Port 5000

Hi everyone.

I have alittle bit of problem here.I'm running windows xp with ANTIVIR,Trojan Hunter,Winpatrol,Adaware,Spybot search&destroy (kinda paranoid isn't it...) and of course TDS (trial ver lol..just tryin' atm).

So my problem is TDS say there's something wrong with port 5000 when i tried 3 TDS's plugins ..

a.Backdoor knock
b.TCP inspector
c.Trojan Port check

Plugin a says that port 5000 is connected , plugin b says that port 135 and 5000 is connected and lastly port 5000 just pop in plugin c..something like that.Does that mean there's trojan roaming freely in my comp.?And how do i solve it?

I don't know bout that 'Target Host' blank space in the middle of TDS (currently 127.0.01).What does it mean anyway?But i do know alittle bout my router (something like 192.168.2.1 rite) and have fowarded or open a few ports myself (6881-6885..mainly for BT).

Btw,IE is messing the forum or the wildersecurrity server,or either way round...coz i'm killin' my ass to post just one thread in this forum.The login keep kicking me out.Pasword retrieval say wierd things.Preview post say someone already use my username.Login quota used up...like someone is controling the keyboard..Opera is my hero.heh.

Please help.Thanx.

 

Hi granduke

Are these just listening connections?

Port 5000 is associated with UPnP (ssdp discovery service). If you have this service enabled (it is by default in XP) that is likely what is listening on that port. If you do not need this service, you can disable it.

Port 135 is RPC (epmap) and it also normal for your system to be listening on this port/service.

Being behind a router will protect you from unsolicited connection attempts to these services.

Regards,

CrazyM

 

Hi there and thanks CrasyM for the explanation!
Want to add: if you enabled TDS sockets in the upepr right corner you'll have TDS listening on those ports so no other application from inside can use them and from outside (if they could get passed your firewall protection at all!) would find TDS listening there and no other malwaer can use them, so an extra protection.
Test: have your local host in the Target Host, have those sockets enabled, press your Backdoor knock and the others you used and you will get those alerts;
put your public IP address or any of the others you have from the network, router, whatever and try again;
etc. You probably see TDS warnings and sending emails if you configured TDS to do so.

 

Hi Granduke.

If you want to check what's established with what port, etc. you can do a trial of Port Explorer, it will soon tell what's connected/listening, etc. with what services running trying to connect out.

In relation to that Target Host 127.0.0.1 [that being your own localhost of course] in the middle, that is simply a tool in which you paste an IP address to Resolve/Ping/Trace/TCP connect to TargetHOst... try it... just paste an IP address in the black Target Host window and hit either of the RPTC buttons...

PORT EXPLORER HERE

Cheers, TAS

edit: Jooske too quick

 

Haha..thanks everyone.

I've search google and found that there's so much info bout port 5000 and netbios (135) and so on..till i don't know which one to believe.Hell.I guess it's TDS who's been using those ports....coz as soon as i closed TDS,all the port listening are gone (I'm using an extra Run->cmd->netstat -a..didn't know TDS has it own netstat feature lol.. ).

Haha..i thought i was chasing someone last night..coz there's this ip 217.17.bla.bla..or something..(i don't remember anymore)..that keep listening..waiting..sending sync..establishing (i don't know what this mean either..hell..lots to learn) all my ports below 5000...something like port 1000 to 4000 is listening.And there's a few ports in 3100 to 3200 range that are sending snyc.

I even try putting the ip in the Target Host and try tracing...interrogating..tcp connecting him..(I don't know what i'm doin' either..hehe..just to give the impression to the other intruder that i know what he's doin' ).But it was all maybe just TDS doin' his stuff.

As for port 5000 CrazyM,TDS detected that the port is not listening anymore...it is connected.I found out in da net that it is used by worms..

http://isc.sans.org/diary.php?date=2004-05-17

..and after i disable UPnP,the connection is broken and the problem is solve.

http://www.diamondcs.com.au/info/port5000listening.htm

CrazyM,is there a special Firewall thread anywhere is the forum.I really like to learn bout many things.heh.

Thanx again everyone.

 

On the Wilders Security Forums you will find:

Official Look n Stop English Forum
Official Look n Stop French Forum

Other Firewalls Forum

Regards,

CrazyM