Port 22 and 443 "open"

[dredd2929]

I did a port scan at grc.com, and it said that ports 22 and 443 are Open. I was a little surprised because it's the first time I've ever had open ports (usually they've all been Stealth except a few times when a couple were Closed). I am behind a D-Link DGL-4300 router. I have the latest firmware, and I'm using Windows XP SP3 I'm connected to the internet through my school's network (I live on campus). I tried going into the router and setting up port forwarding to a nonexistent IP on the network, but after running the port scan it still says they are open.

I ran "netstat -a" at the command prompt, and there was no listing for either of these ports. Why would these ports be open? More importantly, how could they be open if I'm behind a NAT router. Is this something I should worry about? If so, how can I fix this?

 

[RebateMonger]

Have you run a malware scan lately? Try MalwareBytes. Those two ports are commonly used for secure web servers and for ftp servers.

 

[Jamsan]

More than likely, the university has services running on those ports. You share your internet connection with the school, so when the scan runs, it looks for ANY services running at that IP address, which is not solely dedicated to you.

To test, see what GRC gives for your external IP address. Try connecting to an FTP server and HTTPS server at that IP, and see if you get any website or banner messages when connecting to the FTP server. That should give you an idea as to what is running on them.

 

[RebateMonger]

Yeah, I missed that the OP is likely on a bigger private network. If that's the case, then any port scans are going to end at the school's inbound router and they are likely running secure web sites and ftp.

OP:
What's the external IP address of your router? And what's the IP that GRC reports it's scanning?

 

[Crusty]

Port 22 is SSH, not FTP. It's could be just the routers remote admin interfaces.

 

[dredd2929]

How do I found out the external address of the router? I went to www.whatismyip.com and it is the same as grc.com says. Is there a way I can determing the external IP independently? I don't see it in ipconfig or anywhere in the router's interface.

 

[RebateMonger]

Originally posted by: dredd2929
How do I found out the external address of the router? I went to www.whatismyip.com and it is the same as grc.com says. Is there a way I can determing the external IP independently? I don't see it in ipconfig or anywhere in the router's interface.

It'll be in the WAN section of the router's interface.

 

[JackMDS]

Download and use this, http://keir.net/download/ip2.zip

However since you do not know how the school network is configured your effort might be useless, and if you would persist you might hear the School "IT Police" knocking on your door.

 

[dredd2929]

The IP address under the WAN section is 10.5.10.5

This is different from what GRC says it is. Does this mean the ports are open on the school's server and not my router?

 

[RebateMonger]

Originally posted by: dredd2929
The IP address under the WAN section is 10.5.10.5

This is different from what GRC says it is. Does this mean the ports are open on the school's server and not my router?

Your WAN IP is a private network IP, so that means that a router ahead of yours is using Network Address Translation and is intercepting all inbound requests from the Internet.

All you can tell for sure is that either the school's router is accepting requests on those ports or SOME computer on the school's network is accepting the requests after they are forwarded by the router. The GRC scan can't dig any deeper than that.

 

[dredd2929]

Does that mean that a potential intruder can't dig any deeper as well?

 

[RebateMonger]

Originally posted by: dredd2929
Does that mean that a potential intruder can't dig any deeper as well?

Any Network Address Translation pretty much stops external attacks cold unless ports are being forwarded to your PC. If there's a NAT router in place, then almost all infections will either come from INSIDE your own PC (clicking on the wrong thing in email or on a web site or running an infected file) or from attacks from other PCs inside your own network.

 

[Modelworks]

443 is SSL - are you running an SSL server ?
22 - SSH - are you running a telnet server ?

Open ports does not mean it is bad, it just means that if you were running something like a server then someone could try to connect to it. If you aren't don't worry about it. They can't create the server to connect to, you have to do that or run a program to do it.

 

[JackMDS]

Originally posted by: Modelworks

Open ports does not mean it is bad, it just means that if you were running something like a server then someone could try to connect to it. If you aren't don't worry about it. They can't create the server to connect to, you have to do that or run a program to do it.

This.

Or to put in another way, Ports are Not like a doors to the house.

Computer's Ports are always Open ready to be used by applications.

Firewalls Blocks the access to the ports. If the access is not blocked we call it that the port is open.

However if No application is using this port, then it can not be accessed even if it Not Blocked.

And if a port (as an example) is opened toward a running FTP Server than you need an FTP Client to Access it.

If One wants to know whether there is actively open ports this free application can be used.

http://technet.microsoft.com/e...nternals/bb897437.aspx

 

[dredd2929]

Modelworks: No, I'm not running SSL or telnet servers.

Thanks to all for the info. It seems that someone breaking into your computer is a lot more difficult than many people make it out to be.

Thanks JackMDS for the tip on the utility. Sysinternals has some pretty slick utilities. I'm surprised I've never heard of them before today.

 

[Nothinman]

Thanks to all for the info. It seems that someone breaking into your computer is a lot more difficult than many people make it out to be.

Yes and no. The most common attack vector for regular users these days would be email and web browsing. A router doing NAT won't protect you from a link that runs some malicious code.

 

[JackMDS]

Internet page is Not one full page that comes in (like a regular paper page).

When One logs to a site the actual logging downloads many files to the Browser cache. The Browser is actually an Assemblage Tool that organizes the content of the files according to the html instructions to be presented as a coherent page on the screen

Among the Files downloaded there can be files that are Not part of the Visual presentation of the page but rather Infestation (put ther by the page programmer) that can do all kind of things to the computer. Spy, install Viruses, install Zombies, Delete Files, Alter Content, Make your computer a Spam Machine, etc.

Porn sites, shady business sites, and many others deliberately load thie pages with Infestation. AntiVirus software, Firewalls, AntiSpyware etc. suppose to protect us from the "Junky" files.

However, the "A** H**" that do these things are always One step ahead, and the updated of the security application is a reactionary one.

In sum, if one is behind NAT Firewall, beefed up with Good two ways None intrusive Software Firewall, AntiVirus, and Anti Spyware, than the worry from attack and None Voluntarily intrusion is Not an issue regarding End-Users.

Almost all End-Users problems related to Internet infestation/Security comes from where he/she Log, what he/she downloads, and the attachments open by email.