Help – my ports are being monitored!

  • October 26, 2002

The world is full of people who believe that by buying a set of tools, they will automatically acquire the skills to improve their cars, houses and other belongings. The reality is that they often cause a lot of damage, which is either left “as is” for years, or requires the work of a professional to repair.

In the wrong hands, any tool becomes anywhere from useless to positively dangerous. A scalpel may be used to perform intricate life-saving surgery. But not in my hands, and unless you’re a surgeon, probably not in yours either.

Market forces being what they are, an endless variety of online security tools and applications has sprung up over the past few years. These may act as a firewall between your system and the outside world, may protect your hard drives from viruses, and may keep your system clean of trojans or trojan horses.

One fairly common tool is some form of application that monitors the ports on your system.

Let’s take a quick step back, and make sure that we’re clear on what a port actually is. The basic idea is that your computer does not have a single “internet” channel as such. Although your connection may use one actual cable, the fact is that your computer will communicate different types of data through different outlets or ports. So, for example, your web browser will use one particular port while you surf the web. Your email software will use a different port. If you use a webcam, this may use a whole load of different ports, for video, speech, maintaining the connection and so on.

To ensure that different applications don’t conflict with each other, standardised conventions have emerged with time. For instance, most web browsers will use HTTP, which uses port 80 by default, most email applications use port 25 for sending mail and port 110 for receiving it, and most newsgroup applications will use port 119.

The problem is that different applications use many different ports. Almost all of them do so for very legitimate reasons. A very common scenario is that a person installs some form of port monitor or firewall software, which then alerts them when a certain application tries to use these ports.

At the time of writing this article, the following warning popped up:

At **:** on **/**/2002 the following communication was detected:

Protocol: TCP (Inbound)
Remote address ***.**.111.34 : 3439

A remote computer is attempting to establish a connection with your computer.

The question is, how on earth are you supposed to know what this means? And how are you supposed to understand what any similar alerts that may appear in the future mean? One way is to learn. Do a search on Google for phrases like “port monitoring”, and you’ll see there is no shortage of places to look for information. But the fact is that there’s a lot of confusing information to absorb, and it may be some time before you’re confident enough to understand the risks that may or may not be involved.

My own belief is that taking some basic preventative steps is many times more effective than floundering for a cure later. Let’s break the issue down into two basic areas: people, sites or servers trying to access your computer from outside, and software on your system that is trying to “get out” through your web connection.

I have to admit to having a very basic rule for the incoming traffic. It’s basic common sense. If I am online, and I get an alert from my firewall that XXX is trying to access port YYY on my machine, I have two options: let it, or deny it. If I’m expecting something from that person, e.g. an incoming voice chat, I’ll accept it. If I don’t know what it is, I’ll deny it. If I block someone or something and they need to get through, what’s the worst thing that can happen? If in doubt, keep it out.

As for the software on my system that needs to use various ports to “get out”, this is a little more complicated. I know my email software will use port 25, and I know my newsgroup reader uses 119. But last time I looked, the video conferencing software I use used a staggering number of different ports. So how can I know if the application trying to use a certain port is legitimate or not?

Simple. I let a² personal do the work for me. a² personal is a fast and reliable trojan remover which detects and deletes trojan horses. Meaning that by periodically running the software, I can be sure that my system is free of any unwanted nasties that may be performing undesired acts with my ports. This way I know my system is clean, so anything accessing the web is doing so legitimately.
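The following added example, which is not part of the original article or of a² personal, applies the inbound and outbound rules above to a constructed listing in the layout of Windows `netstat -ano`. It ties each connection to the program that owns it, reports every listening port and accepted inbound connection, and flags outbound connections to ports a program is not expected to use. The PID-to-program map, the program names and the allowlist are assumptions made for the example.

```python
# Constructed sample in the layout of Windows `netstat -ano` (not real data).
SAMPLE = """\
  Proto  Local Address       Foreign Address     State        PID
  TCP    0.0.0.0:5000        0.0.0.0:0           LISTENING    3020
  TCP    192.168.1.10:1045   203.0.113.5:80      ESTABLISHED  2140
  TCP    192.168.1.10:1046   198.51.100.7:25     ESTABLISHED  1312
  TCP    192.168.1.10:1050   198.51.100.9:9999   ESTABLISHED  3020
  TCP    192.168.1.10:5000   203.0.113.77:3439   ESTABLISHED  3020
"""
# Hypothetical PID-to-program map; on a real system it comes from `tasklist`.
PROCESSES = {2140: "browser.exe", 1312: "mailclient.exe", 3020: "helper.exe"}
# Assumed allowlist of remote ports per program, using the ports named in the article.
EXPECTED = {"browser.exe": {80}, "mailclient.exe": {25, 110}, "newsreader.exe": {119}}

def parse_netstat(text):
    """Return one dict per TCP row; header and UDP rows (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        rows.append({"local_port": int(local.rsplit(":", 1)[1]),
                     "remote_port": int(remote.rsplit(":", 1)[1]),
                     "state": state, "pid": int(pid)})
    return rows

def review(rows, processes, expected):
    """List (kind, program, port) entries that the allowlist does not explain."""
    listening = {r["local_port"] for r in rows if r["state"] == "LISTENING"}
    findings = []
    for r in rows:
        name = processes.get(r["pid"], "unknown")
        if r["state"] == "LISTENING":
            # A listening port is what an inbound connection can reach.
            findings.append(("listener", name, r["local_port"]))
        elif r["state"] == "ESTABLISHED" and r["local_port"] in listening:
            # The remote side connected to us; its port number is chosen by the remote side.
            findings.append(("inbound", name, r["local_port"]))
        elif r["state"] == "ESTABLISHED" and r["remote_port"] not in expected.get(name, set()):
            findings.append(("outbound", name, r["remote_port"]))
    return findings

if __name__ == "__main__":
    for finding in review(parse_netstat(SAMPLE), PROCESSES, EXPECTED):
        print(finding)
```

For an inbound connection, the remote port in an alert like the one quoted earlier is only the source port picked by the remote machine; the local port and the program listening on it are what identify the service being reached.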

Have a Great (Malware-Free) Day!
