TDS-3 Backdoor Knock help, please

Discussion in 'Trojan Defence Suite' started by tk89, Aug 13, 2005.

Thread Status:
Not open for further replies.
  1. tk89

    tk89 Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    2
    Greetings all,

    I've got a simple question I was hoping someone here could help me with. I recently did a backdoor knock scan on my local computer and got the following reply/result from the TDS-3 backdoor plugin:

    UDP Port 31337 --> (o)
    UDP Port 60000 --> (o)

    I was wondering if the " (o) " in this case means that these two ports are open. I can't find any documentation on this...

    Thanks everyone,

    Ted
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Ted, those are UDP connections. It seems that on an XP system TDS doesn't show them as expected; on my Win98 system they are just "didn't respond", and on the XP I have the same as you.
    But I suppose you have "didn't respond" for port UDP 31666 as well.
    With the plugin Trojan Ports check you might see other ports open.

    If you activated the Sockets in the upper right corner you have TDS listening on those ports so eventual malware can never use those same ports.
     
  3. tk89

    tk89 Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    2
    Thanks, Jooske! I'll try out port explorer and see what turns up as well. I appreciate your help!
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    My Port Explorer shows me nicely the TDS sockets listening on those ports, the TCP as well as their corresponding UDP ports.
    You see that port 60000 as TCP and UDP both in the Backdoor Knock, good for this one
    RAT: DeepThroat 2.0 & 3.0, Foreplay or Reduced Foreplay, Sockets des Troie
    Port Explorer will show you some of the UDP connected to your computer name, others to the localhost name.
    In my HOSTS file I added an extra line like
    127.0.0.1 www.jooskesdomain.com (something not existing anyway)
    so Port Explorer will show in several cases that name instead of localhost, giving an idea what exactly is connected to where. :cool:
    Also very nice if you networked your system!
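
Added example, not part of the thread and not TDS-3 or Port Explorer code: a local check of whether the two ports from the Backdoor Knock output are already bound on this machine, using the same idea as the listening sockets described above (a port that is already held cannot be bound a second time). The function names and the default bind address are assumptions made for this sketch.

```python
import socket

# Ports taken from the Backdoor Knock output quoted in the thread.
THREAD_PORTS = [31337, 60000]

_KIND = {"udp": socket.SOCK_DGRAM, "tcp": socket.SOCK_STREAM}


def try_bind(port, proto="udp", host="0.0.0.0"):
    """Return a socket bound to (host, port), or None if the bind is refused.

    Assumption: default socket options (no SO_REUSEADDR), so a refusal
    normally means another socket already holds the port.
    """
    s = socket.socket(socket.AF_INET, _KIND[proto])
    try:
        s.bind((host, port))
        if proto == "tcp":
            s.listen(1)
        return s
    except OSError:
        s.close()
        return None


def port_in_use(port, proto="udp", host="0.0.0.0"):
    """True if something on this machine already holds the port."""
    s = try_bind(port, proto, host)
    if s is None:
        return True
    s.close()
    return False


def hold_ports(ports, proto="udp", host="0.0.0.0"):
    """Occupy every free port; return (held sockets by port, ports already taken)."""
    held, taken = {}, []
    for p in ports:
        s = try_bind(p, proto, host)
        if s is None:
            taken.append(p)
        else:
            held[p] = s
    return held, taken


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        for port in THREAD_PORTS:
            state = "in use" if port_in_use(port, proto) else "free"
            print(f"{proto.upper()} {port}: {state}")
```

A port reported as "in use" only says that some process holds it; which process that is has to be read from a tool that maps sockets to processes, such as the Port Explorer mentioned in the thread.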
     