Re: How to shut off the ports
From: karl [x y] (jamescagney90210@excite.com)
Date: 08/21/02
- In reply to: Kirby Cheng: "How to shut off the ports"
From: "karl [x y]" <jamescagney90210@excite.com> Date: Wed, 21 Aug 2002 08:45:52 -0400
"Kirby Cheng" <xicheng@iusb.edu> wrote in message
news:472f01c24866$40df5f40$a5e62ecf@tkmsftngxa07...
> Hi, everyone:
>
> Due to the security concern, our campus OIT asked us to
> shut off the ports before they will reconnect our server
> to the network.
>
> My first question is where to find the descriptions of the
> ports, and more urgently, how to shut them down. I am new
> in the profession, please provide a little bit more
> detailed information. We don't have the server resource
> kit.
>
> Second question: our server is currently a stand-alone
> server, with IIS 5.0: services planned to run: web, ftp,
> smtp. The ports asked to be shut are :
> 7 echo, 9 discard, 13 daytime, 17 qotd, 19 chargen, 42
> nameserver, 53 named, 563 snews, 6666 irc-srv (what is
> irc?), 6667 irc, 6668 irc, 7007 afs-bos.

I'm assuming these ports are open and listening on your server. I would be
concerned with how those ports got there. Ports 563, 6666, 6667, 6668 and
7007 are not ports that come with Windows or with IIS. [IRC is a chat
program BTW.] Unless you installed extra software that uses these ports,
this could be a sign that your server has been hacked. If this is the case,
simply closing the ports is not enough. You would also need to find and
close whatever vulnerabilities exist on your machine that permitted it to be
hacked, or else a hacker will "open more ports" on your machine again in the
future.

Running a firewall is only part of a complete security plan. Patches and
configuration and third party software such as antivirus like Norton that is
set to download updates every single day are some of the other things you
really need to be sure you've done.

Download and run HFNETCHK from www.microsoft.com/security to see what
critical patches if any you are missing, apply the security checklists for
Windows and IIS from the same location, and download and run a virus scan to
see if you do indeed have a virus. This message makes me suspect the
"virus" could be Code Red and/or Nimda. If you have IIS web services
running on your computer, check your IIS web logs; you might be able to see
exactly how this was done.

Note however that once you've had an intrusion, the only way to be 100%
certain that you've removed any and all back doors that a hacker might have
installed on your system is to format and reinstall everything including
security settings and patches before putting it on the internet again.
Patching the holes that let the intruder in does not necessarily block the
other holes the intruder may have added afterwards.

Unless you want to just format the machine and reinstall everything,
probably the first step is to determine whether or not you've been hacked,
and if so, how it was done. The following tools should help you do this:
fport from www.foundstone.com, pstools from www.sysinternals.com, trojan
scanners such as www.pestpatrol.com or www.sunbelt-software.com, a file
change checker such as the free LANguard File Integrity Checker from
www.gfi.com, and the books Hacking Exposed 3rd edition and/or Incident
Response.
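
An added example, not part of the original post: a first-pass triage of saved `netstat -an` output against the port list in the question, separating the planned services from the ports the reply says do not come with Windows or IIS. The sample output is constructed, the bucket names are hypothetical, and the standard port numbers 21, 25 and 80 for ftp, smtp and web are assumed.

```python
import re

# Services the poster plans to run (ftp, smtp, web) on their standard ports.
PLANNED = {21: "ftp", 25: "smtp", 80: "http"}
# Ports the campus OIT asked to have shut, named as in the post.
OIT_LIST = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen",
            42: "nameserver", 53: "named", 563: "snews", 6666: "irc-srv",
            6667: "irc", 6668: "irc", 7007: "afs-bos"}
# Subset the reply says does not come with Windows or IIS.
NOT_STOCK = {563, 6666, 6667, 6668, 7007}

# Constructed sample laid out like Windows `netstat -an` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7007           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:3321      ESTABLISHED
  UDP    0.0.0.0:19             *:*
  UDP    0.0.0.0:1434           *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listening_ports(text):
    """Return sorted (proto, port) pairs for sockets that accept traffic."""
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        proto, port, state = m.groups()
        # UDP rows have no State column; TCP counts only when LISTENING.
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, int(port)))
    return sorted(found)

def triage(text):
    """Sort listeners into planned / investigate / close / unlisted buckets."""
    report = {"planned": [], "investigate": [], "close": [], "unlisted": []}
    for proto, port in listening_ports(text):
        bucket = ("planned" if port in PLANNED else
                  "investigate" if port in NOT_STOCK else
                  "close" if port in OIT_LIST else "unlisted")
        name = PLANNED.get(port) or OIT_LIST.get(port, "?")
        report[bucket].append((proto, port, name))
    return report
```

Calling `triage(SAMPLE)` returns the four buckets; anything under "investigate" or "unlisted" is a listener to trace back to its owning process with a tool such as fport before deciding how to close it.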