How do you close ports?

You know, I have just encountered a similar problem, by different means. I
accidentally opened my telnet port in cmd and http port somehow. I found this
out by doing the symantec security scan. As with networm, I have no clue how
to get these ports closed and stealthed or whatever! I have done scans with
norton and spyware s&d, and I have taken a passive look for processes running
that would have these ports open. So far, I managed to close the telnet port
in cmd again, but i did the scan with symantec and it still says its open...

Do i understand this correctly in that these ports are only open because
some process or program is using them?

These conisistently open ports has brought on an onslaught of hack attemps,
the ones I know about being blocked by norton. Should I try and find these
programs keeping my ports open?

- telnet open
- http open
- ping open

Thanks




"networm" wrote:

Hi all,

Somebody remotely in another part of the world sent me email complaining I
have a "backdoor-g-1" trojan connecting to his computer. using port 1243...
I've also run Norton Security check from their website and found the
following port open along with the 1243 port...

PORT STATE SERVICE
80/tcp open http
443/tcp open https

Since Norton Antivirus and Norton Security Check did not find any virus...
or anything else. Perhaps there is nothing I can do and I can just close the
ports...

Suspciously, these ports should not open...

Now what shall I do? And how can I close the ports on XP sp2?

Thanks a lot!

Ports don't exist all by themselves. They exist and "listen" in response to
running Applications that use them.

If the Telnet Service is running,...the Telnet port will be open
If IIS is running,...the http port (80, 443, and possibly SMTP, FTP, and
NNTP) would be open.

Shutdown and disable the Telnet Service and IIS's Services (more than one)
then those ports will "go away". It is a universal principle,...don't run
anything you don't want people to connect to.

"twentytwospoons" wrote in message
...
These conisistently open ports has brought on an onslaught of hack
attemps,

That depends,...if you live in the world of paranoia,...everything will look
like a "hack attempt" and you will see "hack attempts" under every rock and
around every corner, and most of them won't be real but will just be
misinterpretations of what is really happening.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

Alright, that helps. I don't completely understand how ports and services and
stuff like that work, especially when I don't even recall starting those
programs. And I only call them "hack attempts" because they never used to
occur prior to these ports suddenly being open. Either way, I think I can fix
my problem with the confirmed knowledge in my mind that the ports are in use
by running applications, not that they are just little open stomata in my
firewall, as I previously thought.

Thanks


"Phillip Windell" wrote:

Ports don't exist all by themselves. They exist and "listen" in response to
running Applications that use them.

If the Telnet Service is running,...the Telnet port will be open
If IIS is running,...the http port (80, 443, and possibly SMTP, FTP, and
NNTP) would be open.

Shutdown and disable the Telnet Service and IIS's Services (more than one)
then those ports will "go away". It is a universal principle,...don't run
anything you don't want people to connect to.

"twentytwospoons" wrote in message
...
These conisistently open ports has brought on an onslaught of hack
attemps,

That depends,...if you live in the world of paranoia,...everything will look
like a "hack attempt" and you will see "hack attempts" under every rock and
around every corner, and most of them won't be real but will just be
misinterpretations of what is really happening.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

"twentytwospoons" wrote in message
...
Alright, that helps. I don't completely understand how ports and services
and
stuff like that work,

"Ports" are *imaginary* anyway. They are not some tangible object that
exists. "Ports" are nothing but Layer4 Addresses,..just like IP#s are
Layer3 Addresses. The OS's Networking subsystem simply opens the packet and
examines the Layer4 Address and then askes the question, "Is there a running
application associated with this address?", if the answer is yes it passes
the packet up through the OSI Layers to the Application assuming there are
no contrary ACLs ,...if the answer is no, or if contrary ACLs exist, the
packet is dropped.

Layer3 Addresses (IP#s) in the Network Portion find the Subnet
Layer3 Addresses (IP#s) in the Host Portion find the MAC Address via ARP
Layer2 Addresses (MAC Address) finds the individual Host
Layer4 Addresses (Ports) find the Application running on the Host

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

In article , "Phillip Windell" @.
wrote:
"twentytwospoons" wrote in message
...
Alright, that helps. I don't completely understand how ports and services
and
stuff like that work,

"Ports" are *imaginary* anyway. They are not some tangible object that
exists. "Ports" are nothing but Layer4 Addresses,..just like IP#s are
Layer3 Addresses.
...

