Open ports. Safe?

My friend is currently running the default firewall with "Block all incoming connection" (except the basic ones like 80). I just scanned his mac for open ports and I found the following:

 Open TCP Port:     3128        ndl-aas
 Open TCP Port:     8080        http-alt

Is it normal to have those ports open, or does he have something fuzzy installed?

Neither of those ports is opened by the OS. You will want to run a command like sudo lsof|grep LISTEN to figure out what processes have opened those ports on the Mac.

See http://support.apple.com/kb/TS1629 for documented ports that Apple uses and note that neither are used other than 10.4 server and earlier where port 8080 was part of jboss as a stock component of server.

It's not normal to have ports open unless configured otherwise. You can find the names of the programs that are listening at these ports using the following command in Terminal (under /Applications/Utilities):

lsof -i :3128
lsof -i :8080

The first column of the output would be the program name.

Ports 3128 and 8080 are typically used by HTTP proxy software, such as squid (which uses port 3128 by default.)

Port 8080 is also often used by a local web server used for development or similar, typically because the root account is generally required to listen on port 80.