Re: Strange ports open

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 07/31/03


Date: Thu, 31 Jul 2003 10:51:03 -0400


I'm not 100% sure, but both NetBIOS / Windows networking and Exchange open
random port numbers in that range that wouldn't be on any list. You can
edit the registry to assign these to static, fixed port numbers of your
choosing if you prefer. For more information, search
www.microsoft.com/support for something like "exchange firewall port" for
the Exchange server information. For info on static NetBIOS ports, see
here:

http://securityadmin.info/faq.htm#firewallproblem

Using fport from www.foundstone.com/knowledge or TCPview as you have done
was the right thing to do and should give you some confidence that these are
probably not malicious. I recommend keeping a log of the ports found open
by TCPView and netstat -a so that you have something to compare with later
if there is any question about whether you've been hacked or what a new port
might be.

PS some people don't like seeing HTML formatted messages or anything but
plain text format in newsgroups.

"Arkady Karasin" <arkadykarasin@hotmail.com> wrote in message
news:#tPgp6zVDHA.1204@TK2MSFTNGP12.phx.gbl...
Yes, I mean listening. I just scanned my whole network with SuperScan and
found that my Exchange is listening on those ports.
The following is a list of ports and protocols for Microsoft Windows 2000
services. Nothing about ports 1212 and 1222. I downloaded TCPView from
www.sysinternals.com and understand that port 1212 is used by STORE.EXE and
1222 by EMSMTA.EXE. Also I see users connected to port 1212. The question is
why?

The following is a list of ports and protocols for Microsoft Windows 2000
services.
Port      TCP/UDP   Service Name
42        TCP       WINS Replication
47        TCP       GRE for PPTP
53        UDP       DNS Name Resolution
53        TCP       DNS
67        UDP       DHCP Lease (BOOTP)
68        UDP       DHCP Lease
88        UDP       Kerberos
135       TCP       Location Service (RPC, RPC EP Mapper, WINS Manager,
                    DHCP Manager, MS DTC)
137       UDP       NetBIOS Name Service (Logon Sequence, Windows NT 4.0
                    Trusts, Windows NT 4.0 Secure Channel, Pass Through
                    Validation, Browsing, Printing)
137       TCP       WINS Registration
138       UDP       NetBIOS Datagram Service (Logon Sequence, Windows NT 4.0
                    Trusts, Windows NT 4.0 Directory Replication, Windows
                    NT 4.0 Secure Channel, Pass Through Validation,
                    NetLogon, Browsing, Printing)
139       TCP       NetBIOS Session Service (NBT, SMB, File Sharing,
                    Printing, Logon Sequence, Windows NT 4.0 Trusts,
                    Windows NT 4.0 Directory Replication, Windows NT 4.0
                    Secure Channel, Pass Through Validation, Windows NT 4.0
                    Administration Tools [Server Manager, User Manager,
                    Event Viewer, Registry Editor, Diagnostics, Performance
                    Monitor, DNS Administrator])
389       TCP/UDP   LDAP
500       TCP/UDP   ISAKMP/Oakley negotiation traffic (IPSec)
522       TCP       User Location Store
636       TCP/UDP   LDAP (over TLS/SSL)
750       UDP       Kerberos Authentication
750       TCP       Kerberos Authentication
751       UDP       Kerberos Authentication
751       TCP       Kerberos Authentication
752       UDP       Kerberos Password Server
753       UDP       Kerberos User Registration Server
754       TCP       Kerberos Slave Propagation
888       TCP       Logon and Environment Passing
Dynamic   TCP       Directory Replication
1109      TCP       POP with Kerberos
1723      TCP       PPTP Control Channel (IP Protocol 47 - GRE)
2053      TCP       Kerberos de-multiplexor
2105      TCP       Kerberos encrypted login
3268                Global Catalog
3269                Global Catalog
3389      RDP       Terminal Services

The following is a list of ports and protocols for Microsoft Exchange 2000
Server services.
Port      TCP/UDP   Service Name
25        TCP       SMTP
80        TCP       HTTP
102       TCP       MTA - X.400 over TCP/IP
110       TCP       POP3
119       TCP       NNTP
135       TCP       Client/Server Communication, RPC, Exchange Administration
143       TCP       IMAP4
389       TCP       LDAP
443       TCP       HTTP (SSL)
465       TCP       SMTP (SSL)
563       TCP       NNTP (SSL)
636       TCP       LDAP (SSL)
993       TCP       IMAP4 (SSL)
995       TCP       POP3 (SSL)
1720      TCP       H.323 Call Setup
1731      TCP       Audio Call Control
2980      TCP/UDP   Instant Messaging Service
Dynamic   TCP       H.323 Call Control
Dynamic   UDP       H.323 Call (RTP Over UDP)

"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:eautuArVDHA.2004@TK2MSFTNGP10.phx.gbl...
> See here:
>
> http://securityadmin.info/faq.htm#hacked
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden
>
> Open meaning listening? How are you seeing them as open?
>
>
> "Arkady Karasin" <arkadykarasin@hotmail.com> wrote in message
> news:OhtL$PpVDHA.2012@TK2MSFTNGP10.phx.gbl...
> > Hi, All!
> > On my Exchange 2000 server I found the following ports open:
> > 1212 - lupa
> > 1222 - SNI R&D network
> >
> > On all XP machines port 5000 is open.
> >
> > On the ISA server port 3011 (Trusted Web) is open.
> >
> > Does somebody know why they are open, and do I need them?
> >
> > Thanks.
> >
> >
>
>
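
The log comparison recommended in the reply above can be scripted. This is an added example, not part of the original thread: it diffs the listening ports in two saved logs, assuming they were captured with `netstat -an` (the numeric form of `netstat -a`) on Windows; both sample logs are constructed.

```python
# Added example: diff the listening ports of two saved `netstat -an` logs.
# Both logs below are constructed samples, not output from the thread's servers.
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1212           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1222           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1212          10.0.0.31:1045         ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""
LATER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1222           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1307           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1307          10.0.0.31:1052         ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

def listeners(netstat_text):
    """Return the set of (proto, port) pairs that accept inbound traffic."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows end with a state; UDP rows have none, so every UDP row counts.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        port = local.rsplit(":", 1)[-1]  # rsplit also copes with [::]:135
        if port.isdigit():  # a named port means the log was taken without -n
            found.add((proto, int(port)))
    return found

def compare(baseline_text, later_text):
    """List ports that started or stopped listening since the baseline."""
    before, after = listeners(baseline_text), listeners(later_text)
    return {"opened": sorted(after - before), "closed": sorted(before - after)}

if __name__ == "__main__":
    for change, ports in compare(BASELINE, LATER).items():
        print(change, ports)
```

A port that closes while a nearby one opens is what a service with a randomly assigned port looks like after a restart; anything else in "opened" is worth mapping to its owning process with TCPView or fport.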


