Scare on port 1040

Discussion in 'Trojan Defence Suite' started by tutankamon, Dec 4, 2003.

Thread Status:
Not open for further replies.
  1. tutankamon

    tutankamon Registered Member

    I'm here again,
    I ran Netstat on TDS system analysis, it showed a line saying: UDP 127.0.0.1:1040 *.*
    When I right-clicked on this line and selected "what is port 1040", TDS said Port 1040 = RAT infiltrator.
    I run AVG6 (fully updated), no virus found. I ran Spybot S&D, nothing found. I had already done a scan with TDS, and obviously it was running when I was using the Netstat, but no reports of any trojan activity. I did a Google search on port 1040; some reports of a keylogger using this. I ran Sygate personal firewall and had a look at what program was using port 1040, it said, Program files / ie plorer/ process 429451. I did not understand what it meant, so fearing that I may have a new keylogger on my computer, I blocked that connection off. After a while I came offline to have my dinner. When I tried to get back online, I could not connect to my ISP, I could not get online at all. I turned my computer on/off, tried again, no luck. Then I thought what if I allow that connection on port 1040, so I opened Sygate, allowed the connection, and now I am back online. Would I be correct in thinking that it was a legal program that was using port 1040? If so, why was TDS telling me "Port 1040 = RAT infiltrator"?
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Don't worry, 127.0.0.1 isn't an Internet IP address, it is your own computer.
    Dolf
     
  3. tutankamon

    tutankamon Registered Member

    Hi Dollefie,
    So 127.0.0.1 is my own computer, that's fine, but why show port 1040? I don't understand.
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    On your computer there are always processes running which communicate with each other, and when they do this via TCP, then this address will be used and the port can be anything.
    Dolf
     
  5. Jooske

    Jooske Registered Member

    Did you try to have a look with PE?
    What you described is a typical netstat socket.
    You will notice applications using a port like your 1040, 1025, such numbers, and you will most of the time see two lines: one with UDP and another with TCP, like with the 137, 138, 139 ports for instance, both UDP and TCP, as they come in pairs.
    So there could be an application using the 1040, and in the netstat sockets you see the same number with localport and remote in many cases *.*.*.* port *
    or localhost port 0, so you know if the other one was not a suspicious process (default in red characters) it's ok.
    See the explanation recently for port 1025 here.
     
  6. tutankamon

    tutankamon Registered Member

    Hello Jooske,
    I have just bought Port Explorer because you refer to it on many occasions in your replies. I will have to read both the help files and the comments on the Port Explorer forum to gain experience in using it. As you can tell by my questions, I have a long way to go in learning about the internet.
     
  7. CrazyM

    CrazyM Firewall Expert

    IE will always establish a UDP localhost (loopback) connection. Without it, browsing will slow to a crawl or not at all.

    When network (Internet) connections are established, the port used on your system will be random and from what is referred to as the ephemeral ports: 1024-5000 (default on Windows systems). In your example, 1040 was used because it would have been the first available ephemeral port on your system.

    If you monitor your network (Internet) connections, you will see the various applications/services using these ephemeral ports for the local system port used, and be able to watch them increment up through the range and start over again once reaching 5000. The other part of the connection will involve the remote address and remote service (port) requested.

    Edit:

    Just to expand a little: checking connections and looking up ports, and what services and malicious apps they may be associated with, can be confusing at times.

    In your example, port 1040, when looked up in TDS's list, may be associated with "RAT infiltrator".

    You need to look at all the connection particulars. In this case, local and remote address = localhost, local and remote service/port = UDP 1040, application = IE.

    As mentioned this localhost connection is normal for IE. (attached pic shows this same connection on my system, the ephemeral port being used is 3090).

    If you had an unknown application listening for connections on local service/port 1040, then that would be cause for concern and further checking.
    (the pic also shows in this case a valid program acting as a server (listening for connections) on local service/port UDP 162).

    Regards,

    CrazyM
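
As an added illustration of the triage CrazyM describes (this is not part of the thread and is not TDS or Port Explorer code), the Python below parses `netstat -ano` output and judges each socket by owner, bind address and state instead of by a port-list lookup. The sample output, the PID-to-program map and the allowlist are constructed for the example.

```python
import re

EPHEMERAL = range(1024, 5001)  # Windows default range given in the thread

# Constructed `netstat -ano` sample, not captured from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1041      203.0.113.5:80         ESTABLISHED     2212
  UDP    127.0.0.1:1040         *:*                                    2212
  UDP    0.0.0.0:162            *:*                                    1500
  UDP    0.0.0.0:1040           *:*                                    3100
"""
# Constructed PID-to-image map (the kind of data `tasklist` supplies) and a
# hypothetical allowlist of programs the operator recognises.
PROCS = {884: "svchost.exe", 2212: "iexplore.exe", 1500: "snmptrap.exe"}
KNOWN = {"svchost.exe", "iexplore.exe", "snmptrap.exe"}

ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def parse(text):
    """Yield one dict per TCP/UDP row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, addr, port, remote, state, pid = m.groups()
            yield {"proto": proto, "addr": addr, "port": int(port),
                   "remote": remote, "state": state, "pid": int(pid)}

def triage(s):
    """Judge a socket by owner, bind address and state, not by port number."""
    owner = PROCS.get(s["pid"], "unknown")
    if owner not in KNOWN:
        return owner, "investigate"      # unidentified program holds the port
    if s["addr"].startswith("127.") or s["addr"] == "[::1]":
        return owner, "local-only"       # loopback: unreachable from the network
    if s["state"] == "LISTENING" or s["proto"] == "UDP":
        return owner, "exposed-known"    # recognised program acting as a server
    kind = "outbound" if s["port"] in EPHEMERAL else "exposed-known"
    return owner, kind

def report(text=SAMPLE):
    return [(s["proto"], s["addr"], s["port"], *triage(s)) for s in parse(text)]

if __name__ == "__main__":
    for row in report():
        print(row)
```

Both UDP 1040 rows would hit the same entry in a port list, yet only the one bound to all interfaces with no identified owner is marked for investigation.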
     


  8. tutankamon

    tutankamon Registered Member

    Thank you for that explanation, it is becoming a little clearer now.
     
  9. tepi

    tepi Registered Member

    My thanks too. It's also becoming a bit clearer to me. Though I have to admit to finding Port Explorer a bit overwhelming. For a quick check of which ports are active I prefer the much simpler freebie 'Active Ports.' In case anyone reading this thread is interested, here are a few details from:

    http://www.majorgeeks.com/download682.html

    Active Ports

    Easy to use tool for Windows NT/2000/XP that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to close any port. Active Ports can help you to detect trojans and other malicious programs.

    Regards
     
  10. illukka

    illukka Spyware Fighter

    IMO Port Explorer's extra capabilities (socket spy, kill socket, kill process, etc.) are well worth the price.
     
  11. illukka

    illukka Spyware Fighter

    If free is all you want then it's ok, why don't you just use the netstat -ano command... it doesn't even require a download... LOL
    Isn't Active Ports just a thinned-down Port Explorer...
     
  12. illukka

    illukka Spyware Fighter

    In which I wanted to point out that it's a $30 well spent. PE really is the best of its kind!
     
  13. Jooske

    Jooske Registered Member

    Hi guys,
    For Port Explorer I'd like to point you to the PE forum and especially this thread here: http://www.wilderssecurity.com/showthread.php?t=14918;start=0#msg108582

    Since this is the TDS forum, I would like to ask you to stay on topic about TDS and the original port 1040 issue in the thread here at hand.
     