Port 143: open or not?

Discussion in 'other firewalls' started by POS, Oct 27, 2005.

Thread Status:
Not open for further replies.
  1. POS

    POS Guest

  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Look in Outpost. It has a display of which ports are open.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The first site is down, so I couldn't check.

    A port can show stealthed from the outside but can be listening inside. This is true on my Win2K system. Services and Svchost listen, but nothing gets in.

    Port 445 for example. Does your Outpost show open connections? Image below is the GRC test, then my firewall connections box, then netstat (microsoft-ds is the name of port 445).

    Recent logging shows the firewall blocking port 445:

    ---------------------------------------------
    [27/Oct/2005 11:59:48] Rule 'Deny All Remaining Protocols': Blocked: In TCP, 66-52-165-123.okld.pon.net [66.52.165.123:2825]->localhost:445, Owner: SYSTEM
    ---------------------------------------------

    You might check to see what is listening on port 143. Isn't this an email port for some programs?


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

  4. POS

    POS Guest

    Outpost does not show port 143 as an open port.
     
  5. Kerodo

    Kerodo Registered Member

    My best guess is that you don't have a problem then. Any open ports would be shown by Outpost, and Grc.com says you're good too. It is possible that the other site just gave you spurious results. I have seen this happen before myself at pcflank. Just to be sure, you could also try the Sygate scan at http://scan.sygate.com/
     
  6. Rmus

    Rmus Exploit Analyst

    The first site you listed is still down.

    Maybe someone can try it when it comes back up to see if we get the same results as you do.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. Rmus

    Rmus Exploit Analyst

    I found the site at

    http://www.hackerwatch.org/probe/

    and ran their scan and Port 143 shows secure. You might run it again just to check.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  8. Rmus

    Rmus Exploit Analyst

    Kerodo, try this scan and see what you get:

    http://www.seifried.org/security/ports/0/143.html

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  9. Arup

    Arup Guest

    I got all green with a score of 5 with CHX running but it shows my port 143 as open.
     
  10. Kerodo

    Kerodo Registered Member

    I get green here and have passed all the tests 100% stealth; however, I am behind a router. That one test shows my port 143 open, which is nonsense. Right now, in addition to the router, I have Kerio 4 installed, and see nothing in its logs, nor does it show that port open in the stats. So I would say that test is invalid (the 2nd one).

    The first test here: http://www.hackerwatch.org/probe/ shows my port 143 stealth.
     
  11. Rmus

    Rmus Exploit Analyst

    Same here, Arup.

    Kerodo,

    I received the same results as you in both tests, and agree with your conclusions.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  12. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    What does CurrPorts or netstat tell you?
     
    Last edited: Oct 27, 2005
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Port 143 is used for IMAP (Internet Message Access Protocol) which is a method of managing emails. It is therefore possible for a scan site to report this port as being open if you were retrieving emails using IMAP at the time (though this should not happen since the firewall should only allow incoming traffic from that server).

    However if one site only reports a port open, then it is more likely that it is giving a false alarm.
     
  14. Rmus

    Rmus Exploit Analyst

    Might the confusion be over what exactly is an open and closed port?

    -------------------------
    open port

    A TCP/IP port number that is configured to accept packets.

    Contrast with "closed port," which is set to deny all packets with that port number.

    http://www.pcmag.com/encyclopedia_term/0,2542,t=open port&i=48464,00.asp
    ---------------------------

    My assumption is that open and closed is controlled by the operating system. You close a port by disabling a program or service.

    An open port is either in a Connected state or Listening state, as the 'Open Connections at Local Host' box shows in my Post #3 above.

    Now, a port can listen all it wants to, but if the firewall blocks communication to a specific port, then nothing can enter.

    So, it's confusing when a probe test returns an "Open Port" result. I don't understand how an outside probe can see inside whether or not a port is open/closed. All the probe can determine is whether or not it can communicate with the computer via a certain port. Perhaps the probe results should state "able (or not able) to communicate with the computer" instead of "open" or "closed."

    My port 445 shows "closed" from the outside in these probe tests, but it is really Open/Listening inside as far as the computer is concerned.

    This has been my understanding - subject to revision if incorrect.


    -rich
    ________________
    ~~Opera is Great!!~~
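
Added example, not part of the thread or any poster's code: a Python sketch of the distinction discussed in the last post, showing that an outside probe classifies a port only by the reply it gets, while the inside view (what netstat reports) is a separate question. The function names `probe`, `locally_listening` and `demo` are hypothetical, and the scenario is constructed on loopback with an OS-chosen port and no firewall.

```python
import errno
import socket

def probe(host, port, timeout=1.0):
    """Classify a TCP port the way a remote scan page does: by the reply only."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"      # handshake completed: something accepted the connection
    except ConnectionRefusedError:
        return "closed"    # RST came back: host answered, nothing accepts on the port
    except socket.timeout:
        return "stealth"   # no reply at all, e.g. a firewall silently dropped the SYN
    except OSError:
        return "unreachable"
    finally:
        s.close()

def locally_listening(port, addr="127.0.0.1"):
    """Inside view (rough stand-in for netstat): is addr:port already bound?"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        s.close()

def demo():
    """Constructed scenario on loopback with an OS-chosen port, no firewall involved."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {"listening_locally": locally_listening(port),
              "probe_while_listening": probe("127.0.0.1", port)}
    listener.close()
    result["probe_after_close"] = probe("127.0.0.1", port)
    return result

if __name__ == "__main__":
    print(demo())
```

When a firewall drops inbound packets to a port that a service is listening on, the inside view stays true while the outside probe reports "stealth", which is the port 445 situation described in the thread.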
     