[m8E]

I have just used the Symantec Security checker to find out if my computer had any Hacker Exposure and Trojan Horse Vulnerabilities. The check went okay and most of the results came back as good but a few came up which worried me:


TROJAN HORSE VULNERABILITY RESULTS:

1025 Unused Windows Services Block


HACKER EXPOSURE RESULTS:

ICMP Ping

23 Telnet

80 HTTP (Hypertext Transfer Protocol)


Each of these results had at the end of them a red circle with a tick in it which Symantec indicated that these were open ports in my computer and vulnerable to attacks.

Firstly can someone tell me if Symantec's Security Checker is reliable, and secondly, can someone let me know if the seemingly worrying results which the symantec security checker found are actually anything to be worried about and if so how can I deal with them?

Thanx
m8E

[m8E]

Also, when the checker says ports, does it mean actual ports that I can see at the back of my computer or does it mean other ports which I, not being particularly computer knowledgeable, would not know existed unless I opened up my computer to look inside?

[prathapml]

No amount of opening and peeking can show you the ports it refers to.
The ports mentioned here are abstract entities, theoretical ones - that only exist for networking purposes.

[m8E]

Thanks prathapml, and are these ports being open like they are worth worrying about?

[prathapml]

If you are connected to network on which hostile hackers might be a part of (like the Internet), then open ports are a cause of worry.

[phiber0ptik]

Port 80 is the standardport for a webserver, port 23 is the standardport for telnet and port 1025 for RPC (Remote Procedure Call service). If you dont run a webserver on your computer you should stop that service (probably IIS) do the same with the telnetservice, and just leave rpc alone. ( Start -> Run... -> services.msc -> [Enter] ) I suggest you to use a firewall, and run symantecs security scanner again

You can always try to connect to port 80 on your computer with telnet. Start -> Run... -> cmd -> telnet localhost 80 -> [Enter] -> [Space] -> [Enter]
This will give you an output message, something like:

"Apache/1.3.31 Server at do.not.attack.this.server Port 80"
(example from me doing the telnetthingy )

This output should say something about Apache or IIS, otherwise it could be a trojan.


PM me if you need help or something

//phiber0ptik

[m8E]

I do have a firewall but the Symantec Security checker still manages to find those four ports I mentioned all open

Also I can see now how port 80 would need to be open in order to actually use the internet so I'm less worried about that particular port being open now, although is port 80 used for anything else other than being connected with the internet?

[prathapml]

1. Port 80 is open for *INCOMING* connections. That's not correct. It should not be open at all, unless you have a HTTP server there.

2. You need no ports to be open, for outgoing connections (as in, browsing, downloading, etc.)

[m8E]

Thanks again prathapml I'm not running any kind of server just an ordinary PC. Does what you've said mean that I should be looking to close all of the 4 ports mentioned as soon as possible? If so could you let me know how to do this?

If I close off the mentioned ports is the closing off process reversable and can I still use the internet as usual i.e browsing, downloading, sending and receiving emails, registering with and logging onto websites?

[prathapml]

Yes to all

And how to close those 4 ports? Symantec Security Center may not really the best there is.... Try to block using that itself, if there's no way to do it, check out ZoneAlarm firewall (the best right now, and free to boot).

[m8E]

I've tried downloading and using ZoneAlarm firewall but somewhere in the process my Norton Firewall showed up and I blocked access to and from the ZoneAlarm website and now I don't know how to undo that because my Norton Firewall doesn't want to let me! So assuming the ZoneAlarm choice is not available in the short term until I can find a way to sort out my little mistake is there another option?

I don't know if I have a Trojan in my computer but if I did have a Trojan in my computer would this open the four ports mentioned to others even through my Norton Firewall?

I'm using Spybot S&D which isn't showing anything bad there, and I'm also using Norton Internet Security and Norton SystemWorks which is not showing up any Trojans in any scans.

prathapml do you think that Symantec/Norton are not as good as others when it comes to internet security and keeping a PC in good running order?

[prathapml]

m8E, on Jan 10 2005, 08:44 PM, said:

do you think that Symantec/Norton are not as good as others when it comes to internet security and keeping a PC in good running order?

That's a question you have to answer for yourself - because different people have different views about that.


And your PC seems badly out of condition. (j/k)
All those many anti-viruses, firewalls anti-spywares.... doesn't take one anywhere!
Ensure you have WinXPSP2, uninstall all those junk (which only slow down operations), and take a look at ZoneAlarm SecuritySuite (which has all that is needed and more!).

