hacker in my ports?

Discussion in 'Port Explorer' started by trevorml, Sep 16, 2006.

Thread Status:
Not open for further replies.
  1. trevorml

    trevorml Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    4
    I have strong reason to believe a hacker is trying to or has gotten into my computer.

    For example, my computer is not connected to the net (on a friend's right now) and port 123 says it is known to be used by

    NTP- Network Time Protocol (RFC 958), RAT: Net Controller, Gift, WintTrix, Freeze, Propel, ZUD, Ass4ss1n, Peeper, Madfind

    There are other ports with this type of stuff listed... one has Optix. What does all this mean? My computer is brand new as of yesterday. I installed Norton Internet Security from disk (2006), connected to the internet to register and live update, then downloaded Port Explorer and bang: within minutes and on my first connection to the net my computer seems compromised. Does anyone else have this on their computer? I need to get rid of these things, right?
     
  2. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    If this is what you are basing your suspicions on, take a deep breath and relax. Have you gotten any other confirmation that any of the above RATs, not the NTP, are active? Given what you say below I would doubt it. This is only a list of services/programs that use a particular port, in this case 123. Time sync programs use this port to synchronize your computer's clock with an external time server, usually a second tier time server, which is in turn synchronized to a first tier time server that is synchronized with an atomic clock somewhere in the world.

    Yes, we all do if you are talking about the PE Lookup Utility and in particular Port to Service.

    Only confirmed items in the port list that appear after RAT should be examined more closely, and by multiple malware scanners.

    HTH, take care.
     
  3. trevorml

    OK, thank you! I'm not sure what you mean by this last part: "Only confirmed items in the port list that appear after RAT should be examined more closely, and by multiple malware scanners."

    How do I know if something is confirmed?
     
  4. Disciple

    I could have phrased that better. :p What I was trying to say is:
    Scan your computer with several different malware scanners, and if more than one scan reports a detection of an item that is listed after "RAT:", I would then examine the results (target files) of the scan(s).
    There is a chance of a false positive detection with any malware scanning software. By scanning with more than one, and acting only on detections reported by more than one scanner, you will reduce your chance of acting on such a false positive.

    I hope I explained my thoughts better this time.
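
The triage rule described in the two replies above, as an added example that is not part of any poster's message: the lookup text for a port is only a reference list, and a name listed after "RAT:" is worth examining only when more than one scanner reports it. The scanner names, detection names and file paths are constructed sample data, and the whole-token name matching is an assumption about how scanner detection names are written.

```python
import re
from collections import defaultdict

# Lookup text for port 123 as quoted in the thread (spelling normalised).
LOOKUP_123 = ("NTP- Network Time Protocol (RFC 958), RAT: Net Controller, Gift, "
              "WintTrix, Freeze, Propel, ZUD, Ass4ss1n, Peeper, Madfind")

# Constructed scanner output: scanner name -> [(detection name, file path)].
SAMPLE_REPORTS = {
    "scanner_a": [("Backdoor.Peeper.b", r"C:\sample\a.exe")],
    "scanner_b": [("Trojan/Peeper", r"C:\sample\a.exe"),
                  ("Backdoor.Freeze", r"C:\sample\b.dll")],
    "scanner_c": [],
}

def parse_lookup(entry):
    """Split a lookup line into (service text, [names listed after 'RAT:'])."""
    service, _, rats = entry.partition("RAT:")
    return service.strip(" ,"), [n.strip() for n in rats.split(",") if n.strip()]

def _norm(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _name_tokens(detection):
    """Whole tokens of a detection name, plus adjacent pairs ('net'+'controller')."""
    toks = re.findall(r"[a-z0-9]+", detection.lower())
    return set(toks) | {a + b for a, b in zip(toks, toks[1:])}

def corroborated(rat_names, reports, min_scanners=2):
    """Return {rat: {scanner: [files]}} for names reported by >= min_scanners."""
    hits = defaultdict(dict)
    for scanner, detections in reports.items():
        for det_name, path in detections:
            tokens = _name_tokens(det_name)
            for rat in rat_names:
                if _norm(rat) in tokens:   # whole-token match, so "Gift" != "giftcard"
                    hits[rat].setdefault(scanner, []).append(path)
    return {rat: by for rat, by in hits.items() if len(by) >= min_scanners}

if __name__ == "__main__":
    service, rats = parse_lookup(LOOKUP_123)
    print("Documented service:", service)
    print("Listed after RAT: ", rats)
    for rat, by in corroborated(rats, SAMPLE_REPORTS).items():
        print("Examine target files for", rat, "->", by)
```

With the sample data only the name reported by two scanners is returned; the single-scanner detection and every name that appears only in the lookup list are left out.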
     
  5. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    How about using that brand new firewall to simply block the offending port? Do so bi-directionally. And voila! Fear + Risk = Gone!

    If you feel that your firewall is not efficiently protecting you, try http://www.grc.com/x/ne.dll?rh1dkyd2 to test for vulnerabilities, or try Audit My PC http://www.auditmypc.com/freescan/scanoptions.asp to do the same. Then you can begin your investigation in Port Explorer after confirming that Symantec actually is protecting those ports properly. Besides, if the port is shut the Trojan will be affected as well. If there is a Trojan.

    I hope this helps!
     
    Last edited: Sep 29, 2006