Why are these ports running on a Windows Server 2003?

Doug Fox

Did an internal port scan on a number of Windows Server 2003 machines and found the
following ports, but they seem weird. Any
comments/suggestions/information would be appreciated.

85 (MIT ML Device)
264 (BGMP)
039 (Streamlined Blackhole)
1041 (AK2 Product)
1043 (BONIC Client Control)
1051 (Optima VNET)
1052 (Dynamic DNS Tools)
1074 (FASTechnologies License Manager)
1098 (RMI Activation)
1106 (ISOIPSIGPORT-1)
1119 (Battle.net Chat/Game Protocol)
1208 (SEAGULL AIS)
1264 (PRAT)
1302 (Cl3-Software-2)
1360 (MIMER)
1366 (Novell NetWare Comm Service Platform) - We don't have Novell stuff on
our network!!
1378 Elan License Manager
4000 (Terabase)
5998 (Asp module for Apache servers)
6001 (Rainbow SuperPro Net network Services)
6071 (SSDTP)
6502 (BoKS Servm)
6503 (BoKS Clntd)
6504 ??

Best regards,
 
Steven L Umbach

A lot depends on what you have installed on that server as applications and
services. The above 1024 ports are generally used as a client port randomly
selected to connect to a server service though trojans are also known to use
them. If connected, the server address/port used could also be of help in
finding out what is going on. There are some free tools from SysInternals
called TCPView and Process Explorer that can be very
helpful in identifying port use by mapping to the process/executable and
showing the publisher name that can help you determine if it is a legitimate
process or application [hopefully you have a baseline or documentation to
compare to] though unless the file used for the process is digitally signed
you can not be 100 percent sure that the publisher name is what it says but
not being digitally signed does not mean that it is bogus either.

I would certainly question these and as an administrator be able to identify if
all of them are legitimate or not with the help of the tools I mentioned.
For instance why is 1119 Battle.net Chat/Game Protocol showing as a process
on a server? You could also search Google for any port or description you
have listed if you need further assistance in trying to track them down
which is what I do. Of course the server should be scanned with a quality
malware program and a spyware program such as Microsoft AntiSpyware, AdAware
SE, etc which can help in identifying malware, spyware and suspicious
programs. If it appears that a lot of these processes are accessing the
internet and should not be, consider using a firewall that has a block all
default outbound rule and then you define the exceptions for authorized
access. The Windows 2003 Security Guide also has guidance on how to create
and assign an IPsec filtering policy for a Windows 2003 Server based on its
role. Software Restriction Policies can also be implemented to stop the
installation of and use of unauthorized software.

--- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- XP and Windows 2003 Software Restriction Policies
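
The port-to-process triage described in the reply above can also be scripted from saved `netstat -ano` output. The following is an added example, not part of the original thread: it separates listening sockets from outbound client connections and flags listeners missing from a documented baseline. The sample output, PIDs, image names and baseline entries are all constructed for illustration.

```python
# Added example: netstat sample, PIDs, image names and baseline are constructed.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1041           0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:1119           0.0.0.0:0              LISTENING       2216
  TCP    10.0.0.5:1052          10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:1043           *:*                                    1208
"""
# PID -> image name, as `tasklist` or Process Explorer would report (constructed).
SAMPLE_PROCESSES = {4: "System", 704: "svchost.exe", 432: "lsass.exe",
                    2216: "updater.exe", 1208: "dns.exe"}
# Documented baseline of sockets this server role is expected to open (hypothetical).
BASELINE = {("TCP", 135): "RPC endpoint mapper", ("TCP", 445): "SMB",
            ("TCP", 1041): "lsass.exe dynamic RPC endpoint"}

def parse_netstat(text):
    """Yield one dict per TCP/UDP row of `netstat -ano` output."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so they carry four fields, not five.
        state = fields[3] if len(fields) == 5 else ""
        yield {"proto": fields[0], "port": int(fields[1].rsplit(":", 1)[1]),
               "remote": fields[2], "state": state, "pid": int(fields[-1])}

def unexplained_listeners(text, processes, baseline):
    """Listening TCP sockets and bound UDP sockets that are not in the baseline."""
    found = []
    for s in parse_netstat(text):
        if s["proto"] == "TCP" and s["state"] != "LISTENING":
            continue  # client-side or established socket, handled separately
        if (s["proto"], s["port"]) not in baseline:
            found.append((s["proto"], s["port"], s["pid"],
                          processes.get(s["pid"], "unknown")))
    return sorted(found)

def client_connections(text):
    """Established TCP sockets with the remote address/port they talk to."""
    return [(s["port"], s["remote"], s["pid"]) for s in parse_netstat(text)
            if s["proto"] == "TCP" and s["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    for row in unexplained_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES, BASELINE):
        print("investigate:", row)
    for row in client_connections(SAMPLE_NETSTAT):
        print("outbound:", row)
```

Each flagged row still needs the executable path and digital signature checked in Process Explorer, since an image name alone does not establish that a process is legitimate.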
 