open port 4567

When I run the online Symantec Security Check it shows an open port. It
says, "Security Status: At Risk! You are vulnerable to at least one form of
security threat." The details show all ports Stealth except for Port 4567.
It shows that one open. How do I close this port?

marcew
Sat Feb 17 12:41:03 CST 2007

Thanks for the reply. I used TCPview and it didn't show port 4567. Does
TCPview show an open port even if no one is listening in on it? Could it be
that it is open and vulnerable even if it isn't being used? Is file name the
name of the port or is it a program that opens that port? I can't find any
program named filename or file name. I've been trying for about 3 weeks now
to find a way to close this port.


"B. Nice" wrote:

> On Fri, 16 Feb 2007 22:21:02 -0800, marcew
> <marcew@discussions.microsoft.com> wrote:
>
> >When I run the online Symantec Security Check it shows an open port. It
> >says, "Security Status: At Risk! You are vulnerable to at least one form of
> >security threat." The details show all ports Stealth except for Port 4567.
> >It shows that one open.
>
> >How do I close this port?
>
> By removing the program that opened it.
>
> Could be "File Nail" - it's known for listening on port 4567.
>
> Use a program like TCPview to see what program opened it. It's
> probably malware and your system could be compromised.
>

marcew
Sat Feb 17 12:48:12 CST 2007

Correction. That should have been file nail or filenail.

"marcew" wrote:

> Thanks for the reply. I used TCPview and it didn't show port 4567. Does
> TCPview show an open port even if no one is listening in on it? Could it be
> that it is open and vulnerable even if it isn't being used? Is file name the
> name of the port or is it a program that opens that port? I can't find any
> program named filename or file name. I've been trying for about 3 weeks now
> to find a way to close this port.
>
>
> "B. Nice" wrote:
>
> > On Fri, 16 Feb 2007 22:21:02 -0800, marcew
> > <marcew@discussions.microsoft.com> wrote:
> >
> > >When I run the online Symantec Security Check it shows an open port. It
> > >says, "Security Status: At Risk! You are vulnerable to at least one form of
> > >security threat." The details show all ports Stealth except for Port 4567.
> > >It shows that one open.
> >
> > >How do I close this port?
> >
> > By removing the program that opened it.
> >
> > Could be "File Nail" - it's known for listening on port 4567.
> >
> > Use a program like TCPview to see what program opened it. It's
> > probably malware and your system could be compromised.
> >

marcew
Sun Feb 18 12:20:22 CST 2007

I have 3 computers networked together. I am connected through a router. One
computer is wireless and the other 2 are connected with Ethernet cables. All
3 computers show the same open port when I run the Security Check. I
suspected that it might be the router so I had my ISP check the router but
they didnâ??t find anything. It could still be the router. My ISP is Verizon
FIOS. 2 computer operating systems are XP SP2 and one is Win98SE.

When I run TCPview I donâ??t see Port 4567. The only time I see this open is
when I run the Symantec online Security Check.



"B. Nice" wrote:

> On Sat, 17 Feb 2007 10:41:03 -0800, marcew
> <marcew@discussions.microsoft.com> wrote:
>
> >Thanks for the reply. I used TCPview and it didn't show port 4567.
>
> Okay.
>
> >Does TCPview show an open port even if no one is listening in on it?
>
> I assume what you are asking is: "Is a port open also when not being
> used for connections?" - In that case, yes. "Open" means open for
> connections and should be visible when the program that opens it is
> running. The State coloumn of TCPview should tell you whether a
> connection is actually active.
>
> >Could it be that it is open and vulnerable even if it isn't being used?
>
> Again, assuming you mean: "Is a port open also when not being used for
> connections?" Then Yes. "Open" means something is there.
>
> If instead you mean: "Can a port be open and vulnerable even if not in
> use?", then no.
>
> >Is file name the name of the port or is it a program that opens that port?
>
> A program (File Nail). Ports are only numbers. However, programs like
> TCPview often translates known ports into a more understandable name.
> In TCPview you can toggle that by pressing the A on the toolbar.
> You should look for 4567 in the Local Address coloumn.
>
> >I can't find any program named filename or file name.
>
> In principle the executable can be named anything. The important thing
> is to find which one is listening on port 4567.
>
> >I've been trying for about 3 weeks now
> >to find a way to close this port.
>
> You don't actually "close" ports. Either it's open - which means a
> program is listening for incoming connections or there is nothing at
> all - which is referred to as closed.
>
> You need to do some further investigation. It does'nt have to be the
> file nail trojan that has hit you, BTW. There are more programs using
> port 4567.
>
> Worst case here is that a backdoor was installed and that a hacker
> succeeded in compromising your system bad enough to also hide the
> backdoor from you and the tools you use.
>
> BUT there could also be other much less evil explanations!
>
> When running an online scan it is'nt nescessarily your machine that is
> being scanned. It could just as well be a device like a router or
> firewall upstream ("in front of" your machine so to speak) either at
> yourself or even at your ISP. In the latter case it is of course
> difficult to do anything about it.
>
> So, are you directly connected to the internet (with a public IP
> address)? If not - how?
>
> Are you sharing an internet connection with others?
>
> What windows version are you running?
>
> /B. Nice
>
> --
> Comments I make or advice I may provide is primarily aimed at home users.
>

