Re: Norton Personal Firewall 2003

From: Joseph V. Morris (jvmorris@erols.com)
Date: 12/09/02


From: "Joseph V. Morris" <jvmorris@erols.com>
Date: Mon, 9 Dec 2002 17:51:14 -0500

Ture,

Okay, back again. Inline, below ...

"Alsvik Ture" <ture@alsvik.dk> wrote in message
news:bLoI9.61546$HU.4259737@news010.worldonline.dk...
. . . .
| I have to explain that the ports are open both if I'm running the p2p
| program and if I'm not.

Well, there's a problem with some of the P2P programs and I haven't yet
seen where you've indicated exactly which one you're using, so I'll just
give an example. (I've still got 12 posts to go in this thread!)

At one point, it was possible to download 'infected' versions of KaZaA
(and I certainly hope you aren't using this one, because the RIAA is all
over it). KaZaA, in particular, went looking for an update when loaded
and it didn't just check the KaZaA homesite, it checked anyone with whom
you had established KaZaA links! It simply selected the first 'upgraded'
copy it found -- and in some cases these 'upgrades' had been 'Trojanized'.
Specifically, they incorporated Trojan Loaders. (If KaZaA is still out
there, I think this problem has now been corrected.) Unfortunately, if
you downloaded one of the 'Trojanized' copies, God only knows what is
currently installed on your machine. It's time to run a good AV program
and preferably also a good anti-Trojan program just to ensure that you
haven't been 'blessed' in the interim.

| The ports being open are the ports listed below:
| 21, 25, 80, 110 and 443.

Okay, now those indicate
1) Port 21 (nominally FTP)
2) Port 25 (nominally SMTP)
3) Port 80 (nominally HTTP, i.e., a web browser)
4) Port 110 (nominally pop3) ... and
5) Port 443 (nominally https).

I would strongly recommend that you check out just what Trojans you may
have been blessed with as a consequence. A good starting point is
available at http://www.simovits.com/trojans/trojans.html . Still, only a
good, up-to-date AV and/or AT utility is going to tell you whether you
have already hung yourself.

Now, you have PREVIOUSLY indicated in this thread that you are NOW running
1) an FTP server (Port 21),
2) an e-mail server (Ports 25 and 110), and also something you refer to as
3) a 'webmail' server (not quite sure what that is, myself), but it sure
   sounds like Ports 80 and 443 are listening.
Indeed, at some later point, I believe you indicated that you are actually
running a webserver.

Well, I gotta clue for you: If you're knowingly running ANY or ALL of the
above services and they actually WORK on the Internet, well, golly, gee
whiz, they're going to show as OPEN when you run something like GRC's
"Probe My Ports"! Maybe they weren't open when you had NPF 2002
installed, but they are DEFINITELY open now and waiting for input. This
is not rocket science; if they work and receive inputs from other IP
addresses on the Web, they're OPEN -- end of discussion. If they don't
(or didn't) work, they were CLOSED (at least). There's no way that you
can offer these services to the Internet at large and expect a site like
GRC to report them as CLOSED (and certainly not as STEALTHED).

| And the problem is that port scans were detected before I upgraded to
| NPF2003.

Well, that probably indicates nothing more than that your NPF 2002 did not
allow unsolicited inbound communication to these services, whereas your
NPF 2003 installation DOES.

| So on www.grc.com all my ports were shown as "stealth" using NPF2002 - but
| now they are shown as open and blocked!
| NPF2003 does not recognize the port scan!!!

I'm still waiting for some evidence to that effect. So far, I'm not sure
you know how to copy and paste NIS/NPF firewall log events into a response
here.
|
| That makes me reconsider if NPF2003 is the safety I'm looking for.
| About the p2p-issue, I used to be able to run the same p2p program with
| NPF2002 without having any problems. I just configured the program to
| "permit all" and open on all traffic to local ports 4661-4665.

Well, I must admit that I am beginning to wonder if NIS/NPF (any version)
is not a bit beyond your current level of comprehension -- at least, based
on the responses I've seen from you to date. If this is true, then, yes,
probably the best you can do is go back to something like ZA (free).

If you actually selected the 'Permit All' option for a P2P program, then
you most definitely need to acquire and run both a good AV and then a good
AT utility WITH UP TO DATE AV/AT SIGNATURES. Until you can establish that
you're CLEAN, (at this point) I'd have to assume that you're OWNED.

| I cannot block all other ports than 80 - because I'm running a webserver,
| ssl mailserver, ftp-server and a remote control program. That's what opens
| the ports 21, 25, 80, 110, 443 and 8080. But nevertheless a port scan
| should block the traffic from the ip from which the scan originated. NPF2003
| does NOT do this! WHY?

I beg your pardon? You just told me that you're running a webserver, ssl
mailserver, ftp-server, and a remote control program and you're wondering
why these ports are showing as OPEN when you run GRC's "Probe My
Ports"????? Well, dammit, if they WORK, they're OPEN!! (That's open,
like the services are running and the firewall is PERMITting them (and
more than likely not logging what it PERMITs, unless you've PERSONALLY
configured it otherwise).)

| I haven't changed any rules - - other than program rules! And I haven't
| custom-made any of the rules. They are either on permit or block.

I'm still waiting to see what the firewall rules ARE for these
applications. Until I see that response, I can't really provide any more
useful information.
. . . .

--
Regards,
    Joseph V. Morris
    jvmorris@erols.com
    ICQ #29438199
This is a NEWSGROUP message; except for privacy reasons, please respond
therein; an e-mail COPY is always appreciated, of course.
Almost all electrons used in the creation of this message were recycled.
No electrons used in the production of this message were harmed or
mistreated in any manner.
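
The open / closed / stealthed distinction the reply above relies on, as an added example that is not part of the original post: a TCP connect check to run against your own machine. The name `classify_port` and the loopback listener in `demo` are constructed for illustration.

```python
import socket

# Ports listed in the thread, with the nominal services named in the reply.
NOMINAL = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 443: "https"}

def classify_port(host, port, timeout=1.0):
    """Classify one TCP port as a remote probe would see it.

    open    - the connection was accepted: a service is listening and permitted
    closed  - the host answered with a reset: reachable, nothing listening
    stealth - no usable answer before the timeout: the packet was dropped
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        # Assumption: other errors (e.g. host unreachable) are grouped with "stealth".
        return "stealth"
    finally:
        s.close()

def demo():
    """Constructed loopback demo: a running service is open, a stopped one is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # ephemeral port stands in for a real service
    srv.listen(1)
    port = srv.getsockname()[1]
    while_running = classify_port("127.0.0.1", port)
    srv.close()                  # "stop the service"
    after_stop = classify_port("127.0.0.1", port)
    return while_running, after_stop

if __name__ == "__main__":
    print("demo listener:", demo())
    for p, name in NOMINAL.items():
        print(p, name, classify_port("127.0.0.1", p))
```

A port can only move from "open" to "stealth" for outside probes if the firewall drops unsolicited inbound traffic to it, which also makes the service behind it unreachable.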

