I am new to this defense suite, but I'm willing to put the time in to learn. I was unsure where to begin, so I started with a port scan and have attached a file containing the results. How can I determine which ports should be in use and which should not? Does anyone have any suggestions on reading material that will help me? Thanks.
Just to let everyone know, I found a good starting point for reading material. Who would have thought to look in the TDS help file? I'm still open to any suggestions.
Hi again Dallen, good to see you learning! The Help Manual is a respected piece of information in which you find more than info about pressing the right button! You have this forum, and as a licensed TDS operator you can now also ask for access to the TDS private (licensed operators only) areas in the DCS forums (see link in my signature) for lots more info and backgrounds. Did you also check your TDS configuration with the basics FanJ described in his thread http://www.wilderssecurity.com/showthread.php?t=2871 ? If you look in TDS > Utilities > Port Reference, you can type in the port numbers and see if there is a special description for them. PE has the same function, btw. Seeing those ports in use can be because of your system settings; maybe you have sockets installed to listen on default trojan ports, some software using those ports like 443 and 445, such things. I suppose you see the same in the PE netstat sockets list, right?
Which ports are open isn't an overly accurate method to detect trojans, but of course knowing which ports are open is useful! Use Port Explorer to see which ports are being used by which process, and then you will have a much better indication of what is going on. Use TDS to run scans on files you are unsure about, and scan the rest of your system, most importantly memory. The rest of the nice people on the forums will help you learn the advanced features when you are ready. Of course, the help file does list a lot.
Hi dallen, if you could give us some information about your OS, then you'll get a couple of hints about what to think of ports 135, 139, 445 and 5000 (what services are they? are they necessary? if not, how can they be disabled?). Ports 80 and 443 look like you're running an HTTP server. If this is what you intended, then it's fine. If you've done the local port scan after some of your programs (e.g. browser, updaters) have already connected or are still connected to the Internet, then ports 1025-1038 are okay as well (when a program needs a connection, it is given ports starting from 1025 by the OS). I'd like to know what port 16200 is, though. Do you have an idea? If you don't, there are several tools (some free, some shareware; of course DiamondCS' Port Explorer is best at that) that can tell you which program uses that port... HTHH, Andreas
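The triage Andreas describes can be written down as a small script. The following is an added example and not code from the thread or from DiamondCS: it parses constructed Windows-style `netstat -an` output, looks each listening TCP port up in a service table built from the descriptions given in this thread, treats the unbroken run of ports from 1025 upward as OS-assigned client ports, and flags whatever is left (here 16200) for a process-level check with a tool such as Port Explorer. The service table, the column layout assumed by the parser and the sample listing are all assumptions made for the example.

```python
# Added example (not from the thread): triage a local port scan the way the
# replies suggest. Each TCP LISTENING entry is looked up in a small service
# table, a contiguous run of ports from 1025 upward is treated as OS-assigned
# client ports (as Andreas describes), and anything left over is flagged for a
# process-level check with a tool such as Port Explorer.
from dataclasses import dataclass

# Constructed service table; the descriptions follow the thread's replies.
KNOWN_SERVICES = {
    80: "HTTP server",
    443: "HTTPS server",
    135: "RPC endpoint mapper (NetBIOS/DCOM)",
    139: "NetBIOS session service (file sharing)",
    445: "microsoft-ds / SMB (file sharing)",
    5000: "Universal Plug and Play (UPnP)",
}

# Ports that Dolf's reply says should not accept inbound Internet connections.
INTERNET_EXPOSURE_REVIEW = set(range(135, 140)) | {445, 5000}

EPHEMERAL_START = 1025  # first port the OS hands to outbound client sockets (per the thread)


@dataclass
class Finding:
    port: int
    verdict: str  # "expected", "review-exposure", "ephemeral" or "unknown"
    note: str


def parse_netstat_tcp_listeners(text: str) -> list[int]:
    """Extract local ports from Windows-style 'netstat -an' output.

    Only TCP rows in the LISTENING state are returned; UDP rows have no state
    column and are ignored here for simplicity. Assumes the column layout
    'Proto  Local Address  Foreign Address  State'.
    """
    ports = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].upper() == "TCP" and fields[3] == "LISTENING":
            ports.append(int(fields[1].rsplit(":", 1)[1]))
    return ports


def triage_scan(open_ports) -> dict[int, Finding]:
    findings = {}
    next_ephemeral = EPHEMERAL_START
    for port in sorted(set(open_ports)):
        if port in INTERNET_EXPOSURE_REVIEW:
            desc = KNOWN_SERVICES.get(port, "NetBIOS name/datagram service")
            findings[port] = Finding(port, "review-exposure",
                                     f"{desc}; keep for the LAN, block inbound from the Internet")
        elif port in KNOWN_SERVICES:
            findings[port] = Finding(port, "expected", KNOWN_SERVICES[port])
        elif port == next_ephemeral:
            # Part of the unbroken run starting at 1025: consistent with client
            # connections (browser, updaters) that were open when the scan ran.
            findings[port] = Finding(port, "ephemeral", "OS-assigned client port")
            next_ephemeral += 1
        else:
            findings[port] = Finding(port, "unknown",
                                     "no known service and outside the client-port run; "
                                     "identify the owning process")
    return findings


def triage_netstat(text: str) -> dict[int, Finding]:
    return triage_scan(parse_netstat_tcp_listeners(text))


def unknown_ports(findings: dict[int, Finding]) -> list[int]:
    return sorted(p for p, f in findings.items() if f.verdict == "unknown")


# Constructed sample output covering the ports discussed in the thread.
SAMPLE_NETSTAT = "\n".join(
    ["Proto  Local Address          Foreign Address        State"]
    + [f"  TCP    0.0.0.0:{p:<16} 0.0.0.0:0              LISTENING"
       for p in (80, 135, 139, 443, 445, *range(1025, 1039), 5000, 16200)]
    + ["  UDP    0.0.0.0:137            *:*"]
)


if __name__ == "__main__":
    for f in triage_netstat(SAMPLE_NETSTAT).values():
        print(f"{f.port:>6}  {f.verdict:<16} {f.note}")
```

The "ephemeral" heuristic only accepts the contiguous run that starts at 1025, so a lone high port such as 16200 (or a gap in the run) is reported as unknown rather than quietly accepted; the verdict is a prompt to find the owning process, not a judgement that the port is hostile.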
Hi dallen, block ports 135-139, 445, and 5000 tcp/udp from inbound connections. They have no use on the Internet and can cause you only trouble. Port 135-139: look here: https://nanoprobe.grc.com/x/ne.dll?bh0bkyd2 under file sharing and messenger spam. Port 5000: look here: https://grc.com/unpnp/unpnp.htm . Port 445: LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445. Windows XP with port 445 open allows remote attackers to cause a denial of service (CPU consumption) via a flood of TCP SYN packets containing possibly malformed data. (from dshield.org) Dolf
Hi guys, not so fast with tips to block some ports! I'm using ports 135, 139 and 445 myself as well. These ports are used by NetBIOS. If you are in a network, you need those ports to be open. If you use a firewall and/or a router besides, this works fine. So don't touch these ports prematurely! Otherwise you won't be able to use your network printer or to share or access files with other computers. Best regards, Patrice
Hi Patrice, I was only referring to inbound connections from the Internet. For local network interfaces you are right, although I don't see any reason for somebody to block any ports on his local network. Dolf
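The position Dolf and Patrice settle on (NetBIOS ports open for the LAN, closed to inbound Internet connections) is a question of rule scope, and it is easy to get wrong by blocking the port everywhere. The following is an added example, not code from the thread or from any firewall product: a first-match inbound rule evaluator that allows the NetBIOS/SMB/UPnP ports only from a local subnet, denies them from everywhere else, leaves the web server on 80/443 public, and denies everything else by default. The subnet, the rule names and the sample connection attempts are constructed for the example.

```python
# Added example (not from the thread): a first-match inbound filter that encodes
# the conclusion Dolf and Patrice reach above. NetBIOS/SMB/UPnP ports stay
# reachable from the local subnet so printers and file shares keep working, the
# same ports are denied to everything else, the web server on 80/443 stays
# public, and all other inbound connections are denied by default. The subnet
# and the sample connection attempts are constructed for the example.
import ipaddress
from typing import NamedTuple, Optional

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed local subnet
LAN_ONLY_PORTS = frozenset(range(135, 140)) | {445, 5000}
PUBLIC_PORTS = frozenset({80, 443})


class Rule(NamedTuple):
    name: str
    action: str                            # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network]   # None matches any source address
    ports: Optional[frozenset]             # None matches any destination port


INBOUND_RULES = [
    Rule("lan-netbios", "allow", LAN, LAN_ONLY_PORTS),
    Rule("internet-netbios", "deny", None, LAN_ONLY_PORTS),
    Rule("web-server", "allow", None, PUBLIC_PORTS),
    Rule("default-deny", "deny", None, None),
]


def evaluate(src_ip: str, dst_port: int, rules=INBOUND_RULES) -> tuple[str, str]:
    """Return (action, rule name) for the first rule matching the connection."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.src is not None and ip not in rule.src:
            continue
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        return rule.action, rule.name
    return "deny", "implicit-deny"  # reached only if no catch-all rule is present


# Constructed inbound connection attempts: (source address, destination port).
SAMPLE_ATTEMPTS = [
    ("192.168.1.20", 445),    # LAN host opening a file share
    ("192.168.1.20", 139),    # LAN host, NetBIOS session
    ("203.0.113.7", 445),     # Internet host probing SMB
    ("203.0.113.7", 5000),    # Internet host probing UPnP
    ("203.0.113.7", 80),      # Internet visitor to the web server
    ("192.168.1.20", 16200),  # LAN host to the unexplained port
]


def denied_attempts(attempts=SAMPLE_ATTEMPTS):
    """List the attempts a firewall with these rules would drop (a dry run)."""
    return [(ip, port, name) for ip, port in attempts
            for action, name in [evaluate(ip, port)] if action == "deny"]


if __name__ == "__main__":
    for ip, port in SAMPLE_ATTEMPTS:
        action, name = evaluate(ip, port)
        print(f"{ip:>14} -> :{port:<6} {action:<5} ({name})")
```

Rule order is what makes the scoping work: the LAN allow must precede the broad deny for the same ports, and the catch-all deny must come last. Running the dry run against a list of real connection attempts before changing a firewall is a cheap way to confirm that file sharing from the LAN is still allowed while the same ports are refused from the Internet.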