
blocking ports


9 replies to this topic

#1 perplex

perplex

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 08 February 2009 - 06:05 PM

Can someone tell me how to block some of the virtual ports on my computer? If anyone could help it would be much appreciated. :thumbsup:


 


#2 E-Mu

E-Mu

    Bleepin' Psychopomp


  • Members
  • 1,386 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 PM

Posted 09 February 2009 - 07:36 AM

Hi,

Can you explain a little bit more please and then we may be able to help.
~ E-Mu ~

"Emu, You Moo, We All Moo for Emu!" <-- Thanks to Animal

"If at first you don't succeed; call it version 1.0"


#3 perplex

perplex
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 09 February 2009 - 10:15 AM

Thanks for replying, sorry, I was a bit vague there wasn't I?

Basically I've got Windows Vista Home Premium (32 bit) running and when I run netstat -an from the command prompt there's usually at least 3 or 4 cases of established activity on port numbers upwards of 49000. According to the tutorial I read on this forum these are ones to watch out for as they are not commonly used for anything specific and are therefore a potential threat. Maybe someone accessing my computer using a trojan?

Often the IP 127.0.0.1 shows up under both local and foreign address in the same line, which I don't understand. Is this normal? When I do a search for my IP on Google it's totally different from that. Also, at the moment I don't see how a local address can be identical to a foreign address. I don't even know what the states "LISTENING" and "TIME-WAIT" are supposed to mean.

As you can no doubt tell I'm not well educated in this side of computing, so I don't fully understand how to read and interpret the information from netstat, let alone what to do about it if there is someone trying to attack my machine. All I can do is get IPs and hostnames, and do a traceroute or look up the IP on the web, which gives varying results. I do however find all this very fascinating so I'm hoping to learn a few tricks from yourselves who obviously know more about it than I do.

Hope that makes sense, any help you can offer would be much appreciated.

Thanks again.

#4 E-Mu

E-Mu

    Bleepin' Psychopomp


  • Members
  • 1,386 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 PM

Posted 09 February 2009 - 10:51 AM

OK, let's see,

Have a look at this Wiki page. Basically, loopback is using the IP address 127.0.0.1. This is fine as far as I can see.

After running netstat -an, right-click, click Select All and then press Enter

In the reply text box, right click & click Paste ---> this should copy the results of netstat -an into your reply.

Edited by Emu1616, 09 February 2009 - 10:58 AM.

~ E-Mu ~

"Emu, You Moo, We All Moo for Emu!" <-- Thanks to Animal

"If at first you don't succeed; call it version 1.0"


#5 perplex

perplex
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 09 February 2009 - 12:02 PM

Thanks, here are the results I'm getting, these are fairly typical of the results I usually get:


Microsoft Windows [Version 6.0.6000]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49158 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49254 127.0.0.1:49255 ESTABLISHED
TCP 127.0.0.1:49255 127.0.0.1:49254 ESTABLISHED
TCP 127.0.0.1:49256 127.0.0.1:49257 ESTABLISHED
TCP 127.0.0.1:49257 127.0.0.1:49256 ESTABLISHED
TCP 192.168.1.2:139 0.0.0.0:0 LISTENING
TCP 192.168.1.2:49295 92.122.209.161:80 ESTABLISHED
TCP 192.168.1.2:49325 92.122.209.56:80 ESTABLISHED
TCP 192.168.1.2:49326 92.122.127.10:80 ESTABLISHED
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
TCP [::]:49157 [::]:0 LISTENING
TCP [::1]:49159 [::]:0 LISTENING
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:49964 *:*
UDP 192.168.1.2:137 *:*
UDP 192.168.1.2:138 *:*
UDP 192.168.1.2:1900 *:*
UDP 192.168.1.2:49963 *:*
UDP [::]:500 *:*
UDP [::]:5355 *:*
UDP [::1]:1900 *:*
UDP [::1]:49961 *:*
UDP [fe80::34db:2a1f:3f57:fefd%10]:1900 *:*
UDP [fe80::34db:2a1f:3f57:fefd%10]:49962 *:*
UDP [fe80::8069:56ad:f7f6:15a6%8]:1900 *:*
UDP [fe80::8069:56ad:f7f6:15a6%8]:49960 *:*

C:\Windows\system32>

#6 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,577 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:08:33 AM

Posted 09 February 2009 - 01:34 PM

Considering the port numbers both in loopback (127.0.0.1) and established connections, it might be java.exe.
Some service is running on your computer keeping the connections alive (Established) and willing to accept connections from outside (Listening).

Port 1900 can be shut down by stopping the SSDP and UPnP services.

Port 5355 - I don't know, but Wikipedia does
http://en.wikipedia.org/wiki/LLMNR
Looks like multicast which is unlikely to be needed.

Ports 135, 137-139 are run by Windows services, usually for filesharing. If you have a LAN, permit those connections for the LAN computers. Never for external, web, IPs. If you don't have a LAN, shut off NetBIOS in the TCP properties of the network connections.

Your established external connections are to Akamai.
Akamai servers are used by lots of companies to give you updates to software.
inetnum: 92.122.0.0 - 92.123.255.255
netname: EU-AKAMAI-20071113
descr: Akamai Technologies

Run netstat again, but this time include which process owns the connections. It'll help the next, better qualified, helper other than me. Command is "netstat -ano" without the quotes of course.

Closing virtual ports - in the firewalls, as well as shutting down unnecessary services
http://www.blackviper.com/
and
http://www.theeldergeek.com/

#7 E-Mu

E-Mu

    Bleepin' Psychopomp


  • Members
  • 1,386 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 PM

Posted 09 February 2009 - 01:42 PM

Hi,

Listening means that the port is listening (waiting) for incoming connection requests such as Remote Desktop Connection etc.

The foreign address is the address of the machine you are connecting to.
E.g. - TCP 127.0.0.1 - 127.0.0.1 = is a loopback
If no address is showing then there is no connection on the port.

In Vista, Microsoft changed the listening ports to 49152 - 49157.

In the Command Prompt if you use the command netstat -o you should get a list of services using these ports. These should show as Windows Services and will be fine.


In regards to blocking these 'Virtual Ports' you will need to allow them to remain open. IF you DID want to block them, I have not yet found a way of doing this; I don't think it is possible as they are used by Windows Services.


Put this together with the info provided by tos226 and I think it covers all the active ports.....

Ohhhh my head hurts now :thumbsup: but I hope it helps somehow
~ E-Mu ~

"Emu, You Moo, We All Moo for Emu!" <-- Thanks to Animal

"If at first you don't succeed; call it version 1.0"
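
Added example (not part of any post in this thread): a small Python parser for `netstat -an` / `netstat -ano` output that sorts rows the way the replies above read them: listeners reachable from the network versus loopback-only, mirrored 127.0.0.1 pairs counted as one local connection, and established connections to outside addresses. The sample rows are taken from the output posted earlier in the thread; the function names and category names are assumptions made for this example.

```python
import ipaddress

# Constructed sample: a few rows from the output posted in this thread.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49158        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49254        127.0.0.1:49255        ESTABLISHED
  TCP    127.0.0.1:49255        127.0.0.1:49254        ESTABLISHED
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.2:49295      92.122.209.161:80      ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    [fe80::34db:2a1f:3f57:fefd%10]:1900  *:*
"""

def split_endpoint(text):
    """'addr:port', '[v6%zone]:port' or '*:*' -> (ip or None, port or None)."""
    host, _, port = text.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop brackets and IPv6 zone id
    if host == "*":
        return None, None
    return ipaddress.ip_address(host), int(port)

def parse(text):
    """Parse `netstat -an` or `netstat -ano` rows into dicts (pid is None without -o)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue                        # banner, header and blank lines
        rest = f[3:]
        state = rest.pop(0) if f[0] == "TCP" and rest else ""
        (lip, lport), (rip, rport) = split_endpoint(f[1]), split_endpoint(f[2])
        rows.append(dict(proto=f[0], local=lip, lport=lport, remote=rip,
                         rport=rport, state=state, pid=int(rest[0]) if rest else None))
    return rows

def summarize(rows):
    """Group rows by what they mean for exposure (hypothetical category names)."""
    out = {"reachable": set(), "local-only": set(), "loopback-ipc": set(), "external": set()}
    for r in rows:
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            # Bound to 127.0.0.1/::1: only this machine can connect. Anything else
            # (0.0.0.0, [::], a LAN address) is open to the network unless firewalled.
            key = "local-only" if r["local"].is_loopback else "reachable"
            out[key].add((r["proto"], r["lport"]))
        elif r["state"] == "ESTABLISHED" and r["remote"].is_loopback:
            # One local connection shows as two mirrored rows; record it once.
            out["loopback-ipc"].add(frozenset((r["lport"], r["rport"])))
        elif r["state"] == "ESTABLISHED":
            out["external"].add((str(r["remote"]), r["rport"], r["pid"]))
    return out
```

Feeding it `netstat -ano` output fills in the `pid` field, which can then be matched against the PID column in Task Manager to see which process owns each external connection.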


#8 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,577 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:08:33 AM

Posted 09 February 2009 - 01:57 PM

My head hurts too!

perplex,
To explore and learn - Google is your answer.
But for starters, here are a few classic, old, but still relevant, wonderful tutorials
http://www.wilderssecurity.com/showthread.php?t=142036
http://www.wilderssecurity.com/showthread.php?t=24415

#9 perplex

perplex
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 09 February 2009 - 02:19 PM

Thanks very much to both of you for your help, let me assure you my head's been bursting over this for weeks now, I've been trying Google but I could never seem to find simple answers to any of those questions. Now I'm pretty sure of what everything means in netstat so it should make researching this type of thing easier in future. I really do appreciate it, got to go and do stuff now but I'll check those links out later and see if I can start messing about with my ports.

Thanks again. :thumbsup:

#10 E-Mu

E-Mu

    Bleepin' Psychopomp


  • Members
  • 1,386 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 PM

Posted 09 February 2009 - 02:28 PM

A quick note on Google searches

If I searched TCP 127.0.0.1:49254 127.0.0.1:49255 ESTABLISHED I get two results which mean nothing.

However, if I search Port 49254 I get 16,200 results. A bit of reading finds results.

So try omitting different parts of the search and eventually you should find something that sounds related to what you're looking for :thumbsup:
~ E-Mu ~

"Emu, You Moo, We All Moo for Emu!" <-- Thanks to Animal

"If at first you don't succeed; call it version 1.0"




