
I need help interpreting my port scan results


5 replies to this topic

#1 Zedmond


Posted 04 December 2015 - 11:35 PM

I'm new to network/port scanning and could use some help with which ports are okay and which aren't.

 

I used NirSoft's CurrPorts to do the scan. Here are some of the scan results: (I'd simply post the results but I'm not sure if that's safe or not, so at this point I'm not going to.)

 

  • 54 total ports with 3 remote. (My RDP is disabled??)
  • They range in states: blank, listening, time wait, or established.
  • There are 11 unknown TCP processes with both a local port (64458+) and a remote port (80, 443, or 5000); they are HTTP
  • There are many local port names

 

Any guidance will be appreciated! Thanks




 


#2 technonymous


Posted 05 December 2015 - 12:28 AM

The blank and listening ports are local network and Windows services. The time_wait is a port that is in the process of closing down. Established are ports that are open and actively sending data through your apps. Port 80 is HTTP, 443 is HTTPS, port 5000 again is for something else. All are completely normal till something looks abnormal, especially with Established connections coming from programs you're not running.


Edited by technonymous, 05 December 2015 - 12:40 AM.


#3 Zedmond

  • Topic Starter


Posted 05 December 2015 - 12:39 AM

The blank and listening ports are routing, local network, and Windows services. The time_wait is a port that is in the process of closing down. Established are ports that are open and actively sending data through your apps. Port 80 is HTTP, 443 is HTTPS, port 5000 again is for something else. All are completely normal till something looks abnormal, especially with Established connections coming from programs you're not running.

Thank you that was helpful.

 

I guess my mission will be to learn what looks abnormal or not. To me it looks abnormal now, but that may just be due to my lack of understanding! There is just so much information, different IPs, etc. that, when coupled with the warning signs my PC is showing, convince me something is not right.



#4 technonymous


Posted 05 December 2015 - 12:42 AM

You can see what Process ID (PID) and service or program .exe the ports are associated with by running netstat commands.



#5 Zedmond

  • Topic Starter


Posted 05 December 2015 - 12:54 AM

You can see what Process ID (PID) and service or program .exe the ports are associated with by running netstat commands.

 

The netstat command is just a command line entry, correct?

 

Here is all the info CurrPorts provides on each process. Hopefully this is sufficient.

Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State, Process Path, Product Name, File Description, File Version, Company, Process Created On, User Name, Process Services, Process Attributes, Added On, Module, Filename, Remote IP Country, Window Title


Edited by Zedmond, 05 December 2015 - 12:58 AM.


#6 technonymous


Posted 05 December 2015 - 01:19 AM

Yes, correct, but cmd must be elevated to administrator before you can use the more advanced parameters. Like netstat -fbo, which will show Established connections only, PID, FQDN/IP, Protocol, exe or service.
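
The triage discussed in this thread, as an added example that is not part of any poster's reply: a small parser for `netstat -ano` output that keeps only established TCP sessions to another host, which are the rows worth tracing back to a process by PID. The sample output is constructed (documentation-range addresses, invented PIDs), and the function names are this example's own.

```python
import ipaddress

# Constructed sample in the layout printed by `netstat -ano` on Windows.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED     1500
  TCP    192.168.1.10:64458     203.0.113.7:443        ESTABLISHED     4120
  TCP    192.168.1.10:64459     203.0.113.7:80         TIME_WAIT       0
  TCP    192.168.1.10:64460     198.51.100.9:5000      ESTABLISHED     2788
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1500
"""

def split_endpoint(text):
    # 'addr:port' for IPv4, '[addr]:port' for IPv6, '*:*' on UDP rows
    addr, _, port = text.rpartition(":")
    return addr.strip("[]"), port

def parse(output):
    rows = []
    for line in output.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # UDP is connectionless, so netstat prints no State column for it
        state = f[3] if len(f) == 5 else ""
        (laddr, lport), (raddr, rport) = map(split_endpoint, f[1:3])
        rows.append({"proto": f[0], "laddr": laddr, "lport": int(lport),
                     "raddr": raddr, "rport": rport, "state": state,
                     "pid": int(f[-1])})
    return rows

def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False  # '*' on UDP rows
    return not (ip.is_loopback or ip.is_unspecified)

def external_established(rows):
    # Established TCP sessions to another host: the rows worth tracing to a process
    return [(r["pid"], r["raddr"], int(r["rport"])) for r in rows
            if r["state"] == "ESTABLISHED" and is_external(r["raddr"])]

if __name__ == "__main__":
    for pid, addr, port in external_established(parse(SAMPLE)):
        print(f"PID {pid} -> {addr}:{port}")
```

In the sample, the high local ports (64458 and up) are the client side of outbound connections, and the loopback session is filtered out because it never leaves the machine.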





