Wednesday, August 24, 2005

Which Windows ports are open?

Do you know what ports on your computer are open and listening? An open port means an outside process can potentially connect to your computer through that port.

Many operating systems, by default, try to be as user-ready as they possibly can when first installed. Inadvertently, they make themselves hacker-friendly as well. Having more ports open than you need is one example. Windows, especially the older versions, is guilty of this.

So, as a security precaution, you need to identify what ports are currently open, and then decide on whether they should be.

You can run a native Windows tool called netstat (a more powerful version of netstat exists on Linux). netstat is a command line tool. So, open a Windows prompt, and enter
netstat -an

Below is some sample output:

C:\tmp>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1038           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         127.0.0.1:1032         ESTABLISHED
  TCP    127.0.0.1:1032         127.0.0.1:1031         ESTABLISHED
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    192.168.0.41:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.41:1038      195.140.142.166:80     CLOSE_WAIT
  TCP    192.168.0.41:1974      204.209.205.53:110     TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:2967           *:*
  UDP    0.0.0.0:38037          *:*
  UDP    0.0.0.0:38293          *:*
  UDP    127.0.0.1:1332         *:*
  UDP    192.168.0.41:137       *:*
  UDP    192.168.0.41:138       *:*
  UDP    192.168.0.41:500       *:*

The details of how to use the report are beyond the scope of this blog. Suffice it to say that you can identify the active ports under the Local Address column: the port is the number after the colon, so in the lines above 22, 135 and 445 are port numbers. The address before the colon tells you where the port is reachable from: 0.0.0.0 means every interface, 127.0.0.1 means this machine only, and a LAN address such as 192.168.0.41 means that interface. TCP entries in the LISTENING state are the ones accepting connections; UDP has no connection state, so every UDP line is a bound port.

Unfortunately, netstat on Windows 2000 does not tell you the process ID, the service name or the path of the executable. To obtain that kind of information, you need to download another tool: fport.

Sample fport output is as follows:

C:\tmp>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port   Proto  Path
876   ssh2master     ->  22     TCP    C:\Program Files\SSH Communications Security\SSH Secure Shell Server\ssh2master.exe
1720  apache         ->  80     TCP    C:\PROGRA~1\EASYPH~2\Apache\apache.exe
488   svchost        ->  135    TCP    C:\WINNT\system32\svchost.exe
8     System         ->  139    TCP
8     System         ->  445    TCP
688   lserver        ->  1028   TCP    C:\WINNT\System32\lserver.exe
1532  firefox        ->  1031   TCP    C:\Program Files\Mozilla Firefox\firefox.exe
1532  firefox        ->  1032   TCP    C:\Program Files\Mozilla Firefox\firefox.exe
1708  EasyPHP        ->  1038   TCP    C:\Program Files\EasyPHP1-8\EasyPHP.exe
1608  mysqld         ->  3306   TCP    C:\PROGRA~1\EASYPH~2\MySql\bin\mysqld.exe
364   termsrv        ->  3389   TCP    C:\WINNT\System32\termsrv.exe
8     System         ->  137    UDP
8     System         ->  138    UDP
8     System         ->  445    UDP
264   lsass          ->  500    UDP    C:\WINNT\system32\lsass.exe
708   NSCTOP         ->  1025   UDP    C:\Program Files\SSC\NSCTOP.EXE
708   NSCTOP         ->  1026   UDP    C:\Program Files\SSC\NSCTOP.EXE
1328  Winamp         ->  1332   UDP    C:\Program Files\Winamp\Winamp.exe
624   rtvscan        ->  2967   UDP    C:\Program Files\NAV\rtvscan.exe
1116  MsgSys         ->  38037  UDP    C:\WINNT\system32\MsgSys.EXE
584   pds            ->  38293  UDP    C:\WINNT\system32\cba\pds.exe

It was reported that the version of netstat on Windows XP SP2 provides similar information to fport. I don't have Windows XP so I can't try it out. But if you do, try this:

netstat -abno

The fport or netstat report is just the first step. From the reports, you need to identify any suspicious active ports, and then shut down the corresponding program or Windows service/daemon. Ports bound to 0.0.0.0 or to your LAN address deserve the closest look, since those are the ones other machines can reach; a port bound to 127.0.0.1 is only reachable from the computer itself.
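The two listings above answer different questions (netstat: which ports are bound and on which address; fport: which process owns each port), and the real work is joining them. The script below is an added example, not something from the original post or from the netstat or fport tools themselves. It parses both output formats, keeps only bound ports (TCP sockets in LISTENING state plus every UDP socket), classifies each by where it is reachable from, and pairs it with the owning process. The embedded sample text is constructed for the example from a subset of the post's listings; the column spacing is assumed to be whitespace-separated, which holds for both tools' output.

```python
"""Join `netstat -an` and `fport` output into one list of bound ports.

Added example: parses the two text formats shown in the post, flags which
bound ports are reachable from other machines, and attaches the owning
process. Sample inputs are constructed from a subset of the post's listings.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")
Owner = namedtuple("Owner", "pid process path")

# Constructed sample of `netstat -an` output (subset of the post's listing).
NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    192.168.0.41:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.41:1974      204.209.205.53:110     TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1332         *:*
  UDP    192.168.0.41:137       *:*
"""

# Constructed sample of `fport` output (subset of the post's listing).
FPORT_SAMPLE = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Pid   Process            Port   Proto  Path
876   ssh2master     ->  22     TCP    C:\Program Files\SSH Communications Security\SSH Secure Shell Server\ssh2master.exe
1720  apache         ->  80     TCP    C:\PROGRA~1\EASYPH~2\Apache\apache.exe
488   svchost        ->  135    TCP    C:\WINNT\system32\svchost.exe
8     System         ->  139    TCP
8     System         ->  445    UDP
1608  mysqld         ->  3306   TCP    C:\PROGRA~1\EASYPH~2\MySql\bin\mysqld.exe
8     System         ->  137    UDP
1328  Winamp         ->  1332   UDP    C:\Program Files\Winamp\Winamp.exe
"""

# proto, local addr:port, foreign addr:port, optional state (UDP has none)
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
# pid, process name, '->', port, proto, optional path (System entries have none)
_FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+?)\s*->\s*(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def parse_netstat(text):
    """Return every bound socket: TCP rows in LISTENING state plus all UDP rows."""
    found = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank, or a line we do not understand
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT / CLOSE_WAIT are not accepting connections
        found.append(Listener(proto, addr, int(port)))
    return found


def parse_fport(text):
    """Map (proto, port) -> Owner(pid, process, path) from fport output."""
    owners = {}
    for line in text.splitlines():
        m = _FPORT_RE.match(line)
        if not m:
            continue
        pid, process, port, proto, path = m.groups()
        owners[(proto, int(port))] = Owner(int(pid), process, path)
    return owners


def exposure(addr):
    """Describe who can reach a socket bound to this local address."""
    if addr == "127.0.0.1":
        return "loopback only"
    if addr == "0.0.0.0":
        return "all interfaces"
    return "interface " + addr


def exposed_ports(netstat_text):
    """Sorted (proto, port) pairs that other machines could connect to."""
    return sorted({(l.proto, l.port) for l in parse_netstat(netstat_text)
                   if exposure(l.addr) != "loopback only"})


def report(netstat_text, fport_text):
    """Join both listings; network-reachable ports first, then loopback-only."""
    owners = parse_fport(fport_text)
    rows = []
    for l in parse_netstat(netstat_text):
        o = owners.get((l.proto, l.port), Owner(None, "<unknown>", ""))
        rows.append({"proto": l.proto, "port": l.port, "addr": l.addr,
                     "exposure": exposure(l.addr), "pid": o.pid,
                     "process": o.process, "path": o.path})
    rows.sort(key=lambda r: (r["exposure"] == "loopback only", r["proto"], r["port"]))
    return rows


if __name__ == "__main__":
    for r in report(NETSTAT_SAMPLE, FPORT_SAMPLE):
        print(f"{r['proto']:<4} {r['port']:<6} {r['exposure']:<22} "
              f"pid={r['pid']} {r['process']} {r['path']}")
```

To use it on a real machine, redirect each tool's output to a file and feed the file contents to `report()` in place of the constructed samples. Ports that come out as "all interfaces" or "interface <LAN address>" with a process you do not recognise are the ones to investigate first.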
