Closing Ports

Tiquea

Junior Member
Jan 9, 2005
5
0
0
I'm using Windows XP Pro SP2, no servers being used, just an ordinary PC. Further to this I'm also using Norton Firewall and I would like to close the following ports on my computer:

Port 1025

Port ICMP Ping

Port 23 Telnet

Port 80 HTTP


I don't know how to close these ports on my computer, does anyone know how?
 

montag451

Diamond Member
Dec 17, 2004
4,587
0
0
You should be able to do this in Norton, but you do realise that you are probably not going to be able to access the internet if you shut off port 80.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Welcome to the Forums Tiquea :) If you have broadband of some kind (cable, DSL, satellite, etc) then another option is to get a router (they're a good idea anyway) and you can block whatever ports you want to block, in both directions.

I'm on dial-up, but if I were getting a new router, I would probably get a Netgear RP614 and block both TCP and UDP traffic on all ports except these:

20 and 21 for FTP
25 for SMTP email if I'm using it
53 for DNS
80 for Internet access
110 for POP3 email if I'm using it
135 for Network Time Protocol if I want WindowsXP to be able to sync to outside time servers
443 for HTTPS Internet access

and then if I had a game that used, say, port 7777 and 7778, I could set up Port Triggering for those ports, so my system can initiate connections on them when needed.
 

mechBgon

Thanks :D I like the hardware solution and I like slamming the door on all the unnecessary ports and just opening the ones I'll need. There's a boatload of malware that will try to do stuff like this one does:
Opens a back door by connecting to the IRC channel #iso through TCP port 3515, on one or more of the following hosts:

x.x1secure.com
ssl.tichrondius.com

The worm will listen for commands that allow the attacker to perform the following actions:

- Download and execute files
- List, stop, and start processes and threads
- Launch ACK, SYN, UDP, and ICMP denial of service attacks
- Perform port redirection
- Send files over IRC
- Send email using its own SMTP engine
- Start a local HTTP, FTP, or TFTP server
- Search for files on the compromised computer
- Log keystrokes to file
- Access network shares and copy itself to those network shares
- Scan the network for vulnerable hosts by means of port scanning
- Captures screenshots, data from the clipboard, and video from webcams
- Visit URLs
- Flush the DNS and ARP caches
- Open a command shell on the infected computer
- Start a SOCKSv4 proxy server
- Add and delete network shares and disable DCOM
- Reboot the infected computer

This type of stuff's enough to give me bad dreams at night! :Q Anyway, blocking all traffic on unnecessary ports could provide "damage control," if the user takes the time to configure his router to do so.
 

Tiquea

Nice to meet you mechBgon and montag451 :) My concern was alerted to these four ports when I went to the Symantec website and did a security check on my computer using their security checking facility and it came up with the three ports on my computer as being a security risk from hackers and one port being at risk from trojans.

I've tried to go through Norton Firewall to close these ports but I'm not sure about technical details when I get there so I don't properly know what to block or permit when I'm in Norton Firewall so consequently it's hit-and-miss for me to get the right thing blocked... I will keep trying and hope I don't cut out something important! :shocked:

That's a new idea for me about a router, from what you've said mechBgon it sounds as though they would do a good job of keeping ports secured on my computer, but as far as routers go I don't know what they are or what their main purpose is. How do they work and connect up with my computer? Do I need separate software to run a router on my computer, and are they internal or external hardware? :confused:

Also if it helps I am on an ordinary 56k dial-up connection.
 

mechBgon

I'm on 56k dial-up too :( and routers are for broadband, so that's not going to work for you either.

Let me ask you this: what precise version of antivirus software do you have (example: Norton Antivirus 2003 or McAfee VirusScan 8.0, not just "Norton"). Because if you have Norton Firewall running (or seemingly running) and your system's visible on Port 80 and ICMP Ping from the outside, then I have a suspicion your system's been hit by a Trojan or something. And if that's the root problem, it needs addressing urgently.
 

Tiquea

It's a pity about not being able to use a router on 56k dial-up, why aren't they able to work like that?

Norton Internet Security 2004 and Norton SystemWorks Pro 2004 are both in operation (or seem to be) on my computer. You say I might have a Trojan (or something?) somewhere, this is where I get close to my present knowledge limits about that sort of thing but I am trying to learn fast because I have a feeling I need to! If it is a Trojan could its removal help me get my ports closed?

I have already installed SpyBot S&D which also seems to be doing its job. I have installed CCleaner which seems to do quite a good job removing junk littered about my computer and I've also installed TweakNow RegCleaner which seems to work well too. I thought these might be enough to keep my computer clean but maybe they are not enough! Can anyone suggest a better combination?

Recent regular virus scans by Norton Anti-virus have not found anything, except recently actually now that I come to think of it! Hang on, Ok, I've just found a list of files which I wrote down after a scan that my Norton Anti-virus made a couple of weeks ago or so, these files showed up at the end of a scan and did not refer to any viruses but instead they were referring to Adware or Spyware, and when I clicked on fix/delete at the end of the scan it didn't seem to fix the problem but instead it asked me if I wanted to make an exception of these files because they were not fixed/deleted so perhaps I would like to except them from future scans! I did not choose to except these files from future scans! The thing is that I ran Norton Anti-virus scan several times that day and the same thing kept happening. The next day I ran the virus scan again and it continued to show the same results, that is until later on in the day when I ran the virus scan once more and the files previously found were all gone! :confused:

Here are the file names that I wrote down, do they mean anything to anyone:

Dc1.exe
Dc2.exe
Dc3.EXE
Dc4.EXE
Dc5.DLL
Dc6.GIF
Dc7.EXE
Webhdll.dll
WhAgent.exe
Whiehlpr.dll
whInstaller.exe
WhSurvey.exe

I tried exploring and searching my computer for the file names and found a few of them which I deleted but I did not find all of the above files in the list even though the Norton scan showed them as being there.

Does any of this make any sense to anyone, and might it be related to my problem of having ports open?
 

mechBgon

Try the free Microsoft Antispyware beta, there is a link to it on Microsoft's home page. Also do these things:

1) update Norton with today's daily update from here

2) ensure that Norton Antivirus is set to use maximum Heuristics for both manual scans and also for its autoprotect scanning

3) ensure that Norton Antivirus is set to scan inside of compressed files

4) disable System Restore, reboot into Safe Mode, and run an exhaustive Norton Antivirus scan while in Safe Mode

5) while you are in Safe Mode, also do the Microsoft Antispyware scan and a Spybot Search & Destroy scan

6) get Microsoft Baseline Security Analyzer (link is in my signature at the moment) and also run a MBSA scan. Correct whatever problems it points out.


If Norton Firewall is proving too difficult to deal with for you, then after removing any malware, update WindowsXP with Service Pack 2 and enable the Windows Firewall instead. Set it to not allow any exceptions.
 

Tiquea

Good suggestions mechBgon, my computer is already using XP SP2 and I'm considering removing Spybot S&D from my computer now and running with just the Microsoft Antispyware beta because the Microsoft Antispyware beta found things that Spybot S&D didn't previously find even in safe mode, so although I'm well pleased with finding and removing new threats on my computer I'm not so convinced about Spybot S&D anymore. What do you think? Anyhow, even with the removal of the threats found, none of the four ports were closed as a result.

The Microsoft Baseline Security Analyzer I found would not run unless I was online (whether in safe mode or not), and when I went online and successfully completed a scan using it there was nothing in its results to be worried about, it all seemed quite clear, and still the four ports are open....

I did a virus scan, spyware scan, disk clean and even a defrag all in safe mode but still the four ports have not been closed as a result....

Norton I can live with for now and learn, I found how to make sure it was scanning things how you suggested but still even though I went into safe mode and did a full virus scan the results did not bring up a single threat from it, not one, and those four ports are still open!

From the scans you suggested and the advice from your last post mechBgon I feel my computer is cleaner and better off, but perhaps I need to discover more about how to configure my Norton firewall :( or does it sound as though there is still something else which can be tried?

I even did an online Trojan Horse scan using a website I found called http://www.windowsecurity.com/ but that found nothing, although I don't know if this website or its facilities can be trusted because I've never heard of it before a couple of days ago, any thoughts on this?

Still wishing my four ports were closed...
 

montag451

Could try another firewall.

Keep spybot, always a trusty old friend. Even if you think you have a better one at the moment.
 

mechBgon

If you can't figure out how to configure Norton, then uninstall it and enable your Windows Firewall, and set it to not allow any exceptions.
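
The thread never establishes which program is holding the reported ports open. The following is an added example, not part of any post above: it parses `netstat -ano` output and reports which of the ports named in the thread (23, 80, 1025) have a local listener reachable from outside, together with the owning PID. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Ports the online scan in this thread reported as reachable.
REPORTED_PORTS = {23, 80, 1025}

# Constructed sample of `netstat -ano` output (not captured from the poster's PC).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1764
  TCP    10.0.0.5:1042          192.0.2.10:80          ESTABLISHED     2312
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local addr:port, foreign addr, optional State (absent for UDP), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def listeners(netstat_text):
    """Return local listening sockets as dicts: proto, addr, port, pid, exposed."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers and blank lines
        proto, addr, port, _foreign, state, pid = m.groups()
        # An ESTABLISHED row to a remote port 80 is outbound browsing,
        # not a local web server, so only LISTENING TCP rows count.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append({
            "proto": proto, "addr": addr, "port": int(port), "pid": int(pid),
            # Loopback-only listeners cannot be reached from the Internet.
            "exposed": not addr.startswith("127."),
        })
    return found

def reported_and_listening(netstat_text, reported=REPORTED_PORTS):
    """TCP listeners on a reported port that are bound to a non-loopback address."""
    return [s for s in listeners(netstat_text)
            if s["proto"] == "TCP" and s["port"] in reported and s["exposed"]]

if __name__ == "__main__":
    for s in reported_and_listening(SAMPLE_NETSTAT):
        print(f"TCP {s['port']} is held open by PID {s['pid']} on {s['addr']}")
```

On the PC itself, feed the functions the text produced by `netstat -ano`; the PID can then be matched against the PID column in Task Manager to name the program behind each listener.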