closing ports

Hello - I need to close a couple of ports, one that has connections to it now and again, pretty sure this is a trojan, and one that is listening - I discovered this by creating a txt file using netstat -an...txt. I have tried a couple of port watching programmes, briefly, but they needed server rights according to zone alarm and someone advised me not to use them. I use win98 - I've just tried TCPVIEW which is ok but doesn't allow me to close ports or even to find out which programme is opening them. Thankyou.

 

Try to block them in your firewall
do you see strange processes in contr+alt+del? Kill them and do another netstat -an to see if they're gone.
I use Port Explorer: the free trial gives you a nice overview of what is connected to which ports, but it does not give you the full functionallity of the registered version to kill or disable sockets/processes and/or look into the datapackets from those sockets; even in the trial the whois and resolve functions are very nice.
Possible hidden connections which might be trojans but not necessarily are in all cases, are displayed in red for instance.
Further i use TDS, with lot of testing and scanning and killing processes too, netstat, etc.
See those tools in the DiamondCS forums here.
At least get your free trials, they function with Win98 too.

 

Hi stubolt8,

Welcome at Wilders. Could you specify the port numbers? Especially the one that is listening.
If you suspect it is a trojan, what is stopping you from running a trojan scanner?

Regards,

Pieter

Sorry Jooske. Didn´t see you were on the case already.

 

Doesn't matter, TDS could be used as a fine trojan scanner, if updated after installing with the most recent database, so our advice is additional And you're the global mod, my vision is more from the DCS tools side (because i really love them so very much to use )
So feel free to answer and the whole forum is looking forward to know about the ports and next results.

 

Thankyou Jooske and Pieter
I have BOClean anti trojan and AVG. I've not noticed anything dodgy in ctrl-alt-del. Regrun did notice one or two changes when I installed port listener. I've just noticed all the webpages I've saved on the desktop have had the icon change from IE to a sort of dark video like box with a green dot with a spanner superimposed! Anyway I don't know how to block ports with zone alarm, I block anything that asks to connect that shouldn't or I don't want to.
The ports I'm worried about are 1524 ingreslock and 1513(listening in netstat when not connected).
Just found out what that spanner icon is - it's Netmon.
Thankyou.

 

I moved it to the firewall forum so our specialists can help you in blocking the ports. I´m pretty sure you don´t have a trojan or it must be a extremely new one

Regards,

Pieter

 

Thankyou LowWaterMark- I have had a good look at ZA progs and removed a lot that I no longer use although none of them had server rights or access without permission.
Perhaps you could tell me a little about port 1524 ingreslock - whats the point of it, I don't use it for ftp or whatever it's for. A search on google is quite alarming a, lot of the posts refer to linux though.
I don't know a lot about computers but reading sites like this have made me aware of some of the problems that await the unwary - and the wary. I dread to think what lurks on the computers of all those who haven't even heard of ZA. Thankyou - this is a good site.

 

Hi stubolt8

In regards to port 1524, have you been able to determine what on your system is listening on that port?

There are a number of legitimate programs/system functions that could doing this along with the alternative that it could be something you do not want on your system.

Regards,
CrazyM

 

Hi stubolt8

A little further explanation...

iana.org may show ingreslock being a service associated with that particular port, but it does not necessarily mean that is what it is being used for on your system in this particular instance.

When your system, application or service communicates they may use specific services/ports or they may also use or listen on what are referred to as ephemeral ports. These will be ports in the range 1024-5000 (and will sometimes be referred to as the temp range). Examples of this would be Task Scheduler, AV email scanners, that you may see listening on one of these ephemeral ports. The application/service listening on one of these ports in the temp range, may have nothing to do with the service associated to it in the iana.org list.

This is why it is important to determine what is listening on that port in this case instead of focussing on the service associated with it in the iana.org list.

Regards,
CrazyM

 

Hi again, sorry for jumping in so rude again
Fport is for NT, not for win98 systems.
That's why i advised to get the free trial for Port Explorer in the first place, as this will tell what's listening anyway, but for deeper determination you will need other tools or the registered version.
Found more on your ports mentioned:
1524: INGRESLOCK - ingres, RAT: Trinoo
1513: FUJITSU-DTC - Fujitsu Systems Business of America Inc
That Trinoo thing could be a server on your system, for example, if you say it's listening already when not connected to internet, but on the other hand it's so known and should have been cleansed out by your software.
Are you able to post a netstat output when it's there?

 

Hi Jooske - I may have been misunderstood slightly.
port 1524 isn't listening all the time, 1513 is listening all the time. I caught ingreslock appearing in netstat -a 5
because I had the window open on the side of the screen whilst surfing out of curiosity. Suddenly I saw 1524:ingreslock appear, listening and after a short time it vanished - a couple of times I've seen it establish a connection and this is while I'm just regular surfing, bbc, cnn maybe.
I read somewhere that you could test for a shell on that port by telneting to it, could you explain how to do that using my own machine- if possible? I've never used telnet.
I will be using port explorer- it looks useful.

 

Have you been able to determine what is listening on port 1513 to know whether it is of concern or not?

If you are just seeing port 1524 popping up occassionally as the local service/port and part of a valid remote service/port 80 connection (part of normal surfing), it is just being used as an ephemeral port and part of normal communication with your system as noted above. It does not have anything to do with ingreslock and you have nothing to worry about.

Regards,
CrazyM

 

Hi CrazyM - Thanks for the info on ingreslock, it does connect to 8080.
As for 1513 I've not caught anything connecting to it yet and will get back If anything interesting turns up.