Very concerned

[ovi]

I own 2 computers: 1 runing Windows XP and one Linux (Fedora Core) from the linux machine I have scan my windows machine ports and I got this results:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-30 15:05 EEST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on ovi (xx.xx.62.66):
(The 1658 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
80/tcp open http?
443/tcp open https?
1025/tcp open msrpc Microsoft Windows msrpc
5000/tcp open upnp Microsoft Windows UPnP
5101/tcp open admdog?
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Pro or Advanced Server, or Windows XP, Microsoft Windows 2000 SP3, Microsoft Windows XP SP1
Nmap finished: 1 IP address (1 host up) scanned in 77.043 seconds

So you can see this ports are opened:
1025/tcp open msrpc Microsoft Windows msrpc
5000/tcp open upnp Microsoft Windows UPnP

I could not close this ports from any firewall runing on the windows machine. At the moment I run Sygate Personal Firewall. I have close that port even incoming than outgoing without success.

Now came the best part from the linux machine I try to conect to the windows machine trough that ports and surprise. The connection was ok. I could not done nothing bad but I am convinced that if I have the proper exploit I could done something bad.
Here is the log for the connection:

[root@dell ~]# telnet xx.xx.62.66 1025
Trying xx.xx.62.66...
Connected to xx.xx.62.66 (82.77.62.66).
Escape character is '^]'.


[root@dell ~]# telnet xx.xx.62.66 5000
Trying xx.xx.62.66...
Connected to xx.xx.62.66 (82.77.62.66).
Escape character is '^]'.


[root@dell ~]# telnet xx.xx.62.66 5101
Trying xx.xx.62.66...
Connected to xx.xx.62.66 (82.77.62.66).
Escape character is '^]'.

So you can see the connection was done

I am sure that everyone that run Win XP have this problem.

Can anyone advise?

Ovi

 

[ovi]

Hmmm

Look what I found regarding the 1025 port:

Port 1025

Name:
blackjack
Purpose:
network blackjack
Description:
Microsoft operating systems tend to allocate one or more unsuspected, publicly exposed services (probably DCOM, but who knows) among the first handful of ports immediately above the end of the service port range (1024+).
Related Ports:
1024, 1026, 1027, 1028, 1029, 1030



Background and Additional Information:

The most distressing aspect of this, is that these service ports are wide open to the external Internet. If Microsoft wants to allow DCOM services and clients operating within a single machine to inter-operate, that's fine. But in that case the DCOM service ports should be "locally bound" so that they are not wide open and flapping in the Internet breeze. This is trivial to do, but Microsoft doesn't bother. Or, if there might be some reason to have DCOM used within a local area network, DCOM traffic could be generated with packets having their TTL (time to live) set down to one or two. This would allow DCOM packets complete local freedom, but they would expire immediately after crossing one or two router hops. The point is, there are many things Microsoft could easily do if they had any true concern for, or understanding of, Internet security.

Who knows what known or unknown, discovered or yet to be discovered vulnerabilities already exist those exposed servers and services? This is PRECISELY the situation which hit end users who didn't realize they were running a personal version of Microsoft's IIS web server when the Code Red and Nimda worms hit them and installed backdoor Trojans in their systems. And it's IDENTICAL to the situation when the SQL Slammer worm ripped across the Internet and tens of thousands of innocent end users discovered, to their total surprise, that some other software (Here's an off-site link to SQL-installing applications.) had silently installed Microsoft's insecure and now exploited SQL server into their machines, and that server had silently opened their ports 1433 and 1434 to the entire Internet.

If you are reading this page because our port analysis has revealed that you have open ports lying between 1024 and 1030, it would certainly be in your best interests to configure your personal firewall to block incoming connection requests (TCP SYN packets) to those low-numbered ports.

Unfortunately, since Windows initially initiates outgoing connections from this same low-numbered port range (as the first ports it uses immediately after booting), you may need to be careful with the configuration of your firewall rules. Otherwise you may find that the first several outbound connection attempts made by Windows will fail because returning traffic has been blocked at your firewall. However, any good stateful personal firewall, such as Zone Alarm and probably others, ought to block these low-numbered ports automatically. And, of course, placing any network behind a NAT router provides extremely good hardware firewall protection for your system(s).

Trojan Sightings: Fraggle Rock, md5 Backdoor, NetSpy, Remote Storm

 

[ovi]

Very tired

I feel very tired and nervous about this problem. In weekend I will pass on Linux.

Ovi