discussion in 'other firewalls' started by gerico, Feb 18, 2003.

Thread Status:
Not open for further replies.
  1. gerico

    gerico, Registered Member (Joined: Jul 6, 2002; Posts: 14)

    I have a problem with Sygate PF 5.0 r1150:
    with a port scan I find all ports stealthed, except ports
    12345-12346, which are only "closed".

    What's really annoying is that the Sygate scan (http://scan.sygate.com) considers those ports "blocked", while other scanners (pcaudit.com, pcflank.com) report them only as "closed".

    Moreover, I can't see the packets to ports 12345 and 12346 in the packet log.

    Could someone with Sygate SPF5.0 tell me if this is normal or not?
    I've scanned my system for NetBus but I haven't found anything.
     
  2. root

    root, Registered Member (Joined: Feb 19, 2002; Posts: 1,723; Location: Missouri, USA)

    I don't use Sygate, but I don't think that's normal.
    If you use NT, 2k, or XP (I think) you could download Active Ports from Webattack and see if some program is using those two ports.
    http://www.webattack.com/get/activeports.shtml
    There are a couple of other trojans that use those two ports besides NetBus. It's worth investigating further.
    You might also see what Kalish says. It checks 12345.
    http://www.mycgiserver.com/~kalish/
    I assume you checked to make sure they have been getting the right IP for you when you get scanned.
     
  3. gerico

    gerico, Registered Member (Joined: Jul 6, 2002; Posts: 14)

    Your test says 12345 is stealthed, but I still can't see the packets destined for 12345 in the Sygate packet log.
    It's very difficult to say what's happening; maybe a new trojan that intercepts packets before SPF.


    ================================
    Attempting connection with your port 8080.
    Cannot open TCP socket on port 8010.
    java.net.SocketException: Address already in use No TCP port is detected (stealth).

    Attempting connection with your port 12345.
    No TCP port is detected (stealth).

    Attempting connection with your port 12345.
    Cannot open TCP socket on port 8080.
    java.net.SocketException: Address already in use No TCP port is detected (stealth).


    Test complete.
    Number of connections established = 0.

    Number of refused connections = 0.

    Number of stealthed ports = 97.
    ================================
     
  4. gerico

    gerico, Registered Member (Joined: Jul 6, 2002; Posts: 14)

    I've tried removing SYGATE SPF (even from the startup), then I installed KERIO 214, just to see if the firewall was the problem.
    However, nothing new: 12345-12346 still show as "closed", as you can see below, and I'm still unable to see the 12345-12346 packets, even in the KERIO log!
    Maybe my system has been corrupted...

    ================================
    Infector 35000 stealthed

    NetBus 12345 closed

    NetBus 12346 closed


    We have determined there are no open Trojans' ports on your system. But following ports we scanned are non-stealthed: 12345, 12346.

    Although these ports are non-stealthed, they are not open, so your system is not infected. However, having non-stealthed ports on your system means your computer can be "seen" over the Internet. This makes your system a potential target for remote attacks.

    Recommendation:

    The absence of a Trojan horse on your system does not mean this problem cannot happen, of course. Anti-virus and/or anti-Trojan software should be installed and used on your system. If you already use this type of software on your system, its virus definitions (virus database) should regularly be updated. If you have a firewall, check if it is set to make all your computer ports stealthed.
     
  5. root

    root, Registered Member (Joined: Feb 19, 2002; Posts: 1,723; Location: Missouri, USA)

    Is it possible your ISP is using a proxy?
    What is your OS?
    Did you try Active Ports?
    Are you on a network or small LAN?
    You can also download StartupList, and look for strange entries starting up.
    http://www.tomcoyote.org/hjt/
    There's a reason for those ports not being stealthed, or the port scanners are wrong.
     
  6. gerico

    gerico, Registered Member (Joined: Jul 6, 2002; Posts: 14)

    Finally, I've found the reason: it wasn't a trojan, only a problem with my current provider, which was blocking packets addressed to ports 12345-12346, and I was unable to receive any data from these ports.

    It took a week to solve the matter.

    The conclusion is that the PCFLANK.COM advanced port test is the best around...
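
The triage worked through in this thread, as an added example that is not part of the original posts: one TCP connect attempt separates "open", "closed" (refused) and "stealthed" (no reply), and combining the online scanner's verdict with a local check and the firewall packet log points to where the answer came from. The names `classify_port` and `diagnose` are hypothetical, and the code assumes the firewall logs every inbound packet it handles.

```python
import socket

def classify_port(host, port, timeout=2.0):
    """One TCP connect attempt: 'open', 'closed' (refused) or 'stealthed' (no reply)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"          # something answered with a TCP RST
    except socket.timeout:
        return "stealthed"       # probe was dropped, nothing came back
    except OSError:
        return "error"           # e.g. network unreachable
    finally:
        s.close()

def diagnose(remote_verdict, local_state, seen_in_firewall_log):
    """Combine the online scanner's verdict with two local observations.

    remote_verdict: what the external scan reported for the port
    local_state: classify_port("127.0.0.1", port) run on the scanned machine
    seen_in_firewall_log: whether the firewall's packet log shows the probe
    Assumption: the firewall logs every inbound packet it handles.
    """
    if local_state == "open":
        return "local listener: find the owning process"
    if remote_verdict == "open":
        return "inconclusive: scanner may have probed a different IP"
    if not seen_in_firewall_log:
        return "upstream: probes were answered or dropped before this host"
    if remote_verdict == "closed":
        return "host sent RST: firewall is not dropping this port"
    return "firewall dropped the probe"

if __name__ == "__main__":
    for port in (12345, 12346):
        local = classify_port("127.0.0.1", port, timeout=1.0)
        # Constructed inputs matching the thread: the scanner said "closed"
        # and nothing appeared in the packet log.
        print(port, local, "->", diagnose("closed", local, False))
```

Probing 127.0.0.1 will miss a listener bound only to the external interface, so a process-to-port listing remains the stronger local check.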
     