Why is my Firewall "leaky"


25 replies to this topic

#1 infectednow (Members, 12 posts)

Posted 19 April 2014 - 12:50 AM

A couple weeks back, I clicked on a link in an email (I know, pretty dumb, but it was from a Russian blonde I know, but I digress). If you want the link, I still have it. Anyway, I worked with a guy at Cyber Tech Help and he thought he got rid of whatever malware I got from that click. My first sign of a problem was a popup from Microsoft Security Essentials warning of malware that needed to be cleaned, only I don't have Microsoft Security Essentials installed. Anyway, like I said, he thinks he "got it", but here is the rub: I have a firewall in my router/modem set to "stealth" and have a Comodo Firewall installed on the machine. It doesn't seem to matter what I do, when I run the port scan at www.grc.com, it shows that port 443 is Open. Previous attempts to "stealth" the machine used Windows 7 Firewall and Zone Alarm Firewall. The result was the same in each case.

 

The good folks at Geek Buddies told me the port had to be open to communicate and that I didn't understand what the scan was telling me... Despite what that technician said, I believe that the GRC report says that my computer is acting like a server, just sitting there waiting for anybody to connect to port 443. That port, at the very least, should be Closed, and with the firewalls in place, it should be invisible (stealth). Just to try to validate my concern, I asked my son to run the same GRC scan and he said that all 1056 ports on his system show as being "stealth" as expected.

 

It gets even better, I found a really great video on YouTube that explains how to close or open a port in Windows 7 https://www.youtube.com/watch?v=cbFiWeeMUDI I followed those steps to close port 443 and ran the GRC scan again. Still open.  

 

So... What's the verdict? Do I have some sort of malware holding that port open right through two firewalls? Should my router and/or personal firewall be able to hide the port from being probed? Or is my Geek Buddy right and I have nothing to be concerned with?




#2 Animal (Bleepin' Animinion, Members, 35,905 posts)

Posted 19 April 2014 - 09:04 PM

HTTPS protocol and many games use port 443. As well as some malware. It's a legitimate port that can be open, and it can be misused by malware.

http://www.speedguide.net/port.php?port=443

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)




#3 infectednow (Topic Starter)

Posted 20 April 2014 - 12:05 AM

Hey, thanks for the reference to www.speedguide.net. That will come in handy. I knew port 443 was for HTTPS, but not all the details speedguide provides. I had just wiped my hard drive (as in wrote zeros to it) and had installed nothing but Win 7, firewall and antivirus software, so it's none of the suspects, at least not on my computer.

 

But here is an update: I was poking around in my C1000Z ZyXEL DSL Modem/Router and found a DMZ function where I could put one or more of my LAN computers outside the Router firewall. When I put ANY ONE of my LAN computers in the DMZ, port 443 went stealth on ALL devices on my network! I presume this is true because at that point they were all depending on the Comodo firewall. This tells me that it's the Router that is advertising my 443 Port as being open at my IP address. I'm less concerned about it now than I was, but still, I'd just as soon not have anybody even know that somebody is home at this particular IP address unless I want them to know.

 

So, my next question is: Does anybody have a C1000Z ZyXEL DSL Modem/Router that you can run the www.grc.com Shields Up! 'Scan All Service Ports' and report back to let me know whether your Port 443 is being reported Open or Stealth by your C1000Z ZyXEL DSL Modem/Router? I would appreciate the effort (and it would probably be worth knowing the results for yourself, too!)



#4 Animal

Posted 20 April 2014 - 06:29 PM

You're welcome regarding the information. Unfortunately I don't have the modem required to confirm your observation. Hopefully someone else does and they will reply.



#5 infectednow (Topic Starter)

Posted 20 April 2014 - 07:01 PM

I was talking to my son about this issue, and when I told him I thought it was the modem/router, not my computer, he said the router was probably configured by the phone company with port 443 locked open so that they can do remote diagnostics in case you ever call them with a problem. This is all making sense now. I don't like having that port open, but I guess that's why I have a firewall behind the firewall. Thanks again.

#6 quietman7 (Bleepin' Janitor, Global Moderator, 52,070 posts)

Posted 22 April 2014 - 08:58 PM

Ports 80 and 443 are ports most likely to be open for outgoing connections for various reasons to include...

Windows Product Activation uses the following ports:
80 - HTTP
443 - HTTPS

Ports That Are Used by Windows Product Activation
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 infectednow (Topic Starter)

Posted 23 April 2014 - 09:03 PM

quietman7,

I believe you are right in that those ports are used for the purposes you list. However, I also don't believe they need to ever be "open" to send data to Microsoft or anywhere else. Microsoft's Port 80 and 443 have to be open to accept your "call", but you don't have to have your port open to make that call, and once you have reached out to their server, they can come right back over that closed and secure channel to respond.



#8 Didier Stevens (BC Advisor, 2,751 posts)

Posted 26 April 2014 - 12:56 PM

If Shields Up is reporting that port 443 is open, then it is open on your Zyxel router.

 

There can be several reasons for that. It could be a remote management port, like your son suggested. Have you tried connecting to that port, to see what it is?

You can ask your son to do it. Lookup your Public IP address, for example with a site like http://whatismyipaddress.com/

Say your Public IP address is 1.2.3.4. Then ask your son to remotely connect to port 443 on your Public IP address.

He can do this by opening a browser and visit this URL: https://1.2.3.4

(you replace 1.2.3.4 with your Public IP address). Pay attention to type in https, not http.

 

It is also possible for a router to do port forwarding. This means that a router has an open port, and when a connection is made to that port, then the router forwards the connection to your machine. For this to work, a port has to be open on your machine too.

 

You can check if port 443 is open on your machine by running Microsoft Sysinternals' program TcpView.

Run TcpView, and look at all entries with "LISTENING" under the "State" column header. For these entries, check if the "Local Port" is 443.

 

FYI:

a TCP port can have 2 states: open or closed.

When a port is open, it accepts incoming connections, and when a port is closed, it refuses incoming connections.

When an incoming connection is made to an open port on your machine, then your machine will send data back to acknowledge that the port is open and to establish a connection.

When an incoming connection is made to a closed port on your machine, then your machine will send data back to indicate that the port is closed, and no connection will be established.

 

So in both cases, data is sent back to the initiator of the connection.

When a firewall is in place, it will prevent data being sent back when a port is closed.

Since no data is sent back, the initiator of the connection can not use this information alone to determine if your machine is present.

That is why some call such ports stealth or filtered.


Edited by Didier Stevens, 26 April 2014 - 12:58 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


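The open / closed / stealth distinction Didier describes above, and his TcpView check for a local 443 listener, expressed as a small TCP connect probe. This is an added example for this thread, not code from any of the posts; it uses only the Python standard library and probes 127.0.0.1 so it runs offline. A handshake that completes is "open", a RST answer (ConnectionRefusedError) is "closed", and a SYN that gets no answer within the timeout is "filtered", which is the state Shields Up! labels stealth.

```python
"""TCP connect probe that reports a port the way Shields Up! does: open, closed
or filtered ("stealth"). Added example for this thread, not code from the
original posts; standard library only, probes 127.0.0.1 so it runs offline."""
import socket


def classify(exc):
    """Translate the outcome of connect() into the state a port scanner reports.

    exc is None when the three-way handshake completed: the port is OPEN and
    something is listening (SYN -> SYN/ACK -> ACK).
    ConnectionRefusedError means the host answered the SYN with a RST: the port
    is CLOSED, but the reply itself proves a host is there.
    A timeout means nothing came back at all: the SYN was dropped by a firewall,
    which is what GRC calls "stealth" and nmap calls "filtered".
    Anything else (no route, network down) says nothing about the port.
    """
    if exc is None:
        return "open"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    return "unreachable"


def probe(host, port, timeout=1.0):
    """Attempt a full TCP connect to host:port and classify the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = None
    except OSError as err:  # socket.timeout and ConnectionRefusedError are both OSError
        outcome = err
    finally:
        sock.close()
    return classify(outcome)


def _free_port():
    """Ask the kernel for an unused loopback port, then release it (constructed fixture)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Stand up a listener on one port and probe it, then probe a port nobody listens on.

    Returns {"listening": state, "nobody_home": state}, expected open / closed.
    A "filtered" result cannot be produced on the loopback interface, because the
    local kernel always answers; you only see it through a firewall that drops SYNs.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listening_port = listener.getsockname()[1]
    try:
        return {
            "listening": probe("127.0.0.1", listening_port),
            "nobody_home": probe("127.0.0.1", _free_port()),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
    # Programmatic version of the TcpView check: is anything on this machine
    # listening on local port 443?
    print("127.0.0.1:443 is", probe("127.0.0.1", 443))
```

Run against 127.0.0.1:443 on the machine itself, `probe()` answers the same question as TcpView's LISTENING column; run from outside against the public IP, it reproduces what Shields Up! saw. It cannot tell you which device answered, which is why the DMZ experiment and the browser visit to https://public-ip were needed to pin the listener on the router.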
#9 Didier Stevens

Posted 26 April 2014 - 01:23 PM

quietman7 wrote:

    Ports 80 and 443 are ports most likely to be open for outgoing connections for various reasons to include...

    Windows Product Activation uses the following ports:
    80 - HTTP
    443 - HTTPS

    Ports That Are Used by Windows Product Activation


quietman7, the ports listed in this KB article are remote ports, not local ports.

 

A TCP connection is characterized by 4 elements: local address, local port, remote address and remote port.

In this context, local means your machine, remote means the server you are connecting to.

The Windows Product Activation servers are listening for incoming connections: they have ports 80 and 443 open.

When your machine is accessing these servers, it will create TCP connections to these servers with remote ports 80 and/or 443.

Your machine will not open local ports 80 and/or 443. Your machine will use high numbered ports for the local ports, for example starting at 49152.

 

Local ports of a TCP connection are not considered to be open. They will not accept new, incoming connections.

 

When I connect to the BC website, my machine will establish a TCP connection like this:

192.168.1.1:49152 -> 141.101.113.117:80

local address:local port -> remote address:remote port

 

My Windows 7 machine will use port 49152 for its first connection. Then it will use 49153 for its second connection, and so on...

It will never use port 80 or 443 as a local port.

 

More information in this KB article: https://support.microsoft.com/kb/929851

 

These local ports are also called dynamic or ephemeral ports:

https://en.wikipedia.org/wiki/Ephemeral_port

 

Hope this helps.



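The four-tuple and ephemeral-port behaviour explained in the post above, demonstrated on the loopback interface. This is an added example, not code from the original posts; a listener on 127.0.0.1 stands in for the remote web server, and the "remote" port is whatever the kernel assigns rather than 80 or 443. It shows that the client side of an outbound connection gets a high-numbered local port it never listens on, that a second connection gets a different local port, and that a fresh SYN aimed at the ephemeral port is refused while the server's port accepts.

```python
"""Four-tuple of an outbound TCP connection, and why the local (ephemeral) port
is not an "open" port. Added example for this thread, not from the original
posts; uses a loopback stand-in for the remote server so it runs offline."""
import socket

LOOPBACK = "127.0.0.1"


def _state(addr, port, timeout=1.0):
    """Connect-probe one port: 'open' if the handshake completes, 'closed' on RST."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.settimeout(timeout)
    try:
        probe.connect((addr, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    finally:
        probe.close()


def outbound_connection():
    """Make outbound connections and describe them as local:port -> remote:port.

    The listener stands in for a web server's port 80/443. The clients never
    call bind() or listen(): the kernel hands each one an ephemeral local port
    that belongs to that single connection (one four-tuple). A new SYN aimed at
    that ephemeral port matches no listener, so the kernel answers RST.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((LOOPBACK, 0))
    server.listen(4)
    remote_addr, remote_port = server.getsockname()

    # First outbound connection (like a browser fetching a page).
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect((remote_addr, remote_port))
    accepted, _ = server.accept()
    local_addr, local_port = client.getsockname()

    # Second connection from the same host: a different ephemeral local port.
    client2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client2.connect((remote_addr, remote_port))
    accepted2, _ = server.accept()
    second_local_port = client2.getsockname()[1]

    # Probe both ends from a third socket while the connections are alive.
    ephemeral_state = _state(local_addr, local_port)   # expect "closed"
    remote_state = _state(remote_addr, remote_port)    # expect "open"

    for sock in (accepted, accepted2, client, client2, server):
        sock.close()

    return {
        "tuple": f"{local_addr}:{local_port} -> {remote_addr}:{remote_port}",
        "local_port": local_port,
        "second_local_port": second_local_port,
        "remote_port": remote_port,
        "ephemeral_port_state": ephemeral_state,
        "remote_port_state": remote_state,
    }


if __name__ == "__main__":
    for key, value in outbound_connection().items():
        print(f"{key}: {value}")
```

The exact ephemeral range depends on the operating system (Windows Vista and later start at 49152, as the post says; Linux defaults to a different range and picks ports in a randomised order), so the code asserts only that the local port is high-numbered and differs between the two connections, not its precise value.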

#10 infectednow (Topic Starter)

Posted 26 April 2014 - 10:42 PM

Didier,

First of all, I really appreciate your explanation of ports and dynamic ports, etc. You have cleared up some things for me as well as some others here, I'm guessing. Thanks!

 

I did as you suggested. I was able to get my IP address from the Shields Up! scan at GRC.com. From there I used the browser on my iPhone (with WiFi turned off) to contact my router. The router opened a login page that looks just like the login page I get when I "call" the router from the LAN. This leaves the router easy to probe (just like the Shields Up! report said). Should someone figure out how to get logged into the router via that port, I'm guessing they would have complete access to the settings for the router and could disable the security. The router has "stealth" settings, which I have engaged and which are obviously compromised by the phone company using port 443 as a service port as we suspected. 

 

Would it be possible to forward the router port 443 to another port address inside the router that would not respond to a contact? If not, I'm not sure there is anything I can do about this port advertising my presence at this point.



#11 Didier Stevens

Posted 27 April 2014 - 02:53 AM

So now we are sure that this is a management interface, and that port 443 is open on your router. On such routers, it's often possible to disable this on the Internet side (WAN side).

 

Forwarding inside the router is not an option.

 

First you should get information from your ISP concerning that management interface. Do they use it, and do your Terms of Service allow you to disable it?

 

FYI: this page seems to suggest that port 443 is open by default on your type of router:

http://internethelp.centurylink.com/internethelp/modem-c1000z-adv-remote-gui.html




#12 infectednow (Topic Starter)

Posted 27 April 2014 - 03:46 PM

Didier,

I had already found that help page. Since forwarding that port to somewhere on the router is out (and I don't want to forward it to my PC), eliminating port 443 as a remote access point is about all I've got left. I've played around with the remote access settings. It doesn't matter what port I put in the remote port access (blank or otherwise), the router either won't accept the input or appears to accept it, but when I go back and check, the value has reverted back to remote access port 443, even when remote access is disabled. I'm not sure why the router insists on having a port assigned when remote access is disabled, but it does. It seems as if it is either hard wired or at least set up in the firmware to keep 443 open no matter what.

 

I looked through the CenturyLink website and read the TOS and their Acceptable Use Policy, but there is nothing there that alludes to them having access to my router (I say "my" router because I bought it). Thinking back, I know they do access routers, because when I first got the service, I complained that the speed wasn't as advertised. The tech connected to my router (asked me for the password on the bottom of the router) and ran some diagnostics. They found a problem in a switch near my house. Anyway, this means that the default setting for the router was "Enabled". I, at least, have changed it to "Disabled", so that if I try to connect to it from the WAN side, it says my ID or password is bad. If I enable it, I can get right in and do everything I can do from the LAN side. I will contact them during the week (closed weekends), but I think I probably already know more than virtually anybody I'll be able to get on the phone (which isn't saying much).

 

I think I am stuck with an open port 443 advertising my whereabouts, but at least the port (and entire router) is NOW inaccessible, even with the correct password. I think that's the best I am going to get and that is probably good enough.

 

Thanks again for your help. If I learn anything new from CenturyLink, I'll pass it along.



#13 Didier Stevens

Posted 27 April 2014 - 05:28 PM

So if you disable the Remote GUI, port 443 is still open?




#14 infectednow (Topic Starter)

Posted 27 April 2014 - 07:18 PM

Yes, there is nothing I can do to cause the router to show the port as closed or not respond to queries (stealth). If I change port numbers and save as disabled, when I go back to check if the router saved it, the router has changed whatever I put in back to 443.

#15 Didier Stevens

Posted 28 April 2014 - 09:29 AM

OK, and if you enable the Remote GUI and change the port, does that work? Or are you still stuck on port 443?






