Hello.. I'm sorry if this has been asked a million times (it probably has) but I've been searching for a long time and nothing I've found has been of much help.

 

On my computer there are process(es) always listening on port 135 and 1025. These are the only ports that show up as open on the GRC "full port scan" besides port 80 when my firewall is off.

 

How can I find out exactly what is listening on these ports? And how can I prevent it from listening on these ports without messing up my system?

 

I've heard that Windows RPC listens on port 135 and ending that process isn't really an option for me.. and I have no clue what is using port 1025.. I've heard that it varies a lot..

 

So how can I prevent my computer from listening on these ports?

 

 

And possibly find out why it is listening on them/what it is doing with them? (this isn't all that important though, the main issue is just getting it to stop doing this)

 

Any help would be very very appreciated.

 

 

This is on 64-bit XP SP2.

 

 

Oh and one more little question.. not all that important but it would be nice.. is there a way to make it so that my computer doesn't say port 80 is open unless a VALID http request is being made to it? I think this would prevent most port scans from finding it open maybe.

https://forums.phpfreaks.com/topic/75835-solved-port-135-and-1025/

No, he's not "just flat out trolling." He's asking you those questions because you'd have to be an idiot to follow those links and not see that the information they give you is exactly what you're looking for, so he's giving you the benefit of the doubt. The very first links provided by Google when you search for "port 135" and "port 1025" lead you to the GRC's info pages on the ports - a rather reputable source, I'd say.

 

Have you tried using a firewall? If not, try the Windows firewall, see if it's any good.

 

Note: The unfortunate thing about ports > 1024 is that there isn't really any "official" association between a port number and a service, so you can't really be sure what's listening on port 1025, unless Windows has added a way to tell you the applications that have network connections.

I've been searching for a long time
k? Meaning that.. that's right.. that I searched!

 

nothing I've found has been of much help.
Meaning that the results do not solve my problem..

 

 

how can I prevent it from listening on these ports without messing up my system?
That rules out killing the RPC process, which is the only way mentioned to make it stop listening on that port. If you know of a search that describes how to do this without messing up RPC and thus my computer, please do share it.

 

 

I've heard that Windows RPC listens on port 135 and ending that process isn't really an option for me..
k? So in other words I searched and what I found basically says that I need to kill the RPC process to make it stop trying to listen on port 135.. and as I've already said, I'm not going to do that, since it will make a lot of stuff stop working.

 

 

and I have no clue what is using port 1025.. I've heard that it varies a lot..
That's all I've found out about the ports around 1025 and 1024 and 1026 etc etc.. that they vary.. I know that.. I found that out by searching.. I want to know how to find out what is listening on it though. And how to make it stop listening on it without breaking said program.

 

 

Oh and one more little question.. not all that important but it would be nice.. is there a way to make it so that my computer doesn't say port 80 is open unless a VALID http request is being made to it? I think this would prevent most port scans from finding it open maybe.
And I'm definitely sure that I've never seen any search results that hint at answering this one.

 

 

 

So ya, if you don't want to come across as a sarcastic troll that is playing dumb.. then try to read and/or comprehend what you read (no offense)

And if you STILL find a way to misinterpret what I am saying even when I have spelled it out this much.. then forget it.. I'm sorry but I don't know of any simpler/more straightforward ways to put it, and will just wait for (hopefully) someone to come along that understands what I am saying. It shouldn't be that hard to understand..

Oh and one more little question.. not all that important but it would be nice.. is there a way to make it so that my computer doesn't say port 80 is open unless a VALID http request is being made to it? I think this would prevent most port scans from finding it open maybe.
And I'm definitely sure that I've never seen any search results that hint at answering this one.

 

This would require some very tricky firewalling - and to be honest, I'm not sure that your web server would even work properly with such a rule in place. I wouldn't be surprised at all if the first thing a browser does before sending the HTTP request is check if the port is open.

Run

netstat -abo

as an admin.

 

-a shows all connections and their associated ports.

-b shows the executable file associated with each connection.

-o shows the PID of the process associated with each connection.

 

I guess that'll give you the answers you need.

Run

netstat -abo

as an admin.

 

-a shows all connections and their associated ports.

-b shows the executable file associated with each connection.

-o shows the PID of the process associated with each connection.

 

I guess that'll give you the answers you need.

Thanks :)

 

I still don't know how to make the programs stop listening on these ports though without making the programs stop working though..

 

And the command scrolls way off the page so that it doesn't show most of the stuff..

  TCP    none:http              r2d2.satgate.net:60424  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              r2d2.satgate.net:39574  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              r2d2.satgate.net:55438  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              r2d2.satgate.net:38088  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              85.195.164.175:1320    CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              85.195.164.175:1319    CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              vip32.ign.cz:45206     CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              hp4gamers.de:49009     CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              hp4gamers.de:48862     CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              86-39-156-1.tactics.be:58218  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              86-39-156-1.tactics.be:58207  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              87-248-174-36.starnet.md:52528  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              ip-89-102-129-76.karneval.cz:3841  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              euro.radiohost.pl:34527  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              euro.radiohost.pl:34517  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              adsl-105-1.globonet.hu:14932  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              adsl-105-1.globonet.hu:16169  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              adsl-105-1.globonet.hu:13638  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              adsl-105-1.globonet.hu:13868  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              adsl-105-1.globonet.hu:25007  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              adsl-105-1.globonet.hu:19835  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy.gcn.ua:50309     CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy.gcn.ua:51340     CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy.gcn.ua:49792     CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              18-85-113-92.pool.ukrtel.net:59926  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              18-85-113-92.pool.ukrtel.net:59927  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              18-85-113-92.pool.ukrtel.net:59924  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              jessica.w3.org:57581   CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              websauce.net:43421     CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              w3cache.polsl.pl:50723  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              h73n199.biveg.ru:62577  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              h73n199.biveg.ru:62355  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              195.205.214.163:47263  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              195.205.214.163:47270  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              hbzphp.deep-thoughts.com:2156  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              mail.iab.com.ar:60640  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              mail.iab.com.ar:46855  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              mail.iab.com.ar:60594  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              202-45-102-164-static.spacecentre.com.au:52674  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              202-45-102-164-static.spacecentre.com.au:52669  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              psf-p2.singnet.com.sg:59071  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              psf-p2.singnet.com.sg:34200  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              psf-p2.singnet.com.sg:55953  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              owghosting.com:40371   CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              owghosting.com:39636   CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              owghosting.com:39639   CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              owghosting.com:40382   CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy-out1.bol.bg:34885  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy-out1.bol.bg:35267  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy-out1.bol.bg:57284  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy-out1.bol.bg:44472  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy-out1.bol.bg:35626  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy-out1.bol.bg:54690  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy-out1.bol.bg:36045  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy-out1.bol.bg:44489  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy8.netis.ru:47863  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              proxy8.netis.ru:54545  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              str.bashnet.ru:41035   CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              str.bashnet.ru:41083   CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              213.226.196.173:23417  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              213.226.196.173:23414  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              213.226.196.173:23416  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              gaja.tpnet.pl:39787    CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              ns.4nets.lv:55625      CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:48880  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:48525  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:29412  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:39129  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:59732  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:58161  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:13504  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:25492  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:17940  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:58516  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:43943  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:18586  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:http              218-186-12-10.cache.maxonline.com.sg:48763  CLOSE_WAIT      2564
  [lighttpd.exe]

  TCP    none:31274             opium2.msg.vip.dcn.yahoo.com:http  TIME_WAIT       0
  UDP    none:isakmp            *:*                                    436
  [lsass.exe]

  UDP    none:3726              *:*                                    1816
  [voicechat.exe]

  UDP    none:1059              *:*                                    792
  Dnscache
  [svchost.exe]

  UDP    none:1044              *:*                                    792
  Dnscache
  [svchost.exe]

  UDP    none:microsoft-ds      *:*                                    4
  [system]

  UDP    none:1060              *:*                                    792
  Dnscache
  [svchost.exe]

  UDP    none:1061              *:*                                    792
  Dnscache
  [svchost.exe]

  UDP    none:ipsec-msft        *:*                                    436
  [lsass.exe]

  UDP    none:8730              *:*                                    2564
  [lighttpd.exe]


C:\Documents and Settings\Administrator>

Thanks for trying to be helpful. I'm not sure how to use any of that to make these services stop listening on those ports though? I'm pretty sure that they don't NEED to be listening on them, since my computer doesn't crash if I unplug my modem.

 

So if someone could please actually try to answer my question instead of just being a smartass troll, that would be greatly appreciated ^^
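The netstat -abo explanation and the pasted listing above can be turned into a short inventory of what actually accepts traffic. This is an added example, not code from the thread or from Windows: a Python parser for the netstat -abo layout that drops CLOSE_WAIT/TIME_WAIT entries (old connections, which make up most of the dump above) and groups the real listeners by owning process. The sample text is constructed in that layout, and the name-to-port map is an assumption taken from the Windows services file.

```python
import re

# Constructed sample in the layout of `netstat -abo` on Windows XP (not the
# thread's dump): TCP listeners, one CLOSE_WAIT connection, UDP with a service.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    none:epmap             none:0                 LISTENING       888
  [svchost.exe]

  TCP    none:http              none:0                 LISTENING       2564
  [lighttpd.exe]

  TCP    none:http              r2d2.satgate.net:60424  CLOSE_WAIT      2564
  [lighttpd.exe]

  UDP    none:1059              *:*                                    792
  Dnscache
  [svchost.exe]
"""

# Names netstat prints instead of numbers (assumed, from the services file).
WELL_KNOWN = {"epmap": 135, "http": 80, "isakmp": 500,
              "microsoft-ds": 445, "ipsec-msft": 4500}

# proto, local address, foreign address, optional state (absent for UDP), PID
SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Parse netstat -abo output, one unwrapped line per socket; the lines
    after it name the hosting service (svchost) and the [executable]."""
    records = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            records.append({"proto": proto, "local": local, "state": state or "",
                            "pid": int(pid), "exe": "", "service": ""})
        elif (s := line.strip()) and records:  # header lines precede any record
            if s.startswith("[") and s.endswith("]"):
                records[-1]["exe"] = s[1:-1]
            else:
                records[-1]["service"] = s
    return records

def local_port(record):
    """Local port as a number; named ports are resolved through WELL_KNOWN."""
    name = record["local"].rsplit(":", 1)[-1]
    return int(name) if name.isdigit() else WELL_KNOWN.get(name, name)

def listeners(records):
    """Sockets that accept unsolicited traffic: TCP in LISTENING and every bound
    UDP socket. CLOSE_WAIT/TIME_WAIT entries are old connections, not listeners."""
    return [r for r in records
            if (r["proto"] == "TCP" and r["state"] == "LISTENING")
            or r["proto"] == "UDP"]

def by_process(records):
    """Map (pid, exe, service) to the sorted 'PROTO/port' entries it listens on."""
    out = {}
    for r in listeners(records):
        key = (r["pid"], r["exe"], r["service"])
        out.setdefault(key, set()).add(f'{r["proto"]}/{local_port(r)}')
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for (pid, exe, svc), ports in sorted(by_process(parse_netstat(SAMPLE)).items()):
        print(f"PID {pid:>5}  {exe:<14} {svc:<10} {', '.join(ports)}")
```

Redirect the real output into a file first (netstat -abo > netstat.txt) so nothing scrolls off the console, then pass the file's contents to parse_netstat, which expects each socket on one unwrapped line.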

Port 135 (googled and found this)

 

Name:

dcom-scm

Purpose:

DCOM Service Control Manager

Description:

Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.

Related Ports:

111

 

 

 

Background and Additional Information:

 

Port 135 is certainly not a port that needs to be, or should be, exposed to the Internet. Hacker tools such as "epdump" (Endpoint Dump) are able to immediately identify every DCOM-related server/service running on the user's hosting computer and match them up with known exploits against those services.

 

Any machines placed behind a NAT router (any typical residential or small business broadband IP-sharing router) will be inherently safe. And any good personal software firewall should also be able to easily block port 135 from external exposure. That's what you want.

 

In addition, many security conscious ISPs are now blocking port 135 along with the notorious "NetBIOS Trio" of ports (137-139). So even without any of your own proactive security, you may find that port 135 has been blocked and stealthed on your behalf by your ISP.

 

Going Further: Closing port 135

 

The widespread exposure and insecurity of this port has generated a great deal of concern among PC gurus. This has resulted in several approaches to shutting down the Windows DCOM server and firmly closing port 135 once and for all. Although applications may be "DCOM enabled" or "DCOM aware", very few, if any, are actually dependent upon the presence of its services. Consequently, it is usually possible (and generally desirable if you're comfortable doing such things) to shut down DCOM and close port 135 without any ill effects. (The fewer things running in a Windows system, the fewer things to suck up RAM and slow everything else down.)

 

If you are curious about taking control of and terminating another unnecessary Windows "service", the following links will provide you with the information and instructions you'll need:

 

Port 1025: (Googled and found this)

 

Name:

blackjack

Purpose:

network blackjack

Description:

Microsoft operating systems tend to allocate one or more unsuspected, publicly exposed services (probably DCOM, but who knows) among the first handful of ports immediately above the end of the service port range (1024+).

Related Ports:

1024, 1026, 1027, 1028, 1029, 1030

 

 

 

Background and Additional Information:

 

The most distressing aspect of this, is that these service ports are wide open to the external Internet. If Microsoft wants to allow DCOM services and clients operating within a single machine to inter-operate, that's fine. But in that case the DCOM service ports should be "locally bound" so that they are not wide open and flapping in the Internet breeze. This is trivial to do, but Microsoft doesn't bother. Or, if there might be some reason to have DCOM used within a local area network, DCOM traffic could be generated with packets having their TTL (time to live) set down to one or two. This would allow DCOM packets complete local freedom, but they would expire immediately after crossing one or two router hops. The point is, there are many things Microsoft could easily do if they had any true concern for, or understanding of, Internet security.

 

Who knows what known or unknown, discovered or yet to be discovered vulnerabilities already exist in those exposed servers and services? This is PRECISELY the situation which hit end users who didn't realize they were running a personal version of Microsoft's IIS web server when the Code Red and Nimda worms hit them and installed backdoor Trojans in their systems. And it's IDENTICAL to the situation when the SQL Slammer worm ripped across the Internet and tens of thousands of innocent end users discovered, to their total surprise, that some other software (Here's an off-site link to SQL-installing applications.) had silently installed Microsoft's insecure and now exploited SQL server into their machines, and that server had silently opened their ports 1433 and 1434 to the entire Internet.

 

If you are reading this page because our port analysis has revealed that you have open ports lying between 1024 and 1030, it would certainly be in your best interests to configure your personal firewall to block incoming connection requests (TCP SYN packets) to those low-numbered ports.

 

Unfortunately, since Windows initially initiates outgoing connections from this same low-numbered port range (as the first ports it uses immediately after booting), you may need to be careful with the configuration of your firewall rules. Otherwise you may find that the first several outbound connection attempts made by Windows will fail because returning traffic has been blocked at your firewall. However, any good stateful personal firewall, such as Zone Alarm and probably others, ought to block these low-numbered ports automatically. And, of course, placing any network behind a NAT router provides extremely good hardware firewall protection for your system(s).

 

Do not ask me or anyone else to explain this. We don't know **** about these ***** ports any more than you do.

Sorry I forgot to say, I already have one.

The problem is that these services are still listening on these ports, and this can be dangerous especially if the firewall is not 100% perfect and something gets through.

So I am trying to find a way to make these services stop accepting outside connections on these ports (especially the RPC service since it controls a lot of stuff that happens in Windows)

Thank you for trying to be helpful, I really appreciate it. I'm not sure who posted the answer or where though, could you please tell me? In case you missed it, my question is how do I prevent the RPC service from trying to accept outside connections (obviously besides KILLING the RPC service). In other words, so that it will stop trying to listen on port 135. Please forgive me for being such an idiot and being inferior to you, I just can't find where anybody has told me how to actually do this, so please tell me where, that would be very nice :)

 

Also you might want to look into www.alt.com if you like to try to insult people and put them down. This forum is not really meant for that ^^

http://www.windowsecurity.com/articles/Customizing-Windows-Firewall.html

 

there! that wasn't too fucking hard. took 2 minutes on google, and only because my internet is running slow.

 

Also, a word of caution. Both of those ports are open because of Windows. Closing them COULD stop some core Windows services. You will really just need to block them and see what happens. Personally, I don't see what the big deal is about them being open. Also, if you had a router you could restrict the ports that way. But don't ask us to explain that here. We don't know what router you have, and don't want to learn about it just to help. Google is great, or the manual.
