Why is this port open (and vulnerable?)?

I ran a “Security Scan” on a site called SpeedGuide.net to be told that my port 8080/tcp (Service: http-proxy) is open and unfiltered. It also showed port 53/udp (Status: “filtered?”) (Service: domain) and port 67/udp (Status: “filtered?”) (Service: dhcps) as open.

Why is this? I confess I am ignorant about these matters, but the first (port 8080) item, especially, seems alarming.

I ran the “Leak Tests” on the Comodo site and when I told the firewall to deny the attempts, in each case got a message that the “page cannot be displayed” and that the “page is currently unavailable”. I had expected to be taken to a page on the Comodo site telling me that my system had passed the test. What’s going on here?

I’d be grateful for some help and education.

Thanks!

Port 8080 is a common inbound port for proxies on a LAN.

If you are doing an online scan (like ShieldsUp at www.grc.com) the port scanner is actually testing the first reportable device on the requesting IP address. If there’s a proxy server or a router between you and the internet, then this is the device that the scanner is testing, not your actual PC. If you’re behind a router, the only way to get something like ShieldsUp to test the ports on your PC is to forward all ports on your router to your PC.

Hope this helps,
Ewen :slight_smile:

Thanks Ewen, but I have no proxy server (I don’t think) or router.

Anything else (e.g., some application) you can think of which would account for the open port 8080? Can Comodo firewall software give me this information? If there is no such legitimate application to cause the open port 8080, what can I do to close that port?

What about ports 53 and 67, as described in my initial post?

Symantec says in its literature that it’s best to have all unused ports ‘stealthed’ as opposed to simply closed. What do you think about that?

Was the response I got when running the “Leak Tests” from the Comodo site a good response (i.e., “pass”) – please see my initial post.

Thanks again!
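The question of which local application accounts for an open port 8080 can be answered on the PC itself rather than from an outside scan. The following is an added example, not code from the thread or from Comodo: it parses the output of `netstat -ano` (the sample output below is constructed for illustration, including the PID numbers) and reports which process owns a given port and which listeners are bound to a network-reachable address rather than to loopback.

```python
import subprocess
import sys

# Constructed sample of `netstat -ano` output on Windows; the PIDs and addresses
# are invented for this example and are not from the original post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:8080         127.0.0.1:49152        ESTABLISHED     2316
  TCP    127.0.0.1:49153        0.0.0.0:0              LISTENING       1900
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:53             *:*                                    1248
  UDP    0.0.0.0:67             *:*                                    1248
"""


def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP":                     # TCP rows carry a State column
            state, pid = parts[3], parts[4]
        else:                                  # UDP rows have no state
            state, pid = "", parts[3]
        addr, _, port = local.rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "state": state, "pid": int(pid)})
    return rows


def is_listener(row):
    """A TCP socket counts only if LISTENING; every bound UDP socket can receive."""
    return row["proto"] == "UDP" or row["state"] == "LISTENING"


def owners_of_port(rows, port):
    """PIDs that have a listening/bound socket on `port` (any protocol)."""
    return sorted({r["pid"] for r in rows if is_listener(r) and r["port"] == port})


def exposed_listeners(rows):
    """Listeners bound to a wildcard or LAN address, i.e. reachable from outside.

    Sockets bound to 127.0.0.1 or [::1] only accept connections from the PC itself
    and cannot be what an Internet-side scanner reports as open.
    """
    return [r for r in rows
            if is_listener(r) and not r["addr"].startswith("127.")
            and r["addr"] != "[::1]"]


if __name__ == "__main__":
    if sys.platform == "win32":
        # Live run: `netstat -ano` needs no elevation to list PIDs on modern Windows.
        text = subprocess.run(["netstat", "-ano"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_NETSTAT   # non-Windows: demonstrate on the constructed sample
    rows = parse_netstat(text)
    for pid in owners_of_port(rows, 8080):
        print(f"port 8080 is owned by PID {pid}")
    for r in exposed_listeners(rows):
        print(f"{r['proto']:<4} {r['addr']}:{r['port']}  PID {r['pid']}")
```

On Windows, `tasklist /FI "PID eq 2316"` (with the PID the script prints) names the executable behind the socket; if that turns out to be a proxy, update agent or media server you recognise, the port is legitimately open and can be allowed or blocked by application rule. If nothing listens on 8080 but the scanner still reports it open, the answer is a device in front of the PC, not the PC.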

LOL. Not being able to see the pages means that you actually passed, not failed.

If the firewall had leaked, the text you typed would have been sent to the Comodo site and it would then have generated a page containing the text. It didn’t leak and therefore you can’t see the page with your text in it.

It can seem a bit backwards, but if you didn’t see the text you typed on a Comodo generated page, then the firewall did its job and prevented the text being sent.

Stealth V Closed? The jury’s still out on this one. Personally, I used to think that having all ports stealthed was required, but I’m changing my view on this.

If you don’t have a firewall and all your ports are closed, anyone trying to contact you will get a “Port unreachable” or “Host unreachable” message. The person attempting access would, hopefully, move on and try another IP address.

OTOH, if you do have a firewall and all ports are stealthed, anyone attempting to contact you gets nothing, no responding message at all. To the bad guys, this is a dead giveaway that there is a firewall at that IP address, therefore the IP address is valid and there is a PC at the other end. This could then lead them to try and find a vulnerability.

Currently, I think that as long as there are no unnecessarily Open ports, you’re OK. Stealthed or Closed, attempted access is blocked, but being Stealthed CAN provide clues and provoke further action.

You can test if your ISP is providing access via a proxy by creating a block rule for port 8080 and moving it to the top of the rules (rules are read from the top downwards). If your internet access dies, then there is a proxy somewhere in your communication chain. DNS and DHCP are usually allowed by the default rules.

Can you please post a screenshot of your Network Monitor rules.

Hope this helps,
Ewen :slight_smile:
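The open / closed / stealthed distinction above, and the “filtered?” verdict the scanner gave for 53/udp and 67/udp, both come down to what answer (if any) a probe packet receives. The script below is an added example written for this thread, not something from Comodo or from the scanning sites mentioned; it reproduces the classification an online scanner performs and demonstrates it against sockets it opens on the loopback interface, so it runs offline. The timeout values and the loopback test targets are choices made for the example.

```python
import socket


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port the way an online port scanner does.

    open     - SYN answered with SYN/ACK: connect() succeeds, a service is listening
    closed   - SYN answered with RST: connect() is refused; nothing listens, and no
               firewall dropped the packet (this is the "closed" state in the thread)
    filtered - no answer within the timeout: a firewall silently dropped the SYN;
               ShieldsUp calls this "stealth"
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"   # no route, etc.: says nothing about the port itself
    finally:
        s.close()


def probe_udp(host, port, timeout=2.0):
    """UDP has no handshake, so only a negative answer is definite.

    closed        - an ICMP "port unreachable" came back
    open|filtered - silence: either a service that ignored the empty datagram or a
                    firewall that dropped it. Scanners print this as "filtered?",
                    which is why 53/udp and 67/udp cannot be pinned down from outside
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # a connected UDP socket is told about ICMP errors
        s.send(b"")
        s.recv(1024)
        return "open"
    except socket.timeout:
        return "open|filtered"
    except (ConnectionRefusedError, ConnectionResetError):
        return "closed"           # Windows reports the ICMP error as a reset
    except OSError:
        return "unreachable"
    finally:
        s.close()


def demo():
    """Probe loopback sockets in each state and return the four verdicts."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    tcp.listen(1)
    tport = tcp.getsockname()[1]
    tcp_open = probe_tcp("127.0.0.1", tport, timeout=1.0)
    tcp.close()                         # now nothing listens: expect RST -> closed
    tcp_closed = probe_tcp("127.0.0.1", tport, timeout=1.0)

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    uport = udp.getsockname()[1]
    udp_silent = probe_udp("127.0.0.1", uport, timeout=0.5)  # bound, never replies
    udp.close()                         # expect ICMP port unreachable -> closed
    udp_closed = probe_udp("127.0.0.1", uport, timeout=1.0)

    return {"tcp_open": tcp_open, "tcp_closed": tcp_closed,
            "udp_silent": udp_silent, "udp_closed": udp_closed}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<11} {verdict}")
```

Point the two probe functions at your own public address from a machine outside your network and you get the same three-way answer the online scanners give, which is also how to settle the disagreement between two scanners that is raised later in the thread: the one whose verdict matches a direct probe is the reliable one. Note that a scanner on the Internet always hits the first device holding the public IP, so from behind a router these verdicts describe the router, not the PC.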

Actually, both would probably lead to the same result: The bad guys just move on. I work for a security testing company that gets paid by vendors to completely assess their products for any kind of exploit at all, among various other things, and one of the others is “Trend Reporting”. Meaning, we see what is the most used exploit and which things are most likely to be probed to try and find an exploit. The results showed that with both of them, 87% moved on. Considering the staggering number of people who have absolutely no firewalls at all, not even the craptastic Windows Firewall, it would be much faster for them to just find one they can easily exploit rather than waste their time with someone who obviously does have a firewall.

Thanks for that.

In your opinion, am I correct in telling people that Closed and Stealthed are both OK and 100% stealthed isn’t really required. Just as long as your firewall is properly configured.

Ewen :slight_smile:

Yes, both of them are 100% fine, as long as all the ports are closed.

Thought so. Thanks for confirming.

So this big ruckus about the ports “being closed but are still seen” is currently not as dire as what many are making it out to be? I noticed many going toward stealth in fear a seen port can be accessed/opened. Although I always assumed with the right security in place it would remain closed unless opened from the inside/PC itself or port knocking. I have run across others who say their firewall failed because not stealthed and the ports were seen. So going by your confirmation to Ewen, this is basically a crock, and both are fine.

I do ask though, with the above mentioned, about port knocking, if there are no ports to scan and generate the connection attempt, wouldn’t stealth be much better then?

Thanks for any info ,

Paul

It is long, hard, and really not worth opening a port. Though, yes, any dedicated hacker could write a program to get past EVERY firewall, many of which forcibly hold a port shut, for most, as said above, it is really just easier to get those with no firewall. However, a recently discovered Windows exploit affecting all versions of Windows 95-Vista has made it so that using a relatively simple ping with a slightly different method of probing reveals exactly what type of firewall you have, so they’d be able to tell if you have, say, Outpost or Filseclabs Firewall and use an appropriate exploit to gain access to your computer, so stealthing or not it makes no difference. Your computer could have all ports Stealthed but the ping would still come back with a firewall. The only firewalls it doesn’t seem to affect are Comodo and Jetico, because of the way they’re built, specifically in the “Block a program until otherwise allowed” region. It would come up asking if you want to allow (IP of Prober) access to your computer.
(V)

Seriously though, it affects every firewall we tested (a number range of 34000+). We pride ourselves in having found it. ^^
We’re working on mass-mailing every single firewall vendor we could find. But if you have Comodo, which you probably do, or Jetico, no need to worry.
However, the fact that the firewall testing just finished this morning makes it probable that no one is using it yet, making this long-winded ramble insignificant, so, back to the subject at hand:

Yes. Stealthing and Closing have no different value. Just as long as they’re not open.

Hi again, thanks for the info. I saw a couple of vulnerabilities as you mentioned and one by rootkit which did almost exactly what you described. BTW, …
(B) I will have no other firewall. :wink: So once again, CFP and Jetico stand out and Norton securities and ZA are making the big bucks fooling others into thinking bloat is protection. I suppose they get any more bloated and nothing WILL get through, lol.

Anyway, thanks for clearing that up and thanks to Ewen for asking in the first place as I wondered the same.

Paul

They’re like having a heart attack from eating too much:
You keep getting more and more fat (Bloated), your arteries (Internet/Computer) slowly clog up, you start more and more to ignore it (The warnings), and then eventually you keel over in pain (Have a hacker get in), go to a doctor (Add/Remove Programs) and have your arteries (The firewall) unclogged (Uninstalled). Now you think that food (Firewalls) is bad and you starve yourself (Don’t install another one) and you die of malnutrition (Your PC gets taken over).
(:SAD)

ROFL! Exactly! :wink:

Paul

On a completely irrelevant note,

busts a dance move

http://img403.imageshack.us/img403/941/dancesp57450bm9.gif

(J)

Well, that beats the analogy I was going to use - wife - mistress - wallet, but either way you end up dead! LOL

That brings new meaning to the smiley (S)…

I wonder whether this site is reliable. after reading your post I also did a test. Seems OK, but they say I have three (telnet) port 23 (tcp), one open and two filtered (stealthed). Shields Up on the other hand gives me a clean bill of health and clearly states port 23 is stealthed.
I switched from router to dial up for the tests to prevent the router being scanned.
Is there any explanation for this anomaly ?

Thanks all.

Per panic’s suggestion, I created a new rule (in top position) to block TCP in/out of port 8080. No problem with internet connection.

I am sorry, but I don’t seem able to get a screen shot. I looked at Help for MS Windows, and tried hitting . Also tried + . Nothing happens. When I right-click within the message I’m composing for this forum, the ‘paste’ option is greyed out, so I guess there is nothing on my clipboard? Can someone help me with this?

Also, what about the scan result for the other two ports (showed as “filtered?”), as mentioned in my initial post.

I tried the same port probing test that seems to be inaccurate.

It revealed a lot of ports open for me - after directly probing the ports from another computer myself, they are still stealthed.

Either they’re trying to scam someone into buying something of their’s or they just suck.

Hi panic,

Well I figured how to get the screen shot of the Rules I’ve got set up. I hope I’ve successfully attached it below.

Your comments?

Thanks Ewen and Quwen.

[attachment deleted by admin]