Hi folks.
I'm confused.
Every now and again, I use Shields UP! at grc.com to check that there's unexpectedly open ports on my system. I checked last night and I found 2 open ports, 5 closed ports and all the rest were "stealth" ports. The 2 open ports I was expecting. Stealth ports mean simply that they don't reply in any shape or form to the outside world. I expect, and usually get, all my ports except for the two open ones to appear as "stealthy".
I don't understand why I'm now getting 5 closed ports showing up.
I have a cable modem that's configured to do NAT for me. It has 3 port forwarding rules, each for single tcp ports. (One of these rules is outside the range usually scanned for by Shields UP!, that's why it's not included in the count of open ports.)
I don't forward any port ranges. I don't have a DMZ. UPnP is disabled.
The ports that are appearing as closed are: 135, 137, 138, 139, 445
I turned off my server's smbd service and rescanned, and I got 135, 137, 138, 445 i.e. port 139 disappeared. So it does seem that services running on the server directly affect ports that are being shown as closed on the router, despite there being no port forwarding rule for them to get past the router onto the server.
135 DCOM Service Control Manager
137 NetBIOS Name Service
138 NETBIOS Datagram Service
139 NETBIOS Session Service
445 Microsoft Directory Services
I've just used NetScan on my mobile, (whilst not connected to wifi), and scanning my public IP address I got two expected ports open, and also
80 HTTP
110 POP
143 Internet Message Access
I tried with a different mobile app (Port Scan) and I got 1 of the expected ports listed as open, and
80 HTTP
110 POP
143 Internet Message Access
8080 Alternate HTTP
I tried with an on-line port scanner, http://nmap.online-domain-tools.com/, and I got only the two expected ports open.
I've just tried rerunning GRC's Shields up and now it reports the two expected open ports and also just 137 and 138 as closed.
I'm rather confused as to what's going on. Anyone got any ideas?
Regards Steve
On 21/05/13 11:29, steve-alug@hst.me.uk wrote:
> Every now and again, I use Shields UP! at grc.com to check that there's unexpectedly open ports on my system. I checked last night and I found 2 open ports, 5 closed ports and all the rest were "stealth" ports. The 2 open ports I was expecting. Stealth ports mean simply that they don't reply in any shape or form to the outside world. I expect, and usually get, all my ports except for the two open ones to appear as "stealthy".
> I don't understand why I'm now getting 5 closed ports showing up.
[]
> I don't forward any port ranges. I don't have a DMZ. UPnP is disabled.
> The ports that are appearing as closed are: 135, 137, 138, 139, 445
Solved. It's my ISP. They started blocking these ports for everyone. So rather than them getting to my router and being ignored, and thus showing up as "stealth mode" on GRC's port scan, the ISP causes them to be explicitly blocked somewhere - thus they show up as "closed" ports on GRC's port scan.
My mind is put at rest - it's not a misconfiguration on my part! Phew.
Steve
On 5 June 2013 11:41, steve-ALUG@hst.me.uk wrote:
>> The ports that are appearing as closed are: 135, 137, 138, 139, 445
> Solved. It's my ISP. They started blocking these ports for everyone.
Interesting that the ports they've had to block are all standard Windows ports (mostly for file sharing).
Surely most home users are sitting behind a router that wouldn't be forwarding these anyway, so I wonder what is the reason for having to block them? Are people opening ports on their routers to allow file sharing, or is there another reason why this would be enough of a vulnerability to justify blocking ISP-wide?
-- Mark Rogers // More Solutions Ltd (Peterborough Office) // 0844 251 1450 Registered in England (0456 0902) @ 13 Clarke Rd, Milton Keynes, MK1 1LG
On Wed, 5 Jun 2013 13:57:59 +0100 Mark Rogers mark@quarella.co.uk allegedly wrote:
> On 5 June 2013 11:41, steve-ALUG@hst.me.uk wrote:
>>> The ports that are appearing as closed are: 135, 137, 138, 139, 445
>> Solved. It's my ISP. They started blocking these ports for everyone.
> Interesting that the ports they've had to block are all standard Windows ports (mostly for file sharing).
> Surely most home users are sitting behind a router that wouldn't be forwarding these anyway, so I wonder what is the reason for having to block them? Are people opening ports on their routers to allow file sharing, or is there another reason why this would be enough of a vulnerability to justify blocking ISP-wide?
Mark
It depends on /where/ in their infrastructure they are blocking them. Those ports have been used by (some) worms in the past and many ISPs choose to block the ports at their upstream routers. Unfortunately they often forget to block closer to some of their infrastructure and I have seen lots of (potentially hostile) scanning activity on those ports on VMs hosted at cheap providers (Thrust, I'm looking at you).
Mick
---------------------------------------------------------------------
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
---------------------------------------------------------------------
On 05/06/13 13:57, Mark Rogers wrote:
> On 5 June 2013 11:41, steve-ALUG@hst.me.uk wrote:
>>> The ports that are appearing as closed are: 135, 137, 138, 139, 445
>> Solved. It's my ISP. They started blocking these ports for everyone.
> Interesting that the ports they've had to block are all standard Windows ports (mostly for file sharing).
> Surely most home users are sitting behind a router that wouldn't be forwarding these anyway, so I wonder what is the reason for having to block them? Are people opening ports on their routers to allow file sharing, or is there another reason why this would be enough of a vulnerability to justify blocking ISP-wide?
Those ports were used by particularly virulent viruses or trojan horses so many ISPs have blocked them. The potential threat is still out there on older machines, but I don't get why my ISP recently started blocking those ports. I found a thread that said they were blocked, and that they soon will be unblocked, but I have yet to find out why the change. I wonder if it's related to the UPnP vulnerability I posted about elsewhere. That vulnerability has made me wonder what some manufacturers have been doing with their routers, so I wouldn't rule out anything ATM!
Steve
On 05/06/13 18:39, steve-ALUG@hst.me.uk wrote: []
> but I don't get why my ISP recently started blocking those ports. I found a thread that said they were blocked, and that they soon will be unblocked, but I have yet to find out why the change.
[]
Aha!
Security Now podcast ~397 says that Shields Up port scan is now reporting if there is any response from the port at all (on various protocols) and not just a port closed message from me. My ISP is blocking these ports and publicising it, and always has been. GRC now detects this blocking, whereas previously it didn't. That explains it.
Steve