Port 80 Open!!!!


FastLearner
07-20-2004, 08:16 AM
Now that I have finally tackled my Home Network problems (thanks to everyone here), I have a new, and perhaps more urgent problem.

I found out by using the SHIELD'S UP website just now that my port #80 (http) is open. That's not good. Before with only my DSL modem, I was always operating in stealth mode. But since I've added the router to the equation for my home network, that port is open. Any idea how I can fix that?

Yes, I know--close the port--but how?

HeadachesAbound
07-20-2004, 11:13 AM
What's the make/model of the router? They usually contain an internal configuration screen that allows you to change the settings including closing ports. You have to access them via ip address in your browser. They are usually something like 192.168.1.1

PrntRhd
07-20-2004, 01:45 PM
Turn on the hardware firewall per the instructions HeadachesAbound just gave you.
Also use a software firewall on the PCs on the LAN as well, this controls what leaks out to the Internet, should something like a Trojan get on a PC.

risk_reversal
07-20-2004, 03:15 PM
Try this scanner http://scan.sygatetech.com/ .
A lot of people really do not like grc.com since they feel that it is not that reliable.

Hope this helps

Steve
07-20-2004, 03:35 PM
Are you running any kind of web server? That will keep port 80 open. If you're not, you really should determine what is keeping that port open.

FastLearner
07-20-2004, 10:04 PM
Now I'm pissed. For the third time now, I've written a long reply only to be sent to the You are Not Authorized to View this page screen and had my post deleted. Why is this happening? I know I was logged in when I started typing my reply.

Anyway, here is a much shorter version:

Thanks for all your help, guys. I went to the link that riskreversal recommended, and here is a summary of my results:

Port 80 Open--possible trojans are Executor, RingZero
Port 113 Closed, but still vulnerable and visible
Port 8080 (Web Proxy) Open--possible trojan RingZero

I have a Siemens SE105 DSL/cable wireless router. I do not have the ability to open and close ports, or at least not that I've been able to find on my configuration screens. I do know I need to get these ports closed, though. Any ideas?

FastLearner
07-20-2004, 10:06 PM
Oh yeah, I forgot to mention that my router's firewall is already activated. I will download a software firewall if anyone can recommend a real good free one--otherwise I'll download Zone Alarm.

malcore
07-20-2004, 10:44 PM
Port 113 (ident) is normal to appear closed and not stealthed. You can stealth it by forwarding to an unused IP address. The other two 80 and 8080 should be stealthed by your router.

For free firewalls I recommend either Kerio (slightly more complicated to configure) or Sygate (easy to configure).


I would also recommend running security scans to eliminate any possible infection. Update your Anti Virus and run a full scan, run an online scan at TrendMicro's Housecall, run Spybot S&D, AdAware6, and possibly post a HiJackThis log.

FastLearner
07-20-2004, 11:31 PM
Thanks Malcore. Just a couple quick questions if you don't mind.

Should I just accept the fact that my router does not support port opening/closing, or from your experience are all routers capable of this (some just more difficult to configure than others)? If so, will a software firewall (say Sygate, for example) allow me to close these two ports? I will download Sygate tomorrow either way.

Also:
I downloaded Spybot S&D tonight, and I successfully fixed 53 problems!!!--one was actually called CommonHijacker. What is a HijackThis log? As far as the Virus Scan, I'm going to do a full scan right now as I'm off to bed (4:30 am here). Thanks for the help everyone.

malcore
07-20-2004, 11:49 PM
Most home NAT routers won't have a configuration for actually closing ports. Ports can be forwarded. I would be concerned that those two ports are open.

HiJackThis is a widely used program for checking system, registry and startup entries. You can download it here (http://www.spywareinfo.com/~merijn/downloads.html). Put it in its own folder, run it, press scan, then press save log, then copy and paste the entire log into a post here (maybe a new thread in Applications and Security). Many here are quite good at analyzing these logs and can give you some advice if any steps need to be taken.

Don't worry about not being able to close ports with your router's configuration settings. I can't do that on my D-Link router either. Just need to find out why those ports are open.

You could also post what you find when doing this: Start > Run | type cmd > Enter | in the window type netstat -an , maybe we can see how and why those ports are open.

Also download and scan with Adaware free (http://www.lavasoftusa.com/software/adaware/)

You can also try a trojan scanner:

TDS-3 30 day trial (http://tds.diamondcs.com.au/index.php?page=download)

TrojanHunter 30 day trial (http://www.trojanhunter.com/)

or

A Squared free (http://www.emsisoft.com/en/software/free/)

Make sure to update all before scanning.


Edit- definitely get Sygate. With a software firewall, you can block applications from using/opening ports. Important to have even if using a router with a NAT firewall.

malcore
07-21-2004, 01:03 AM
One other thing I thought of is to check if Remote Management is enabled or disabled. If it is enabled, it allows a pc not on your LAN to access the router's configuration using a web browser, thus opening port 80 or 8080. Check it in advanced configuration, System Menu > Remote Management. Make sure it is disabled.

You might want to make sure WEP is now enabled also.

Edit-If I enable Remote Management on my router, the scan at sygate reports port 8080 open, port 113 closed and port 80 closed. If I disable it again, it reports all as blocked (or stealth). This could just be why you're seeing these ports open. Make sure Remote Management is disabled.

FastLearner
07-21-2004, 05:49 AM
I have checked, and my remote management (this is the same as remote desktop, right?) is disabled already. I also have password protected my configuration screens for my router. I ran the netstat -n command, and here are the results: BTW, Abhören means ‘listening’ under the Status column.

Oh man--this 20KB attachment limit is killing me--I can't even attach the screenshot to let you all see it. Here are the highlights:


TCP
0.0.0.0:135
0.0.0.0:445
0.0.0.0:1025
0.0.0.0:1029
0.0.0.0:5000
127.0.0.1:1030
192.168.1.226:139
192.168.2.226:16641

They ALL have 0.0.0.0:0 for remote address. All UDP addresses are showing *:*

malcore
07-21-2004, 05:53 AM
I didn't mean remote desktop in your Windows settings. I meant Remote Management in your router's settings. Go to the advanced settings of your router configuration, or find the System Menu for your router and find the setting for Remote Management. Set it to disabled.

I'm almost certain this is the problem. Nothing in Windows is opening port 80 or 8080, so it must be your router has Remote Management enabled.

rahulkothari
07-21-2004, 06:40 AM
I use this tiny utility to check for open ports and which application is using that port...

Active Ports (http://www.download.com/3000-2085-10062969.html?part=65960&subj=dlpage&tag=button)

Active Ports - easy to use tool for Windows NT/2000/XP that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to terminate the owning process. Active Ports can help you to detect trojans and other malicious programs.

FastLearner
07-21-2004, 08:42 AM
Argggghhhhh! I was really hoping that was the problem, too, Malcore, but Remote Management is not enabled within my router configurations. Checkbox not checked, unfortunately. I will try the link that rahulkothari posted and see what I can find out.

You know what really doesn't make sense to me:

I did the same internet port scan before I installed the router and I was in total stealth mode on all ports. That was protection from my ISP and/or my DSL modem, I take it. So I can't figure out for the life of me how adding a firewall on the LAN side of the DSL modem (signal still hitting DSL modem first) can increase my vulnerability. I know one thing, I really need to solve this problem. The more I read up on it, the more scared I get!!!

FastLearner
07-21-2004, 11:19 AM
Hi again. I used the Active Ports tool that rahulkothari recommended, and here is the exported log file:
(It's all Greek to me)

Unknown 0 192.168.2.226 1138 204.17.24.75 993 TIME_WAIT TCP
Unknown 0 192.168.2.226 1137 204.17.24.156 563 TIME_WAIT TCP
Unknown 0 192.168.2.226 1136 204.17.24.75 993 TIME_WAIT TCP
Unknown 0 192.168.2.226 1135 208.36.123.44 110 TIME_WAIT TCP
Unknown 0 127.0.0.1 1134 127.0.0.1 1031 TIME_WAIT TCP
Unknown 0 127.0.0.1 1132 127.0.0.1 1031 TIME_WAIT TCP
System 4 192.168.2.226 138 LISTEN UDP
System 4 192.168.2.226 137 LISTEN UDP
System 4 0.0.0.0 445 LISTEN UDP
System 4 192.168.2.226 139 LISTEN TCP
System 4 0.0.0.0 1032 LISTEN TCP
System 4 0.0.0.0 445 LISTEN TCP
lsass.exe 608 0.0.0.0 500 LISTEN UDP C:\WINDOWS\system32\lsass.exe
svchost.exe 788 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
svchost.exe 856 0.0.0.0 1025 LISTEN TCP C:\WINDOWS\System32\svchost.exe
svchost.exe 980 0.0.0.0 1058 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 980 0.0.0.0 1026 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 1036 192.168.2.226 1900 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 1036 0.0.0.0 5000 LISTEN TCP C:\WINDOWS\System32\svchost.exe
ccApp.exe 1912 127.0.0.1 1031 LISTEN TCP C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
msmsgs.exe 3208 192.168.2.226 18165 LISTEN UDP C:\Programme\Messenger\msmsgs.exe
msmsgs.exe 3208 192.168.2.226 16154 LISTEN UDP C:\Programme\Messenger\msmsgs.exe
msmsgs.exe 3208 0.0.0.0 1123 LISTEN UDP C:\Programme\Messenger\msmsgs.exe
msmsgs.exe 3208 192.168.2.226 7973 LISTEN TCP C:\Programme\Messenger\msmsgs.exe

malcore
07-21-2004, 12:02 PM
Well, it doesn't look like anything is accessing or listening on Port 80 from within Windows. It must be a setting on your router that is causing this. You more than likely came up stealth prior to the router because you had XP's ICF enabled and now you don't.

Two things to try. Set your router to "Discard Ping from WAN". This will make your router not answer to pings from computers outside of the LAN. The setting for this on your router should be in the Firewall Menu > Intrusion Detection. Make sure SPI, RIP and Discard Ping from WAN are all checked.

If this doesn't help, try enabling Remote Management for the router, then disabling it again. Remember for each change you make to click Apply.

I'm also assuming when you run the online scans that your router configuration window is not open.
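Added example, not part of the thread: the check malcore does by eye on the Active Ports export, written as a small Python parser. The sample lines are copied from the log posted above; the field layout (process, PID, local address and port, optional remote address and port, state, protocol, optional path) is inferred from those lines, and the function names are made up for this example.

```python
from collections import namedtuple

Sock = namedtuple("Sock", "process pid local_ip local_port remote state proto path")

# Lines copied from the Active Ports export posted in the thread.
SAMPLE = r"""
Unknown 0 192.168.2.226 1135 208.36.123.44 110 TIME_WAIT TCP
System 4 192.168.2.226 139 LISTEN TCP
System 4 0.0.0.0 445 LISTEN TCP
System 4 0.0.0.0 445 LISTEN UDP
svchost.exe 788 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
svchost.exe 1036 0.0.0.0 5000 LISTEN TCP C:\WINDOWS\System32\svchost.exe
ccApp.exe 1912 127.0.0.1 1031 LISTEN TCP C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
msmsgs.exe 3208 192.168.2.226 7973 LISTEN TCP C:\Programme\Messenger\msmsgs.exe
"""

def parse_active_ports(text):
    """Parse export lines into Sock records (assumes no spaces in process names)."""
    socks = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6:
            continue  # blank or truncated line
        name, pid, lip, lport = tok[0], int(tok[1]), tok[2], int(tok[3])
        if tok[4] == "LISTEN":
            # Listening sockets have no remote endpoint column.
            remote, state, proto, rest = None, tok[4], tok[5], tok[6:]
        elif len(tok) >= 8:
            remote, state, proto, rest = (tok[4], int(tok[5])), tok[6], tok[7], tok[8:]
        else:
            continue
        # The executable path may contain spaces, so rejoin what is left.
        socks.append(Sock(name, pid, lip, lport, remote, state, proto,
                          " ".join(rest) or None))
    return socks

def tcp_listeners(socks):
    return [s for s in socks if s.proto == "TCP" and s.state == "LISTEN"]

def listeners_on(socks, ports):
    """TCP listeners on any of the given ports, e.g. {80, 8080}."""
    return [s for s in tcp_listeners(socks) if s.local_port in ports]

def lan_reachable(socks):
    """TCP listeners bound to all interfaces or a LAN address, not loopback only."""
    return [s for s in tcp_listeners(socks) if not s.local_ip.startswith("127.")]

if __name__ == "__main__":
    socks = parse_active_ports(SAMPLE)
    hits = listeners_on(socks, {80, 8080})
    if hits:
        for s in hits:
            print(f"{s.process} (PID {s.pid}) listens on TCP {s.local_port}")
    else:
        print("No local TCP listener on 80/8080: the PC is not what answers the scan.")
    for s in lan_reachable(socks):
        print(f"reachable from LAN: {s.local_ip}:{s.local_port} {s.process}")
```

An empty result for 80 and 8080 only rules out this PC; whatever answers the external scan then sits in front of it, which is where the thread looks next.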

HeadachesAbound
07-21-2004, 06:20 PM
Just to make sure we are all on the same page, which I think we are...

Your connection is as follows:

Internet connects to DSL Modem
DSL Modem connects to WiFi Router
WiFi Router connects to computers

Right?

If so, then the issue with open ports would be with the router since the issue began after the router was installed. Here's why...

When you ran the original scan, the scans were run from the scanning system to the DSL Modem, which is configured as fully open in most cases, to the connecting PC. Since nothing was open on the connecting PC it showed just that.

When you installed the router, it now receives all of the scans and therefore it must be responding to those requests. One way to test this would be to determine your external IP (try privacy.net) and then try to connect to that IP and see what comes up. For example...If your external IP is 123.456.789.000 (I know, not gonna happen) then open up your browser and type that in. This should pull up a webpage (or at least try to) if port 80 is actually open. It might also tell you exactly what is causing it to be open.

I suspect that it is some kind of remote management causing it. However, your wi-fi router should have some kind of configuration screen where you can enable/disable ports and port forwarding. If not, I would recommend getting one that does.

FastLearner
07-21-2004, 09:29 PM
Malcore, I tried all of those tips you gave me. Those three check boxes were already checked, so I disabled and re-enabled remote support. I then did a quick scan, and Port 80 is still open.

I then followed HeadachesAbound's advice and entered http://myIPaddress and was shocked because I was taken directly to my router configuration logon page. Good thing I'm password protected! Anyway, if I'm being taken to my router screen, does this mean that remote management is turned on (it's not enabled on my configuration screen, I swear!), or does this have some other significance?

The only advice I'm not too enthusiastic about following is to replace my router with one that supports port forwarding. There must be another (cheaper) solution to this problem.

Current Status:
Port 80 Open
Port 113 Closed, but vulnerable, and
Port 8080 still open...

FastLearner
07-21-2004, 10:09 PM
Also, I just found this quote on the Shields Up site.

Poorly configured DSL and NAT routers sometimes expose their web-based configuration management interfaces to the Internet. If you are not running a local web server, and our tests show that port 80 is open on your machine, you will certainly want to determine what's going on. If you have a DSL or NAT router, be sure to check that its web interface is disabled on the "WAN" — wide area network (Internet) — side.

Particularly that last sentence. Does this mean it could be a problem with my DSL modem settings? I'm not really sure what this means, but I'm thinking it means to disable remote management, which has already been done in my case.

pave_spectre
07-21-2004, 11:15 PM
Have you tried rebooting the router after configuring and saving the settings?

My modem/router has to be rebooted for any changed settings to take effect.

classicsoftware
07-21-2004, 11:43 PM
Now is time to do the following:

1) Contact the tech support from the router manufacturer.

2) Contact tech support at your ISP who supplied the DSL modem.

Also note, some DSL modems have a router built in and now you have 2 routers and that can foul things up in a hurry. That's why you should check with the tech support people. Maybe there is a firmware upgrade for your router and this is a known issue.

You've run the gamut of standard replies, now go to tech support and see if they can figure out what is going on.

HeadachesAbound
07-22-2004, 12:31 AM
Quote: "Malcore, I tried all of those tips you gave me. Those three check boxes were already checked, so I disabled and re-enabled remote support. I then did a quick scan, and Port 80 is still open."

Disabled and re-enabled? You mean that you re-enabled then disabled right? If not then you need to disable this as it is what is most likely revealing port 80.

Quote: "I then followed HeadachesAbound's advice and entered http://myIPaddress and was shocked because I was taken directly to my router configuration logon page. Good thing I'm password protected! Anyway, if I'm being taken to my router screen, does this mean that remote management is turned on (it's not enabled on my configuration screen, I swear!), or does this have some other significance?"

Just means that 1 of 2 things is happening. Either remote management is enabled or there is an issue with the router. At this point I would check to see if there is a firmware update for the modem and if not then check with the tech support group for the modem manufacturer. Worst case scenario, return the modem and ask for a replacement. If they won't take it back then maybe they can tell you why it is doing what it is doing since they are the ones that sold it to you.

malcore
07-22-2004, 05:31 AM
Quote: "The only advice I'm not too enthusiastic about following is to replace my router with one that supports port forwarding."

Your router does support port forwarding. It just doesn't use that terminology. Neither does my D-Link router. My router didn't stealth port 113 (ident), just closed it. I used a feature called "Virtual Server" to set up port 113 to be forwarded to either a non-existing IP address or one very high up in the range of the DHCP server which is never used.

I have looked at the manual for your router. It does support "Virtual Server" functions, but the details are on the CD which comes with the router.

Have a look at the CD, read how to set up a Virtual Server (very easy), and try to forward those three ports to a non-existing or never used IP address.

I enabled Virtual Server on my router, put in port 113, and an IP address that is never used. Port 113 is now stealth or blocked and not just closed.

You can try this. But I would also suggest contacting the manufacturer to find out exactly why ports 80 and 8080 are open.

Edit- and listen to what pave_spectre said, after applying changes, you must restart the router.

FastLearner
07-22-2004, 07:00 AM
By restarting the router, what do you mean?

1) Unplug and Plug back in
2) Click Apply after each change (that's what I've been doing)
3) Reset to default settings (umm, I'm thinking 'no')
4) Disconnect and Connect WAN connection

or is there another trick to this?


BTW, I do see the Virtual Server function that malcore is referring to. At the moment, it is disabled, but I will enable it and try to stealth port 113. Is this technique advisable to try with Ports 80 and 8080?

So, time to read the cd to learn more about Virtual Server, configure and apply those changes, and contact Siemens tech support and the Deutsche Telekom to see if they are aware of this issue.

Almost there... Thanks for all the help so far, guys.

malcore
07-22-2004, 07:23 AM
You should be ok forwarding those ports. The only problems I can foresee are if you wish to run a webserver (which I doubt), or maybe online messenger services like msnmessenger may not function properly. Not sure on that as I don't use them. Browser functionality will be fine. You would only be forwarding the ports incoming, not outgoing.

Try it, you can always undo it if problems arise. Good idea to get those ports blocked at least until you can get in touch with Siemens.

As for restarting the router. If it doesn't give you an option to restart after applying changes, it may not be necessary. If I click to apply changes on my router, I have an option to restart to save changes, as per image below:

FastLearner
07-22-2004, 08:03 AM
Hi Malcore. I don't have a restart button for my router, but everything I've changed so far with the apply button has taken effect. I just got off the phone with Siemens technical support, and I'm not impressed. The lady "expert" told me that these ports all have to be open and that hiding them would prevent me from using the internet. When I said I would like to hide them, she said she didn't know how or why. Once I saw that the conversation was going nowhere, I hung up (cost me 1.24 € a minute to talk to this person).

Now, back to the Virtual Server option. Once again, I am impressed how Siemens can take something that should normally be easy and make it complicated. The CD that came with the router does not explain this very well at all.

So maybe you could walk me through this (please!!!):

The following text is on the configuration page for Virtual Server.

Virtual Server
You can configure the Router as a virtual server so that remote users accessing services such as the Web or FTP at your local site via public IP addresses can be automatically redirected to local servers configured with private IP addresses. In other words, depending on the requested service (TCP/UDP port number), the Router redirects the external service request to the appropriate server (located at another internal IP address).


After that there are a series of boxes that I must fill in (but with what?):

1) Private IP -- the first three parts of this field are automatically filled in and unchangeable. It looks like this:

192.168.2.xxx (I must fill in this number)

2) Private Port (I have to give this info)

3) Type (TCP or UDP)

4) Public Port (I have to give this info, too)

Should be easy, but not for me...yet :eek:

malcore
07-22-2004, 08:21 AM
First, what is the range of addresses on your DHCP server? Should be something like 192.168.2.100 to 192.168.2.199?


What you want to do is enter three digits that don't exist within that range for your private IP. For example, if the DHCP server offers addresses up to 192.168.2.199 enter 200 or higher for the last three digits for personal IP.


Then enter your port numbers (try the same for both private and public, ie. 113)

for type TCP

So,

1. enter 200 or some number beyond the range of IP address pool offered by the router's DHCP server

2. 113 or 80 or 8080

3. TCP

4. 113 or 80 or 8080

Test. Easy enough to undo if problems arise.


:)

FastLearner
07-22-2004, 09:14 AM
My range is from 192.168.2.2 - 192.168.2.254

I tried entering
192.168.2.255 and...

Won't let me apply changes. It's saying that my value has to be between 1 and 254. Argghhh.

malcore
07-22-2004, 09:50 AM
Try 1. ;)

FastLearner
07-22-2004, 10:29 AM
Put in 1 and ... It works! My system now has a perfect True Stealth rating according to Shield's Up. Problem solved I take it! I don't use Internet Messaging, anyway, so I'm too worried if that ceases to work as a result. I can still surf at will and access my online newsgroups for school.

To be honest, I don't really understand the concept of port forwarding, but this little fiasco has motivated me to find out as much as I can about it in the near future. For now, I've bought the book "Absolute Beginner's Guide to Networking," which is as good a place to start as any.

Malcore, you are a savior, and if you are looking for work, Siemens will probably be hiring competent technical support personnel after I finish complaining about my negative experience with them today.

Thanks again, Malcore, and everyone else for your input. This site rules.
:)

malcore
07-22-2004, 10:43 AM
Great.

Port forwarding is a simple concept really. You are telling your router to take any traffic on an incoming port and forward it to a specific IP address. Because the IP address you entered does not exist on your LAN, there is no answer, neither open nor closed, it just isn't there. Stealth!

Glad it finally worked out for you. :)
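Added example, not part of the thread: the three answers the online scanners report (open, closed, stealth) as seen from a plain TCP connect, for re-checking ports 80, 113 and 8080 on your own connection after a router change. The function names and the 3-second timeout are choices made for this example.

```python
import errno
import socket

# The ports discussed in the thread.
THREAD_PORTS = (80, 113, 8080)

def classify_tcp_port(host, port, timeout=3.0):
    """Classify one TCP port by how the far end answers a connection attempt.

    open    - handshake completed, something accepts connections
    closed  - connection refused (a TCP reset came back)
    stealth - no answer before the timeout, as when the router forwards
              the port to an address where no host exists
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        # A lost packet looks the same; repeat before trusting this result.
        return "stealth"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # no route: says nothing about the port itself
        raise
    finally:
        s.close()

def scan_report(host, ports=THREAD_PORTS, timeout=3.0):
    """Return {port: state} for the given ports on one host."""
    return {p: classify_tcp_port(host, p, timeout) for p in ports}

if __name__ == "__main__":
    # Self-contained demonstration on loopback, so it runs offline.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Bound but not listening: the OS refuses connections to this port.
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))
    closed_port = idle.getsockname()[1]

    print(scan_report("127.0.0.1", (open_port, closed_port), timeout=2.0))
    listener.close()
    idle.close()
```

To check the WAN side, run it against your own external IP from a connection outside your LAN; from inside, many home routers answer for the WAN address on their LAN interface, which can show the configuration page even when nothing is exposed to the Internet.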

FastLearner
07-22-2004, 11:00 AM
Thanks again.
EOT