Port 5000

Discussion in 'Trojan Defence Suite' started by granduke, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. granduke

    granduke Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    4
    Location:
    Germany,EU near Jooske
    Hi everyone.

    I have a little bit of a problem here. I'm running Windows XP with ANTIVIR, Trojan Hunter, Winpatrol, Adaware, Spybot Search & Destroy (kinda paranoid, isn't it...) and of course TDS (trial ver lol.. just tryin' atm).

    So my problem is TDS says there's something wrong with port 5000 when I tried 3 of TDS's plugins..

    a.Backdoor knock
    b.TCP inspector
    c.Trojan Port check

    Plugin a says that port 5000 is connected, plugin b says that ports 135 and 5000 are connected and lastly port 5000 just pops up in plugin c.. something like that. Does that mean there's a trojan roaming freely in my comp.? And how do I solve it?

    I don't know bout that 'Target Host' blank space in the middle of TDS (currently 127.0.01). What does it mean anyway? But I do know a little bout my router (something like 192.168.2.1 rite) and have forwarded or opened a few ports myself (6881-6885.. mainly for BT).

    Btw, IE is messing up the forum or the wilderssecurity server, or the other way round... coz I'm killin' my ass to post just one thread in this forum. The login keeps kicking me out. Password retrieval says weird things. Preview post says someone already uses my username. Login quota used up... like someone is controlling the keyboard.. Opera is my hero. heh.

    Please help. Thanx.
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi granduke

    Are these just listening connections?

    Port 5000 is associated with UPnP (ssdp discovery service). If you have this service enabled (it is by default in XP) that is likely what is listening on that port. If you do not need this service, you can disable it.

    Port 135 is RPC (epmap) and it is also normal for your system to be listening on this port/service.

    Being behind a router will protect you from unsolicited connection attempts to these services.

    Regards,

    CrazyM
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and thanks CrazyM for the explanation!
    Want to add: if you enabled TDS sockets in the upper right corner you'll have TDS listening on those ports, so no other application from inside can use them, and anyone from outside (if they could get past your firewall protection at all!) would find TDS listening there and no other malware can use them, so an extra protection.
    Test: have your local host in the Target Host, have those sockets enabled, press your Backdoor knock and the others you used and you will get those alerts;
    put your public IP address or any of the others you have from the network, router, whatever and try again;
    etc. You will probably see TDS warnings and emails being sent if you configured TDS to do so.
     
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Granduke.

    If you want to check what's established with what port, etc. you can do a trial of Port Explorer, it will soon tell what's connected/listening, etc. with what services running trying to connect out.

    In relation to that Target Host 127.0.0.1 [that being your own localhost of course] in the middle, that is simply a tool in which you paste an IP address to Resolve/Ping/Trace/TCP connect to Target Host... try it... just paste an IP address in the black Target Host window and hit any of the RPTC buttons...

    PORT EXPLORER HERE

    Cheers, TAS

    edit: Jooske too quick :D
     


  5. granduke

    granduke Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    4
    Location:
    Germany,EU near Jooske
    Haha..thanks everyone.

    I've searched Google and found that there's so much info bout port 5000 and netbios (135) and so on.. till I don't know which one to believe. Hell. I guess it's TDS who's been using those ports.... coz as soon as I closed TDS, all the listening ports are gone (I'm using an extra Run->cmd->netstat -a.. didn't know TDS has its own netstat feature lol.. :rolleyes: ).

    Haha.. I thought I was chasing someone last night.. coz there's this IP 217.17.bla.bla.. or something.. (I don't remember anymore).. that keeps listening.. waiting.. sending sync.. establishing (I don't know what this means either.. hell.. lots to learn) on all my ports below 5000... something like port 1000 to 4000 is listening. And there's a few ports in the 3100 to 3200 range that are sending sync. o_O

    I even tried putting the IP in the Target Host and tried tracing... interrogating.. tcp connecting him.. (I don't know what I'm doin' either.. hehe.. just to give the impression to the other intruder that I know what he's doin' :ninja: ). But it was all maybe just TDS doin' his stuff.

    As for port 5000, CrazyM, TDS detected that the port is not listening anymore... it is connected. I found out on da net that it is used by worms..

    http://isc.sans.org/diary.php?date=2004-05-17

    ..and after I disabled UPnP, the connection is broken and the problem is solved. ;)

    http://www.diamondcs.com.au/info/port5000listening.htm

    CrazyM, is there a special Firewall thread anywhere in the forum? I'd really like to learn bout many things. heh.

    Thanx again everyone.
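
Added example, not part of any post in this thread: a small Python parser for Windows `netstat -an` output that answers the question raised above for ports 135 and 5000, namely whether a socket is only listening, connected to a loopback peer (for instance a scanner pointed at 127.0.0.1), or connected to a remote address. The sample output, the addresses in it and the function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         127.0.0.1:1042         ESTABLISHED
  TCP    192.168.2.10:3105      203.0.113.7:80         SYN_SENT
  TCP    192.168.2.10:5000      198.51.100.23:4312     ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

LOOPBACK = ("127.", "[::1]")
# proto, local ip:port, remote ip:port (or *:*), optional state (UDP has none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+?):(\d+|\*)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, state) per socket row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, lip, lport, rip, _rport, state = m.groups()
            yield proto, lip, int(lport), rip, state or ""

def classify(text, watched=(135, 5000)):
    """Sort sockets on watched local ports into listening / loopback / remote."""
    report = {"listening": [], "loopback_peer": [], "remote_peer": []}
    for proto, _lip, lport, rip, state in parse_netstat(text):
        if lport not in watched:
            continue  # outbound client sockets on other ports are ignored here
        entry = (proto, lport, rip, state)
        if state == "LISTENING" or (proto == "UDP" and not state):
            report["listening"].append(entry)
        elif rip.startswith(LOOPBACK):
            report["loopback_peer"].append(entry)
        else:
            report["remote_peer"].append(entry)
    return report

if __name__ == "__main__":
    for kind, rows in classify(SAMPLE).items():
        print(kind, rows)
```

On a real machine, paste the output of `netstat -an` into `classify()`; only entries under `remote_peer` show another host actually connected to the watched service.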
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada