How Do I Close Port 1024?
Thread Starter
Joined: Sep 1998
Posts: 513
Likes: 0
From: Sydney, Australia
Hoping someone can help me here.
I keep my system pretty secure - XP Home fully updated, Zone Alarm Plus, Trend Micro's PC Cillin 2003 under corporate license, fully updated, regular scans with Pest Patrol, Adaware and Spybot S&D.
Paranoid, you might say, but so far I have not been infected with any virus and MSBlaster didn't get me.
Also, as part of my routine I regularly go to www.grc.com and use his Shields Up port scan facility to make sure all is in order re the firewall. On my last visit but one all my service ports were stealthed and I was smugly satisfied that evildoers would have some difficulty getting into my system.
However in the last couple of days a Shields Up check reveals that Port 1024 is open. I don't know enough about this to be able to talk in depth, but as far as I can figure out from the info on the GRC pages, 1024 being open while I'm on broadband is a security risk. Port 135, which I believe controls access to port 1024, remains stealthed.
MSBlaster uses port 135 and I am concerned that an unsuccessful attempt by MSBlaster may have done this and I want to correct it.
I have searched for components of MSBlaster on my PC and I don't have them. My ISP told me that the trojans/adware progs Netspy, Latinus and Jade all use port 1024, but as far as I can tell I don't have those (Spybot and Pest Patrol scans come up clean.)
Questions:
Given that port 135 remains stealthed, should I be concerned?
Is there a prog or utility that I can run that will tell me which running program or process opens port 1024 on my PC?
How can I close the port? I followed the instructions for doing that in Zonealarm, but it made no difference. (Ie, Firewall | Main | Internet Zone Security | Custom then scroll down to the list of ports to block where there is a facility to add your own, which I did.)
Smugness gone, now a little uneasy
AA
The Oracle


Joined: Aug 2001
Posts: 2,902
Likes: 0
From: Naples, Florida U.S.A.
Ausatco,
Here is the patch from Microsoft to close port 1024:
Microsoft Security Bulletin MS01-059
Take Care,
Richard
Thread Starter
Joined: Sep 1998
Posts: 513
Likes: 0
From: Sydney, Australia
Thanks, Richard. Unfortunately, when I ran the patch it quit when it discovered that I had SP1, saying that it was only for XP not upgraded to SP1. I presume from that that SP1 includes the fix. (Sorry, I should have said at the start that I had SP1.)
I read the article. It was mostly above my head, but I did note that it mentioned UPnP and associated ports 1900 and 5000.
GRC has a few downloadable utilities. One of them switches on and off UPnP. I've used that in the past to disable UPnP on Gibson's recommendation for security reasons. When I toggled it just now to enable UPnP it opened 5000, as you'd expect, and then closed it again when I asked it to.
I cannot see what's happening to 1900, but 1024 remains open all the time. Here's what Gibson's port scanner says about 1024 when it found it open on my PC:-
One or more unspecified Distributed COM (DCOM) services are opened by Windows. The exact port(s) opened can change, since queries to port 135 are used to determine which services are operating where. As is the rule for all exposed Internet services, you should arrange to close this port to external access so that potential current and future security or privacy exploits can not succeed against your system.
You can try it for yourself (if you haven't already) at https://grc.com/x/ne.dll?rh1dkyd2 Just go to the bottom of the page and click in turn Common Ports and All Service Ports and see your results for yourself.
Edited to add:-
You may not be able to go directly to that page using the above link for security reasons. If necessary navigate from Gibson's Shields Up page at https://grc.com/x/ne.dll?bh0bkyd2. Use the ports links in the Shields Up Services table halfway down the page.
End of edit
Of the first 1056 Internet ports, the only one I have open is 1024. It used to be "stealthed" - ie invisible to the outside world. Its changed status to "open" worries me.
Cheers
AA
Last edited by Ausatco; 20th August 2003 at 20:01.
Joined: Jan 2002
Posts: 146
Likes: 0
From: ---------->
you could use TCP/IP filtering
start > settings > network connections
right click your internet connection
double click TCP/IP
click advanced then the options tab
click select tcp/ip filtering and select properties
enter the relevant settings here
Ecce Homo! Loquitur...

Joined: Jul 2000
Aviation Qualifications: Spotter
Posts: 24,629
Likes: 7,337
From: Peripatetic
You can enable/disable ports directly in the properties of your network card even before they get to the firewall. Be careful you don't disable ports you might need. TCP/IP filtering.
The Oracle


Joined: Aug 2001
Posts: 2,902
Likes: 0
From: Naples, Florida U.S.A.
Ausatco,
If you are worried, you could get a Router (Hardware Firewall) or go with:
McAfee Firewall (Software Firewall)
Take Care,
Richard
Joined: Aug 2003
Posts: 12
Likes: 0
From: London
SysInternals produce a great many useful tools. TCPView displays all the ports your system is listening on, and the processes that are responsible:
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
Plastic PPRuNer

Joined: Sep 2000
Posts: 1,902
Likes: 0
From: Rochechouart, France
If you've got an old doorstop 386/486 hanging around there are several free microdistributions of UNIX/Linux that run off a stiffy (unpack themselves into 8MB RAM) and replace expensive dedicated routers/firewalls.
I'm playing with FREESCO ( http://www.freesco.org/ ) right now on an old 486 box, it looks really neat and easy to configure.
Watch this space.....

Joined: Mar 2002
Posts: 448
Likes: 0
From: London, UK
If you've got an old doorstop 386/486 hanging around there are several free microdistributions of UNIX/Linux that run off a stiffy (unpack themselves into 8MB RAM) and replace expensive dedicated routers/firewalls.
They also seem to be more reliable/predictable than the so-called software one built into Windoze products.
I'm playing with FREESCO ( http://www.freesco.org/ ) right now on an old 486 box, it looks really neat and easy to configure.
Watch this space...
Joined: Jul 2003
Posts: 151
Likes: 0
From: Scotland
Ausatco, you say you are running XP Home and ZoneAlarm; do you have the Windows firewall switched on too?
If so you can sleep easy at night. I have tested firewalls quite extensively and although the XP ver is very basic, in that you can't see who is pinging/probing you, there is very little chance that you will be affected.
GRC does provide some good tools but SG has a major problem with Microsoft in general and some of his tools return false and frankly untrue data, or perhaps it could be explained to me that when I sit behind two software firewalls and a hardware firewall these tests still report that they could 'get' me. In these cases IP addresses often prove to be of my hardware f/w so I sleep real good at night.
What the blaster worm has done has opened up people's eyes to what can happen to someone who makes no use of the free windowsupdate site which can rid you of all these problems before they visit you in the first place.
Now if only some of my customers' overpriced AV software could keep out sobig.abcdefg??? viruses then maybe I could go to bed...
Thread Starter
Joined: Sep 1998
Posts: 513
Likes: 0
From: Sydney, Australia
YeeeHaaa!! Success!
EGLD, ORAC, I couldn't find TCP/IP filtering in XP Home. ORAC, your MS link mentioned that you could do it in XP Pro, but did not mention Home. I fiddled around a bit but could not find a route into TCP/IP filtering - closest I got was TCP/IP properties or advanced, neither of which took me to filtering, which seems to confirm that some goodies needed by fiddlers like me aren't in Home. But thanks, 'cos I've learned a bit in the process.
Richard, you suggested McAfee software firewall, but as I have a paid-for, licensed copy of Zone Alarm I didn't want to double up in the software firewall area. But thanks for following my travails, and those of many other prooners. I like to follow your links and suggestions in this forum and note what I find out. Trouble is, my FIFO stack is full and I really struggle to retain it all, but thanks anyway.
Mac, RTFM, I've just given away an old PII box
The new owner has had a few probs, but I can't yet tell if it's the H or the M in the HMI (Human-Machine-Interface) that's the problem. If I get it back I may well go that route.
F_S_D No, I don't have the XP firewall on as well, only ZA. From what I've read, one should only use one software firewall, and ZA is more comprehensive than XP built in one, or so I'm led to believe. Concur, I think SG is pushing a bit of a barrow with MS, but I love his site - lots of info that I can (mostly) understand.
Peg, You get the cigar.
How would you like that, sir? Hand rolled on the tanned thigh of a dusky Cuban maiden, perhaps?
TCPView was just the tool I was after - it told me that Windows Explorer (explorer.exe) was holding port 1024 open. I removed Windows Explorer from the allowed list in Zone Alarm and re-booted. When I next opened Windows Explorer after the re-boot, ZA asked if I wanted to allow explorer to be a server. I answered "No" (I had previously answered "Yes" on the basis of info contained in the FAQ on the ZoneAlarm site.)
Lo! Port 1024 was stealthed
I guess I will find out eventually (when something doesn't work) but in the meantime can anyone tell me why Windows Explorer wants to be a server, and what is the effect of allowing/disallowing that?
Muchas Gratias to all
AA
Last edited by Ausatco; 22nd August 2003 at 13:03.
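The port-to-process lookup that TCPView did in the post above can also be reproduced from `netstat -ano` output. The following is an added example, not part of any post in this thread: it parses that output and reports which process owns each listener bound to a non-loopback address. The sample output, PIDs and process map are constructed, and English-language netstat output is assumed.

```python
# Constructed sample of `netstat -ano` output (not captured from the poster's PC).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1024           0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1712
  TCP    192.168.0.2:1090       203.0.113.7:80         ESTABLISHED     2044
  UDP    0.0.0.0:1900           *:*                                    1100
"""

# Constructed PID -> image name map, as a process lister would supply it.
SAMPLE_PROCESSES = {884: "svchost.exe", 1480: "explorer.exe", 1712: "alg.exe",
                    1100: "svchost.exe", 2044: "iexplore.exe"}


def parse_listeners(netstat_text):
    """Return TCP rows in LISTENING state and bound UDP rows as dicts."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            proto, local, pid = f[0], f[1], f[4]
        elif len(f) == 4 and f[0] == "UDP":      # UDP rows carry no state column
            proto, local, pid = f[0], f[1], f[3]
        else:
            continue                             # headers, established sessions
        host, _, port = local.rpartition(":")    # also handles "[::]:135"
        rows.append({"proto": proto, "host": host,
                     "port": int(port), "pid": int(pid)})
    return rows


def is_loopback(host):
    """Loopback-bound sockets cannot be reached from another machine."""
    return host.startswith("127.") or host == "[::1]"


def exposed_listeners(netstat_text, processes, expected=()):
    """List (proto, port, image, pid) for non-loopback listeners not in `expected`.

    These are the sockets an external scan reports as open unless a
    firewall filters them first.
    """
    found = []
    for r in parse_listeners(netstat_text):
        if is_loopback(r["host"]) or (r["proto"], r["port"]) in expected:
            continue
        name = processes.get(r["pid"], "<unknown>")
        found.append((r["proto"], r["port"], name, r["pid"]))
    return sorted(found, key=lambda t: (t[1], t[0]))


def owner_of(netstat_text, processes, port, proto="TCP"):
    """Name of the process holding `port` open, or None if nothing listens."""
    for r in parse_listeners(netstat_text):
        if r["proto"] == proto and r["port"] == port:
            return processes.get(r["pid"], "<unknown>")
    return None


if __name__ == "__main__":
    for proto, port, name, pid in exposed_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"{proto} {port:<5} {name} (PID {pid})")
```
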
Ecce Homo! Loquitur...

Joined: Jul 2000
Aviation Qualifications: Spotter
Posts: 24,629
Likes: 7,337
From: Peripatetic
RTFM, Seen the Mini-Box?
Or you could just buy their MediaBoxOS Kit and build your machine...
(Also see ITuner the parent company reference MediaBoxOS. They developed it and have been running it on their streaming servers for over 2 years. So it's pretty robust.)
Last edited by ORAC; 22nd August 2003 at 21:51.
The Oracle


Joined: Aug 2001
Posts: 2,902
Likes: 0
From: Naples, Florida U.S.A.
Ausatco,
RTFQ - I completely missed that you are running Zone Alarm.
The reason I mentioned Mcafee's version of their Firewall is because it is one of the best I have seen in action. I was watching in real time as my brother-in-law's comp was under full attack on port 135. The Firewall worked flawlessly and gave the owner a lot of power for dealing with attacks.
Zone Alarm is an excellent program too. If you have it running and properly configured, you are safe.
Take Care,
Richard
Thread Starter
Joined: Sep 1998
Posts: 513
Likes: 0
From: Sydney, Australia
No worries, Richard. I'm very happy and impressed with ZA. I recently watched, with some apprehension, my own computer being attacked and ZA deflecting the shots.
ZA has helped me answer my own question about why Windows Explorer wants to be a server. When the ZA warning window popped up because explorer.exe asked for server rights I clicked the "More Info" button.
If anyone's interested here's what came up. Click the Technical Info, Details and Hacker ID tabs for more complete info.
AA
Thread Starter
Joined: Sep 1998
Posts: 513
Likes: 0
From: Sydney, Australia
Hey Orac,
Back on 20 Aug you wrote
You can enable/disable ports directly in the properties of your network card even before they get to the firewall. Be careful you don't disable ports you might need. TCP/IP filtering.
A bit later I said I couldn't find TCP/IP filtering in XP Home. Well, I didn't look hard enough. It's as plain as day in the MS Technet article you linked to, dunno why I couldn't follow it then.
My solution was to have Zone Alarm not permit Windows Explorer to act as a server - explorer was keeping port 1024 open. So far there have been no known repercussions.
Thanks for trying to help an illiterate
AA
Last edited by Ausatco; 7th September 2003 at 09:19.




