panic:
I’ve run the tests and the netstat_log 3 different times. The UDP connections remain the same and the TCP changed with each log. None of the ports mentioned above in the tests are in the netstat_log. Does this make any sense? Thanks.
Pat
Can you cut and paste the netstat log file, along with the online test results.
I’d believe the netstat results as these are the direct output of an operating system utility running locally. There can be no real confusion on what it’s reading.
Ewen
Okay. Will send them shortly.
Netstat_log:
Active Connections
Proto Local Address Foreign Address State
TCP PAT:epmap PAT:0 LISTENING
TCP PAT:microsoft-ds PAT:0 LISTENING
TCP PAT:1025 PAT:0 LISTENING
TCP PAT:1029 PAT:0 LISTENING
TCP PAT:4406 localhost:4407 ESTABLISHED
TCP PAT:4407 localhost:4406 ESTABLISHED
TCP PAT:4420 localhost:4421 ESTABLISHED
TCP PAT:4421 localhost:4420 ESTABLISHED
TCP PAT:netbios-ssn PAT:0 LISTENING
TCP PAT:4634 pop3.nettally.com:pop3 TIME_WAIT
UDP PAT:microsoft-ds *:*
UDP PAT:isakmp *:*
UDP PAT:1348 *:*
UDP PAT:4500 *:*
UDP PAT:ntp *:*
UDP PAT:1900 *:*
UDP PAT:ntp *:*
UDP PAT:netbios-ns *:*
UDP PAT:netbios-dgm *:*
UDP PAT:1900 *:*
Quick Test:
We have scanned your system for open ports and for ports visible to others on the Internet. As a rule an open port means your computer is vulnerable to attacks by crackers. They gain access to your computer and its files through these open ports.
Danger!
Danger!
The test found open port(s) on your system: 21
The test also found visible port(s) on your system: 23, 80, 135, 137, 138, 139, 1080, 3128
Recommendation:
It is urgent that you install personal firewall software. PC Flank recommends Outpost Firewall Pro.
If you have already installed and are using a firewall, check if it is set to make all the ports of your computer closed and invisible (hidden). If you have any problems adjusting your firewall, get help from the firewall developer. If the firewall is correctly set but fails this test, replace the firewall software and redo this test.
Trojan horse check
The test scanned your system to find signs of a Trojan. If a Trojan horse is on your computer a cracker can access your system’s files and your personal data.
At Risk!
Warning!
The test found visible ports on your system: 27374, 12345, 1243, 31337, 12348.
The following Trojans use these ports: SubSeven, NetBus, SubSeven, Back Orifice, BioNet
Although these ports are visible, they are not open, so your system is not infected. However, having visible ports on your system means your computer can be “seen” over the Internet. This makes it very easy for skillful intruders to explore your system.
Recommendation:
Install personal firewall software and use an anti-Trojan program. Anti-trojans to consider are: The Cleaner, PestPatrol or Tauscan.
If you have a firewall, check if it is set to make all your computer ports invisible (hidden). If it is, then it failed miserably. Replace it and redo this test.
Browser privacy check
The test checked if your web browser reveals any private information while you visit Web sites. Usually such information is: the last site visited, your locale and who your Internet Service Provider is.
Danger!
Danger!
While visiting web sites your browser reveals private information about you and your computer. It sends information about previous sites you have visited. It may also save special cookies on your hard drive that have the purpose of directing advertising or finding out your habits while web surfing.
Recommendation:
We advise you to get personal firewall software. If you already have a firewall program adjust it to block the distribution of such information.
TCP Connect Scanning:
TCP CONNECT scanning (scanned in 1 seconds)
We have scanned your computer’s ports used by the most widespread trojan horses. Here is the description of possible ports’ statuses:
“Stealthed” (by a firewall) - Means that your computer is invisible to others on the Internet and protected by a firewall or other similar software;
“Closed” (non-stealthed) - means that this port is closed, but your computer is visible to others on the Internet that can be potentially dangerous;
“Open” - Means that this port is ready to establish (or has already established) a connection with remote address. It also means that your computer is vulnerable to attacks and could have been already hacked or infected by a trojan/backdoor;
Port: Status Service Description
23 closed TELNET Telnet is used to remotely create a shell (dos prompt)
80 closed HTTP HTTP web services publish web pages
135 closed RPC Remote Procedure Call (RPC) is used in client/server applications based on MS Windows operating systems
137 closed NETBIOS Name Service NetBios is used to share files through your Network Neighborhood
138 closed NETBIOS Datagram Service NetBios is used to share files through your Network Neighborhood
139 closed NETBIOS Session Service NetBios is used to share files through your Network Neighborhood
1080 closed SOCKS PROXY Socks Proxy is an internet proxy service
1243 closed SubSeven SubSeven is one of the most widespread trojans
3128 closed Masters Paradise and RingZero Trojan horses
12345 closed NetBus NetBus is one of the most widespread trojans
12348 closed BioNet BioNet is one of the most widespread trojan
27374 closed SubSeven SubSeven is one of the most widespread trojans
31337 closed Back Orifice Back Orifice is one of the most widespread trojans
21 open FTP File Transfer Protocol is used to transfer files between computers
Recommendation:
It is urgent that you install personal firewall software. PC Flank recommends Outpost Firewall Pro.
If you have already installed and are using a firewall, check if it is set to make all the ports of your computer stealthed (invisible).
If you have any problems adjusting your firewall, get help from the firewall developer. If the firewal
Stealth Test:
The results of Stealth Test
We have sent following packets to TCP:1 port of your machine:
* TCP ping packet
* TCP NULL packet
* TCP FIN packet
* TCP XMAS packet
* UDP packet
Here is the description of possible results on each sent packet:
“Stealthed” - Means that your system (firewall) has successfully passed the test by not responding to the packet we have sent to it.
“Non-stealthed” - Means that your system (firewall) responded to the packet we have sent to it. What is more important, is that it also means that your computer is visible to others on the Internet that can be potentially dangerous.
Packet type Status
TCP "ping" stealthed
TCP NULL stealthed
TCP FIN stealthed
TCP XMAS stealthed
UDP stealthed
Recommendation:
Your computer is invisible to the others on the Internet!
Trojan Test:
Results of the test
We have scanned your computer’s ports used by the most dangerous and widespread trojan horses. Here is the description of possible ports’ statuses:
“Stealthed” (by a firewall) - Means that your computer is invisible to others on the Internet and protected by a firewall or other similar software;
“Closed” (non-stealthed) - means that this port is closed, but your computer is visible to others on the Internet that can be potentially dangerous;
“Open” - Means that this port is ready to establish (or has already established) a connection with remote address. It also means that your computer is vulnerable to attacks and could have been already hacked or infected by a trojan/backdoor;
Trojan: Port Status
GiFt 123 closed
Infector 146 closed
RTB666 623 closed
Net-Devil 901 closed
Net-Devil 902 closed
Net-Devil 903 closed
Subseven 1243 closed
Duddies Trojan 1560 closed
Duddies Trojan 2001 closed
Duddies Trojan 2002 closed
Theef 2800 closed
Theef 3000 closed
Theef 3700 closed
Optix 5151 closed
Subseven 6776 closed
Theef 7000 closed
Phoenix II 7410 closed
Ghost 9696 closed
GiFt 10100 closed
Host Control 10528 closed
Host Control 11051 closed
NetBus 12345 closed
NetBus 12346 closed
BioNet 12348 closed
BioNet 12349 closed
Host Control 15094 closed
Infector 17569 closed
NetBus 20034 closed
MoonPie 25685 closed
MoonPie 25686 closed
Subseven 27374 closed
BO 31337 closed
Infector 34763 closed
Infector 35000 closed
We have determined there are no open Trojan ports on your system. But the following ports we scanned are non-stealthed: 123, 146, 623, 901, 902, 903, 1243, 1560, 2001, 2002, 2800, 3000, 3700, 5151, 6776, 7000, 7410, 9696, 10100, 10528, 11051, 12345, 12346, 12348, 12349, 15094, 17569, 20034, 25685, 25686, 27374, 31337, 34763, 35000.
Although these ports are non-stealthed, they are not open, so your system is not infected. However, having non-stealthed ports on your system means your computer can be “seen” over the Internet. This makes your system a potential target for remote attacks.
Recommendation:
The absence of a Trojan horse on your system does not mean this problem cannot happen, of course. Anti-virus and/or anti-Trojan (we recommend Tauscan or PestPatrol) software should be installed and used on your system. If you already use this type of software on your system, its virus definitions (virus database) should regularly be updated. If you have a firewall, check if it is set to make all your computer ports stealthed.
Well, I think that’s them. Did I forget any? Thanks.
Pat
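One thing worth knowing when reading a Windows netstat log against an online scanner’s report: netstat substitutes names from the services file for well-known ports, so `epmap` is TCP 135, `netbios-ssn` is TCP 139, `netbios-ns`/`netbios-dgm` are UDP 137/138, `microsoft-ds` is 445, `isakmp` is UDP 500 and `ntp` is UDP 123. The scanner, on the other hand, only sees what the firewall lets through from outside, so the two lists are answering different questions. The script below is an added example (not from this thread or from PC Flank): it parses the netstat output pasted above (trimmed and embedded as a constant), turns the service names back into numbers, and reports which of the scanner’s ports actually have a local TCP listener behind them. The `SERVICE_PORTS` table is assumed from the standard Windows services file.

```python
"""Reconcile a pasted Windows `netstat -a` log with an online scanner's
port list.  Added example; the embedded log is the one from the thread,
trimmed to a few representative lines."""

# Service names Windows netstat prints instead of numbers
# (from %SystemRoot%\system32\drivers\etc\services); assumed mapping.
SERVICE_PORTS = {
    "epmap": 135, "microsoft-ds": 445, "netbios-ns": 137,
    "netbios-dgm": 138, "netbios-ssn": 139, "isakmp": 500,
    "ntp": 123, "pop3": 110,
}

# Constructed sample: subset of the log pasted above.
NETSTAT_LOG = """\
Active Connections
Proto Local Address Foreign Address State
TCP PAT:epmap PAT:0 LISTENING
TCP PAT:microsoft-ds PAT:0 LISTENING
TCP PAT:1025 PAT:0 LISTENING
TCP PAT:1029 PAT:0 LISTENING
TCP PAT:4406 localhost:4407 ESTABLISHED
TCP PAT:netbios-ssn PAT:0 LISTENING
TCP PAT:4634 pop3.nettally.com:pop3 TIME_WAIT
UDP PAT:microsoft-ds *:*
UDP PAT:isakmp *:*
UDP PAT:ntp *:*
UDP PAT:1900 *:*
UDP PAT:netbios-ns *:*
UDP PAT:netbios-dgm *:*
"""


def port_number(name):
    """Turn 'epmap' or '1025' into an int; unknown service names -> None."""
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS.get(name.lower())


def local_sockets(log):
    """Return a set of (proto, port) for TCP LISTENING sockets and every
    UDP socket.  ESTABLISHED / TIME_WAIT TCP entries are client-side
    connections, not services, so they are skipped."""
    found = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        port = port_number(local.rsplit(":", 1)[1])
        if port is None:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, port))
    return found


def reconcile(log, scanner_ports):
    """Split the scanner's TCP port list into ports that have a local TCP
    listener (the firewall is what decides whether they are reachable)
    and ports nothing on the host is bound to at all."""
    bound = {p for proto, p in local_sockets(log) if proto == "TCP"}
    wanted = set(scanner_ports)
    return {"bound": sorted(wanted & bound), "unbound": sorted(wanted - bound)}


if __name__ == "__main__":
    # The "visible" list from the Quick Test above, plus the "open" 21.
    report = reconcile(NETSTAT_LOG, [21, 23, 80, 135, 137, 138, 139, 1080, 3128])
    print("scanner ports with a local TCP listener:", report["bound"])
    print("scanner ports with nothing bound locally:", report["unbound"])
```

Run on the pasted log, 135 and 139 come back as bound (epmap and netbios-ssn), while 21, 23, 80, 1080 and 3128 have no listener at all; 137 and 138 are UDP sockets, which a TCP connect scan cannot see. Whether the bound ports are reachable from the Internet is then purely a firewall question, which is what the scanner’s “closed” versus “stealthed” distinction is really about.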
Hey Pat,
Did you think it was strange that in the middle of the PC Flank Tests, there was one set of test results that said everything was stealthed? Hmmm…
Sorry, I should have asked before what tests you were running. There are a few oddities about the PC Flank tests, most notably the fact that it says your firewall has failed its leaktests, despite you looking at a blank Internet Explorer page, where your test results should be.
On my PC, I did the following, in this precise order;
- Downloaded the pcflank leaktest
- Rebooted PC
- Ran pcflanktest.exe
- Clicked NEXT on the intro page
- Clicked the START INTERNET EXPLORER button
- Internet Explorer opened and a CPF alert popped up immediately stating that Internet Explorer had opened under the control of a new parent application - pcflanktest.exe
- I clicked DENY in the CPF dialogue
- I entered some arbitrary text in to the PC Flank Test dialogue and clicked NEXT
- The PC Flank Test window immediately displayed that my firewall had failed the leak test.
- I clicked the OPEN BROWSER button in the PC Flank Test dialogue, which opened their web site and displayed the following text;
[i]PC Flank Leaktest Results
Welcome to the PCFlank Leaktest results page.
Here are the results of your firewall handling PCFlank Leaktest. If in a table below you see the text you recently typed in while taking the test, this means your firewall has flunked it.
If your text is not shown, you either didn’t take the test, your previous IP address was different from your current one or your firewall has successfully prevented the leak of data (i.e. passed this leak test). Currently, only two commercial firewalls pass PCFlank Leaktest. These are Tiny Firewall 2005 and Outpost Firewall Pro[/i].
- The text I had typed into the leaktest window was not on the page, despite the fact that the leaktest application window was still open, telling me that “Your firewall has failed the test”.
If, at any point, you told CPF to allow the PC Flank Test to act as a parent to IE, then yes, it would transmit the text you typed, because it would be doing EXACTLY what YOU had told it to - allow it. If, on the other hand, you clicked DENY in the CPF alert, then NO DATA LEFT YOUR PC. Simple as that - the PC Flank Test is flawed in so far as it automatically displays the text “Your firewall has failed the test”, regardless of actual activity.
Please do not rely just on PC Flank. Not that there’s anything wrong with PC Flank, but there are now a multitude of leak tests available. CPF passes them all, to the best of my knowledge, and I’m certain that someone would have yelled pretty loudly if it didn’t. If you’ve followed the CPF installation instructions correctly, you’re stealthed and you’re protected.
Hope all this helps,
Ewen
To be quite frank, this entire firewall business is strange to me. I had been using Sygate and this summer while on vacation using a cable connection, Sygate alerted me to the fact that someone was scanning my pc. Like to scare me to death as I thought I was protected. I’ve never had that happen before or since.
You know, I did that test (leaktest) a couple of times and depending on what I allowed or denied, the results were different as you pointed out.
I also ran the cpil test and CPF alerted me - that was cool.
So, I’m set right? I shouldn’t need to worry? Thanks for your help and the help from AOwL too.
Pat
Hi pbernard.
You can try to do a portscan on you computer with Superscan 4.0
Download it at http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm
Start the program and in Hostname/IP write 127.0.0.1 and then press the “play” button in bottom left.
When finished you can see what UDP and TCP ports are open if you have any.
You can download TcpView 2.4, just to look at the ports that are used at the moment.
http://www.microsoft.com/technet/sysinternals/utilities/tcpview.mspx
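What Superscan does when pointed at 127.0.0.1 is a plain TCP connect scan, and the three outcomes it can see are exactly the “open”, “closed” and “stealthed” statuses the PC Flank output above defines: a completed handshake, a RST coming back, or no answer at all. The script below is an added example (not from this thread, Superscan or PC Flank) that performs that scan on the loopback interface. So that it has something to find offline, it starts its own throwaway listener on an ephemeral port and also picks a port it knows nothing is bound to; both of those are constructed for the demonstration.

```python
"""TCP connect scan of loopback, the check Superscan runs against
127.0.0.1.  Added example; the listener it starts is a stand-in for a
real service so the scan has a known-open port to report."""
import socket
import threading


def _accept_loop(srv):
    """Accept and immediately close connections until the socket is closed."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        conn.close()


def open_listener(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port; returns (socket, port).
    Constructed stand-in for a real service on the host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port(host="127.0.0.1"):
    """Find a port with nothing bound to it, by binding and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Return {port: 'open' | 'closed' | 'filtered'} using full connects.

    open      - handshake completed: something is listening
    closed    - RST came back: host is visible, nothing bound ("non-stealthed")
    filtered  - no reply within the timeout: packets dropped ("stealthed")
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except (socket.timeout, OSError):
            results[port] = "filtered"
        finally:
            s.close()
    return results


if __name__ == "__main__":
    srv, live = open_listener()
    dead = closed_port()
    for port, status in sorted(connect_scan("127.0.0.1", [live, dead]).items()):
        print(f"{port:5d}  {status}")
    srv.close()
```

Scanning loopback can never produce “filtered”: the local stack always answers itself, so a loopback scan tells you what is listening, not what the firewall exposes. To see the firewall’s effect you need the scan to come from another machine (which is what the online tests do), and a “closed” there means a RST got out, while “stealthed” means the probe was dropped.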
Hey Pat,
Don’t worry about being new to firewalls - you’re in the vast majority, but at least you’re approaching it with an investigative mindset. That is exactly the right approach to take - assume everyone is guilty until proven otherwise. This is the fundamental design philosophy behind a good firewall - keep out everything until I’m directly and explicitly told otherwise. CPF tries to provide as much information as it can on each and every alert - not all of the info will make sense at first, but if you trawl around the FAQ section of the firewall forums, you should be able to pick things up. There are a couple of primers there on internet terminology, principles of firewalls etc. These have all been written by everyday users like you and me. Well worth going through.
Re. the sygate port scanning - you were protected. Sygate was merely informing you that it had detected an attempt to port scan, not that it had allowed it to occur. Their wording, however, leaves a bit to be desired.
Whether you’re set right or not depends on a few factors - the configuration of CPF (the default configuration is pretty ■■■■■■ good and will suffice for 90% of computing needs), your surfing habits and your attention span. By attention span, I mean whether you are the type of user to just blindly click the “YES” button (somehow, I don’t think you are, though ;)). If CPF alerts you to something, take the time to read the alert and try and understand what it is saying. If in doubt, click DENY, and if things go pear-shaped, reboot and learn from what happened.
The first couple of weeks can be a bit daunting, but once you get the hang of things, it’s a piece of cake.
Hope to see you around the forums and hope all this helped.
Rgds,
Ewen
Hey guys!
Thank you! I ran the Superscan and the TcpView and everything is just fine. Appreciate your time, patience and kind words. I plan to get better acquainted with CPF and will check out firewalls in general. Will stop in here frequently to keep up on the latest. Here’s to your health! :■■■■
Pat