Phillip, I don't think that your explanation means a whole hill of beans to
the OP here. :-)

Ports are a way into the system, and they are opened when an application
requests for them to be opened.

A firewall can be told to refuse to pass packets to a port that an application
has opened.

Since the OP is on XP SP2, he can use the wonderful new netstat options:

netstat -abon netstat.txt

You'll get an output file, netstat.txt, that shows exactly what program is
listening on exactly which port. [Your local end of the port is listed under
"Local Address", after the ':']

Once you know the executables and DLLs that have requested this port to be
opened, you can close the programs.

You should expect, though, that any firewall you put in will detect incoming
"hack attempts", or connection requests, on various ports. It's just the
nature of the beast. My firewall logs all kinds of connection requests to a
bunch of ports that I _don't_ have open. It just means there's a bunch of
rude idiots out there.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | .
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

"Alun Jones" wrote in message
...
In article , "Phillip Windell" @.
wrote:
"twentytwospoons" wrote in message
...
Alright, that helps. I don't completely understand how ports and
services
and
stuff like that work,

"Ports" are *imaginary* anyway. They are not some tangible object that
exists. "Ports" are nothing but Layer4 Addresses,..just like IP#s are
Layer3 Addresses.
..

Phillip, I don't think that your explanation means a whole hill of beans
to
the OP here. :-)

Probably so,...it is just one of those misconceptions that "grates" on me
after a while, and so sometimes I just have to "spout".. :-) I'm sure my
little explaination probably isn't perfect in every detail either, but it is
close enough.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

Phillip Windell wrote:
"Alun Jones" wrote in message
...
In article , "Phillip Windell" @.
wrote:
"twentytwospoons" wrote in message
...
Alright, that helps. I don't completely understand how ports and
services
and
stuff like that work,
"Ports" are *imaginary* anyway. They are not some tangible object that
exists. "Ports" are nothing but Layer4 Addresses,..just like IP#s are
Layer3 Addresses.
..

Phillip, I don't think that your explanation means a whole hill of beans
to
the OP here. :-)

Probably so,...it is just one of those misconceptions that "grates" on me
after a while, and so sometimes I just have to "spout".. :-) I'm sure my
little explaination probably isn't perfect in every detail either, but it is
close enough.


True. I usually give an analogy instead of the technical description
though. I figure, if the person really wants to understand the concept
of Networking and the OSI model, they'll do some research. The average
PC users (at least the ones I know) don't care about that.

Usually, I tell them to imagine their computer as a building with 65,532
doors. Without a firewall, all of the doors are open, and anyone can
walk in or out. The firewall does two things. It hides the doors from
the people on the outside (except for whatever doors are supposed to be
open) and acts like a traffic cop asking you whether this program is
allowed to open a door or not. Also, as part of being a traffic cop, it
asks you if something on the outside should be allowed to enter through
one of your open doors (in some firewalls, at least).

That usually works well enough to convince them to get and keep an
updated firewall.

--
Patrick Dickey
http://www.pats-computer-solutions.com
Smile.. someone out there cares deeply for you.

"Patrick Dickey" wrote in message
...
Usually, I tell them to imagine their computer as a building with 65,532
doors. Without a firewall, all of the doors are open, and anyone can
walk in or out. The firewall does two things. It hides the doors from
the people on the outside (except for whatever doors are supposed to be
open) and acts like a traffic cop asking you whether this program is
allowed to open a door or not. Also, as part of being a traffic cop, it
asks you if something on the outside should be allowed to enter through
one of your open doors (in some firewalls, at least).

But that is the misconception I want to avoid. The Application associated
with the port is like the "room" associated with the "door". You can't have
a door without the "room" on the other side of the door. If you have no
"room" then you have no "door". So unless the machine has 65,532
Applications running on it all using a different port,...then you don't have
65,532 ports on the machine and you don't need a firewall to cover what
isn't there, because the reality of it is that you don't actually connect to
ports,...you connect to *Applications*,...the port is just the "address"
used to associate the packet to the Application. Yes, true, you have
*potentially* 65,532 ports,...but without the Application associated with
the port, it means nothing.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------