Ports 25, 110 and 143 are open with Comodo v3

First, I apologize for my bad English. :-TD

I have installed COMODO v3 and Avast! v4. The PC is connected directly to the Internet with a USB DSL modem. I do not have a hardware router installed. The GRC report is:

GRC Port Authority Report created on UTC: 2008-10-12 at 06:52:05
Results from scan of ports: 0-1055

3 Ports Open
1 Ports Closed

1052 Ports Stealth

1056 Ports Tested

Ports found to be OPEN were: 25, 110, 143 ???
The port found to be CLOSED was: 113
Other than what is listed above, all ports are STEALTH.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

I have played with the rules but nothing changes. How do I stealth these 4 ports?
Can you help me?

Looks like you have the Avast email engine active; can you try to “pause” this and scan again?
I have seen this before in combination with Avast.

  • 25 = SMTP for sending email
  • 110 = POP mailbox receive email
  • 143 = IMAP mailbox receive email

Hi Ronny
Yes, I “paused” all Avast resident but the ports stay open. The Avast deep scan and the Comodo scan reports are OK. I tried other Internet port scans with the same result. I do not have any proxy.
Thanks for your reply

Did you run the stealth port wizard? And can you tell me what’s in your global rules for the firewall

(Firewall, Advanced, Network Security Policy, 2nd tab Global Rules).

The last time, I ran: “Block all incoming connections - Stealth my ports to everyone”
The global rules now are four, in this order:

Allow IP Out From IP Any To IP Any Where Protocol Is Any
Allow ICMP In From IP Any To IP Any Where ICMP Message Is FRAGMENTATION NEEDED
Allow ICMP In From IP Any To IP Any Where ICMP Message Is TIME EXCEEDED
Block And Log IP In From IP Any To IP Any Where Protocol Is Any

This morning, the GRC test results are the same:
Port 25, 110, and 143: Open
Port 113: Closed
The rest of the ports: Stealth

In the previous configuration there was only one rule, block all in ICMP message ECHO REQUEST

Can you open a command box (start, run, cmd [enter]) and type

netstat -an

See if those ports are even listening on your system?
It should look like this.

TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP a.b.c.d:110 0.0.0.0:0 LISTENING

where a.b.c.d is your local IP address.

No, I cannot see those ports. I found this:

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING Avast
TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING Avast
UDP 0.0.0.0:445 *:*
UDP 127.0.0.1:123 *:* NTP Windows
UDP XXX.XXX.XXX.XXX:123 *:* NTP (My dynamic IP) Windows

TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING Avast
TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING Avast
TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING Avast

Notice the 12… is Avast behavior. To make sure this is Avast, can you temporarily set all Avast services to manual, reboot and test again? (start, run, services.msc [enter]).
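
Added example, not part of any post in this thread: the cross-check the thread does by eye, comparing the ports the external scan reports as open with the TCP listeners shown by `netstat -an`. The sample lines are constructed from the output posted above (203.0.113.7 is a placeholder for the public IP), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample modelled on the `netstat -an` lines posted in this thread
# (203.0.113.7 is a documentation address standing in for the public IP).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135        0.0.0.0:0    LISTENING
  TCP    0.0.0.0:445        0.0.0.0:0    LISTENING
  TCP    127.0.0.1:12025    0.0.0.0:0    LISTENING
  TCP    127.0.0.1:12110    0.0.0.0:0    LISTENING
  TCP    127.0.0.1:12143    0.0.0.0:0    LISTENING
  UDP    203.0.113.7:123    *:*
"""
SCAN_OPEN = [25, 110, 143]  # ports the external scan reported as OPEN

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.I)

def tcp_listeners(netstat_text):
    """Return {port: set of bind addresses} for TCP sockets in LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:  # strip("[]") handles IPv6 forms such as [::]:135
            found.setdefault(int(m.group(2)), set()).add(m.group(1).strip("[]"))
    return found

def reachable_from_network(addr):
    """A listener is remotely reachable unless it is bound to loopback."""
    return not ipaddress.ip_address(addr).is_loopback

def cross_check(netstat_text, scan_open):
    """Classify each externally 'open' port against the local listener table."""
    listeners = tcp_listeners(netstat_text)
    report = {}
    for port in scan_open:
        binds = listeners.get(port, set())
        if any(reachable_from_network(a) for a in binds):
            report[port] = "local listener exposed"
        elif binds:
            report[port] = "loopback-only listener"
        else:
            # No socket in the table accepts this port, so the reply the scanner
            # saw came from something netstat does not show.
            report[port] = "no local listener"
    return report

if __name__ == "__main__":
    for port, verdict in cross_check(SAMPLE_NETSTAT, SCAN_OPEN).items():
        print(port, verdict)
```
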

Hello Ronny, here is the result of the test

1- All Avast services in manual and stopped. Inet connection off.
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 127.0.0.1:123 *:*

2- All Avast services in manual and stopped. Inet connection on.
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 127.0.0.1:123 *:*
UDP a.b.c.d:123 *:*

(edit: ronny, better to not post your external ip)

3- GRC Test run from Opera browser
GRC Port Authority Report created on UTC:
2008-10-15 at 18:50:50

Results from scan of ports:
0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

   3 Ports Open
   1 Ports Closed
  22 Ports Stealth

  26 Ports Tested

Ports found to be OPEN were: 25, 110, 143

The port found to be CLOSED was: 113

Other than what is listed above,
all ports are STEALTH.

TruStealth: FAILED

  • NOT all tested ports were STEALTH,
  • NO unsolicited packets were received,
  • NO Ping reply (ICMP Echo) was received.

Your DSL modem seems to be answering the GRC inquiries with responses that it is open for mail inputs. Check your manual and see what control inputs are available.

While most likely it is the modem, I’m curious as to the make and model of the modem. The ports 25, 110, and 143 (SMTP, POP3, and IMAP4) make no sense for a modem. These ports could be open for forwarding, maybe. Then the question is, are there live ports to forward to? The netstat report says no. A definitive test would be a telnet connection to see if there is a connection, or a timeout.

My modem is a very simple ADSL one provided by my ISP. My question is, why does the firewall not hide these ports, and why is port 113 closed? Is a Trojan possible? The deep scan of Avast and the scan of Comodo do not report anything.

Those ports are really listening on the 200. address and they are not responding normally to POP using telnet, so there is something strange going on here. I can hardly believe that modem would open these ports by default.

Maybe UPnP did this?

Have you run an anti-rootkit scanner like GMER?

Is this a modem, or a NAT/router? With netstat reporting a live Internet address, it’s a simple modem. Which means the ports being scanned are on the PC itself. Which means that UPnP isn’t doing anything either.

Just to confirm the wiring, it’s something like this:

Internet ----- modem ----- PC

Where modem is a simple modem, and not a NAT/router, so the PC is getting an Internet IP address directly, and GRC is reporting ports open on that IP address assigned to the PC.

If telnet to port 110 (POP3) didn’t connect, what about the other ports? As a cross check on the GRC report, would it be possible to do a full nmap scan, with a fingerprint report? The newest nmap release does very good services reporting.

I took the liberty of trying this, but even Nmap could not fingerprint these services.
I can telnet to ports 110 and 143, but I’m unable to test 25 because of my provider.

Thanks to all for your time and thanks to all for the help

My wiring is:

ISP-----line----modem----usb----PC
Where:
Line: Telephone line
Modem: ADSL USB, model: Amigo CA-80U from Conexant; it isn’t a router/NAT, it is a very economical modem :frowning:

My IP is provided by my ISP in dynamic mode.

I used telnet with the following result

* BYE [ALERT] Cannot connect to IMAP server a.b.c.c (a.b.c.d:143), connect error 10061
    Se ha perdido la conexi

Are you running some sort of antispam software or anything else that could do something with email?

I am running only Avast!

My previous post lost these lines, sorry

* BYE [ALERT] Cannot connect to IMAP server a.b.c.d (a.b.c.d:143), connect error 10061
Lost the connection with the host

-ERR Cannot connect to POP server a.b.c.d (a.b.c.d:110), connect error 10061
Lost the connection with the host

421 Cannot connect to SMTP server a.b.c.d (a.b.c.d:25), connect error 10061
Lost the connection with the host

I have disabled all the services related to UPnP and NetBIOS. I ran GMER and I did not find anything, or at least it does not report anything.

What tool are you using to connect?

I tested your public address this morning and I got connections on 110 and 143; I could not test 25 because of my provider. You are testing on your “local” host, I assume?

Yes, I use telnet to my “local” host. I cannot understand why these ports are open and why Comodo cannot hide them like the other ports. For the moment Comodo is blocking all connection attempts to port 25. Where is the problem?

I don’t recognize the messages you posted. I get:

C:>telnet localhost 25
Connecting To localhost…Could not open connection to the host, on port 25: Connect failed

Never seen those, *BYE [ALERT], ERR, 421, and the normal Windows telnet does not translate to these POP server/SMTP server things.

What’s your OS version? And what telnet.exe are you using?