marcew
Sun Feb 18 17:44:10 CST 2007

I've run TCPview on all 3 computers. I don't see Port 4567 on any of them.
It's only the Symantec online Security Check that shows this port open and it
shows it open on all 3 computers.

"B. Nice" wrote:

> On Sun, 18 Feb 2007 10:20:22 -0800, marcew
> <marcew@discussions.microsoft.com> wrote:
>
> >I have 3 computers networked together. I am connected through a router. One
> >computer is wireless and the other 2 are connected with Ethernet cables. All
> >3 computers show the same open port when I run the Security Check.
>
> That makes sense. The router is most likely the device being scanned.
>
> >I suspected that it might be the router so I had my ISP check the router but
> >they didnâ??t find anything. It could still be the router. My ISP is Verizon
> >FIOS. 2 computer operating systems are XP SP2 and one is Win98SE.
>
> Have you checked all 3 computers? I suspect that the open port is
> caused by a port forward to one of these 3 computers.
>
> >When I run TCPview I donâ??t see Port 4567.
>
> Not on any of the 3 machines?
>
> >The only time I see this open is
> >when I run the Symantec online Security Check.
> >
> >
> >
> >"B. Nice" wrote:
> >
> >> On Sat, 17 Feb 2007 10:41:03 -0800, marcew
> >> <marcew@discussions.microsoft.com> wrote:
> >>
> >> >Thanks for the reply. I used TCPview and it didn't show port 4567.
> >>
> >> Okay.
> >>
> >> >Does TCPview show an open port even if no one is listening in on it?
> >>
> >> I assume what you are asking is: "Is a port open also when not being
> >> used for connections?" - In that case, yes. "Open" means open for
> >> connections and should be visible when the program that opens it is
> >> running. The State coloumn of TCPview should tell you whether a
> >> connection is actually active.
> >>
> >> >Could it be that it is open and vulnerable even if it isn't being used?
> >>
> >> Again, assuming you mean: "Is a port open also when not being used for
> >> connections?" Then Yes. "Open" means something is there.
> >>
> >> If instead you mean: "Can a port be open and vulnerable even if not in
> >> use?", then no.
> >>
> >> >Is file name the name of the port or is it a program that opens that port?
> >>
> >> A program (File Nail). Ports are only numbers. However, programs like
> >> TCPview often translates known ports into a more understandable name.
> >> In TCPview you can toggle that by pressing the A on the toolbar.
> >> You should look for 4567 in the Local Address coloumn.
> >>
> >> >I can't find any program named filename or file name.
> >>
> >> In principle the executable can be named anything. The important thing
> >> is to find which one is listening on port 4567.
> >>
> >> >I've been trying for about 3 weeks now
> >> >to find a way to close this port.
> >>
> >> You don't actually "close" ports. Either it's open - which means a
> >> program is listening for incoming connections or there is nothing at
> >> all - which is referred to as closed.
> >>
> >> You need to do some further investigation. It does'nt have to be the
> >> file nail trojan that has hit you, BTW. There are more programs using
> >> port 4567.
> >>
> >> Worst case here is that a backdoor was installed and that a hacker
> >> succeeded in compromising your system bad enough to also hide the
> >> backdoor from you and the tools you use.
> >>
> >> BUT there could also be other much less evil explanations!
> >>
> >> When running an online scan it is'nt nescessarily your machine that is
> >> being scanned. It could just as well be a device like a router or
> >> firewall upstream ("in front of" your machine so to speak) either at
> >> yourself or even at your ISP. In the latter case it is of course
> >> difficult to do anything about it.
> >>
> >> So, are you directly connected to the internet (with a public IP
> >> address)? If not - how?
> >>
> >> Are you sharing an internet connection with others?
> >>
> >> What windows version are you running?
> >>
> >> /B. Nice
> >>
> >> --
> >> Comments I make or advice I may provide is primarily aimed at home users.
> >>
>

