LinuxQuestions.org


lub0 10-05-2003 09:05 AM

Strange Ports in windows 98
 
Hi all,

Can anyone tell me why, after I asked someone using Linux to scan my 98 box, which uses a cable connection, I got these results:

SYN Stealth Scan took 59 seconds to scan 1611 ports.
Interesting ports on h**-***-**-**.no.*********.net (**.***.**.***):
(The 1605 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp filtered loc-srv
139/tcp open netbios-ssn
1080/tcp filtered socks
12345/tcp filtered NetBus
12346/tcp filtered NetBus
31337/tcp filtered Elite

Nmap run completed -- 1 IP address (1 host up) scanned in 60.380 seconds

I was aware that ports 135 and 139 are usually open on Windows boxes, but are these other ports not Trojan ports?

I would appreciate anyone's opinion on this.

Cheers


Lub0

CyberDoc 10-05-2003 09:13 AM

I'm not really up on Windows anymore (hence been using Linux too long), but the only strange port I see is the "Elite" one. Do you know what software you may be running that is associated with it? P2P etc...
Please wait for a response from someone who remembers Windows better than I do. But I just saw that Elite port 31337, and it looks odd to me.

lub0 10-05-2003 09:20 AM

That's what I thought. As far as I know, I am using no software that would open those ports. This Windows box is partitioned and I have Linux on it as well (Windows is for my other half), but unfortunately she spends a power of time on the internet using Windows (worrying). Anyway, thanks for your time.

lub0

antken 10-05-2003 09:23 AM

The last four ports you have listed I have never seen on a Windows machine before. What you could do is download a program called ZoneAlarm to secure your machine.

After you download and install it, ZoneAlarm will tell you and ask you about programs setting up as servers; then you have the option of saying yes to allow or no to deny.

Also, ask your friend to upgrade their nmap to the latest version; it offers a more advanced scan and it can query the ports to find out what's on them.

Also, your cable company may be holding open those ports to prevent attacks. My cable company does it with Windows ports (137, 135, 139) and I don't even run a Samba server on my Linux box!

lub0 10-05-2003 09:30 AM

Thanks antken. I know I installed a firewall (VisNetic, I think?) on the box for her, but I had trouble getting it to start automatically and asked that she turn it on manually (whether or not she does that, hmmm...). Anyway, thanks pal, talk again soon.

lub0

mrdensity 10-05-2003 05:52 PM

nmap reported those ports as "filtered". Yes, they are Win/32 trojan ports. But they were not reported as open, which would mean that you had a trojan installed on your computer. They were not reported as closed, meaning that a computer was present but no servers were active on that port. Filtered means that somewhere a firewall is blocking access to those ports before they ever reach your computer, most likely at your ISP's gateway. If you want to see what your Windows box is listening on, click Start>Run, then type 'Command.com'; after the terminal window opens, type 'netstat /an' and it will display the status of your machine: where it is connected and on what port there is a server "listening".
To see more of what netstat will do for you, type 'netstat /?' and it will give a decent rundown of netstat's capabilities, much like on a Linux machine when you type netstat -h at the command line.

As was mentioned earlier, install a firewall and don't get on the net without it. ZoneAlarm and Sygate are the two I really recommend for a Windows computer.

Cheers
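
The cross-check described in the reply above (the scan state seen from outside versus what netstat shows listening locally), as an added example that is not part of the original thread. The nmap lines are the ones from the first post; the netstat output, its addresses and all function names are constructed for illustration.

```python
import re

# Port table lines copied from the nmap report in the first post.
NMAP_REPORT = """\
135/tcp filtered loc-srv
139/tcp open netbios-ssn
1080/tcp filtered socks
12345/tcp filtered NetBus
12346/tcp filtered NetBus
31337/tcp filtered Elite
"""
# Constructed sample of Windows `netstat -an` output (addresses are made up).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          203.0.113.7:80         ESTABLISHED
  UDP    10.0.0.5:137           *:*
"""
# (scan state, local listener present) -> reading, following the reply above.
READING = {
    ("open", True): "server reachable from outside",
    ("open", False): "mismatch: rescan or recheck netstat",
    ("filtered", True): "listener exists but a firewall hides it",
    ("filtered", False): "blocked upstream, nothing listening",
    ("closed", True): "listener not reachable on this address",
    ("closed", False): "nothing listening",
}

def parse_nmap(report):
    """Return {port: state} for the N/tcp lines of an nmap port table."""
    found = re.findall(r"^\s*(\d+)/tcp\s+(\S+)", report, re.MULTILINE)
    return {int(port): state for port, state in found}

def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports shown in LISTENING state."""
    rows = (line.split() for line in netstat_text.splitlines())
    return {int(f[1].rsplit(":", 1)[1]) for f in rows
            if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING"}

def correlate(nmap_states, listening):
    """Map each scanned port to (scan state, listening locally?, reading)."""
    return {p: (s, p in listening, READING.get((s, p in listening), "unknown state"))
            for p, s in sorted(nmap_states.items())}

if __name__ == "__main__":
    result = correlate(parse_nmap(NMAP_REPORT), listening_tcp_ports(NETSTAT_SAMPLE))
    for port, (state, local, reading) in result.items():
        print(f"{port:>5}/tcp scan={state:<8} listening={local!s:<5} {reading}")
```

With the constructed netstat sample, the four high ports come out as filtered with no local listener, while 135 and 139 are the only ports with a server behind them.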

lub0 10-05-2003 05:57 PM

Thanks mrdensity.......

Nexer 10-05-2003 06:59 PM

Just download anti-virus software; that'll get rid of Netbus and Back Orifice (port 31337). Strange that you have a socks proxy server running... the attacker probably installed it after he trojaned you.


All times are GMT -5.