
Thread: At a loss with open ports with router

  1. #1
    New Member
    Join Date
    Oct 2002

    Question At a loss with open ports with router

    I am at a loss! I run two computers off a D-Link DI-604 router, with cable modem. I also have Norton Internet Security on both computers with Win98 as OS. I ran SG's security scan and it showed 49 open ports. Before I hooked up the router I showed pretty much everything stealthed. Is there an easy way (for computer illiterates like me) to set up this router to stealth itself, or use Norton Internet Security to stealth the router itself? It seems to me that NIS is useless at this point.

  2. #2
    Elite Member TonyT
    Join Date
    Jan 2000
    Fairfax, VA
    post the list of open ports
    No one has any right to force data on you
    and command you to believe it or else.
    If it is not true for you, it isn't true.


  3. #3
    New Member
    Join Date
    Oct 2002
    I just did a copy/paste from SG's security scanner, thanks.

    13/udp open daytime Daytime service (RFC 867) - responds with the current time of day. Different machines respond with slightly different date/time format, so port can be used to fingerprint machines.
    19/udp open chargen Generates and replies with a character when queried. Should be disabled if there is no specific need for it. Source for potential attacks.
    20/udp open ftp-data
    21/udp open ftp FSP/FTP
    22/udp open ssh Old verson of PC-Anywhere.
    49/udp open tacacs Login Host Protocol (TACACS)
    53/udp open domain DNS (Domain Name Service) is used for domain name resolution.
    67/udp open dhcpserver Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients.
    68/udp open dhcpclient Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server.
    69/udp open tftp Trivial File Transfer Protocol - A less secure version of FTP, generally used in maintaining and updating systems, for configuration file transfers between LAN systems, firmware updates on routers, etc.
    79/udp open finger Finger
    88/udp open kerberos-sec KDC (Kerberos key distribution center) server.
    99/udp open metagram metagram relay, gnutella?
    110/udp open pop-3 POP3 server traffic (should be TCP only?)
    111/udp open sunrpc Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services.

    Also NFS, NIS, or any rpc-based service.
    113/tcp closed auth Port 113 used for Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc. that remote server sends back a query to the IDENT port 113 asking for identification from your system...

    Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.

    The simplest solution is to close, rather than filter port 113.
    113/udp open auth same as port 113/tcp
    119/udp open nntp NNTP (Network News Transfer Protocol) control messages.
    123/udp open ntp Network Time Protocol (NTP)
    143/udp open imap2 IMAP
    161/udp open snmp Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.

    Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162.
    162/udp open snmptrap same as port 161/udp
    194/udp open irc Internet Relay Chat Protocol
    635/udp open mount NFS (remote filesystem access) mount service.
    666/udp open doom Used by the game Doom (ID Software), however, because of the cool connotations, this port is also used by numerous trojan horses/backdoors. Here is a list: Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (the rippers)
    1025/udp open blackjack Ports > 1024 are designated for dynamic allocation by Windows. When programs ask for the "next available" socket, they usually get sequential ports starting at 1025.
    1026/udp open unknown same as port 1025/udp
    1027/udp open unknown same as port 1025/udp
    1028/udp open ms-lsa same as port 1025/udp
    1029/udp open unknown same as port 1025/udp
    1723/udp open unknown PPTP virtual private network (VPN)

    1863/udp open unknown Port used by MSN Messenger
    2049/udp open nfs Network File System (NFS) - remote filesystem access. (RFC 1813)
    3150/udp open unknown Netmike assessor administrator port.

    Some trojans that also use this port: The Invasor (TCP), Deep Throat (UDP), Foreplay (UDP), Mini Backlash (UDP)
    5000/udp open UPnP Universal Plug and Pray - "Universal Plug and Play (UPnP) is an architecture that supports peer-to-peer Plug and Play functionality for network devices." MSKB - Universal PnP

    UPnP should be disabled unless necessary, here is a list of some known vulnerabilities with it:
    MS Security Bulletin MS01-054
    MS Security Bulletin MS01-059
    UPnP Vulnerabilities

    Also, the following Trojan Horses use port 5000: Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie
    5631/udp open unknown PC-Anywhere sends UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one !.

    If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block.
    5632/udp open pcanywherestat same as port 5631/udp
    5678/udp open unknown Port used by Linksys (and other) Cable/DSL Routers Remote Administration

    Vulnerable systems: Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
    Immune systems: Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)

    6665/udp open unknown IRC (Internet Relay Chat)

    Many trojans/backdoors also use these ports: Dark Connection Inside, Dark FTP, Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
    6666/udp open unknown same as port 6665/udp
    6667/udp open unknown same as port 6665/udp
    6668/udp open unknown same as port 6665/udp
    6669/udp open unknown same as port 6665/udp
    27374/udp open unknown SubSeven Trojan horse (TCP). Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.

    Some other trojan horses/backdoors that use this port: Bad Blood, Ramen, Seeker, SubSeven (many versions), Ttfloader
    31337/udp open BackOrifice This port number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T) and because of the special meaning is often used for interesting stuff... Many backdoors/trojans run on this port, the most notable being Back Orifice.

    Here are some others that run on the same port: Back Fire, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini
    31789/udp open unknown Windows Hack'a'Tack trojan
    31790/udp open unknown same as port 31789/udp
    Total scanned ports: 121
    Open ports: 46
    Closed ports: 1
    Filtered ports: 74
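The listing above is useful raw material, but it needs triage before it tells you anything: a scanner can only confirm a TCP port (the host answers with a SYN/ACK or a RST), whereas a UDP port is reported "open" merely because no ICMP port-unreachable came back, and a router that silently drops packets looks exactly the same. Below is an added example (mine, not the forum poster's or the scanner vendor's) that parses a few lines in the pasted format, counts states the way the scanner's trailer does, and classifies each line from a defender's point of view. The sample input is constructed from the format above, and the `NEVER_ON_WAN` triage list is my own assumption about what a home NAT router should never answer on its WAN side.

```python
import re
from collections import Counter

# Constructed sample input: a few lines in the same format as the scanner output
# pasted above (port/proto state service description), plus the trailer line.
SCAN_TEXT = """\
13/udp open daytime Daytime service (RFC 867) - responds with the current time of day.
69/udp open tftp Trivial File Transfer Protocol - A less secure version of FTP.
113/tcp closed auth Port 113 used for Identification/Authorization service.
161/udp open snmp Simple network management protocol (SNMP).
1026/udp open unknown same as port 1025/udp
5678/udp open unknown Port used by Linksys (and other) Cable/DSL Routers Remote Administration
31337/udp open BackOrifice This port number means "elite" in hacker/cracker spelling.
Total scanned ports: 121
"""

LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open|closed|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<note>.*))?$"
)

# Assumed triage list (mine, not the scanner's): services a home NAT router has no
# business answering on its WAN side, keyed by (port, protocol).
NEVER_ON_WAN = {
    (69, "udp"): "TFTP: unauthenticated file transfer (firmware/config)",
    (111, "udp"): "sunrpc/portmapper: leaks service inventory",
    (161, "udp"): "SNMP agent: device management reachable from the Internet",
    (162, "udp"): "SNMP trap receiver",
    (2049, "udp"): "NFS: remote filesystem access",
    (5678, "udp"): "router remote administration",
}


def parse_scan(text):
    """Turn the pasted scanner listing into a list of dicts; skips trailer lines."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. "Total scanned ports: 121"
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["note"] = rec["note"] or ""
        records.append(rec)
    return records


def summarize(records):
    """Count ports per reported state, as the scanner's trailer does."""
    return Counter(r["state"] for r in records)


def triage(records):
    """Classify each line from a defender's point of view.

    A TCP verdict is trustworthy: a SYN/ACK or RST came back from the host.
    A UDP 'open' usually only means 'no ICMP port-unreachable arrived', which is
    exactly what a router that silently drops packets looks like, so it is
    'unconfirmed' unless the port is one we would worry about regardless.
    """
    verdicts = []
    for r in records:
        key = (r["port"], r["proto"])
        if r["state"] != "open":
            verdict, why = r["state"], "host answered; nothing listening"
        elif key in NEVER_ON_WAN:
            verdict, why = "investigate", NEVER_ON_WAN[key]
        elif r["proto"] == "udp":
            verdict, why = "unconfirmed", "UDP open = no reply; re-test with a service probe"
        else:
            verdict, why = "open", "confirmed TCP listener"
        verdicts.append((r["port"], r["proto"], verdict, why))
    return verdicts


if __name__ == "__main__":
    recs = parse_scan(SCAN_TEXT)
    print(dict(summarize(recs)))
    for port, proto, verdict, why in triage(recs):
        print(f"{port}/{proto:<3} {verdict:<12} {why}")
```

Run against the full paste, the "investigate" rows (SNMP, TFTP, NFS, the 5678 remote-admin port) are the ones worth checking in the router's own configuration, while the long tail of "unconfirmed" UDP rows is far more likely a scanner artefact of a router that drops everything than 46 real listeners.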

  4. #4
    New Member
    Join Date
    Oct 2002


    I forgot to mention the reason all this started was a virus that Norton picked up, which I can only assume came through Yahoo IM. Norton has no info that is helpful about this file/virus.

    Date: 6/6/03, Time: 18:45:56, TSanford on TSAN2
    The file
    is infected with the Backdoor.Lolok.B virus.
    Unable to repair this file.

    I quarantined and deleted but just wondered what else and what might have been taken from my computer.....

  5. #5
    Disciple of Doom SeedOfChaos
    Join Date
    Apr 2000
    Comfortably Numb
    I'd suggest that you try a firewall that allows you to control which programs can access the web and which can't. In case you have trojan horses, they might try to "report home", which of course would make you aware of their presence as the firewall asks for the permission.

    Also, I suggest you try more than one virus scanner. Often enough, there is malicious code that is detected by one but not by others, due to delays in updates. Some scanners aren't really reliable at all.

  6. #6
    Moderator YeOldeStonecat
    Join Date
    Jan 2001
    Somewhere along the shoreline in New England
    Can you reset the router back to default settings? Did you open/forward all those ports on the router for some reason? By default, NAT routers come with all ports closed, it's up to the end user to open/forward them.

    Is web admin from the WAN side enabled on the router for some reason? Did you change your router's default admin password? (Hopefully so.)
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  7. #7
    New Member
    Join Date
    Oct 2002
    I did upgrade firmware to the latest version. As far as I know all settings are factory. I haven't messed around with the firewall or any other settings except password. As far as web administration, it can only be accessed from the main computer. I have remote administration disabled. I did not see any settings for remote administration from the WAN side.

