Do I have a Trojan or Not?

Discussion in 'Trojan Defence Suite' started by Archangel, Aug 5, 2003.

Thread Status:
Not open for further replies.
  1. Archangel

    Archangel Registered Member

    Joined:
    Aug 5, 2003
    Posts:
    4
    Location:
    USA
    Hi folks, I'm a new user, just downloaded TDS-3 (demo). I am running a box with 98SE, DSL from SBC, NetGear router/firewall, Sygate Personal firewall Pro 5.1, Norton A/V 2003, and TrojanHunter 3.5. The last couple of days I've noticed a lot of activity on ports 137 and 138, plus someone is scanning my ports every 3 min. The scan began at port 2011 and currently stands at 2880. I ran TrojanHunter and Norton virus scans on my system - both say I'm clean. Still not convinced, I downloaded from G-Lock software their AA Network Tools kit and ran a port scan. AA tools tells me these ports are listening: 110 TCP ProMail; 137 UDP Chode Msinit; 138 UDP Chode; 139 TCP Chode God Messenger. I went to the Symantec site and ran an online virus scan: results were no infection. I decided to try TDS-3 based on its industrial strength reputation, configured it according to FanJ's "basic config" post, and TDS-3 also found no trojan infection. So, I'm not sure if I have Trojan infections, or if TDS-3 just can't find them because it's a demo. If I knew for sure the program is working I'd be more inclined to buy, because I like the fact that it can do so much more than TrojanHunter. Plus, I'd also feel better if I knew for sure that my system was clean. Until this week, my Sygate logs didn't show the activity that they're showing now, so I know something is in my system but I just haven't been able to catch it yet. Can anyone offer me some advice with this? Thank you in advance, and apologies for the long post.
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Archangel,

    Welcome to Wilders!

    The 137-139 ports you have open are NetBIOS ports for local network connections. Can you tell us a bit more about the activity you noticed on these ports? Also, can you tell us a bit more about the portscan? Portscans are usually much faster than you appear to be describing.

    I would recommend that you download and install Port Explorer from DCS as that is perfectly suited for the type of questions you are asking. You can see all open connections, what the endpoints are, how many packets have traversed that connection and you can spy on those sockets to determine what info is being relayed.

    The URL for it is

    http://www.diamondcs.com.au/portexplorer/

    Regards,

    Dan
     
  3. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I'll defer to the mods in here, but the first thing I would do is boot into safe mode and run your antivirus program, or run it from a DOS command line and see what/if it picks something up. Anything with the word "chode" in it is not an encouraging sign.

    Glocksoft has info on the Chode trojan here:

    http://www.glocksoft.com/trojan_list/Chode.htm

    Good luck, and a "real" TDS guy/gal should be along shortly. ;)
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Archangel, welcome!
    TDS is almost fully functional, it just misses the automatic database updates and you can't install its resident extra protection (exec protection) nor can you run SS3 scripts over 5kb, so the scanning part is fully functional!
    After installing TDS and reboot get the latest database update from the site, put it into the TDS directory and (re)start TDS.
    I'd advise you to check under these circumstances all possible options in startup and in the scan options and worm slider on highest sensitivity and scan again.


    There's a lot of activity on port 137 thanks to the many people infected with bugbear among others: that you see your firewall blocking those many on your ports means you are safe! (see a few threads here in the "other firewalls" section on port 137)
    For the moment for me it seems mainly knocking on port 17300, to which traffic I listened a few moments with TDS > Network > TCP Port Listen, on that port allowing it to act as a server (it's an emulator, so nothing can happen) and see the IP addresses knocking.
    Dan mentioned PortExplorer, indeed, I put that port listening process under spy to look another time at the data packets, so nice how they work together.

    In your case, do have your scans most certainly, and I don't think you're infected but always make at least 300% certain with the scans.
    Further with PE up you can see if there would be suspicious connections anywhere (all hidden and they will be red, which does only mean processes you don't know are suspicious, not all of them!)
    With PE you can block such connections immediately, so nice to have them working together!
    Let us hear how your scanning resulted please!


    BTW: if you look in TDS > System analysis > Process List, is there anything running which should not be there, or something with the name "chode" in it?
    If so, kill that process there and get into deeper cleansing.
    But this depends on the TDS finds after your full system scan.
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    To be short, when you have firewall logs, the packets stay outside, the firewall is just doing its job
    Dolf
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I found the activity on the NetBIOS ports curious given that there is an external firewall (presumably doing NAT). This should filter incoming and outgoing NetBIOS at that point so why is it in the Sygate logs (unless they were only outbound)?
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So we would love a PE saved table or screenshot or part of the logfile
    and the TDS processes and what more, faber toys (free at www.faberbox.com) or hijackthis?
    (and and and I guess?)
     
  8. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I should have to see the Netgear ruleset to answer that, but what I do know, is that configuring a hardware firewall is no child's play.
    But still, in is in and out is out ;)

    besides that, I've never heard of malware knocking on its own port

    Dolf
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Lol! Except for Sonicwalls, those are kinda strange.
     
  10. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The port reference to 137 138 139 are just the NetBIOS ports being open, I think the rest of the advice here is enough, show us your Port Explorer output :)
     
  12. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Huh? If those ports were open, how come they show up in the sygate logs o_O
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Eeek :eek:

    Ok my post was for the original poster, I doubt he has the trojan/virus in question, the only thing indicating he MAY have, is that he has those ports open and is being scanned :)

    Sorry Dolf... :D
     
  14. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Ok, my opinion: the NetGear firewall has not been enabled (or badly configured), because ports 137-139 are blocked almost by default. That's why those Sygate logs show all those scans
    And indeed, his system has NOT been compromised, otherwise TDS and others should have indicated something.
    Besides that, there is no reason to suggest there is something wrong: port-knocking logfiles are NO indication for that
    Dolf
     
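As an added illustration of the point made in this thread (blocked inbound hits in the personal-firewall log are the firewall doing its job, outbound NetBIOS is what would deserve a second look, and a probe that walks one port every few minutes is still a scan), the following Python script triages some firewall-log lines. It is not code from the thread or from Sygate, TDS or Port Explorer; the simplified log format, timestamps and addresses are constructed for the example.

```python
"""Triage constructed firewall-log lines of the kind discussed in the thread.

Added example, not from the thread or from any tool named in it. The log
format (date time direction action proto remote_ip local_port) is a
constructed simplification, not Sygate's real log format.
"""
from collections import defaultdict
from datetime import datetime

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services

# Constructed sample: one remote host probing a new port every 3 minutes,
# background NetBIOS noise blocked inbound, and one outbound NetBIOS datagram.
SAMPLE_LOG = """\
2003-08-05 10:00:00 IN  BLOCKED TCP 203.0.113.7 2011
2003-08-05 10:03:00 IN  BLOCKED TCP 203.0.113.7 2012
2003-08-05 10:06:00 IN  BLOCKED TCP 203.0.113.7 2013
2003-08-05 10:09:00 IN  BLOCKED TCP 203.0.113.7 2014
2003-08-05 10:04:10 IN  BLOCKED UDP 198.51.100.9 137
2003-08-05 10:05:30 IN  BLOCKED UDP 198.51.100.22 137
2003-08-05 10:07:00 OUT ALLOWED UDP 192.0.2.1 138
"""

def parse_log(text):
    """Parse the constructed format into dicts; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        records.append({"time": ts, "dir": parts[2], "action": parts[3],
                        "proto": parts[4], "remote": parts[5], "port": int(parts[6])})
    return records

def summarize(records):
    """Blocked inbound noise is benign; outbound NetBIOS is the thing to investigate."""
    blocked_in = [r for r in records if r["dir"] == "IN" and r["action"] == "BLOCKED"]
    return {"blocked_inbound": len(blocked_in),
            "netbios_inbound_blocked": sum(r["port"] in NETBIOS_PORTS for r in blocked_in),
            "netbios_outbound": sum(r["dir"] == "OUT" and r["port"] in NETBIOS_PORTS
                                    for r in records)}

def find_slow_scans(records, min_hits=3):
    """Remote IPs whose blocked inbound hits walk through consecutive ports over time."""
    by_src = defaultdict(list)
    for r in records:
        if r["dir"] == "IN" and r["action"] == "BLOCKED":
            by_src[r["remote"]].append((r["time"], r["port"]))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological order, so port progression is checked over time
        ports = [p for _, p in hits]
        if len(ports) >= min_hits and all(b == a + 1 for a, b in zip(ports, ports[1:])):
            gaps = [(t2 - t1).total_seconds() for (t1, _), (t2, _) in zip(hits, hits[1:])]
            scans[src] = {"first_port": ports[0], "last_port": ports[-1],
                          "avg_interval_s": sum(gaps) / len(gaps)}
    return scans
```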
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Once you have TDS running which showed no infections, and PE which shows no suspicious connections, be complete with wormGuard to look for malicious scripts which could be stopped if they would be there, and the AutostartViewer (from the free tools area) to look another time for all that is started automatically (including auto-updates etc -- rather unveiling I found!)
    Ports 137-138-139 are among others NetBIOS ports and among others default ports for the ones mentioned, but a portscan on those does not mean you are infected with those nasties, as they were blocked by the fw anyway.
    Hope we'll read good results soon!
    We all are: you see, we all are interested to know, you never struggle alone here!
     