Open Port 5000 - What now??

I am trying to get to grips with my new DCS software packages and have noticed through PE that local port 5000 is open. The PID is 1172 and is described as 'svchost.exe'. I know svchost.exe to be a windows system application but am concerned as Port 5000 is also a known Trojan port. In this instance the local and remote address is 0.0.0.0 with no data packets showing in sent/received.

There are also two other running processes with the same PID (1172) which are connected thru local port 1900 to remote port 1035 (not known bu PE) with local and remote address of 127.0.0.1 showing 0 data sent but 3/399 received.

As a total newby but wanting to learn, what further investigation can I undertake (I don't understand the results shown in data packets thru socket spy). I am worried about killing the process in case this is a legit windows system application. If I do kill the process will this prevent the process reappearing (I don't think so) if not, how would I go about this (assuming its a nasty)?

Thanks again people. BTW I am running XP Pro.

 

Let's assume it is what it claims to be.
A windows service. The one called UpnP.

Description of Universal Plug and Play Features in Windows XP

Check this site if and how to disable it:
Windows XP Home and Professional Service Configurations

Regards,

Pieter

 

Hi again Pieter_Arntz,

It would seem maybe that I have nothing to worry about - but one question, how do you know that this referes to windows servive UpnP? I cannot get this info from PE or any of the TDS plug-ins. I can only find this information when using the 'Who Is?' utility - C:\WINDOWS\System32\svchost.exe -k LocalService.

Thanks

 

That I knew that from memory is probably not a big help?

But if I hadn't I would have used this site to find out:
http://www.portsdb.org/bin/portsdb.cgi
Type in the port number and you'll get a list of possibilities.

Regards,

Pieter

 

If you run our freeware CmdLine utility (available for download from our website) you can then run that and it'll probably tell you the parameters being sent to svchost.exe

 

I have checked the port ref from the web site given and the possibilities show the Plug and Play option you described but for Windows ME not XP (which I am running), so I'm not sure if it is that. I also see ' Sockets De Troie Trojan' as a possibilty confirming the Trojan Port?

I will download and try thr CmdLine utility recommended by Wayne. I will post my findings here soon.

regards

 

I have just noticed that the port is TCP not UDP this might be significant in discounting the Sockets De Troie Trojan theory.

 

I have run cmdline and just see this:

1172 - C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe -k Local Service

Which I can see using 'What is..' in PE.

Still confused??/

 

I think I have found the solution!!!

There may well be some malware at play here as ports 5000 and 1900 are open for sending and listening. If interested refer to

http://www.diamondcs.com.au/info/port5000listening.htm (not sure how to insert hyperlink. Rearranged them for you - Pieter)

which I have found on the DiamondCS security info pages. I didn't even know these pages existed!!

Sorry for wasting anyone's time.

 

I have downloaded and run the small program following the links above and have disabled the Universal Plug and Play option. PE has confirmed that this process has gone.

Thanks guys, with special thanks to Pieter for being on the right track in the first place (should never have doubted you!!) and also for helping out with my hyperlink dilemmna!!

 

No problem. And you have wasted no-ones time.
You learned and tightened up security and that's what we are here for.

Regards,

Pieter