Security Basics mailing list archives

Re: Why do all of my win2sp4 machines have port 110 open?


From: Kirk Schafer <infosec-capital () rainswept com>
Date: Fri, 15 Oct 2004 01:02:08 -0500

Oh, and one last thing.

With versions of NAV or SAV installed that provide worm detection, every address you scan will show ports 110 and 25, even if there isn't a computer there. You'll see phantom POP (port 110) & SMTP (port 25) everywhere you look.

You have several workarounds:
 Policy changes relevant to the security station:
   Since SAV/NAV is doing it, do you need antivirus there?
   Do you need worm detection there? All the time?
   etc. Your security station should be extremely secure anyway.
 Use other tools (Antivirus or Scanner) without the issue.
    I like Symantec, so I vote scanner.
    NMAP security scanner does not suffer from this problem.
    http://www.nmap.org (or http://www.insecure.org)
 Contact vendors to ask for a fix:
   Symantec. Perhaps also point out that their detection seems limited.
   Your security tool vendor, but this may be a nuisance for them to fix.
 etc.

Best,
Kirk

Bowes, Ronald (EST) wrote:

There's a program called FPort from www.foundstone.com which can tell you
which service or program is using a port:

C:\Documents and Settings\RBowes\Desktop>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
1044  svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
4     System         ->  139   TCP
4     System         ->  445   TCP
532   rcHost         ->  798   TCP   C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
[.....]

Grab that, run it, and see what's listening on TCP 110.



Ron Bowes
Information Protection Centre
Government Of Manitoba

-----Original Message-----
From: waters [mailto:realized () gmail com]
Sent: Tuesday, October 12, 2004 9:27 PM
To: security-basics () securityfocus com
Subject: Why do all of my win2sp4 machines have port 110 open?

When I telnet to that port on 110, I connect then get disconnected
right away. Norton with updated def files and housecall(trendmicro)
reports nothing, and no trojans were also found via the two.

Is this normal?

I am using a network security scanner and so far 4/34 windows
machines, the only 4 it scanned so far, all have something on port
110.

How can I find out what's going on?

netstat and tcpview (
http://www.sysinternals.com/ntw2k/source/tcpview.shtml ) show nothing
on 110 either.





--
___________________________________________________
Kirk Schafer

Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
641-919-1783 (mobile)

http://www.infosec-capital.com
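
Added example (not part of the original thread): a banner check, run from the scanning station, that separates a real POP3/SMTP listener from the phantom open ports described above, where the connection is accepted and then dropped without a greeting. The names classify_port and start_listener are assumptions made for this sketch, and the check only makes sense for ports 110 and 25.

```python
import socket
import threading

def classify_port(host, port, timeout=2.0):
    """Return (verdict, banner): 'closed', 'phantom' or 'service'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:              # refused, unreachable or timed out
        return "closed", b""
    with sock:
        try:
            banner = sock.recv(256)   # b"" means the peer closed at once
        except OSError:               # reset, or nothing sent before timeout
            banner = b""
    # A real POP3 server greets with "+OK", a real SMTP server with "220".
    if banner.startswith((b"+OK", b"220")):
        return "service", banner.strip()
    return "phantom", banner.strip()

def start_listener(greeting):
    """Constructed local listener: accept once, send greeting (may be empty), close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    real = start_listener(b"+OK POP3 server ready\r\n")   # constructed greeting
    fake = start_listener(b"")                             # accept-and-drop
    for name, port in (("real", real), ("phantom", fake)):
        print(name, classify_port("127.0.0.1", port))
```

A "phantom" verdict on every address scanned, including addresses with no host behind them, points at the scanning station itself rather than at the targets.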

