Re: Open Ports on 2003 Server (No firewall)

From: Steven L Umbach (n9rou_at_N0sPaM-comcast.net)
Date: 08/24/04


Date: Tue, 24 Aug 2004 11:54:20 -0500

Yikes. If you selected to open those ports to the internet and those
settings were applied you should be able to gain access. It does not sound
like that happened if all those services failed though the firewall has been
activated obviously. Someone is going to have to get physical access to it
to check and change the settings. -- Steve

"Bruce Vander Werf" <brucev2@hotmail.com> wrote in message
news:hqhmi0l5kit0nr9ok39fiih0pid7sbfo23@4ax.com...
> Steven,
>
> Thanks for your response.
>
> This is a co-located box that we access via Remote Desktop. I did turn
> on the firewall last night, and I checked the FTP, Web Server and
> Remote Desktop boxes in the firewall setup. Unfortunately, I am not
> able to get into the box at all now. Remote Desktop does not work,
> HTTP and FTP do not work, and I can't even ping the box. Any idea what
> might have happened?
>
> --Bruce
>
> On Mon, 23 Aug 2004 22:17:10 -0500, "Steven L Umbach"
> <n9rou@nospam-comcast.net> wrote:
>
> >You really need to be using a firewall. Windows 2003 has a built-in firewall and you
> >can configure it to allow authorized ports to be open for inbound access though I
> >prefer a perimeter firewall at least and preferably one that can also restrict
> >outbound access to only authorized ports. Port 445 is a huge security hole and is
> >used for file and print sharing. I suggest you disable file and print sharing on the
> >network adapter connected to the internet.
> >
> >The above 1024 ports that do not have specific applications using them can be used
> >for a variety of reasons which may or may not be legitimate. I suggest you download
> >these free tools from SysInternals - TCPView, Process Explorer, and Autoruns which
> >can help you identify what processes and executables are using those ports. Process
> >Explorer is very helpful in that if you look at the properties of the process it will
> >show what application and services are associated with the process. Autoruns lists
> >various places on the computer where a process is started at startup or logon and you
> >should check for rogue processes. While there is nothing wrong with investigating
> >what is going on as a learning process you really should consider rebuilding your
> >computer if you believe it is compromised and take steps including a firewall to
> >protect from further attacks. --- Steve
> >
> >"Bruce Vander Werf" <bvanderw-news5021@mailblocks.com > wrote in message
> >news:fd9li0d207kl7mf056fci95ajo9hcvm5qr@4ax.com...
> >> We have been having some problems with a hacker on a new 2003 Server.
> >> The server is not behind any type of firewall - it has a direct
> >> connection to the Internet.
> >>
> >> The following ports appear to be open:
> >>
> >> 21: FTP
> >> 80: HTTP
> >> 445: Microsoft-DS, SMB over TCP
> >> 1025: network blackjack, System V R3 listener (uucp)
> >> 1026: MSTASK/Remote Login Network Terminal, nterm
> >> 1027:
> >> 1028:
> >> 1030: BBN IAD
> >> 1031: InetInfo, BBN IAD
> >> 1032: InetInfo, BBN IAD
> >> 3306: MySQL
> >> 3389: MS Terminal Server
> >> 13782: VERTIAS NetBackup
> >>
> >> The program names are what is being reported to us by a couple of
> >> different port scanners.
> >>
> >> Of these, we know FTP, HTTP, MySQL, and MS Terminal Server (Remote
> >> Desktop) are installed. Veritas NetBackup is also installed.
> >>
> >> What I don't know about are 445, 1025-1028, and 1030-1032. Can someone
> >> shed some light on what is listening on these ports and why they might
> >> need to be open?
> >>
> >> FWIW, it appears the hacker is using this box to store files.
>
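
An added example, not part of the original thread: the port-to-process triage the thread recommends doing with TCPView and Process Explorer, scripted over `netstat -ano` output. The sample output and its PIDs are constructed; the expected-port set is taken from the services the original poster says are installed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -ano` on Windows; PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1031           0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1780
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       956
  TCP    0.0.0.0:13782          0.0.0.0:0              LISTENING       2040
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       2204
  TCP    192.0.2.10:3389        198.51.100.7:51515     ESTABLISHED     956
  UDP    0.0.0.0:445            *:*                                    4
"""

# Ports the poster can account for: FTP, HTTP, MySQL, Remote Desktop, NetBackup.
EXPECTED_PORTS = {21, 80, 3306, 3389, 13782}

# Local address, local port and owning PID of a TCP socket in LISTENING state.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(text):
    """Return (address, port, pid) for every listening TCP socket."""
    listeners = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return listeners

def is_loopback(addr):
    # Loopback-only listeners are not reachable from the internet.
    return addr.startswith("127.") or addr == "[::1]"

def unexplained_by_pid(listeners, expected=EXPECTED_PORTS):
    """Group network-reachable listeners on unaccounted-for ports by owning PID."""
    groups = defaultdict(list)
    for addr, port, pid in listeners:
        if port not in expected and not is_loopback(addr):
            groups[pid].append(port)
    return {pid: sorted(ports) for pid, ports in groups.items()}

if __name__ == "__main__":
    for pid, ports in sorted(unexplained_by_pid(parse_listeners(SAMPLE)).items()):
        print(f"PID {pid}: ports {ports} (check this PID in Process Explorer)")
```

Each PID it reports is the one to open in Process Explorer to see the associated executable and services.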


