EvilAngel
04-04-04, 10:07 PM
I did a SG security scan and it found 5 open ports how do I close them? TIA
(The 271 ports scanned but not shown below are in state: filtered)
Port Status Service Description
11/udp closed systat system / active users information.
13/udp closed daytime Daytime service (RFC 867) - responds with the current time of day. Different machines respond with slightly different date/time format, so port can be used to fingerprint machines.
19/udp closed chargen Generates and replies with a character when queried. Should be disabled if there is no specific need for it. Source for potential attacks.
20/udp closed ftp-data
21/udp closed ftp FSP/FTP
22/udp closed ssh Old version of pcAnywhere uses port 22/udp (no relation to ssh and port 22/tcp).
The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22 decimal; the value of 0x1600 (hex) is 5632 decimal. Some say that pcAnywhere had a byte-swapping bug that led to its incorrect use of port 22.
49/udp closed tacacs Login Host Protocol (TACACS)
53/udp closed domain DNS (Domain Name Service) is used for domain name resolution.
Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52
67/udp closed dhcpserver Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients.
68/udp closed dhcpclient Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server.
69/udp open tftp Trivial File Transfer Protocol - A less secure version of FTP, generally used in maintaining and updating systems, for configuration file transfers between LAN systems, firmware updates on routers, etc.
Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm, Storm worm, Theef...
W32.Blaster.Worm is a widely spread worm that exploits the MS DCOM RPC vulnerability described in MS Security Bulletin MS03-026. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Welchia.Worm - a wildly spread worm that removes the W32.Blaster.Worm and installs a TFTP server.
79/udp closed finger Finger
Trojans that also use this port: ADM worm, Firehotcker
88/udp closed kerberos-sec KDC (Kerberos key distribution center) server.
99/udp closed metagram metagram relay, gnutella?
110/udp closed pop-3 POP3 server traffic (should be TCP only?)
111/udp closed sunrpc Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service.
Trojans that use this port: ADM worm, MscanWorm
113/udp closed auth Port 113 used for Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc. that remote server sends back a query to the IDENT port 113 asking for identification from your system...
Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.
The simplest solution is to close, rather than filter port 113.
Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Deamon, Kazimas, Taskman
119/udp closed nntp NNTP (Network News Transfer Protocol) control messages.
123/udp closed ntp Network Time Protocol (NTP)
135/udp open loc-srv Port used by Messenger Service (not MSN Messenger) and exploited in popup net send messenger spam: MSKB 330904. To stop the popups you'd need to filter port 135 at the firewall level or stop the messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp 138/udp, 139/tcp, 445/tcp.
137/udp open netbios-ns NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
There is also a Critical Windows RPC vulnerability affecting ports 135,139 and 445, as detailed here: MS Technet Security Bulletin MS03-026
The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz, W32.HLLW.Moega.
138/udp open netbios-dgm same as port 137/udp
139/udp open netbios-ssn same as port 137/udp
143/udp closed imap2 IMAP
161/udp closed snmp Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.
Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162.
162/udp closed snmptrap same as port 161/udp
194/udp closed irc Internet Relay Chat Protocol
520/udp closed route RIP (Routing Information Protocol). Routers use RIP in order to advertise routing information to each other and communicate optimal paths.
References: RFC1058 & RFC2453
546/udp closed dhcpv6-client DHCP(v6) Client
547/udp closed dhcpv6-server DHCP(v6) Server
635/udp closed mount NFS (remote filesystem access) mount service.
666/udp closed doom Used by the game Doom (ID Software), however, because of the cool connotations, this port is also used by numerous trojan horses/backdoors.
Here is a list: Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (the rippers).
Backdoor.FTP_Ana.C - backdoor trojan, 03.2003. Affects all current Windows versions.
Backdoor.Checkesp - backdoor trojan, 06.2003. Affects all current Windows versions.
Backdoor.Private - backdoor trojan, 05.2003. Affects all current Windows versions.
1025/udp closed blackjack Ports > 1024 are designated for dynamic allocation by Windows. When programs ask for the "next available" socket, they usually get sequential ports starting at 1025.
1026/udp closed unknown same as port 1025/udp
1027/udp closed unknown same as port 1025/udp
1028/udp closed ms-lsa same as port 1025/udp
1029/udp closed unknown same as port 1025/udp
1122/udp closed unknown Trojans that use this port: Last 2000, Singularity (Backdoor.Singu)
Port is also IANA registered for: availant-mgr
1433/udp closed ms-sql-s Microsoft SQL Server.
Vulnerabilities: Check CERT advisories CA-2002-22 - multiple vulnerabilities, CA-2003-04 MS SQL Server Worm.
1434/udp closed ms-sql-m same as port 1433/udp
1723/udp closed unknown PPTP virtual private network (VPN)
1772/udp closed unknown Backdoor.Netcontrole - remote access trojan, 06.2002. Affects all current Windows versions.
port is also registered with IANA for: EssWeb Gateway
1863/udp closed unknown Port used by MSN Messenger
1900/udp closed UPnP IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol).
UPnP discovery/SSDP, is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders.
See UPnP vulnerabilities (port 5000).
2049/udp closed nfs Network File System (NFS) - remote filesystem access. (RFC 1813)
2140/udp closed unknown Some trojans use this port: Deep Throat, Foreplay, The Invasor
3150/udp closed unknown Netmike assessor administrator port.
Some trojans that also use this port: The Invasor (TCP), Deep Throat, Foreplay (UDP), Mini Backlash (UDP).
5000/udp closed UPnP Universal Plug and Pray - "Universal Plug and Play (UPnP) is an architecture that supports peer-to-peer Plug and Play functionality for network devices." MSKB - Universal PnP
UPnP discovery/SSDP, is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders. Here is a list of some known vulnerabilities with UPnP:
MS Security Bulletin MS01-054
MS Security Bulletin MS01-059
UPnP Vulnerabilities
Also, the following Trojan Horses use port 5000: Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie
5190/udp closed aol ICQ, AIM (AOL Instant Messenger)
5191/udp closed aol-1 same as port 5190/udp
5192/udp closed aol-2 same as port 5190/udp
5193/udp closed aol-3 same as port 5190/udp
5631/udp closed unknown PC-Anywhere sends UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one !.
If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block.
5632/udp closed pcanywherestat same as port 5631/udp
5678/udp closed unknown Port used by Linksys (and other) Cable/DSL Routers Remote Administration
Vulnerable systems: Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
Immune systems: Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
6257/udp closed unknown port used by WinMX p2p sharing software.
6665/udp closed unknown IRC (Internet Relay Chat)
Many trojans/backdoors also use these ports: Dark Connection Inside, Dark FTP, Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood.
6666/udp closed unknown same as port 6665/udp
6667/udp closed unknown same as port 6665/udp
6668/udp closed unknown same as port 6665/udp
6669/udp closed unknown same as port 6665/udp
7788/udp closed unknown Trojans that use this port: Last 2000, Singularity (Backdoor.Singu)
10067/udp closed unknown Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
10167/udp closed unknown same as port 10067/udp
27374/udp closed unknown SubSeven Trojan horse (TCP). Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.
Some other trojan horses/backdoors that use this port: Bad Blood, Ramen, Seeker, SubSeven (many versions), Ttfloader
31337/udp closed BackOrifice This port number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T) and because of the special meaning is often used for interesting stuff... Many backdoors/trojans run on this port, the most notable being Back Orifice.
Here are some others that run on the same port: Back Fire, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini
31789/udp closed unknown Windows Hack'a'Tack trojan
31790/udp closed unknown same as port 31789/udp
Total scanned ports: 339
Open ports: 5
Closed ports: 63
Filtered ports: 271
5 open ports found on your system !
SG Security Scan complete in: 41.009 sec.
328725 systems tested since 03.25.2003.
SG Security Scan engine v1.04, 06.25.2003.
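As an added example (not part of the original post, and not the SG scanner's code), a small Python parser for the report format quoted above: it pulls out the rows marked open, cross-checks them against the report's own "Open ports: N" summary, and groups them by the listener the port descriptions point at together with the fix those descriptions recommend (stop the Messenger service, disable File and Print Sharing or block 135-139, remove the TFTP listener). The sample report and the REMEDIATION table are constructed here from the post's text.

```python
import re

# Constructed excerpt of an SG Security Scan report in the format quoted in the
# post (descriptions shortened; the five open ports match the original scan).
SAMPLE_REPORT = """\
Port Status Service Description
20/udp closed ftp-data
69/udp open tftp Trivial File Transfer Protocol - A less secure version of FTP.
W32.Welchia.Worm - removes the W32.Blaster.Worm and installs a TFTP server.
135/udp open loc-srv Port used by Messenger Service (not MSN Messenger).
137/udp open netbios-ns NetBIOS is a protocol used for File and Print Sharing.
138/udp open netbios-dgm same as port 137/udp
139/udp open netbios-ssn same as port 137/udp
1900/udp closed UPnP IANA registered by Microsoft for SSDP.
Total scanned ports: 339
Open ports: 5
"""

# One report row: "<port>/<proto> <status> <service> [<description>]".
# Continuation lines (trojan lists, worm notes) do not match and are skipped.
ROW_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)\s*(.*)$")

# Hypothetical grouping built from the advice in the port descriptions:
# the listener each open port belongs to and what the report says to do.
REMEDIATION = {
    "messenger": ({135}, "stop the Messenger service or filter 135 at the firewall"),
    "netbios": ({137, 138, 139}, "turn off File and Print Sharing (or unbind it "
                "from TCP/IP) and block 135-139 at the router/firewall"),
    "tftp": ({69}, "remove the TFTP listener (Welchia installs one) and check "
             "the host for Blaster/Welchia"),
}


def parse_report(text):
    """Return one dict per port row, in report order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "status": m.group(3), "service": m.group(4),
                         "description": m.group(5)})
    return rows


def open_ports(text):
    """Sorted (port, proto) pairs the report marks as open."""
    return sorted((r["port"], r["proto"]) for r in parse_report(text)
                  if r["status"] == "open")


def summary_matches(text):
    """Cross-check the report's 'Open ports: N' line against the parsed rows."""
    m = re.search(r"^Open ports:\s*(\d+)\s*$", text, re.M)
    return m is not None and int(m.group(1)) == len(open_ports(text))


def remediation_plan(text):
    """Group open ports by listener; return (plan, open ports no rule covers)."""
    opened = {port for port, _ in open_ports(text)}
    plan = []
    for name, (ports, advice) in REMEDIATION.items():
        hit = sorted(opened & ports)
        if hit:
            plan.append((name, hit, advice))
    covered = set().union(*(ports for ports, _ in REMEDIATION.values()))
    return plan, sorted(opened - covered)
```

Any open port that falls outside the table comes back in the second element of `remediation_plan`, so a report with an unexpected listener is flagged rather than silently ignored.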