help found open trojan port need advice

Discussion in 'Trojan Defence Suite' started by odin777xj, Apr 18, 2003.

Thread Status:
Not open for further replies.
  1. odin777xj

    odin777xj Registered Member

    Joined:
    Apr 18, 2003
    Posts:
    2
    Hi, I am new to TDS, but basically I have found and been able to connect to a trojan port on TCP port 5000 on my dad's machine. When I did a full system scan it listed something like ddos.rat sdbot. I deleted it but it came back. Also, I think I did a trojan port scan from the plugins area and it showed me this data:

    5000 - Connected [COMMPLEX-MAIN - Complex Main, SSDP - Web-XML Parser for Universal Plug & Play, RATs: Back Door Setup, Blazer5, Bubbel, ICKiller, Sockets des Troie, Bionet Lite]
    5000: Remained silent.

    What should I do? Also, earlier there was a connected sign and it had NetBIOS next to it. Could someone tell me how I could reconnect to their machines and tell them to go away?

    I am new to this but not new to computing, as I've just STARTED programming, and if someone could clearly explain a few of the steps in perhaps getting the port for a trojan, sending them a nasty message, getting their IP and killing any trojan processes I would be very grateful, as I'm sure our network is getting attacked constantly from lowlifes and I just want to know my computer and stop all the idiots from connecting and trying to damage my system.

    regards
    David
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi odin777xj!

    Personally, I think you didn't have a trojan. Port 5000 has something to do with Plug'n'Play. I'm quite sure that it's activated on your computers. To be sure that it is so, go and check this site:

    http://grc.com/unpnp/unpnp.htm

    If you disable Plug'n'Play you won't have these messages again. If they remain, install TDS-3 and Port Explorer on the infected computer and check out the port.

    Best regards!

    Patrice
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the firewall, block port 5000, and you might like to set up the sockets automated and make sure port 5000 is among them, so TDS is listening and no obscure trojan on your system.
    If you have Port Explorer you can see if anything is connecting to the outside world, and in the full version you can block that connection, or you might like to spy on the packets to see what they are.
    In TDS > Network > TCP Port listen, you can point to your port 5000 and look at the packets entering and leaving your system, making changes if you like.
    This is what we did the other year discovering Code Red among others; interesting to see the variants, and they were not able to do harm on well-protected PCs.

    You say you were able to connect to your father's pc, was that from your own pc via the network or via internet?

    Is the PC running XP or ME with System Restore on? When deleting nasties, disable System Restore, clean out, reboot, enable System Restore (should be clean now) and manually make a new restore point to have that as a new clean point.
    For the sdbot, have a look at the info page to see if they also recommend deletion of registry keys and maybe other files to look at.
    If a Full System Scan alerts on a file with a positive identification, be sure it is there and needs your action.
    If, when scanning your ports with the various plugins, you see port 5000 open, that could be your PnP or your sockets listening on that. If you put, for instance, 127.0.0.1 or 0.0.0.0, whatever is your local host, in the Target Host display and do your scans, you will see your open ports.
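
An added example, not part of the original thread: the replies above come down to finding out which program owns the listener on port 5000. The Python below parses Windows `netstat -ano` output (a constructed sample is embedded) and reports each TCP listener on a given port with its PID and whether other machines can reach it; the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1044
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       2316
  TCP    192.168.0.5:1043       192.168.0.9:5000       ESTABLISHED     1500
  TCP    [::]:5000              [::]:0                 LISTENING       1044
  UDP    0.0.0.0:1900           *:*                                    1044
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def listeners_on_port(netstat_text, port):
    """Return one dict per TCP socket in LISTENING state on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 fields: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        addr, local_port = split_endpoint(fields[1])
        if local_port != port:
            continue
        found.append({
            "address": addr,
            "pid": int(fields[4]),
            # Loopback-only listeners cannot be reached from other machines.
            "remote_reachable": not ipaddress.ip_address(addr).is_loopback,
        })
    return found


if __name__ == "__main__":
    for entry in listeners_on_port(SAMPLE_NETSTAT, 5000):
        scope = "reachable from network" if entry["remote_reachable"] else "local only"
        print(f"port 5000 <- PID {entry['pid']} on {entry['address']} ({scope})")
```

On a live machine, pass in the real `netstat -ano` output and look the reported PID up in Task Manager to see which program holds the port.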
     