Ports 25, 110 and 143 are open with Comodo v3

I use WinXP. That message was the response to the command c:\>telnet localhost 143

Can you do the following: open a command box and make sure you're in c:\

dir telnet.* /s

Your output is not the WinXP default.

Directorio de C:\WINDOWS\system32

14/04/2008 07:49 77.824 telnet.exe
1 archivos 77.824 bytes

Directorio de C:\WINDOWS\system32\dllcache

14/04/2008 07:49 77.824 telnet.exe
1 archivos 77.824 bytes

The format on these messages is RFC standard error codes for the respective servers. Meaning these are live code responses from something running. And if that something isn’t showing up in the netstat report, then there is a problem somewhere.

The “error code 10061” might be informative, if we could figure out what kind of server package is producing it. I’ll do some digging to see what I can find.

A Google search is turning up this product: The Dude, at http://www.mikrotik.com/thedude.php There is a reference on the MikroTik forums to these same server reply messages. See the MikroTik forum topic "imap4 service? - MikroTik".

Is this product installed/running/present on the PC?

I have never installed that program. I did not know it existed. I do not have an internal network. That error appears when I telnet to my host name while I am connected to the internet.

Off-line, the error is: Connecting to … Could not open a connection to the host, on port 143: Connection error

Having had a few moments to sit down and properly read through the mikrotik forum topic, it seems the RFC style error message is coming from the anti-virus scanner. It’s apparently common code. It also means that there is some kind of live socket in place, else the anti-virus scanner wouldn’t “connect”. That matches the nmap scan results.

The end result, is that the ports are there, and open. But they’re not running the expected SMTP, POP3, IMAP4 protocols. They’re doing something else.

Since these are not showing up in the netstat report, and there are 4 email-oriented standard ports “active”, I would rate this as very highly suspect. A Wireshark capture might be informative (downloaded from www.wireshark.org), but the more immediate concern would be to find out what is running. The rootkit checks would be a good place to start. GMER, Blacklight, SysInternals, and any other such malware scanner would do at this point.

For CFP, check the setting Firewall → Advanced, Attack Detection Settings, the Miscellaneous tab, and at the bottom is a checkbox for “Monitor other NDIS protocols”. Mark that checkbox and Apply. This might catch some inbound traffic to those ports, and put some IP addresses into the CFP log.

Interesting ports on dialup99-xxxxxxxxxxx (200.xx.xx.xx):

PORT STATE SERVICE VERSION
25/tcp open smtp?
110/tcp open pop3?
113/tcp closed auth
143/tcp open imap?

I would rate this highly suspicious. As these do not show up in netstat, they are either “hidden” on your system or there is some sort of “transparent” device between you and the rest of the internet. Do you know other people with the same provider? Do they have the same result when scanning?
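A small check for the discrepancy both replies above describe (a scan reports mail ports open while netstat shows no listener, and the greeting on those ports does not look like SMTP/POP3/IMAP). This is an added Python example, not code from this thread or from Comodo; the netstat text, scan results and banners are constructed, and the function names are hypothetical.

```python
import re
from typing import Dict, Set

# Constructed `netstat -an` sample (not from the thread): only 135 and 445 listen.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       64.12.24.20:80         ESTABLISHED
"""

# Constructed scan summary in the shape of the thread's nmap output.
SAMPLE_SCAN = {25: "open", 110: "open", 113: "closed", 143: "open"}

EXPECTED_SERVICE = {25: "smtp", 110: "pop3", 143: "imap"}


def listening_ports(netstat_text: str) -> Set[int]:
    """TCP ports that netstat reports in LISTENING state (IPv4 or [::] form)."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def unexplained_open_ports(scan: Dict[int, str], listening: Set[int]) -> Dict[int, str]:
    """Ports a scanner sees as open that no local socket accounts for.

    Such a gap means either a listener hidden from the OS tools (rootkit)
    or a device upstream answering on the host's behalf; either way the
    port deserves investigation rather than a guess.
    """
    return {p: EXPECTED_SERVICE.get(p, "unknown") for p, state in scan.items()
            if state == "open" and p not in listening}


def banner_matches_service(port: int, banner: str) -> bool:
    """True if the listener's first line is the greeting normally expected
    on that port (RFC 5321 '220', RFC 1939 '+OK', RFC 3501 '* OK')."""
    b = banner.strip()
    if port == 25:
        return bool(re.match(r"^220[ -]", b))
    if port == 110:
        return b.startswith("+OK")
    if port == 143:
        return b.startswith("* OK")
    return False
```

Run the three functions against real `netstat -an` output and the banners you get from `telnet localhost <port>`; a port that is both unexplained and answering with a non-greeting error line is the one to chase with the rootkit scanners mentioned above.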