
Ports 12345, 20034, 31337, & 137 are open.. I think this means trouble

Status
Not open for further replies.

ohif

IS-IT--Management
Jun 11, 2003
78
US
Thanks to many in this forum I have a couple access control lists up and running and only allowing ports and services in that I want coming in. I was just testing this today from a site called scan.sygate.com. I ran a few scans and I was impressed at how tight my network has become after the access lists. But when I ran a UDP scan, I was amazed that ports 137 (netbios-ns), 12345 (trojan port for netbus), 20034 (another trojan port), 31337 (back orifice port) were listening. And I'm sure it's not a coincidence that ever since I installed an IDS I have been receiving alerts about the netbus trojan and the ports are listening. I have e-trust virus protection on every system and a rule to block the netbus traffic but the ports are still open. What can I do to stop this??? I scheduled a full system scan on every system over the weekend. How are these ports open? I have them blocked coming in. They must be going out? Can anyone help me? Thanks
 
UDP scans are notoriously inaccurate because UDP traffic is the first traffic to be dropped, and the scanners consider a non-response to be "open."

Run a scanner like nmap or nessus locally, and then look at the results. I would guess that you will get substantially different results.

I wouldn't sweat it too much unless you run the scanner locally and get the same results.


pansophic
 
Well, even if you block access at the perimeter, the hosts will still be listening. No external user will be able to access them due to the filtering, but the host will still listen. If you truly believe one of your hosts has a trojan, then you need to do some research on the specific trojans.
Like pansophic says, don't trust the UDP scans. I personally don't trust any web-based scanner. Nmap and nessus are free tools that are much more accurate. Try those on the suspect machines, and see what you get.

I'll see your DMCA and raise you a First Amendment.
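The ambiguity the replies describe can be reproduced on loopback. The following is an added example, not code from any poster in this thread: it sends one UDP probe and classifies the port from what comes back. The function names `probe_udp` and `demo` are hypothetical, and the two loopback ports are constructed test fixtures. A port with nothing bound returns an ICMP port-unreachable and is reported as closed, while a listener that never answers is indistinguishable from a packet dropped by an ACL, which is the case scanners tend to report as "open".

```python
import socket

def probe_udp(host, port, timeout=1.0):
    """Classify one UDP port from a single probe, as a remote scanner has to."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))    # connected socket, so ICMP errors reach us
        s.send(b"\x00")
        s.recv(1024)
        return "open"              # a service actually answered
    except ConnectionError:
        return "closed"            # ICMP port unreachable: nothing is bound
    except socket.timeout:
        # Silence: a listener that ignored the probe, or a filter that
        # dropped it. The probe alone cannot tell these apart.
        return "open|filtered"
    finally:
        s.close()

def demo():
    """Constructed loopback fixtures: a silent listener and an unbound port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))            # bound, but never replies
    silent_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    unbound_port = tmp.getsockname()[1]
    tmp.close()                                # nothing is bound here now

    try:
        return {
            "silent_listener": probe_udp("127.0.0.1", silent_port, 0.5),
            "nothing_bound": probe_udp("127.0.0.1", unbound_port, 0.5),
        }
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo())
```

Because a dropped probe and a silent listener both end in a timeout, only a check run on the host itself, or from inside the filter, settles whether anything is bound to the port.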
 