Port 1028 in Win XP Pro - do I need an external router?

Hello,

I am running a single computer, Compaq Presario R4025CA, with a broadband (cable) connection under Win XP Pro. I just use the XP firewall.

When I go to grc.com and use their ShieldsUp, they tell me that my port 1028 is wide open. I am concerned about intrusions. I can't find any way to close this port under Win XP. Is there one?

Do I need to get a hardware firewall (router)?

I tried comodo firewall a couple of years ago but it drove me to distraction, and I'm not sure that it ever really did what I wanted it to do.

Any suggestions greatly appreciated.

Thank you, Mary

Reply to
Mary Sunshine

Mary, what are your Windows XP Firewall rules set as? Do you have an exception for that port?

I personally do not fully trust software firewalls 100%. I keep Windows Firewall on in addition to a NAT router in my home office.

Sam Hays, MCSE, MCSA

Reply to
gsamuelhays

Why? Because the broken application on a charlatan's website tells you some nonsense?

DCE-RPC bindings?

No. Why do you think so?

Well, I can assure you that it didn't.

Reply to
Sebastian G.

Recheck using some other firewall test.

For example, you can use

formatting link
To check port 1028, select custom scan, and for your IP from this header the command should look something like this:

-sS -sU -P0 -p 1028 66.102.80.103

Router is a good idea.

Reply to
alf

Thanks! I went there and got this:

Scan Result

Nmap Options: -sS -sU -P0 -p 1028 66.102.80.103

Starting Nmap 4.11 ( formatting link ) at 2007-08-31 19:16 Central Europe Daylight Time
Interesting ports on cbl-66-102-80-103.wtccommunications.ca (66.102.80.103):
PORT     STATE         SERVICE
1028/tcp open          unknown
1028/udp open|filtered ms-lsa

Nmap finished: 1 IP address (1 host up) scanned in 2.922 seconds

So apparently it really is open.

I haven't made an exception for any ports in my Win XP firewall settings: only for the internet apps that I use regularly.

If I get a router, will my port 1028 then show as closed?

Thank you!

Mary

Reply to
Mary Sunshine

Mary Sunshine wrote: ...

If the port isn't forwarded and if the port is not open on router built in firewall it should be closed.

But you should investigate what is behind TCP 1028.

Open command prompt and run: netstat -ano

Note a PID number on a TCP 1028 connection. Then check in a task manager, by checking PID, what process is opening that port.

Reply to
alf

Thank you!

I did that and got:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Mary Sxxxxxx>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       164
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       164
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1384
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       164
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       164
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:2103           0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:2105           0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:2107           0.0.0.0:0              LISTENING       1500
  TCP    66.102.80.103:139      0.0.0.0:0              LISTENING       4
  TCP    66.102.80.103:1105     72.14.203.104:80       ESTABLISHED     3532
  TCP    66.102.80.103:1158     64.233.187.104:80      ESTABLISHED     3532
  TCP    66.102.80.103:1159     64.233.167.147:80      ESTABLISHED     3532
  TCP    66.102.80.103:1160     64.233.179.99:80       ESTABLISHED     3532
  TCP    66.102.80.103:1161     64.233.179.99:80       ESTABLISHED     3532
  TCP    66.102.80.103:1162     64.233.179.99:80       ESTABLISHED     3532
  TCP    66.102.80.103:1164     64.233.179.99:80       ESTABLISHED     3532
  TCP    66.102.80.103:1165     64.233.179.99:80       ESTABLISHED     3532
  TCP    66.102.80.103:1166     64.233.179.99:80       ESTABLISHED     3532
  TCP    66.102.80.103:1167     64.233.179.99:80       ESTABLISHED     3532
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2924
  TCP    127.0.0.1:1035         127.0.0.1:1036         ESTABLISHED     3532
  TCP    127.0.0.1:1036         127.0.0.1:1035         ESTABLISHED     3532
  TCP    127.0.0.1:1037         127.0.0.1:1038         ESTABLISHED     3532
  TCP    127.0.0.1:1038         127.0.0.1:1037         ESTABLISHED     3532
  UDP    0.0.0.0:161            *:*                                    948
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    1100
  UDP    0.0.0.0:1027           *:*                                    1500
  UDP    0.0.0.0:1039           *:*                                    1576
  UDP    0.0.0.0:3456           *:*                                    164
  UDP    0.0.0.0:3527           *:*                                    1500
  UDP    0.0.0.0:4500           *:*                                    1100
  UDP    66.102.80.103:123      *:*                                    1520
  UDP    66.102.80.103:137      *:*                                    4
  UDP    66.102.80.103:138      *:*                                    4
  UDP    66.102.80.103:1900     *:*                                    1620
  UDP    127.0.0.1:123          *:*                                    1520
  UDP    127.0.0.1:1900         *:*                                    1620

I don't see port 1028 showing up here.

So, what now?

Mary

Reply to
Mary Sunshine

Thanks. Can I find that in Control Panel?

Mary

Reply to
Mary Sunshine

Check in task manager what process has PID 1500.

Reply to
alf
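
The netstat-to-PID lookup walked through in the posts above, as an added example that is not part of any poster's message: it parses `netstat -ano` text and groups the sockets reachable from the network by owning PID. The function names are hypothetical and the sample rows are abridged from the output posted in this thread.

```python
import re
from collections import defaultdict

# Rows abridged from the netstat -ano output posted in this thread.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1384
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       1500
  TCP    66.102.80.103:139      0.0.0.0:0              LISTENING       4
  TCP    66.102.80.103:1105     72.14.203.104:80       ESTABLISHED     3532
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2924
  UDP    0.0.0.0:1027           *:*                                    1500
  UDP    127.0.0.1:1900         *:*                                    1620
"""

# proto, local ip:port, foreign address, optional state (UDP rows have none), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def parse(text):
    """Yield (proto, local_ip, local_port, state, pid) for each socket row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, ip, port, _foreign, state, pid = m.groups()
            yield proto, ip, int(port), state or "", int(pid)

def exposed_listeners(text):
    """Map PID -> sorted [(proto, port)] for sockets not bound to loopback."""
    by_pid = defaultdict(set)
    for proto, ip, port, state, pid in parse(text):
        if ip.startswith("127.") or ip == "[::1]":
            continue  # loopback-only sockets are not reachable from outside
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound/established connections are not listeners
        by_pid[pid].add((proto, port))
    return {pid: sorted(socks) for pid, socks in by_pid.items()}

def owner_of(text, proto, port):
    """Return the PIDs holding the given protocol/port open to the network."""
    return sorted(pid for pid, socks in exposed_listeners(text).items()
                  if (proto, port) in socks)

if __name__ == "__main__":
    for pid, socks in sorted(exposed_listeners(SAMPLE).items()):
        print(pid, socks)
```

Grouping by PID shows every port a single service holds open, so one Task Manager lookup covers all of them.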

Hmmm .... it's mqsvc.exe

I googled it up, and most results so far *seem* to think that the process is safe, and also that it can be disabled if desired.

Heh ... what would you do in my position, then (given that you would suddenly find yourself to be an ignoramus about all this stuff) ?

:-)

Mary

Reply to
Mary Sunshine

If it is located in C:\Windows\System32 then it is a Windows legal file, and if we ignore process infection then it is probably not malware.

I would disable it, and retest a firewall.

Reply to
alf

Nice to follow this thread and see someone getting genuine help, rather than having sarcasm heaped on them!

Jim Ford

Reply to
Jim Ford

Thank you kindly. I will do that!

Mary

Reply to
Mary Sunshine

Not at all.

Now will you please search the MS Knowledge base for the registry settings and the rpccfg.exe tool.

Reply to
Sebastian G.

And the result is ....

PORT     STATE         SERVICE
1028/tcp filtered      unknown
1028/udp open|filtered ms-lsa

Also, now the netstat command shows no process running on port 1028.

And FWIW, grc.com says I'm good.

Thanks!

Reply to
Mary Sunshine

Agree with you Jim, more of @lf like colleagues would be nice in the world.

Reply to
Otto Sykora

Better forget GRC, and better forget ShieldsUp.

Yours, VB.

Reply to
Volker Birk

Try to scan from internal. You may get scan results which include information about your provider's network, if they're modifying something on the line.

If so, this is very strange. What do Microsoft support say?

Unsure.

Yours, VB.

Reply to
Volker Birk
