I have strong reason to believe a hacker is trying to or has gotten into my computer. For example my computer is not connected to the net (on a friends right now) and port 123 says it is known to be used by NTP- Ntework Time Protocol (RFC 958 ), RAT: Net Controller, Gift, WintTrix, Freeze, Propel, ZUD, Ass4ss1n, Peeper, Madfind There are other ports with this type of stuff listed.. one has Optix. What does all this mean? My computer is brand new as of yesterday. I installed Norton Internet Security from disk (2006) connected to internet to register and live update, then downloaded port explorer and bang- within minutes and on my first connection to the net my computer seems compromised. Does anyone else have this on their computer? I need to get rid of these things right?
If this is what you are basing your suspicions on, take a deep breath and relax. Have you gotten any other confirmation that any of the above RAT's, not the NTP, are active. Given what you say below I would doubt it. This is only a list of services/programs that uses a particular port, in this case 123. Time sync programs use this port to synchronize your computer's clock with an external time server, usually a second tier time server, which is in turn synchronized to a first tier time server that is synchronized with an atomic clock somewhere in the world. Yes, we all do if you are talking about the PE Lookup Utility and in particular Port to Service. Only confirmed items in the port list that appear after RAT should be examined more closely, and by multiple malware scanners. HTH, take care.
ok thank you! I'm not sure what you mean by this last part- "Only confirmed items in the port list that appear after RAT should be examined more closely, and by multiple malware scanners." How do I know if something is confirmed?
I could have phrased that better. What I was trying to say is: Scan your computer with several different malware scanners and if more than one scan reports a detection, of an item that is listed after "RAT:", I would then examine the results (target files) of the scan(s). There is a chance for a false positive detection with any malware scanning software. By using/scanning with more than one you will reduce your chance of acting on such false positive, by acting on detections reported by more than one scanner. I hope I explained my thoughts better this time.
How about using that brand New Firewall to simply block the offending port - Do so bi-directionally. And voila! Fear + Risk = Gone! If you feel that your Firewall is not efficiently protecting you, try http://www.grc.com/x/ne.dll?rh1dkyd2 to test for vulnerabilities or try Audit my PC http://www.auditmypc.com/freescan/scanoptions.asp to do the same. Then you can begin your investigation in Port Explorer after confirming that Symantec actually is protecting those ports properly. Besides if the port is shut the Trojan will be affected as well. If there is a trojan. I hope this helps!
Also if you think a hacker is sitting on your computer he needs to logon to services somehow to activelly use things If he is exploiting internal resources you might be able to see him loged in witht he following tools: To see what is loged on in real time (People and Virtual sessions as well as machine connections) http://www.sysinternals.com/Utilities/LogonSessions.html To find who is using miscellaneous resources: http://www.sysinternals.com/Utilities/PsLoggedOn.html Good Luck!