marcew
Sun Feb 18 18:57:05 CST 2007

Are you talking about online scanners for the Security Check or to see what
else is running on my computer? I don't know of any other Security Checks.
Do you have any suggestions?

I've tried Fport to see if it would find port 4567 but it didn't. I only
did that on two of the computers though. Fport wouldn't run on the win98se
computer.

"B. Nice" wrote:

> On Sun, 18 Feb 2007 15:44:10 -0800, marcew
> <marcew@discussions.microsoft.com> wrote:
>
> >I've run TCPview on all 3 computers. I don't see Port 4567 on any of them.
> >It's only the Symantec online Security Check that shows this port open and it
> >shows it open on all 3 computers.
>
> Have you tried with other online scanners?
>

marcew
Tue Feb 20 12:45:43 CST 2007

I ran the Advanced Port Scanner from pcflank and it showed port 4567 open. I
checked a range of ports from 4560 to 4570. 4567 was the only one open.

I checked the Port Forwarding on my router and it's not configured to
forward any ports.

Is there any way to determine exactly where this is coming from? I've
talked to my ISP but all they did was check my router.

"B. Nice" wrote:

> On Sun, 18 Feb 2007 16:57:05 -0800, marcew
> <marcew@discussions.microsoft.com> wrote:
>
> >Are you talking about online scanners for the Security Check or to see what
> >else is running on my computer?
>
> I was thinking about testing the port with another online scanner to
> confirm it.
>
> >I don't know of any other Security Checks.
> >Do you have any suggestions?
>
> For this particular purpose you could use the "Advanced Port Scanner"
> at http://www.pcflank.com/ It allows you to scan a single specific
> port number.
>
> >> >I've run TCPview on all 3 computers. I don't see Port 4567 on any of them.
> >> >It's only the Symantec online Security Check that shows this port open and it
> >> >shows it open on all 3 computers.
>
> The fact that the online check shows the port to be open on all 3
> computers indicates that a device upstream is showing it as open
> (probably by port forwarding). If the other check mentioned confirms
> it, check your own router to see if it is configured to forward port
> 4567 to any machine. If not, it is probably going on at a device
> upstream that you are not in control of.
>

marcew
Wed Feb 21 12:56:47 CST 2007

I couldn't find anything that looked like my router was configured for
configuration access from the outside.

When the Security Check scan is running it shows the IP address of my
router. That's the same address that shows up when I am on any websites.

"B. Nice" wrote:

> On Tue, 20 Feb 2007 10:45:43 -0800, marcew
> <marcew@discussions.microsoft.com> wrote:
>
> >I ran the Advanced Port Scanner from pcflank and it showed port 4567 open. I
> >checked a range of ports from 4560 to 4570. 4567 was the only one open.
>
> Okay.
>
> >I checked the Port Forwarding on my router and it's not configured to
> >forward any ports.
>
> Also check that your router is not somehow configured for
> configuration access from the outside.
>
> >Is there any way to determine exactly where this is coming from? I've
> >talked to my ISP but all they did was check my router.
>
> Next thing you need to confirm is that the device being tested is
> actually yours (your router). You need to compare the "WAN side" or
> "outside IP" address of your router with the IP address being scanned
> by the scanning tools to see if they match.
>
> Some ISP's actually grant you an IP address in the private IP address
> space (e.g. 10.*.*.*) - in which case the device being scanned is not
> in your control.
>