Port 1025 Not Being Blocked By Zone Alarm

Hello Everyone,

I have a slight problem. I recently went to for my usual firewall check up to see how it's working. But to my surprise my port 1025 is open even though I have ZoneAlarm blocking incoming TCP SYN packets to ports 1025-1030 and outgoing signals from 1025.

I need some help so that I can restore my usual pristine security scan.

Additionally, GRC's message had this text in it:

network blackjack


Specs are
Win 2k SP-4 fully updated
Zone Alarm Pro Version
Norton Anti Virus
Adaware Pro v. 6.0
Spybot Search & Destroy .

Any help would be greatly appreciated.

- Collapse -
Tango, Just A Thought...

Although I'm currently on a machine with ZA "Free", check this setting...Open ZA, click on the "Firewall" tab on the left side, then choose the "Main" tab at the top. Make sure BOTH the "Internet Zone Security" and "Trusted Zone Security" settings are set to "HIGH". Then click on the "Advanced" button and UNCHECK all boxes.

Hope this helps.


- Collapse -
Still Open

Thanks for the option but I tried that and the port is still open.

I even scanned with Norton Antivirus 2004. - Nothing

Adaware Pro - Nothing

Spybot - Nothing.

I need this hole sealed.

- Collapse -
Have you (or someone else on your box)...

played any ONLINE card games?

If so that someone likely allows the use of the port.

Look through your advanced settings to see what is allowed.

- Collapse -
Read this!
- Collapse -

I may be mistaken because I didn't fully understand what I've read, but I am under the impression that ports 80 and 25 are normal internet ports (80 for surfing and 25 for email) used by most ISPs....however, some ISPs are now changing them to be 1080 and 1025 or 1880 and 1225, etc.

Could this be a normal open port for him?


- Collapse -

In response to your query, when I usually get scanned by GRC the port is reported as 'stealthed' and I still get normal internet traffic, so that is not the problem.

- Collapse -
Yes Toni, it could well be as...

I attempted to indicate to him when mentioning casino games which are noted for using exactly that port because it is assigned by IANA for Network Blackjack.

Attempting to teach him to fish apparently didn't work (he didn't use the clue to look for what was using the port or what was new or running that wasn't last time he checked). Port 1025 is officially assigned to network blackjack and nothing else. In fact it will be used by the first program or service that tries to establish an outgoing or internal connection after a system boot. Concerning a non-compromised, stand-alone XP System this will usually be the svchost process respectively the system process itself, more or less chosen by chance (also often used by the task scheduler rpc component).

Ports can be used by anything besides what they are normally associated with and if someone is really curious or worried they can use readily available networking tools (netstat -an comes to mind) to monitor usage although netstat doesn't identify the actual process. Fport (one of Foundstone's free tools) does ID the process. Besides Network Blackjack (what IANA assigned it to) 1025 is often used by trojans and keyloggers (here are some common ones - Fraggle Rock, md5 Backdoor, NetSpy, Remote Storm), port 1025 is, by default. It is also often the assigned port for the Active Directory logon and directory replication interface--if this was the case here though he would surely know it as he would have had to have mapped it himself.
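
Added example, not part of the thread: one way to tie a listening port to the process and service that own it, which is the step plain netstat -an leaves out. It assumes output from `netstat -ano` and `tasklist /svc /fo csv`, which exist on Windows XP and later but not on the poster's Windows 2000 (where a tool such as Fport fills that role); both samples are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       820
  TCP    192.168.1.10:1026      203.0.113.5:80         ESTABLISHED     1504
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1504
  UDP    0.0.0.0:1025           *:*                                    820
"""

# Constructed sample of `tasklist /svc /fo csv` output; "Schedule" is the
# service name of the Task Scheduler.
TASKLIST_SAMPLE = '''\
"Image Name","PID","Services"
"svchost.exe","740","RpcSs"
"svchost.exe","820","Schedule,Themes"
"iexplore.exe","1504","N/A"
'''

def parse_tasklist(text):
    """Map PID -> (image name, [hosted services])."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        svcs = [] if row["Services"] == "N/A" else row["Services"].split(",")
        procs[int(row["PID"])] = (row["Image Name"], svcs)
    return procs

def owners_of_port(netstat_text, tasklist_text, port):
    """Return one record per socket on `port` that can receive traffic."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        # TCP rows carry a State column; UDP rows go straight to the PID.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        addr, _, local_port = f[1].rpartition(":")
        if int(local_port) != port:
            continue
        pid = int(f[-1])
        image, svcs = procs.get(pid, ("<unknown>", []))
        found.append({"proto": f[0], "addr": addr, "pid": pid, "image": image,
                      "services": svcs, "exposed": addr in ("0.0.0.0", "[::]")})
    return found
```

The `exposed` flag separates sockets bound to all interfaces, which an external scan can reach if the firewall lets the traffic through, from loopback-only listeners that it cannot.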

- Collapse -
Yes Toni,

Thanks for the information. However to clarify.

1. I checked with my isp and they aren't using that particular port at the moment for internet traffic.

2. I don't have any online casino games on my computer. Never have.

3. I did a NETSTAT -an and it just tells me the port is listening and it is an active connection. *as if I don't already know that.*

4. I'm always notified if the task scheduler wants to access the internet because that.

- Collapse -
Have you (or someone else on your box)

Never play online card games.

- Collapse -
Tango, It's Probably Windows Updates...

Generally the 1025 port is used for "Remote Procedure Calls" and I believe that enabling the "Automatic Updates" for Windows Updates will keep the 1025 port open. Try turning OFF your "Automatic Updates" in the Control Panel/Automatic Updates icon and see if it stealths the port. I prefer to use the Windows Updates site manually so I don't have the problem.

Hope this helps.


- Collapse -
Tango, It's Probably Windows Updates

Well I did as you suggested but my port is still open, even though the expert rules block incoming TCP Packets to this address.

Thanks anyway.

- Collapse -
Wondering if

this is a port that your particular ISP needs to have left open for its automatic antivirus/popup blocker/spam blocker updates as many ISPs are now offering these as 'extras' on their site for free to customers now. (Such as AOL, Netscape, Adelphia, etc)


- Collapse -
Problem Solved

Thanks to both of you for your help. The problem turned out to be the Task scheduler utility from Microsoft. I put it as a program which I will be notified about so that won't happen again.

Again thanks for your help.

- Collapse -
Good going (and fishing ;-) ...
