Re: Do I need these services listening?

From: Gerald Vogt (vogt_at_spamcop.net)
Date: 03/15/05


Date: Tue, 15 Mar 2005 09:37:25 +0900

rodlinkowitz@whale-mail.com wrote:
> No. I simply have an email program, like most people. I have
> a very simple LAN setup, really. DSL Modem, Netgear rp614 router, and a
> second computer connected via Ethernet cable to the first computer
> (which hosts the modem and router). I was saying the second computer
> was not physically connected to the DSL modem, but of course, it is
> connected to the router via the cable. It isn't that the online
> scanners find open ports. I'm secure according to the online scanners.
> It's the software scanners that have found the previously mentioned
> ports open.

O.K. I think now I start to understand. Is there a particular reason for
this strange setup? Is it right that you have two ethernet/LAN cards in
your first computer?

I'll try to describe how I think you should set it up: you connect the DSL
modem to the WAN port of the Netgear and connect each computer to the
Netgear. There is no direct connection between the computers; all the
traffic goes through the Netgear, which then provides the internet
connection to both and also exchanges the traffic between the two
computers. (The Netgear includes a switch which does exactly that.)

As far as I understand the Netgear webpage, you can easily set up the
router to connect to the internet through your DSL line. Most likely,
you have to configure PPPoE in the router, enter the connection
information of your ISP and you are done. Both computers run inside the
local network behind the Netgear with private IPs. The Netgear gets the
dynamic IP address of your ISP. The Netgear does address translation so
that your computers with private IPs can communicate with the internet
with public IPs. The endpoint on your side for the internet is always
the Netgear with the dynamic IP address of your ISP.

I would highly recommend changing the setup in this way, as your setting
is really strange. I'll try to guess your setup: you have connected the DSL
modem to a LAN port of your Netgear. This way all you have is a switch.
Obviously you can only connect one device to the DSL line, so you
connected computer 1 to a second LAN port of the Netgear. Computer 1 has
a dial-up/DSL network connection set up which you connect when you want
internet. Computer 2 is connected to the second LAN card in computer 1.
Computer 1 has Internet Connection Sharing. This way computer 2 gets a
private IP address from computer 1, and computer 1 has the public dynamic
IP address on the card to the internet and a private one on the card to
computer 2. I guess that you had this setup earlier and bought the
Netgear later... Anyway, if I am correct, the Netgear in this kind of
setup is next to useless because all you basically use is the switch.
The "firewall", NAT router and other security features of the Netgear
are only between the WAN port and the LAN ports. The WAN is usually the
internet and the LAN is your local network. Between those the Netgear
does the filtering.

I hope I guessed correctly and you can confirm your setup or point out
where it differs. Again, please change the setup in the way I wrote
earlier unless there is an important reason why you did it the way you
did it. (I cannot think of one now...)

> I ran more software scanning programs today, using my ISP's dynamic IP
> address instead of the private IP address on the secondary computer in
> my LAN (the one that does not have the modem).

You should not be able to scan a private IP address because no scanner
can find it. A private IP address is usually dropped at any router in
between. That's why they are private. You can only scan the public
address. If you scan from computer 2, all you should be able to scan
under normal circumstances is computer 1, which has the public IP
address. Can you elaborate which "software scanning programs" you used?
When I usually think of port scanners I think of some online service
that scans your ports, like grc.com, which you have mentioned somewhere
else. These online scanners give you a fairly accurate look at how it looks
from the internet. These online scans are the only really interesting
ones, as any software which you would install locally to scan your
computer can mostly only give you a look from the inside, which is different.

So what is relevant are the reports of an external online scanner.

> The results were similar, all saying ports 25 and 110
> were open, and most saying 135, 139 and 445 were open. Port monitors
> show these ports as listening, but the big question in my mind is, is
> the internet able to 'hear' them, or is it only the local network?

O.K. At this time I don't worry about 135, 139 and 445, which are normally
open under normal circumstances. I worry more about 25 and 110,
which are an SMTP server and a POP server. Both, you say, you don't run;
you only use them as a normal client. Even with your Internet Connection
Sharing in between, no computer should report open ports 25 and 110
unless it is running the servers. This does worry me in your case. Under
normal circumstances I would say that this indicates some malware on
your computer playing SMTP relay or worse...

So the first thing to check would be to verify that ports 25 and
110 are actually open. I usually prefer to go with the standard Windows
command line tools, so please open a command prompt and enter

   netstat -a -o

Check the output for lines which are in state "LISTENING" and which list
your computer name with port "smtp" or "pop3"/"pop" in the column for
the local address (e.g. "Compi:smtp" if your computer has the name
"Compi"). If you find any of those lines, write down the PID in the last
column of that line.

For each of the PIDs you wrote down (11223 in the example below), type

   tasklist /V /FI "PID eq 11223"

(with the double quotes; replace 11223 with one of your PIDs). This gives
you information about the process that is listening on that port. Also
run the previous command replacing /V with /SVC to see if it is running
services.

If you do find any LISTENING lines with netstat, you most likely do have
malware running on your computer. If this is the case, you have to deal
with that; probably the best would be a fresh setup from CD of both
computers. If you don't find anything with netstat, it may be that the
malware replaced the netstat program with one that does not report its
own ports. If the external online scanner shows open ports 25 and 110 on
your computer directly connected to the internet, then they are most
likely open. (The external online scanner will not find any open ports
anymore once you have changed the setup and put the first computer behind
the Netgear, because the Netgear is scanned then. This does not solve
your real problem, however, if you really have something running that
listens on ports 25 and 110.)

So, I think this should be your first priority: to find that out. You can
also try to connect to port 25 on your computer. Type

   telnet 65.93.127.22 smtp

in a command prompt window, replacing 65.93.127.22 with your current
dynamic IP address. If telnet can connect and shows some message from the
server, then you are running an SMTP server on your computer even if you
don't know about it.

If this is the case, i.e. you have an SMTP server and the ports are listening
on your computer, you have to deal with the malware problem. Write back
what you have found as I wrote above and we'll continue from there. If you
find something, make sure that your anti-virus and PFW are turned on on
your computer. Put them to the highest level of security. In addition, I
would recommend temporarily turning on the XP SP2 firewall as well. As
administrator, right-click the network connection in the tray and click to
change the Windows Firewall settings. Turn the firewall on and check the
box regarding the exceptions, i.e. do not allow any exceptions. This
hopefully disables access to your computer from the outside for the
moment until you can deal with the problem.

You may also try to run various online virus scanners or programs like
Spybot or Adaware to scan your computer for irregularities.

I hope it's just a false alarm, but please check this...

Gerald
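As an added example (not part of Gerald's post), here is a small Python script that automates the netstat check he describes: it parses the output of `netstat -a -o`, reports only TCP sockets in LISTENING state on the smtp/pop3 ports (an ESTABLISHED outbound connection to a remote pop3 server is the normal email client and is deliberately not reported), and prints the tasklist commands to run for each PID found. The netstat output embedded below is a constructed sample, not a real capture; the host name "Compi" is taken from the post.

```python
# Constructed sample of "netstat -a -o" output on Windows XP (not a real capture).
# Service names appear in place of port numbers because -n was not used.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Compi:smtp             Compi:0                LISTENING       11223
  TCP    Compi:pop3             Compi:0                LISTENING       11223
  TCP    Compi:epmap            Compi:0                LISTENING       892
  TCP    Compi:microsoft-ds     Compi:0                LISTENING       4
  TCP    Compi:netbios-ssn      Compi:0                LISTENING       4
  TCP    Compi:1040             mail.example.net:pop3  ESTABLISHED     1588
  UDP    Compi:microsoft-ds     *:*                                    4
"""

# Mail service ports a plain client machine should never be listening on,
# in both the name form netstat prints by default and the numeric form (-n).
MAIL_PORTS = {"smtp", "25", "pop3", "pop", "110"}

def find_mail_listeners(netstat_output):
    """Return [(local_address, pid)] for TCP sockets in LISTENING state whose
    local port is smtp/25 or pop3/110. Only the local address column is
    inspected, so an outbound connection to a remote pop3 server (the email
    client fetching mail) is not reported."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP rows: Proto Local Foreign State PID; UDP rows have no State column.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        proto, local, foreign, state, pid = fields
        if state != "LISTENING":
            continue
        port = local.rsplit(":", 1)[-1].lower()
        if port in MAIL_PORTS:
            found.append((local, int(pid)))
    return found

def tasklist_commands(listeners):
    """Build the tasklist commands from the post, one /V and one /SVC per distinct PID."""
    cmds = []
    for pid in sorted({pid for _, pid in listeners}):
        cmds.append('tasklist /V /FI "PID eq %d"' % pid)
        cmds.append('tasklist /SVC /FI "PID eq %d"' % pid)
    return cmds

if __name__ == "__main__":
    hits = find_mail_listeners(SAMPLE_NETSTAT)
    for local, pid in hits:
        print("mail port listening on %s, owned by PID %d" % (local, pid))
    for cmd in tasklist_commands(hits):
        print(cmd)
```

On the real machine, save the output with `netstat -a -o > netstat.txt` and pass the file contents to `find_mail_listeners`; a replaced netstat, as the post warns, would defeat this check just as it defeats reading the output by eye.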


