Port being accessed by other PCs
I recently installed a Motorola SURFboard cable modem on my PC with Windows 2000 Professional on it. I also have ZoneAlarm 3.0 as a firewall. I've recently noticed in my logs that port 1214 is being accessed by other PCs! I don't download music and recently found out that some service named Kazaa uses this port. I've blocked the port in advanced TCP/IP filtering by allowing only the bare essentials to operate. My problem is that when I run Norton Antivirus then PestPatrol, I find nothing amiss. Can you offer some suggestions?
You don't provide enough information to tell, but it's very possible that what you are seeing is attempts by others to determine if you are running Kazaa. If you are not, then their attempt would fail even if ZoneAlarm did not detect it. (Is ZoneAlarm blocking the connection attempt?) You should be aware that many Trojans can be set to use alternative ports, so simply blocking one in advanced filtering is not the answer. In addition, many server applications use a well-known or "assigned" port, while the client connecting to them uses ports above 1023. Typically a range of "ephemeral ports" (or ports used for this purpose) can be assigned or is assigned by the operating system. The server assigns a port to the connecting client. In Windows the range is 1024 through 4999. So, possibly blocking port 1214 might block a legitimate connection to some service. Two resources for more information on this process are a NecFTP Software article
, which lists port ranges for many OSes and gives a brief explanation, and Microsoft's Knowledge Base article Q196271
The point I'm making here is that simple connection attempts occur with ever-increasing frequency as more people scan each other's systems looking for possible openings, or as software, such as Kazaa brazenly looks for fellow participants. The important issue is: are they actually connecting to a service you don't want them to connect to? You can determine what ports are open or listening (meaning that someone could potentially connect to them) by running PORTQRY.EXE (you can also download this tool from this link). Netstat also provides information on listening ports and connections (at the command line enter netstat /? to see how to use netstat in Windows 2000).
If you haven't already, you should visit Kazaa to learn more about this peer-to-peer sharing program. Yes, it does listen on port 1214. You'll find that it's legitimate software that must be downloaded. As such, your antivirus scanners are not going to see it as harmful, and thus not detect it. It is also possible that you downloaded it without realizing it while obtaining some free software to be used for some other purpose. If you are running the software and do not wish to delete it, you may be able to reduce these attempts to connect to your system. Visit the Web site and read the manual -- look for information on "supernodes."
This was first published in November 2002