Open Port 5000 - What now??

Discussion in 'Port Explorer' started by mfreemanhcp7, Jan 13, 2004.

Thread Status:
Not open for further replies.
  1. mfreemanhcp7

    mfreemanhcp7 Registered Member (Joined: Jan 3, 2004; Posts: 37; Location: England's Sunny South Coast!!)
    I am trying to get to grips with my new DCS software packages and have noticed through PE that local port 5000 is open. The PID is 1172 and is described as 'svchost.exe'. I know svchost.exe to be a windows system application but am concerned as Port 5000 is also a known Trojan port. In this instance the local and remote address is 0.0.0.0 with no data packets showing in sent/received.

    There are also two other running processes with the same PID (1172) which are connected through local port 1900 to remote port 1035 (not known by PE) with local and remote address of 127.0.0.1 showing 0 data sent but 3/399 received.

    As a total newbie but wanting to learn, what further investigation can I undertake (I don't understand the results shown in data packets through Socket Spy)? I am worried about killing the process in case this is a legit Windows system application. If I do kill the process, will this prevent the process reappearing (I don't think so)? If not, how would I go about this (assuming it's a nasty)?

    Thanks again people. BTW I am running XP Pro. :)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,330; Location: Netherlands)
  3. mfreemanhcp7

    Hi again Pieter_Arntz,

    It would seem maybe that I have nothing to worry about - but one question: how do you know that this refers to the Windows service UPnP? I cannot get this info from PE or any of the TDS plug-ins. I can only find this information when using the 'Who Is?' utility - C:\WINDOWS\System32\svchost.exe -k LocalService.

    Thanks
     
  4. Pieter_Arntz

    That I knew that from memory is probably not a big help?

    But if I hadn't I would have used this site to find out:
    http://www.portsdb.org/bin/portsdb.cgi
    Type in the port number and you'll get a list of possibilities.

    Regards,

    Pieter
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert (Joined: Jul 19, 2002; Posts: 1,533; Location: Perth, Oz)
    If you run our freeware CmdLine utility (available for download from our website) you can then run that and it'll probably tell you the parameters being sent to svchost.exe
     
  6. mfreemanhcp7

    I have checked the port ref from the web site given and the possibilities show the Plug and Play option you described, but for Windows ME not XP (which I am running), so I'm not sure if it is that. I also see 'Sockets De Troie Trojan' as a possibility, confirming the Trojan port? o_O

    I will download and try the CmdLine utility recommended by Wayne. I will post my findings here soon.

    regards
     
  7. mfreemanhcp7

    I have just noticed that the port is TCP not UDP; this might be significant in discounting the Sockets De Troie Trojan theory.
     
  8. mfreemanhcp7

    I have run cmdline and just see this:

    1172 - C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe -k Local Service

    Which I can see using 'What is..' in PE.

    Still confused o_O??
     
  9. mfreemanhcp7

    I think I have found the solution!!! :D

    There may well be some malware at play here as ports 5000 and 1900 are open for sending and listening. If interested refer to

    http://www.diamondcs.com.au/info/port5000listening.htm (not sure how to insert hyperlink. Rearranged them for you - Pieter)

    which I have found on the DiamondCS security info pages. I didn't even know these pages existed!! :eek:

    Sorry for wasting anyone's time.
     
  10. mfreemanhcp7

    I have downloaded and run the small program following the links above and have disabled the Universal Plug and Play option. PE has confirmed that this process has gone.

    Thanks guys, :D with special thanks to Pieter for being on the right track in the first place (should never have doubted you!!) and also for helping out with my hyperlink dilemma!! ;)
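The check this thread works through by hand (which process owns the listening port, which service sits inside that svchost.exe, and whether it is the SSDP/UPnP pair) as an added PowerShell example; it is not code from the thread or from DiamondCS, and it assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-NetUDPEndpoint exist, rather than the XP-era Port Explorer and CmdLine tools discussed above.

```powershell
# Added example (not from the thread). Maps a local port to its owning process and,
# because several services share one svchost.exe, to the services hosted by that PID.
function Get-ListeningPortOwner {
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    # SSDP (port 1900) is UDP, so look at UDP endpoints as well as TCP listeners.
    $eps = if ($Protocol -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    }
    if (-not $eps) { return $null }   # nothing bound to that port

    foreach ($ep in $eps | Sort-Object OwningProcess -Unique) {
        $owner = $ep.OwningProcess
        $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
        $svcs  = Get-CimInstance Win32_Service -Filter "ProcessId = $owner"
        [pscustomobject]@{
            Protocol    = $Protocol
            Port        = $Port
            LocalAddr   = $ep.LocalAddress
            PID         = $owner
            Image       = $proc.ExecutablePath
            CommandLine = $proc.CommandLine   # for svchost this shows the "-k <group>" argument
            Services    = ($svcs | ForEach-Object { "$($_.Name) ($($_.State))" }) -join ', '
        }
    }
}

# State and start mode of the two Windows services behind SSDP/UPnP:
# SSDPSRV (SSDP Discovery) and upnphost (UPnP Device Host).
function Get-UpnpServiceState {
    foreach ($name in 'SSDPSRV', 'upnphost') {
        $s = Get-CimInstance Win32_Service -Filter "Name = '$name'"
        if ($s) {
            [pscustomobject]@{ Service = $s.Name; State = $s.State; StartMode = $s.StartMode; PID = $s.ProcessId }
        }
    }
}

Get-ListeningPortOwner -Port 5000                 # the TCP listener the thread asks about
Get-ListeningPortOwner -Port 1900 -Protocol UDP   # SSDP discovery
Get-UpnpServiceState
# To apply the thread's remediation (run as administrator), uncomment:
# 'SSDPSRV', 'upnphost' | ForEach-Object { Stop-Service $_ -ErrorAction SilentlyContinue; Set-Service $_ -StartupType Disabled }
```

If the port's owner is not svchost.exe, or the svchost PID hosts no service at all, the Services column comes back empty and the Image path is what to investigate next.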
     
  11. Pieter_Arntz

    No problem. And you have wasted no-one's time. ;)
    You learned and tightened up security and that's what we are here for.

    Regards,

    Pieter
     