
Thread: GH??>>> Ports Open in XP

  1. #1
    Join Date
    Dec 2000
    Location
    B'more Md- usa
    Posts
    3,560

    Arrow GH??>>> Ports Open in XP

    hey,

    after checking in admin tools>> component>> computer management>> system tools>> event viewer>> applications, I saw a bunch of red alerts regarding Zone Alarm.

    The alerts say:

    The description for Event ID ( 1 ) in Source ( True Vector Engine ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: .
    This concerned me.

    This morning I ran two (2) separate Port scans (different applications) and came up with the same results. (on my own IP)

    Being that unlike in win98se with ZA Pro running(where I cannot even be pinged) not only can I be pinged, but the following ports are showing OPEN:

    1- port- 135 Protocol= tcp service= epmap

    2- port- 389 Protocol= tcp service= ldap

    3- port- 1002- no other info

    4- port- 1025- no other info

    5- port- 1720- no other info

    6- port- 5000- no other info

    why pray tell are these ports open in XP and not in win98se, and what are they doing??

    why am I pingable in XP and not in win98se??

    settings are the same in both OS's for ZA.

    GH, anyone have thoughts?

    ?

    edit:

    upon a bit more research I find the following:


    port 135- The "end-point mapper". RPC services are assigned other ports dynamically. When trying to connect to a service, you go through this mapper to discover where it is located. The process works the same as on the UNIX RPC portmapper. A big difference is that a lot of services run on top of named pipes, which don't have a specific port.

    port 389- LDAP (Lightweight Directory Access Protocol) serves as an Internet phonebook. When using e-mail programs like Outlook, Eudora, and Netscape, LDAP lets you lookup people's names and find their e-mail addresses, phone numbers, and office location. Of course, this assumes that you work inside a company or university where the net administrators have setup such a server for your use.
    The history of LDAP is within the X.400/X.500 international standards for e-mail. These were standards developed because things like Internet e-mail were too simple to handle all possibilities. X.400/X.500 was developed to be a more generalized service. Unfortunately, it was also so complicated that unless you were a huge corporation or government, you couldn't afford to deploy it.
    LDAP is a "meet-in-the-middle" approach. It is a lightweight/simplified form of X.500 directory services. This means it is more generalized than the standard Internet services, yet simple enough that anybody can implement it.
    One of the exciting things about LDAP is that it is more generalized. Think of it as a phone book that not only stores a person's phone number and e-mail, but also their picture and any other information.
    LDAP clients have been built into most e-mail programs that you might use, including Microsoft Outlook, Qualcomm Eudora, and Netscape Communicator. LDAP servers are part of numerous backend e-mail servers like Microsoft Exchange, Novell, and so forth.

    port 1002- I can find NO information at all about this one.

    port 1720- H.323 is a "standard" protocol for providing all sorts of interactive multimedia communication. It was originally designed primarily for video-conferencing, but it really consists of a complicated platform for all sorts of multimedia content. For instance, it is the most popular standard for VoIP (Voice-over-IP).


    for port 5000- Windows opens this port by defect to ME.
    It is "Simple Service Discover Protocol Server" (SSDPSRV.EXE) which opens this port.
    To close this port, there are two solutions:
    1/You uninstall the support "Universal Plug and Play"
    2/or, you erase the entry "Autostart" of SSDPSRV.EXE in the base of register.

    now, what to do.............


    ------------------
    sea1_69@hotmail.com

    homepage

    [This message has been edited by sea69 (edited 12-30-2001).]

  2. #2
    Join Date
    Jan 2001
    Location
    Unimatrix Zero-one
    Posts
    2,273

    Post

    I don't have some of my "notes" on XP with me today, but I'll try to help.

    Port 135 is the RPC port or "endpointmapper". To close this port make sure that you disable "netBios over TCP" in your network properties.(TCP/IP should be the only protocol installed). I would also disable the server and workstation services if this is a standalone computer.

    Port 389, 1720 and 1002 are used by Netmeeting to establish remote communications. You should turn off any "remote desktop or messenger" services in the "services" icon (found in "administrative tools") if you don't use netmeeting or the new XP "remote" desktop feature. I would also check that you're not running ILS or "Internet Locator server".

    Port 5000 is the UPnP service. Microsoft released a security advisory on Universal Plug and Play and you should download the patch for it. (Also disable this service if you don't need it.) Go here for more details: http://www.microsoft.com/technet/tre...n/MS01-054.asp


    Port 1025 is probably being assigned by the RPC service. (Probably being used by MStask.exe.) Turning off the other services I talked about should close this port as well.


    Download FPORT to map ports back to the programs that opened them.

    As for ZA....I didn't think ZA worked with XP.



    [This message has been edited by Ghost_Hacker (edited 12-30-2001).]
    Ferengi Rules of Acquisition:
    Rule # 47
    Don't trust a man wearing a better suit than your own.

  3. #3
    Join Date
    Oct 2001
    Location
    Portland
    Posts
    585

    Post

    Might want to check out this site for more information....
    Unplug n' Pray

  4. #4
    Join Date
    Jan 2001
    Location
    Unimatrix Zero-one
    Posts
    2,273

    Post

    Ok Sea....True Vector Engine is the main part of ZA. ZA is currently not working or filtering packets on your system. You should try upgrading ZA if possible. You can also try starting ZA after XP has started up.

    Good Luck

    [This message has been edited by Ghost_Hacker (edited 12-30-2001).]
    Ferengi Rules of Acquisition:
    Rule # 47
    Don't trust a man wearing a better suit than your own.

  5. #5
    Join Date
    Dec 2000
    Location
    B'more Md- usa
    Posts
    3,560

    Post

    thanks GH (and everyone else who takes the time to read or reply)

    There are A LOT of settings here. >>>>>>>>>>>>>>>>>>>

    Distributed Link Tracking??

    do I want to disable RPC ??

    note: this OS is FAT32 not NTFS.. (yet)

    thinking of changing that.

    ------------------
    sea1_69@hotmail.com

    homepage


    [This message has been edited by sea69 (edited 12-30-2001).]

  6. #6
    Join Date
    Aug 2001
    Location
    Stanley NC
    Posts
    3,897

    Post

    GH & Sea, I had trouble with ZA's true vector when I would shut it off and then start Windows ME and then reintroduce ZA after; it would not initialize ZA back unless I started both at the same time (Windows and ZA). Not sure if it would be the same in XP or not though? Basically I have to let ZA start at boot or it will not work unless I do a shutdown restart.

    ------------------
    Treading,Troden,Trails
    HERE
    Want my weapons molon labe

  7. #7
    Join Date
    Dec 2000
    Location
    B'more Md- usa
    Posts
    3,560

    Post

    thanks YODA, but this is a completely different animal {{XP}}..lol

    Have ZoneAlarm Pro- 2.6.357 and it says that True Vector is loaded.

    ------------------
    sea1_69@hotmail.com

    homepage




    [This message has been edited by sea69 (edited 12-30-2001).]

  8. #8
    Join Date
    Dec 2000
    Location
    B'more Md- usa
    Posts
    3,560

    Question

    GH- I got and opened F-Port.

    All it did was flash a DOS (looking) box onscreen and then disappeared.
    ?

    ------------------
    sea1_69@hotmail.com

    homepage




    [This message has been edited by sea69 (edited 12-30-2001).]

  9. #9
    Join Date
    Nov 2000
    Location
    Milwaukee Wi
    Posts
    4,988

    Post

    Originally posted by sea69:
    thanks GH (and everyone else who takes the time to read or reply)

    note: this OS is FAT32 not NTFS.. (yet)

    thinking of changing that.
    Sea
    You may want to check some of the review sites on XP before you change to NTFS
    Even on my little system Fat32 is faster than NTFS

    Also I've found that the Windows Update page has not been allowing me to download anything. If you have seen this same problem, here is a link that works better.
    http://www.microsoft.com/downloads/search.asp?

    [This message has been edited by Rick (edited 12-30-2001).]

  10. #10
    Join Date
    Dec 2000
    Location
    B'more Md- usa
    Posts
    3,560

    Post

    thanks Rick!

    I will definitely check that out, my friend says it is faster w/ NTFS... lol

    (run from the same machine with dual hard drives, one FAT32 and one NTFS)


    It is after all the Native environment for this OS.

    I seldom look before I leap though.. heh

    the updates seems to be working ok here..but thanks for the link just in case.




    ------------------
    sea1_69@hotmail.com

    homepage


    [This message has been edited by sea69 (edited 12-30-2001).]

  11. #11
    Join Date
    Jan 2001
    Location
    Unimatrix Zero-one
    Posts
    2,273

    Post

    Sea, no you don't want to disable RPC. If you do the "protected storage" service won't start and you need that to run XP. (or NT for that matter.) Disabling "netbios over TCP" will shut off the Windows RPC port of 135. ( I would also disable the "server" and "workstation" services if you don't share files or connect to another Windows computer.)


    For Fport place it (the 2 files that make up "fport") in the root of your "C" drive. Then open a command prompt and type "fport" (C:\fport). After a second or so all the programs that have opened ports will be listed.


    Distributed Link Tracking....Keeps track of Linked objects in Word, Excel and other Office documents, so you probably won't want to turn that off.


    Don't forget this site : http://www.blkviper.com/WinXP/servicecfg.htm it lists all the services and what they do in XP.


    Also Yoda's tip is a good one. I have read that some ZA problems are caused by when ZA starts (during bootup or after). So you might want to play around with it. Just remember that if you can ping your computer with ZA "on" then the True vector service isn't running as it should.




    [This message has been edited by Ghost_Hacker (edited 12-30-2001).]
    Ferengi Rules of Acquisition:
    Rule # 47
    Don't trust a man wearing a better suit than your own.
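
Added example (not part of any poster's message): a Python sketch of the port-to-program mapping discussed above, reading the output of Windows' built-in `netstat -ano` instead of Fport. The sample output, addresses and PIDs are constructed; the port notes are the ones posters give in this thread.

```python
import re

# Port notes as stated by posters in this thread (not an authoritative registry).
THREAD_NOTES = {
    135: "RPC endpoint mapper (epmap)",
    389: "LDAP; thread attributes it to NetMeeting",
    1002: "thread attributes it to NetMeeting",
    1025: "probably assigned dynamically by the RPC service",
    1720: "H.323; thread attributes it to NetMeeting",
    5000: "Universal Plug and Play (SSDPSRV.EXE)",
}

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:3001         0.0.0.0:0              LISTENING       1500
  TCP    192.168.0.10:1043      192.0.2.80:80          ESTABLISHED     1732
  UDP    0.0.0.0:1900           *:*                                    1120
"""

# proto, local address, local port, (foreign address), optional state, PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return sockets that accept inbound traffic: TCP LISTENING and bound UDP."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or unrecognised row
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        port = int(port)
        found.append({
            "proto": proto, "addr": addr, "port": port, "pid": int(pid),
            # Loopback-only sockets cannot be reached from another machine.
            "exposed": not (addr.startswith("127.") or addr == "[::1]"),
            "note": THREAD_NOTES.get(port, ""),
        })
    return found

def report(listeners):
    """One line per listener, exposed sockets first, then by port number."""
    rows = sorted(listeners, key=lambda s: (not s["exposed"], s["port"]))
    return ["{proto} {addr}:{port} pid={pid} {scope} {note}".format(
                scope="EXPOSED" if s["exposed"] else "local-only", **s).rstrip()
            for s in rows]

if __name__ == "__main__":
    print("\n".join(report(parse_listeners(SAMPLE_NETSTAT))))
```

To use it on a real machine, save the output of `netstat -ano` to a file and pass its contents to `parse_listeners`; the PID column can then be matched against the PID column in Task Manager.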

  12. #12
    Join Date
    Jun 2001
    Location
    USA
    Posts
    2,129

    Exclamation

    After i answered your email sea; i headed over to GRC and let him try his shields/port scans-got a better review using XP's built in than i ever have with ZA!

    Of course i've disabled practically all the above mentioned services ( see GH's explanation above )-i'm appalled that MS doesn't ever give any good explanation of these services for the average user.

    Of course this doesn't mean you should only rely on XP's built in firewall, or on ZA for that matter. If an expert hacker were to get ahold of your true ip ( usually this happens when you download and install a trojan ) or were able to actively scan and catch you with a port open ( takes a loooooonnnnnnngggg time! ) then you don't have a lot to worry about.

    If you're just paranoid-then disconnect your broadband modem from your pc when you're on but not surfing. Or just turn it off; ain't no hacker in the world ( or hollywood ) good enough to break into a computer when it's turned off.


    note: this is unless you have a " wake on LAN " network card installed and configured; even then the person would have to know your specific ip to send the proper wake up call.






    ------------------
    iisbob
    "I was gratified to be able to answer promptly, and I did. I said I didn't know."
    Mark Twain
    iisbob

    Read in a message board of a local BBS: "I try to avoid using Microsoft. That's why I use MS-DOS."

  13. #13
    Join Date
    Apr 2001
    Location
    alberta, canada
    Posts
    374

    Post

    ***Also Yoda's tip is a good one. I have read that some ZA problems are caused by when ZA starts (during bootup or after). So you might want to play around with it. Just remember that if you can ping your computer with ZA "on" then the True vector service isn't running as it should***

    I'd like to sneak in on this thread for a moment.

    I'm using the updated version of ZA but not the pro edition. Also using win98se and multi-proxy.

    After reading about pinging my pc and True Vector I gave it a go. In dos I pinged 127.0.0.1. It read 4 packets sent, 4 received, data loss 0.

    I then pinged my actual ip and got the same results.

    Is this a good thing or a bad thing?

    Sorry for butting in like this




  14. #14
    Join Date
    Nov 2000
    Location
    CA, USA
    Posts
    1,395

    Post

    Originally posted by sea69:

    Have ZoneAlarm Pro- 2.6.357
    I don't know if it will make a difference, but there is a newer version available:

    "New and improved features in ZoneAlarm Pro version 2.6.362:
    Support for AOL 7 browser
    Improved operability on the XP platform
    Other enhancements for improved operation"


    ------------------
    Friends don't let friends install Windows ME

  15. #15
    Join Date
    Dec 2000
    Location
    B'more Md- usa
    Posts
    3,560

    Talking

    thanks for the reminder Reid, now up to v-2.6.362

    see absolutely no difference though

    heh



    ------------------
    sea1_69@hotmail.com

    homepage




    [This message has been edited by sea69 (edited 01-08-2002).]

  16. #16
    Join Date
    Jan 2001
    Location
    Unimatrix Zero-one
    Posts
    2,273

    Post

    steveo

    You would want to ping your computer from another one to test the firewall. You can also test some firewalls by pinging another computer and looking to see if pings are allowed out or if the replies are allowed back in. These "simple" tests work with ZA because in theory it should tell you about any ingoing/outgoing traffic.

    If you don't have the resources to do that, then using the GRC site iisbob posted a link to is a good secondary way to test ZA.
    Ferengi Rules of Acquisition:
    Rule # 47
    Don't trust a man wearing a better suit than your own.

  17. #17
    Join Date
    Nov 2000
    Location
    Madison, WI, USA
    Posts
    2,052

    Post

    Originally posted by Reid:
    "New and improved features in ZoneAlarm Pro version 2.6.362:
    Support for AOL 7 browser
    Improved operability on the XP platform
    Other enhancements for improved operation"
    So, I wasn't going crazy when I had all those problems with AOL and ZA???? I realize the Pro version is the one you pay for, but could these improvements also apply to the free version?

    If so, I may give ZA another shot.

    Cheers,

    Big Blue 66




    ------------------
    This space reserved for highly intelligent observations and witty remarks.


    Effort & Courage are not enough without Purpose and Direction.

    ---- Author Unknown

  18. #18
    Join Date
    Jun 2001
    Location
    Scottish Borders
    Posts
    3,519

    Post

    Sea
    Yet again this is over my head, (I am not a wishful person, but I do wish I could find someone to teach\show me all of this. Reasons dictate I can't go to college or anything like that and I cannot absorb the written word too easily so books are no use. I need to physically do something to learn - but I digress)
    The following link will take you to a site that has details of ports that are enabled in XP by default. There are a couple of wee programs there that close the ports involved.
    http://www.collakesoftware.com/

    More than likely nothing to do with your problem but might be helpful to someone.

    ------------------
    Ernie

    The difference between perseverance and obstinacy is that one is made from strong will, and the other from strong won't
    Henry Ward Beecher
    Do you have reading problems? Don't let it deter you. This is what YOU can do if you try http://www.erniek.eclipse.co.uk

  19. #19
    Join Date
    Jan 2001
    Location
    Unimatrix Zero-one
    Posts
    2,273

    Post

    ErnieK, don't know if this will help you or not. But you could download "Ethereal". It's a free network sniffer that will let you watch your computer's communications. You could see, for instance, how email is downloaded to a computer and how web pages are opened. If you're interested go here to get it (make sure you also get the WinPcap packet capture driver): http://www.ethereal.com/distribution/win32/

    If you have Linux you can also get "hping" and "nmap". Hping will allow you to create and send IP packets. Nmap will allow you to scan other computers for open ports. By combining this with Ethereal (there is also a Linux version of Ethereal) you can set up and then watch most types of IP traffic.


    Hping can be downloaded here: http://www.hping.org/

    Nmap can be downloaded here : http://www.insecure.org/nmap/


    Hope this helps you some.
    Ferengi Rules of Acquisition:
    Rule # 47
    Don't trust a man wearing a better suit than your own.

  20. #20
    Join Date
    Jun 2001
    Location
    Scottish Borders
    Posts
    3,519

    Post

    Thanks GH will d\load and look at the link.

    ------------------
    Ernie

    The difference between perseverance and obstinacy is that one is made from strong will, and the other from strong won't
    Henry Ward Beecher
    Do you have reading problems? Don't let it deter you. This is what YOU can do if you try http://www.erniek.eclipse.co.uk
