Vulnerability questions: port 1025, Kazaa

Discussion in 'other security issues & news' started by Yinda, Jan 29, 2003.

Thread Status:
Not open for further replies.
  1. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    I'd like to be advised on vulnerability problems. My system is W2k, NTFS with password protected logon, VirusScan, Outpost, SpyBot S&D, SpywareBlaster, SpywareGuard.

    1. Port 1025 not stealthed ?

    According to netstat, I have had the following lines :
    TCP 0.0.0.0:135,445,1025-1027,1246,1248,1251
    TCP MyIPAddress:137-139,500
    UDP 127.0.0.1:1093,1387,1393

    According to http://www.cablemodemhelp.com/winmesec.htm, the 137-139 lines mean that the PC is vulnerable. But I have always seen "Block NetBIOS Traffic" messages in Outpost. Also, according to PCFLANK's tests, all ports are stealthed except for 1025. What does this mean ?

    2. My children would like to share files (KaZaA Lite). I don't like this idea but that's life. What should I do to improve security ?

    Thanks and regards,

    Yinda
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    When you do a netstat, that shows what ports are open. It does not indicate that they are open to the net though. It is the job of the firewall to stealth those ports and Outpost can stealth all ports. Make sure you are using the Outpost ruleset for Kazaa.
    Looks like something is holding 1025 open and you need to find out what program or service is doing that.
    I suggest you go to webattack.com and download and install Active ports. It should show you what program is holding 1025 open.
    There is another consideration though. PC Flank has been giving erroneous readings lately. Sometimes it is because it is picking up the wrong IP. I suggest you get scanned at a couple more sites like BlackCode
    http://www.blackcode.com/scan/
    and Security Metrics
    http://www.securitymetrics.com/securitytests.adp
    Make sure they have your correct IP.
    Also, if you have a proxy or your ISP uses one, or if you use a router, then they are getting scanned, and not your computer.
     
  3. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Thanks root.

    According to Active Ports, the port 1025 is opened by MSTask. I wonder why ! Since I have no scheduled task, and with the advice of http://www.answersthatwork.com/ on MSTask, I stopped it and the port 1025 is stealthed now. Note that I could not stop it using the task manager (access denied even for Admin), but using Active Ports.

    My IP address was correct. I retrieved it from the connection icon, and also verified it at http://whatismyipaddress.com/

    I'll visit the two links you mentioned. It is better to have multiple checks.

    Thanks again,

    Yinda
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    With W2K and the MSTask service running it is normal for it to be listening on your system.

    That is the simplest solution if you are not using the service. A tip if you should use the service in the future: MSTask will use random ports to listen on in the temp range 1024-5000, not just 1025. If an application rule for MSTask was required, it should block inbound to all local services/ports.

    Regards,
    CrazyM
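
Added example, not part of any post in this thread: a small Python parser for `netstat -an` output that separates what root and CrazyM describe above, namely which listeners are bound to loopback only, which are bound to a routable interface and therefore depend on the firewall, and which sit in the 1024-5000 range MSTask may pick from. The sample text is constructed from the ports in the first post; `192.0.2.10` and `198.51.100.7` are placeholder addresses.

```python
import ipaddress

# Constructed sample in `netstat -an` layout. Ports are the ones quoted in
# the first post; 192.0.2.10 stands in for "MyIPAddress" (assumption).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1246        198.51.100.7:80        ESTABLISHED
  UDP    192.0.2.10:500         *:*
  UDP    127.0.0.1:1093         *:*
"""

DYNAMIC_RANGE = range(1024, 5001)  # the "temp range 1024-5000" from the thread


def classify(netstat_text):
    """Return one dict per listening socket, describing its bind scope."""
    results = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # UDP rows have no state column; TCP rows count only when LISTENING.
        if proto == "TCP" and state != "LISTENING":
            continue
        host, _, port_text = local.rpartition(":")
        port = int(port_text)
        addr = ipaddress.ip_address(host.strip("[]"))
        if addr.is_loopback:
            scope = "loopback-only"      # never reachable from the network
        elif addr.is_unspecified:
            scope = "all-interfaces"     # 0.0.0.0: every local address
        else:
            scope = "single-interface"
        results.append({
            "proto": proto,
            "port": port,
            "scope": scope,
            # For non-loopback binds, only the firewall decides reachability.
            "needs_firewall_rule": scope != "loopback-only",
            "dynamic_port": port in DYNAMIC_RANGE,
        })
    return results
```

A listener reported with `needs_firewall_rule` set is exactly the case where an external scan result depends on the firewall ruleset rather than on netstat.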
     
  5. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Do you mean that MSTask needs to open a port in order to listen on the system and, because of that, the port is visible to outside too ?

    Thanks and regards,

    Yinda
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Yinda

    Yes MSTask will listen and depending on the firewall and configuration you may be required to make a rule for it.

    Regards,
    CrazyM
     
  7. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi CrazyM,

    As you recommended, I added the following rule for MSTask in Outpost:
    Where the direction is Inbound
    Deny it

    Despite this, the port 1025 (used by MSTask according to Active Ports) is always found open by PCFLANK and Blackcode scans. SecurityMetrics doesn't scan 1025.

    Am I doing something wrong ? Ok, open doesn't mean accessible, but I'd like to see it stealthed.

    Another point, a phase 2 scanning process from Blackcode site seems to be looping (always loading). Then Outpost displays:
    Application=MSTASK.EXE, Remote Host = www.blackcode.com, Remote Port = 47325.

    What does a remote scan have to do with MSTask?!

    Thanks,

    Yinda
     
  8. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi again. I'm not having any trouble with MSTask, probably because I have task scheduler disabled in Administrative tools\services. You can try that. Or, since you have a rule for MSTask, just block it both UDP and TCP, period.
    Also, just to make sure you don't have Opasoft worm, check here: http://vil.nai.com/vil/content/v_99930.htm
    I'm getting suspicious.
     
  9. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi root,

    According to the McAfee security link, the worm has been known since end of December. Since I use VirusScan with auto update, there should be no problem. Anyway, I have just scanned the 2 HD's : no problem.

    As for blocking UDP and TCP, you remember that the rule is "Where the direction is Inbound, deny it". Doesn't this include both UDP and TCP ?

    In view of answering your post, I have just done a last test: the port 1025 is stealthed ! And Outpost confirms that the pcflank test has been blocked by "MSTASK Custom Rule #1" !

    Anyway, I want to disable MSTask as you do. I'll check the panel you mentioned in order to learn more about services.

    Thanks a lot.

    Yinda
     
  10. controler

    controler Guest

    If you are going to use Kazaa, USE Kazaa Lite

    Moderator edit: "Link removed" (If you don't like spyware, then don't use Kazaa. But, this board cannot condone the use of software in such a way that it violates EULA or any laws.)

    They even advertise Spybot Search & Destroy for removing spyware and include a hosts file to remove popups and ads.
    Check it out ;)
    To read a bit on their host file and a How To, click on the supertrick link on the left of the page.
     
  11. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi controler,

    Sorry for your link. Indeed I installed Kazaa Lite, which claims to be spyware free.

    Actually, I am much more interested in learning than in using Kazaa itself. I'd like to know how a host file can help remove popups and ads. As far as I remember, KL doesn't change the host file, but Diet Kazaa does. And I uninstalled Diet Kazaa just because it inserts some Kazaa related links in the host file.

    Regards,

    Yinda
     
  12. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    After some reading on the host file, I know how it helps block popups and ads. Changing the host file is not (always) a bad thing !

    I always learn a lot from this forum. Thanks to all of you.

    Yinda
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Yinda,

    Probably this is the site you found, but just in case: http://www.accs-net.com/hosts/ which I found very informative.

    Regards,

    Pieter
     
  14. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi Pieter,

    Yes, it's very informative !

    Thanks,

    Yinda
     