Ants

Discussion in 'malware problems & news' started by ljc1174, Aug 29, 2002.

Thread Status:
Not open for further replies.
  1. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I d/l Ants, not that I don't like TDS, I do, but I wanted to use something else. I did a port scan and I have two ports open this is what it says...

    Port 2706 offen. Wahrscheinlicher Trojaner: Kein Trojaner gefunden
    Port 5000 offen. Wahrscheinlicher Trojaner: Socket23

    Smack me, but does this mean I have two different trojans? I really should know how to read German, I am German, but I never learned, I am kicking myself now for this!

    Thanx for any help if I'm still helpable, *sigh*.
     
  2. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Ok, I think I'm doing a regular scan for trojans with my entire c:/ drive. If it comes up with anything I'll post it.

    ~Lori
     
  3. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Wait, now I'm confused again, if my firewall is on and was on when I did that portscan, why do I have two open ports?

    o_O
    ~Lori
     
  4. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Ok, maybe d/l'ing this wasn't a good idea, I have no idea what this means.

    Benötigte Zeit: 652 Sekunden
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Lori,
    Always good to try different scanners of course.
    You might like to try some of the online scanners too! I would, with such an alert!
    Did it give a full path to the possible nasty so you know where to look for it or do you now need to hunt your whole system for it?

    What does TDS full system scan, latest update, everything checked and sensitivity on highest say of that?
    Did you have TDS sockets activated?
    Port 5000 is used by many nasties and backdoors, as well as by legit programs like ICQ etc.
    Socket23 or Sockets de Troie.
    Fingers crossed it is not on your system!
    There are reports of false positives of legit connections with this too, btw, like other software listening on the port, so no panic (yet!)
    Can you please keep us updated about your scan results?
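
An added example, not part of the original thread: a port-to-trojan guess like the scanner line quoted above cannot tell which program holds the port, so the useful check is to resolve each listening port to its owning process. The `netstat -ano` and `tasklist /FO CSV /NH` output below is constructed sample data, and the process names and PIDs in it are assumptions.

```python
import csv
import io

# Constructed sample of Windows `netstat -ano` output (not from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2706           0.0.0.0:0              LISTENING       1720
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1044
  TCP    192.168.0.10:1063      203.0.113.5:80         ESTABLISHED     1720
"""

# Constructed sample of `tasklist /FO CSV /NH` output (names are placeholders).
TASKLIST_SAMPLE = '''\
"svchost.exe","1044","Console","0","4,112 K"
"example_app.exe","1720","Console","0","9,840 K"
'''

def parse_listeners(netstat_text):
    """Return {port: pid} for every TCP socket in the LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit keeps IPv6 local addresses such as [::]:5000 intact.
            port = int(fields[1].rsplit(":", 1)[1])
            listeners[port] = int(fields[4])
    return listeners

def parse_tasklist(csv_text):
    """Return {pid: image_name} from tasklist CSV rows."""
    rows = csv.reader(io.StringIO(csv_text))
    return {int(row[1]): row[0] for row in rows if len(row) >= 2}

def owners(ports, netstat_text, tasklist_text):
    """Map each port of interest to the image that is listening on it."""
    listeners = parse_listeners(netstat_text)
    images = parse_tasklist(tasklist_text)
    result = {}
    for port in ports:
        pid = listeners.get(port)
        if pid is None:
            result[port] = "not listening"
        else:
            result[port] = images.get(pid, f"unknown pid {pid}")
    return result

if __name__ == "__main__":
    report = owners([2706, 5000, 8080], NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for port, owner in report.items():
        print(f"port {port}: {owner}")
```

A port whose PID maps to no known image, or to an image in an unexpected location, is the one worth submitting to a scanner; the port number alone decides nothing.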
     
  6. Gladiator

    Gladiator Guest

    Maybe I can help....

    This means: Scan time: 652 secs :D

    and

    Port 2706 offen. Wahrscheinlicher Trojaner: Kein Trojaner gefunden

    means Port 2706 open - possible trojan: Nothing found (no trojan)
    (maybe a program error)

    Greets, Gladiator
     
  7. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I will keep it updated the best I can. An online scan says I have the sockets trojan, that was the reason I ended up on this forum, but when I scan with TDS it finds nothing.

    As far as Ants and a full path, I copied and pasted the results, and that was all it gave me.

    When I start TDS, it says I need to update, I found the update (I think), clicked it, ran it, but it still says I need to update.

    I'm afraid to do anything! I am an accident waiting to happen over here!

    As much as I don't want to, I'll check my TDS settings again and run another scan.

    ~Lori
     
  8. Gladiator

    Gladiator Guest

    You can download my scanner at http://www.gladiator-scanner.de and scan your disk.

    Gladiator
     
  9. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Kewl, thanks... TDS is still scanning, I'll wait until it is finished and then come back to here.

    ~Lori
     
  10. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Jooske,

    (What does TDS full system scan, latest update, everything checked and sensitivity on highest say of that?)
    Full system scan says everything is fine, sensitivity and all settings are where Fan J says to have them from the TDS Conf. instructions.
    (Did you have TDS sockets activated?) With the settings Fan J supplied, aren't sockets already activated? If not, I think I need help finding that...

    I am going to double-double check and make sure it's all up to date, now that I think I know what I'm doing!

    ~Lori
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Lori, two things:
    About the update: do you have a registered version of TDS or evaluation?
    If it is the trial, please get the update file at http://tds.diamondcs.com.au/radius.td3; just grab the file, put it in your TDS directory, nothing to install, and start or reload TDS to make sure it's there.
    You should have today 16742 references.
    Then, if you have sockets initiated, are all green or are there red squares among them?
    You can unload the sockets and automatic initiate them another time to see if any is red, for that would mean something is listening on that port which is not TDS!

    For your next scan you might like to decide to keep the sockets unloaded and see if TDS or ANTS are warning.
    Did the online scan tell which file it is and where it is located? You might like to submit it to support@diamondcs.com.au for the TDS lab to look at the file and tell you what to do with it, and see if it might be innocent or not. You can also immediately submit it from the TDS console after the scan.
    If for instance the one scan says the file is infected and the other says it's not I would most certainly submit the possible nasty.
    BTW if you know where the suspicious thing is located you can also just scan the folder so no need to do the whole HD then.

    But again, don't panic yet, as there are false alarms possible with this Socket23 thing and certainly on port 5000.

    Nice offer Gladiator!

    So you see all the forum is watching how you're doing, fingers crossed for you! Waiting for your next result.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Lori,

    Drop ANTS - period. The actual available version is outdated and abandoned.

    As stated elsewhere: a new version 2.2 is being built.

    Since you do have a (registered, I presume?) version from TDS installed, no need for an outdated abandoned extra anti-trojan.

    regards.

    paul
     
  13. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Ants is gone... thnx Paul...

    Jooske, brb... I have to read yours again! LOL
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    My pleasure - and a good choice, Lori ;)

    regards.

    paul
     
  15. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Jooske,
    I am updated and have all references...

    I'm assuming sockets are unloaded, I am scanning like that I assume as well. I don't know how to load them.

    I'm scanning again now that I know it's all up to date.

    Could someone post how to set the sockets? Or is it best to leave them unloaded?

    ~Lori
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Lori,

    In order to run TDS safe and sound, have a look at this explanation from Jan.

    No need to set sockets. As for further explanations: there's an exhaustive help file ready for download over on the DCS/TDS site.

    regards.

    paul
     
  17. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Thankx again Paul,
    I'll check out those links tonight after dinner.

    Anyone hungry? I'm making steaks and baked potatoes!

    mmm, mmm, goood! :D

    ~Lori
     
  18. FanJ

    FanJ Guest

    Yeah !!! I would like to :D
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Paul, you were faster than I as I was copying the link and writing a personal Lori sockets setting quick manual :)

    Jan's wonderful basic configuration is in Paul's posting.
    If you look in other threads in the TDS area, you'll see probably my recommendation to check everything in the scanner and the worm sensitivity slider all to the highest.
    Certainly in your first full scan. In next occasions you can make it more to Jan's recommendations.


    I thought of using the sockets a moment to test if anything is listening or keeping a port open, so I post the sockets config anyway :)
    Upper right click Sockets
    Tab Automated
    check all the sockets
    press initialise
    Tab Options
    I checked everything
    and fill in your email address to be alerted to
    and save

    If you want to unload the sockets at another moment,
    on the Automated tab uncheck and save
    so all the green lights should be black like you see in Jan's screenshot.

    I would most certainly try to look if it goes ok. In the TDS Helpfile (which came with the install; on the console press Help > TDS Helpfile) you find lots more. Among others you can have TDS listening on certain ports (those sockets you just learned to activate) to react if anything would drop through your firewall for instance.

    But now first of all try to locate the file the scanners fall over and see what TDS says about it.

    Looking forward to your next report.
     
  20. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Hi Paul,
    Those are the exact settings I used and what I reconfirmed earlier today b4 I did my last scan.

    I'm on to read Jooske's post...

    ~Lori
     
  21. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
     
  22. Gladiator

    Gladiator Guest

    And some scotch-cola with 3 ice blocks plz hehe :D

    Gladiator :D
     
  23. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Jooske, I started TDS, I was getting ready to mess with the sockets thing... and I noticed it still says...
    Warning your TDS radius3 needs updated, visit the site... blah, blah, blah, I've done this... and I'm positive that the update on the site matches what it says in my file. Is there something I'm missing?
     
  24. FanJ

    FanJ Guest

    Mmmmmmm yeah :D
     
  25. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    You sure can and those brownies are on their way!

    :p
     