Where to start?

Discussion in 'Trojan Defence Suite' started by dallen, May 13, 2003.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I am new to this defense suite, but I'm willing to put the time in to learn. I was unsure where to begin so I started with a port scan and have attached a file containing the results. How can I determine which ports should be in use and which should not? Does anyone have any suggestions on reading material that will help me? Thanks.

  2. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Just to let everyone know. I found a good starting point for reading material. Who would have thought to look in the TDS help file? I'm still open for any suggestions.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again Dallen,
    good to see you learning! The Help Manual is a respected piece of information in which you find more than info about pressing the right button!
    You have this forum, and as a licensed TDS operator you can also now ask for access to the TDS private (licensed operators only) areas in the DCS forums (see link in my signature)
    for lots more info and backgrounds.
    Did you also check your TDS configuration with the basics FanJ described in his thread http://www.wilderssecurity.com/showthread.php?t=2871

    If you look in the TDS > Utilities > Port Reference
    you type in the port numbers and see if there is a special description for them.
    PE has the same function, btw.
    Seeing those ports in use can be because of your system settings; maybe you have sockets installed to listen on default trojan ports, some software using those ports like 443 and 445, such things. Suppose you see the same in the PE netstat sockets list, right?
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Which ports are open isn't an overly accurate method to detect trojans, but of course knowing which ports are open is useful!

    Use Port Explorer to see which ports are being used by which process, and then you will have a much better indication of what is going on :)

    Use TDS to run scans on files you are unsure about, and scan the rest of your system - most importantly memory. The rest of the nice people on the forums will help you learn the advanced features when you are ready... of course the help file does list a lot :)
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi dallen,
    if you could give us some information about your OS then you'll get a couple of hints about what to think of ports 135, 139, 445 and 5000 (what services are they? are they necessary? if not, how can they be disabled?).
    Ports 80 and 443 look like you're running an http server. If this is what you intended, then it's fine.
    If you've done the local port scan after some of your programs (e.g. browser, updaters) have already connected or are still connected to the internet, then the ports 1025-1038 are okay as well (when a program needs a connection, it is given ports starting from 1025 by the OS).
    I'd like to know what port 16200 is, tho. Do you have an idea? If you don't, there are several tools (some free, some shareware - of course DiamondCS' PortExplorer is best at that :D) that can tell you which program uses that port...

    HTHH,
    Andreas
     
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi dallen,
    Block ports 135-139, 445, and 5000 tcp/udp from inbound connections. They have no use on the Internet and can only cause you trouble.
    Port 135-139:
    look here:
    https://nanoprobe.grc.com/x/ne.dll?bh0bkyd2
    under file sharing and messenger spam
    port 5000, look here:
    https://grc.com/unpnp/unpnp.htm
    Port 445:
    LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445.

    Windows XP with port 445 open allows remote attackers to cause a denial of service (CPU consumption) via a flood of TCP SYN packets containing possibly malformed data.

    (from dshield.org)

    Dolf
     
  7. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi guys,

    not so fast with tips to block some ports! I'm using ports 135, 139 and 445 myself as well. These ports are used by NetBIOS. If you are in a network you need those ports to be open. If you use a firewall and/or a router besides, this works fine. So don't touch these ports prematurely! Otherwise you won't be able to use your network printer or to share or access files with other computers. ;)

    Best regards,

    Patrice
     
  8. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi Patrice,
    I was only referring to inbound connections from the Internet.
    For local network interfaces you are right, although I don't see any reason for somebody to block any ports on his local network.
    Dolf
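The triage that Andreas1 and Dolf describe above, as an added example that is not from the thread or from DiamondCS: a small Python script that parses a constructed Windows-style `netstat -an` listing (not dallen's attached scan) and gives each socket a verdict, telling apart OS-assigned client ports from 1025 up, the LAN-only Windows service ports (135-139, 445, 5000) and whether they are bound to all interfaces or only a LAN address, the http/https pair, and unknown listeners such as 16200 that need their owning process identified. The sample lines, port descriptions and verdict wording are my own assumptions.

```python
import re

# Constructed netstat-style listing (not dallen's attached scan), shaped like
# Windows "netstat -an": proto, local address, foreign address, state.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:80             0.0.0.0:0          LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0          LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0          LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0          LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0          LISTENING
  TCP    192.168.1.10:1025      207.46.1.1:80      ESTABLISHED
  TCP    0.0.0.0:5000           0.0.0.0:0          LISTENING
  TCP    0.0.0.0:16200          0.0.0.0:0          LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Port knowledge from the thread: Windows service ports that belong on the LAN
# only, the web pair, and the range the OS hands out to client sockets (1025+).
LAN_ONLY = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
            138: "NetBIOS datagram", 139: "NetBIOS session",
            445: "microsoft-ds (SMB)", 5000: "UPnP (SSDP host)"}
WEB = {80: "http", 443: "https"}
EPHEMERAL_START = 1025
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def classify(bind: str, port: int, foreign: str, state: str) -> str:
    """Return a triage verdict for one socket, following the thread's guidance."""
    if state == "ESTABLISHED" or (port >= EPHEMERAL_START and foreign not in ("0.0.0.0:0", "*:*")):
        return "ok: ephemeral client socket handed out by the OS"
    if port in LAN_ONLY:
        where = "all interfaces" if bind in ("0.0.0.0", "::", "*") else "LAN address only"
        return f"lan-only: {LAN_ONLY[port]} on {where}; block inbound from the Internet, keep for LAN"
    if port in WEB:
        return f"review: {WEB[port]} server listening; fine only if you intended to run one"
    return "investigate: unknown listener; find the owning process (e.g. Port Explorer)"

def triage(netstat_text: str) -> list[dict]:
    """Parse netstat-style lines and attach a verdict to each socket."""
    results = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines or anything not shaped like a socket row
        proto, bind, port, foreign, state = m.groups()  # state is None for UDP rows
        verdict = classify(bind, int(port), foreign, state)
        results.append({"proto": proto, "bind": bind, "port": int(port), "verdict": verdict})
    return results
```

Run `triage(SAMPLE_NETSTAT)` to get one dict per socket; on a real machine, paste your own `netstat -an` output in place of the constructed sample.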
     