Re: Clarification-Win2k Netstat sockets interpretation



Sebastian Gottschalk wrote:
warf wrote:

Even when I have 'SERVER', FILE PRINT SHARING, REMOTE ACCESS services disabled I still see NETBEUI ports 136,137,138,139,445 'listening' in TCPVIEW and S&D Processes???

Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?

I did...twice, even emailed the admin [very nice guy] who said they only
have Deutsch pages linked for the near future. It is exactly what I need though.


I ask because in an effort to disable all 'Remote access' I inevitably lose DNS Lookup or something that can't be restored short of an OS REPAIR install...

Then why don't you read before acting?

Vide supra...


and that gets tiring..."wipe and rebuild"

Nonsense. It's trivial to backup and restore the service configuration.

Correct me if I am wrong [like I have to offer...grin]: new versions of mal-executables are very stealthy 'and sticky' vis-à-vis code-melt, MBR partition hiding, kernel level misdirection of detection...ad naus.

FOR EG...while updating my firewall a newly discovered file infecting virus [with no known repair method to date] slid in with the update TCP traffic and settled in the Winnt\internetlogs\ZA as J.S-LAME and was flagged during the subsequent bit level scan.
So...to what extent, if any, my files were compromised or if it had even yet been executed is unknown. SO....I take your oft 'suggested' advice and WIPE then REBUILD.

Are you suggesting you were remiss for that advice?

I accepted your erstwhile advice re rebuilding and:
I acted atavistically and installed Win2000 on a spare laptop with no useful data just so I could do a better job of noting changes AND rebuild in far less time than with my XP machine.
Then I still have to install SP4, ZA, Ethereal, TCPview, Spybot, Adaware, Dlink router setup, all the Ibuddie drivers for NICard THEN...disable a dozen services, remove FILE&PRINT SHARING, T-BIRD, FIREFOX and configure the Dlink WLan [killit!] enable the Dlink WAN, clone the Mac address, set the lame software defaults to block mobile code, not save any ..DAT,HST...nor cookies web-bugs and like ilk....then fight for an hour to find which services I accidentally disabled with names like "REMOTE ACCESS...REMOTE DESKTOP...DNS...DHCP...TCP/NETBEUI..." and so on and on.

All because I lost my innocence reading how the boys at PHRACK get their jollies!

SO>>>>>>>maybe it's easy for you but for plebs like me playing with the big leaguers in kids' gear [actually, ironically the inverse is more likely!] it is hard not to add to the problem by naively being a server for malcode and redirection and providing safe haven for code that should be nuked.

but DHCP fails because NETBEUI is inactivated if I disable it in services.msc

Very strange.

I thought so as well... and that is because I am not even sure of what I don't know yet. [as I grin weakly and apologetically for inflicting my carcass on you ...sycophantically groveling for pearls of info.] Most webpages on the subject say disable DNSlookup [or is it DNSserver?] and DHCP if acting as a client only. My inability to connect

My ISP provides no filtering for us...Straight to the pipe [backbone] with our cable modems. A report on Eastlink.ca indicates a problem with an "open DNS server" and they require DHCP for IP acquisition...which is 'maybe' why the actions of my services.msc changes are not immediate???

With Ethereal in 'promiscuous mode' it is incredible [to me] how much broadcasting and ICMP traffic there is at any one moment. Fr, Israel, Cn, Ru, USA...and how much is lost/misdirected and how much is actively seeking vulnerable IP addresses is unknown to me but this is a fact:
Twice, while connecting my computer to the internet via an Ethernet cable and W2k [no firewall] I had a bogus popup before I could even pop in the ZA CD....as though there is near constant broadcasting seeking open unprotected servers to compromise.

Help?
Warf.