port 666 UDP activity - from my own IP!

Discussion in 'Trojan Defence Suite' started by LurkaLot, Nov 25, 2004.

Thread Status:
Not open for further replies.
  1. LurkaLot

    LurkaLot Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    1
    This is an extract from my snort log:

    17:54:32 eth1 - UDP 80.110.170.109 666 81.110.170.109 1026

    It occurs daily, quite a few times, irregular intervals. TDS doesn't find anything!

    I'm supposed to be totally stealthed?!?

    Does anyone recognise the problem or issue, or know a solution?

    Even after changing IP (dynamically) it still re-occurs!

    TIA

    :mad:
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi LurkaLot,

    Welcome to Wilders!!!

    We may decide to move this to a more appropriate forum but first of all a couple of questions.
    Be sure you are using the latest radius file with TDS when you are scanning. If you are trialling TDS, you have to manually download the radius files. You can find the latest radius file and instructions HERE.
    Also, is this traffic to port 666 incoming or outgoing? If it is outgoing, we can probably trace it to a process on your system.

    HTH....
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Port 666 can be Doom (Id Software), RAT: Peur de Rien FTP, Attack FTP, Back Construction, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, F-BackDoor, Worm.Grifin Remote Control, Uprising, Dimbus, TiVedo, MAD, Storm, Ulysses, Beast, Plateau, MaLPaYo, Dracula, Cyn, Dark Sill, InetWatch, DXM SMTP
    or something innocent.

    Since you run Snort, did you also have a look with Port Explorer (free trial at www.diamondcs.com.au ) ?
    This will show you in a blink of the eye to which service / application is involved.
    And you can block or kill the socket/process immediately.

    While scanning please make sure you close all other scanners and their resident protection completely to give TDS full access to every file.
    And the TDS settings, please checkmark every scan option and the wormslider on highest.

    A next thing to do is at the same DiamondCS location in the products page to get the AutoStartViewer and with all options checked there create a startup log to see if there is anything suspicious.
    You can send the log to support@diamondcs.com.au or post it here.

    Please let us know your results.
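One way to answer puff-m-d's incoming-or-outgoing question and to sort the posted log line before reaching for Port Explorer, as an added example written for this page rather than anything the posters or DiamondCS supplied. The script assumes the column layout "time iface - proto src sport dst dport" that the quoted line shows, takes the host's own address(es) as input (the posted line actually carries two different addresses, 80.110.170.109 and 81.110.170.109, so which one is local decides the direction), and flags any port it finds in a small table seeded only with port 666 and a label summarising Jooske's list. The PORT_NOTES table, the function names and the sample local-address sets are all constructed for the example.

```python
import re
from dataclasses import dataclass, asdict

# Constructed table: port 666 is the only port the thread discusses, and the
# label just summarises Jooske's post. Extend it for your own environment.
PORT_NOTES = {
    666: "Doom, or one of the remote-access trojans listed by Jooske",
}

# Pattern for the "HH:MM:SS iface - PROTO src sport dst dport" layout of the posted line.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<iface>\S+)\s+-\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)$"
)


@dataclass
class Flow:
    time: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Flow:
    """Parse one log line into a Flow; raise ValueError on an unexpected layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Flow(m["time"], m["iface"], m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]))


def direction(flow: Flow, local_ips: set) -> str:
    """Classify the flow relative to the addresses this host currently holds."""
    src_local, dst_local = flow.src in local_ips, flow.dst in local_ips
    if src_local and dst_local:
        return "internal"   # both ends are ours
    if src_local:
        return "outbound"   # a process on this host sent it: trace it to that process
    if dst_local:
        return "inbound"    # something remote sent it to us: look at the receiving socket
    return "foreign"        # neither end is ours: stale local-IP list, another host, or a spoofed source


def triage(line: str, local_ips: set) -> dict:
    """Return direction, which port is ours, which is remote, and any flagged ports."""
    flow = parse_line(line)
    d = direction(flow, local_ips)
    if d == "outbound":
        local_port, remote_port = flow.sport, flow.dport
    elif d == "inbound":
        local_port, remote_port = flow.dport, flow.sport
    else:
        local_port, remote_port = None, None
    # Check both ends: in the posted line 666 is the *source* port, not the destination.
    flagged = {p: PORT_NOTES[p] for p in (flow.sport, flow.dport) if p in PORT_NOTES}
    return {
        "direction": d,
        "proto": flow.proto,
        "local_port": local_port,
        "remote_port": remote_port,
        "flagged_ports": flagged,
        "flow": asdict(flow),
    }


if __name__ == "__main__":
    # Constructed sample: the one line LurkaLot posted, evaluated under three
    # different assumptions about which address belongs to the local host.
    LINE = "17:54:32 eth1 - UDP 80.110.170.109 666 81.110.170.109 1026"
    for local in ({"81.110.170.109"}, {"80.110.170.109"}, {"192.168.0.10"}):
        print(sorted(local), triage(LINE, local))
```

If the line comes out "inbound", the port to look up in a trojan-port list is the remote one (666 here) while the local port (1026) is the socket Port Explorer would map to a process; if it comes out "outbound", the roles swap and the local process owning port 666 is what to trace. A "foreign" result after a dynamic IP change simply means the address list fed to the script is no longer the one the host holds.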
     