LinuxQuestions.org
Old 10-05-2003, 09:05 AM   #1
lub0
Member
 
Registered: Aug 2003
Location: Glasgow Scotland
Posts: 92

Rep: Reputation: 15
Strange Ports in windows 98


Hi all,

Can anyone tell me why, after I asked someone using Linux to scan my 98 box, which uses a cable connection, I got these results:

SYN Stealth Scan took 59 seconds to scan 1611 ports.
Interesting ports on h**-***-**-**.no.*********.net (**.***.**.***):
(The 1605 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp filtered loc-srv
139/tcp open netbios-ssn
1080/tcp filtered socks
12345/tcp filtered NetBus
12346/tcp filtered NetBus
31337/tcp filtered Elite

Nmap run completed -- 1 IP address (1 host up) scanned in 60.380 seconds

I was aware that ports 135 and 139 are usually open on Windows boxes, but are these other ports not Trojan ports?

I would appreciate anyone's opinion on this.

Cheers


Lub0
 
Old 10-05-2003, 09:13 AM   #2
CyberDoc
Member
 
Registered: Oct 2003
Location: usa
Distribution: linux mint 17, slackware, ubuntu server
Posts: 41

Rep: Reputation: 15
I'm not really up on Windows anymore (hence, been using Linux too long), but the only strange port I see is the "Elite" one. Do you know what software you may be running associated with it? P2P, etc.
Please wait for a response from someone who remembers Windows better than I do. But I just saw that Elite port 31337 looks odd to me.
 
Old 10-05-2003, 09:20 AM   #3
lub0
Member
 
Registered: Aug 2003
Location: Glasgow Scotland
Posts: 92

Original Poster
Rep: Reputation: 15
That's what I thought; as far as I know I am using no software that would open those ports. This Windows box is partitioned and I have Linux on it as well (Windows is for my other half), but unfortunately she spends a power of time on the internet using Windows (worrying). Anyway, thanks for your time.

lub0
 
Old 10-05-2003, 09:23 AM   #4
antken
Member
 
Registered: Nov 2000
Location: england
Distribution: latest Mandrake
Posts: 368

Rep: Reputation: 30
The last four ports you have listed I have never seen on a Windows machine before. What you could do is download a program called ZoneAlarm to secure your machine.

After you download and install it, ZoneAlarm will tell you and ask you about programs setting up as servers; then you have the option of saying yes to allow or no to deny.

Also ask your friend to upgrade their nmap to the latest version; it offers a more advanced scan and it can query the ports to find out what's on them.

Also, your cable company may be holding open those ports to prevent attacks. My cable company does it with Windows ports (137, 135, 139) and I don't even run a Samba server on my Linux box!
 
Old 10-05-2003, 09:30 AM   #5
lub0
Member
 
Registered: Aug 2003
Location: Glasgow Scotland
Posts: 92

Original Poster
Rep: Reputation: 15
Thanks antken. I know I installed a firewall (VisNetic, I think?) on the box for her, but I had trouble getting it to start automatically and asked that she turns it on manually (whether or not she does that, hmmm...). Anyway, thanks pal, talk again soon.

lub0
 
Old 10-05-2003, 05:52 PM   #6
mrdensity
Member
 
Registered: Apr 2002
Location: Central US
Distribution: Libranet 1.9.1 & 2.0, tinyX (2dskxwin) & WinLinux 2001
Posts: 83

Rep: Reputation: 15
nmap reported those ports as "filtered". Yes, they are Win/32 trojan ports. But they were not reported as open, which would mean that you had a trojan installed on your computer. They were not reported as closed, meaning that a computer was present but no servers were active on that port. Filtered means that somewhere a firewall is blocking access to those ports before they ever reach your computer. Most likely at your ISP's gateway. If you want to see what your Windows box is listening on, click Start>Run, then type 'Command.com'. After the terminal window opens, type 'netstat /an' and it will display the status of your machine: where it is connected and on what port there is a server "listening".
To see more of what netstat will do for you, type 'netstat /?' and it will give a decent rundown of netstat's capabilities. Much like a Linux machine when you type netstat -h at the command line.

Like was mentioned earlier, install a firewall and don't get on the net without it. ZoneAlarm and Sygate are the 2 I really recommend for a Windows computer.

Cheers
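
Added example (not part of any post in this thread): the cross-check described in post #6, pairing each port state from the scan with what the machine itself reports as listening. The scan table is the one posted in #1; the netstat listing and its addresses are constructed samples, and the function names are illustrative.

```python
import re

# Scan table as posted in the thread.
NMAP_TABLE = """\
Port State Service
135/tcp filtered loc-srv
139/tcp open netbios-ssn
1080/tcp filtered socks
12345/tcp filtered NetBus
12346/tcp filtered NetBus
31337/tcp filtered Elite
"""

# Constructed sample of a netstat listing taken on the scanned Windows box.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1047        203.0.113.5:80         ESTABLISHED
  UDP    192.0.2.10:137         *:*
"""

def parse_nmap(text):
    """Return {port: (state, service)} for the TCP rows of the scan table."""
    rows = re.findall(r"^(\d+)/tcp\s+(\S+)\s+(\S+)", text, re.M)
    return {int(port): (state, svc) for port, state, svc in rows}

def listening_tcp_ports(text):
    """Return the set of local TCP ports that netstat shows as LISTENING."""
    pattern = r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING"
    return {int(port) for port in re.findall(pattern, text, re.M)}

def triage(nmap_text, netstat_text):
    """Pair the scanner's remote view of each port with the host's own view."""
    listening = listening_tcp_ports(netstat_text)
    report = {}
    for port, (state, svc) in sorted(parse_nmap(nmap_text).items()):
        if port in listening:
            verdict = "local listener present"
        elif state == "filtered":
            verdict = "filtered on the path, nothing listening"
        else:
            verdict = "nothing listening"
        report[port] = (state, svc, verdict)
    return report

if __name__ == "__main__":
    for port, (state, svc, verdict) in triage(NMAP_TABLE, NETSTAT_SAMPLE).items():
        print(f"{port:>5}/tcp {state:<9} {svc:<12} {verdict}")
```

With this sample only 139/tcp has a local listener; a trojan-associated port that showed up in the listening set would be the case worth investigating.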
 
Old 10-05-2003, 05:57 PM   #7
lub0
Member
 
Registered: Aug 2003
Location: Glasgow Scotland
Posts: 92

Original Poster
Rep: Reputation: 15
Thanks mrdensity.......
 
Old 10-05-2003, 06:59 PM   #8
Nexer
Member
 
Registered: May 2003
Distribution: Slackware 9.1
Posts: 35

Rep: Reputation: 15
Just download anti-virus software; that'll get rid of Netbus and Back Orifice (port 31337). Strange that you have a socks proxy server running.. the attacker probably installed it after he trojaned you.
 
  

