
What you should know when BlackIce, ZoneAlarm or similar software screams ‘ATTACK’.
Recently there has been a lot of concern about port probes (more commonly called port scans) being carried out against PCs. Although the techniques used in port scanning are not new, there has been a recent rise in the number of people carrying out such scans and consequently an increase in concern about them.
Some facts to be aware of:
The scan itself does not endanger your machine in any way. A genuine port scan is a series of connection attempts made to a series of ports on your machine for the purpose of determining which services are available on it. This can take a significant amount of time, therefore probes against one or two specific ports are much more common. Ports commonly scanned for malicious purposes include the following:
There are many, many others; these are just the most common. The important thing to remember is that unless the service is running, the scan will not report a successful connection to that port.
Attackers can only connect to ports which have an active service associated with them. For most Windows boxes that means only 137, 138 and 139 will be active by default. Programs can open other ports (this is what trojans do) for their own use; the security of your machine is then dependent on how much you trust that program. For example, you may choose to run a web server locally, which will open port 80. If the web server is well written, connections to port 80 will be secure and only data intended to be publicly available (web pages) will be transmitted by it. If, however, there is a bug in the web server software, other data may be transmitted which was not intended for transmission. Some programs (like Netbus, Back Orifice, Sub 7 etc.) are trojans which open a port and then use it to allow a remote user to gain access to anything on your system. These (obviously) should be avoided.
Remember - No service = No problem.
You can see which ports are listening for connections (and who, if anyone, is connected to them) by issuing the command netstat -a from a DOS prompt. It will list all open ports, the address of any connected user and the status of the port. You should be able to account for all the ports shown as ‘LISTENING’. Be especially wary of any 137, 138 or 139 entries - they mean NetBIOS is listening over TCP/IP and you may potentially have open shares on your system. Also, be aware that if you have been browsing the web, using news or mail (in fact ANY TCP/IP service) you may see some ports marked as CLOSE_WAIT; this is normal and nothing to be concerned about.
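To make the netstat check above repeatable, here is an added example (not part of the original post) that parses the column layout of Windows netstat -a output, lists every port you need to account for, flags the NetBIOS ports 137, 138 and 139, and counts CLOSE_WAIT entries separately so they are not mistaken for open services. The netstat text embedded below is a constructed sample, not output captured from a real machine.

```python
from collections import namedtuple

# Constructed sample of Windows `netstat -a` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.22:1027      ESTABLISHED
  TCP    192.168.1.10:1051      203.0.113.7:80         CLOSE_WAIT
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS over TCP/IP, the ports the text warns about

Entry = namedtuple("Entry", "proto local_port foreign state")


def parse_netstat(text):
    """Turn netstat -a rows into Entry tuples; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no State column
        port = int(local.rsplit(":", 1)[1])         # works for IPv4 and [::]:port forms
        entries.append(Entry(proto, port, foreign, state))
    return entries


def audit(entries):
    """Report what must be accounted for (open ports), who is connected, and what is normal."""
    # A bound UDP socket is reachable just like a LISTENING TCP port, so both count as open.
    listening = sorted({e.local_port for e in entries
                        if e.state == "LISTENING" or e.proto == "UDP"})
    netbios = sorted(p for p in listening if p in NETBIOS_PORTS)
    connected = [(e.local_port, e.foreign) for e in entries if e.state == "ESTABLISHED"]
    close_wait = sum(1 for e in entries if e.state == "CLOSE_WAIT")  # leftover from browsing/mail
    return {"listening": listening, "netbios": netbios,
            "connected": connected, "close_wait": close_wait}


if __name__ == "__main__":
    report = audit(parse_netstat(SAMPLE_NETSTAT))
    print("Open ports to account for:", report["listening"])
    print("NetBIOS ports open (check your shares):", report["netbios"])
    print("Remote hosts currently connected:", report["connected"])
    print("CLOSE_WAIT entries (normal):", report["close_wait"])
```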
Hopefully this will shed some light on what is actually happening when BlackIce, Zone Alarm or the like screams ‘ATTACK’ and why it’s (usually) nothing to be worried about. Yes, these people should be reported to their ISP’s abuse dept.; it’s usually against the ISP’s Terms of Service to conduct scans against other machines without the owner’s permission, but it’s not normally cause for panic.