[m8E]

I have found so far that the extra things to help keep my computer clear are not slowing down my computer, it is only the Norton products which have a noticable slowing effect, but Norton have always been like that no-matter which computer I've installed their products on.

The ZoneAlarm products I am new to, have they been going for long? It seems that you are really quite enthusiastic about what they have to offer prathapml.

WinXPSP2 I have installed which I think has helped to keep my computer running better and have not had as yet any problems with it (unless it has something to do with keeping the four ports open).

[prathapml]

ZoneAlarm firewall has been around since a long time. Then they started expanding the feature list, where recently anti-virus, IM-protection, and so on... was added.
Been using SecuritySuite since quite sometime and I'd say its VERY good. (nothing else is needed for security/protection after installing ZoneAlarm SecuritySuite)

[m8E]

you're not employed by ZoneAlarm are you prathapml?! Just kidding! I've paid for my Norton Firewall and SystemWorks recently but I don't know how to fully utilise them so for now and until the year's subscription is up I will be trying to work out how to do so before buying something different like ZoneAlarm, although I will be keeping my eye on that one. In the meantime I'm still looking how to get those four ports closed off!

I've been to the Microsoft website and found http://www.microsoft.com/athome/security/s...re/default.mspx which is Antispyware from microsoft and it found things which Spybot S&D didn't and I'm thinking of converting! But still my four ports are open....

I did full virus scans, spyware scans, disk cleans and even a defrag all in safe mode but even though some threats were found and consequently removed, my four ports are still open!! Do I have to configure my firewall so that everything is blocked and all ports are closed, and then re-open all the ports one by one to see which are the offenders? (if I can figure out how to do that!)

[prathapml]

m8E, on Jan 12 2005, 03:15 AM, said:

Do I have to configure my firewall so that everything is blocked and all ports are closed, and then re-open all the ports one by one to see which are the offenders?

Don't block out "everything". Just close all ports leaving none open.
And why'd you want to re-open *ALL* the ports one-by-one? There's 65,000 of them!

[phiber0ptik]

hi m8E, I was going to send a PM til I read some new posts in here
You have antivirus, firewall and antispyware installed, thats good but do not forget to update them (norton does that auto, spybot doesnt). About your ports that are opened... your firewall, Norton Internet Security if im not mistaken, is configured so these ports that your are talking about answers on request from an outside source. This can be re-configured (ofcourse) in the preferences for Norton Internet Security. But since you dont even need these ports you can disable the services which uses these ports. Port 23 is, like I said in an earlier PM the standardport for telnet. To close this port you have to disable the Telnet Service, and port 80 is the standardport for webservers... and the only OS from windows that I know of, that have this service running from start is Windows 2000 Look for "Internet Information Service" and disable that one too. Port 1025 belongs to RPC, do not disable the RPC service tho, just make sure the rules in your firewall is configured to block incoming requests on this port. ICMP is blocked by softwarefirewalls by default I guess, but since it answered on symantecs echo-request, take a closer look in your firewalls preferences.

About that list of applications that startup when you logon... none of them will harm your computer :

Do not configure your firewall so it blocks everything, there should be a "learning"-mode, try that.

//phiber0ptik

[epic]

To disable telnet / http (80):

Go to Start -> Run -> services.msc /s -> Enter

Scroll down until you see a listing for Telnet and stop/disable the service.
Scroll down until you see a listing for IIS (Internet Information Services) and stop/disable the service.

Here is a good resource to follow up with, there should be a link there for services. I have not checked it out for ages.
http://www.blackviper.com/

[m8E]

Thanks epic, I've already tried doing that for Telnet and even though the service is showing up as being disabled the Symantec Security checker still detects it as being open, does something smell wrong there to anyone!?

Also I do not have any such service with the name of IIS or Internet Information Services actually showing in services.msc /s so I cannot disable it because it isn't there, does something smell wrong there too??

65,000 ports in my computer! blimey prathapml I didn't know there were so many, (and now risking sounding totally computer dumb) what does a computer need that many ports for?

phiber0ptik thanks for letting me know about that list more firewall tinkering and learning to do now!!

[epic]

Well, it's probably Norton (if you have updated everything). Go figure. Norton stinks...

Actually, 65,554. However, some ports are not ever used- there just there. But here is good list to work with to get a general idea.

http://www.networkso.../ports00000.htm