Vulnerability questions: port 1025, Kazaa

Discussion in 'other security issues & news' started by Yinda, Jan 29, 2003.

Thread Status:
Not open for further replies.
  1. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    I'd like to be be advised on vulnerability problems. My system is W2k, NTFS with password protected logon, VirusScan, Outpost, SpyBot S&D, SpywareBlaster, SpywareGuard.

    1. Port 1025 not stealthed ?

    According to netstat, I have had the following lines :
    TCP 0.0.0.0:135,445,1025-1027,1246,1248,1251
    TCP MyIPAddress:137-139,500
    UDP 127.0.0.1:1093,1387,1393

    According to http://www.cablemodemhelp.com/winmesec.htm, the 137-139 lines mean that the PC is vulnerable. But I have always seen "Block NetBIOS Traffic" messages in Outpost. Also, according to PCFLANK's tests, all ports are stealthed except for 1025. What does this mean ?

    2. My children would like to share files (KaZaA Lite). I don't like this idea but that's life. What should I do to improve security ?

    Thanks and regards,

    Yinda
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    When you do a netstat, that shows what ports are open. It does not indicate that they are open to the net though. It is the job of the firewall to stealth those ports and Outpost can stealth all ports. Make sure you are using the Outpost ruleset for Kazaa.
    Looks like something is holding 1025 open and you need to find out what program or service is doing that.
    I suggest you go to webattack.com and download and install Active ports. It should show you what program is holding 1025 open.
    There is another considerations though. PC Flank has been giving erronious readings lately. Sometimes it is because it is picking up the wrong IP. I suggest you get scanned at a couple more sites like BlackCode
    http://www.blackcode.com/scan/
    and Security Metrics
    http://www.securitymetrics.com/securitytests.adp
    Make sure they have your correct IP.
    Also, if you have a proxy or your ISP uses one, or if you use a router, then they are getting scanned, and not your computer.
     
  3. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Thanks root.

    According to Active Ports, the port 1025 is opened by MSTask. I wonder why ! Since I have no scheduled task, and with the advice of http://www.answersthatwork.com/ on MSTask, I stop it and the port 1025 is stealthed now. Note that I could not stop it using the task manager (access denied even for Admin), but using Active Ports.

    My IP address was correct. I retrieved it from the connection icon, and also verified it at http://whatismyipaddress.com/

    I'll visit the two links you mentioned. It is better to have multiple check.

    Thanks again,

    Yinda
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    With W2K and the MSTask service running it is normal for it to be listening on your system.

    That is the simplest solution if you are not using the service. A tip if you should use the service in the future: MSTask will use random ports to listen on in the temp range 1024-5000, not just 1025. If an application rule for MSTask was required, it should block inbound to all local services/ports.

    Regards,
    CrazyM
     
  5. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Do you mean that MSTask needs to open a port in order to listen the system and, because of that, the port is visible to outside too ?

    Thanks and regards,

    Yinda
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Yinda

    Yes MSTask will listen and depending on the firewall and configuration you may be required to make a rule for it.

    Regards,
    CrazyM
     
  7. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi CrazyM,

    As you recommended, I added the following rule for MSTask in Outpost:
    Where the direction is Inbound
    Deny it

    Despite of this, the port 1025 (used by MSTask according to Active Ports) is always found open by PCFLANK and Blackcode scans. SecurityMetrics doesn't scan 1025.

    Am I doing wrong ? Ok, open doesn't mean accessible, but I'd like to see it stealthed.

    Another point, a phase 2 scanning process from Blackcode site seems looping (always loading). Then Outpost displays:
    Application=MSTASK.EXE, Remote Host = www.blackcode.com, Remote Port = 47325.

    What does a remote scan has to do with MSTask?!

    Thanks,

    Yinda
     
  8. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi again. I'm not having any trouble with MSTask, probably because I have task scheduler disabled in Administrative tools\services. You can try that . Or, since you have a rule for MSTask, just block it both UDP and TCP, period.
    Also, just to make sure you dont have Opasoft worm, check here: http://vil.nai.com/vil/content/v_99930.htm
    I'm getting suspicious.
     
  9. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi root,

    According to the McAfee security link, the worm is known since end of December. Since I use VirusScan with auto update, there should be no problem. Anyway, I have just scanned the 2 HD's : no problem.

    As for blocking UDP and TCP, you remember that the rule is "Where the direction is Inbound, deny it". Doesn't this include both UDP and TCP ?

    In view of answering your post, I have just done a last test: the port 1025 is stealthed ! And Outpost confirms that the pcflank test has been blocked by "MSTASK Custom Rule #1" !

    Anyway, I want to disable MSTask as you do. I'll check the panel you mentioned in order to learn more about services.

    Thanks a lot.

    Yinda
     
  10. controler

    controler Guest

    If you are going to use Kazza , USE Kazza Lite

    Moderator edit: "Link removed" (If you don't like spyware, then don't use Kazaa. But, this board cannot condone the use of software in such a way that it violates EULA or any laws.)

    They even advertise Spybot Search & Destroy for removing spyware and include a hosts file to remove popups and ads.
    Check it out ;)
    To read a bit on their host file and a How To, click on the supertrick link on the left of the page.
     
  11. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi controler,

    Sorry for your link. Indeed I installed Kazaa Lite, which claims to be spyware free.

    Actually, I am much more interested in learning than in using Kazaa itself. I'd like to know how a host file can help removing popups and ads. As far as I remember, KL doesn't change the host file, but Diet Kaza does. And I uninstalled Diet Kaza just because it inserts some Kazaa related links in the host file.

    Regards,

    Yinda
     
  12. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    After some readings on host file, I know how it helps blocking popups and ads. Changing host file is not (always) a bad thing !

    I always learn a lot from this forum. Thanks to all of you.

    Yinda
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Yinda,

    Probably this is the site you found, but just in case: http://www.accs-net.com/hosts/ I found very informative.

    Regards,

    Pieter
     
  14. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi Pieter,

    Yes, it's very informative !

    Thanks,

    Yinda
     
Loading...
Thread Status:
Not open for further replies.