Questions concerning Sockets

Hi everybody,

I'm not sure if I really understood the socket-feature in TDS3. If I go to the sockets configuration, automated area, obviously I have the option to let TDS "listen" on those specified ports if some trojans are dropping in.
When I look at my Active Ports screen I see just one port open that is also in TDS's list. Is it sensible to change the default ports in TDS's automated list? Or should I leave it as it is, make a mark in every box, just in case, and look for another solution? I have no idea how to handle the scripted option, therefore I didn't touch it. Right now TDS is listening on 9 nonexistent ports. For me this seems to be a bit senseless...

Regards - Stefan

 

Hi Stefan,

A lot of people keep those disabled most of the time. Bear in mind that if you have some sort of firewall in place, you will not see activity on whatever ports you configure there unless you open up your firewall for them. But they can be handy to setup (once they are allowed on the firewall) if you feel you need an immediate notification of activity on those ports

Rather than relying on the socket config, when you notice your firewall logging repeated activity on a certain trojan port and you want to "see" more of the data you can set your firewall to direct traffic on that port ot your PC (if it is an external firewall/router) or just open up that port if it is a Personal Firewall and then you can set TDS to listen on the port using TCP Port Listen in the Network menu

 

See them as an extra layer of security: if anything would be bypassing the firewall then there is still TDS listening on those ports. In test situations you can see how TDS reacts on them, etc.

 

OK, I'll leave them enabled then. But what is with let's say UDP 31337? Obviously this port isn't open at all on my system. Just TDS opens it. Or would a trojan open this port to communicate with his boss?

 

Port 12345 originally for Netbus is there too; a possible attacker finds there TDS listening if they would get past your firewall so they still can't do any harm with that exact nasty on that port.
Or you could have an emulator listening on such a port: the attacher thinks you're infected with his tool, he's trying all his arsenal on you giving you time to find out who and what he or she is and whatever you find useful to do, scanning for open ports on their system, broadcasting something friendly, whatever.
If you put your own local host in the target host display and do some test scans on yourself you should get some warnings on those ports.
I'm seeing a growing amount of portscans on TCP 3127, which is a backdoor for MyDoom, have not seen a usefull emulator to set listening on that port (would be a SS3 script i suppose if somebody would spend creativity on that) as an example.
Somebody else created such a listening socket for port 137 with the Bugbear outbreak, was very useful as in a few versions of ZoneAlarm ago it suppressed logging of the hundreds of bugbear portscans. Etc etc.
So yes, having something of your own tools listening on the target ports can be an extra layer of security.