Backdoors - Open ports commonly used by trojans - 1 Mydoom(3127)

Posted on 2004-11-04
Last Modified: 2013-12-19
I am using a utility called GFI LANguard N.S.S along with my Sygate firewall. Occasionally I get called from some of the IPs on my network. When I use GFI LANguard to scan the IP I am finding the following vulnerabilities:

 High security vulnerabilities - 1
Backdoors - Open ports commonly used by trojans - 1  Mydoom(3127)

What is the best response to these vulnerabilities?

Thanks in advance for the help....
Question by:tqtclipper
    LVL 24

    Expert Comment

    You should be able to configure your firewall to first deny access to all ports, both incoming and outgoing. Once you do this you stop all such vulnerabilities, regardless of port. Following that, what you do is try to access the servers you need, and add back in the access to them, regardless of ports used. If they need a specific port, such as 3127, you can try to reconfigure your own to use a different port, to avoid the vulnerability. Sygate should allow this. If it is not performing well for you, try something else, such as ZoneLabs', etc. Just... learn your system well, and manage it as best you can.

    Author Comment

    Is it safe to assume that the IP that is calling me with the:
    High security vulnerabilities - 1
    Backdoors - Open ports commonly used by trojans - 1  Mydoom(3127)

    is a system that is trying to spread an infection? I am trying to determine if there is a virus on my network. I am finding this same vulnerability on several machines on my network.

    Please advise.
    LVL 37

    Expert Comment

    by:Bing CISM / CISSP
    > Once you do this you stop all such vulnerabilities, regardless of port.

    Not exactly. You can NOT disable outgoing traffic to port 80, so some clients can surf the internet with their unprotected IEs, so worms, viruses and trojan programs might be downloaded and installed on the computers without explicit notice. In fact, nowadays it should be the top cause of known trojans.

    Briefly, you can NOT avoid applications' vulnerabilities by only blocking network traffic on the gateway or router, especially for the most popular services such as HTTP.

    As for your symptom, it sounds like you have been hit by some spyware? Try

    LVL 4

    Expert Comment

    Yes, the PC you're scanning is infected with the Mydoom source..
    It opened a backdoor on port 3127 and is actually scanning the whole internet for new vulnerable machines to infect..

    You should locally log on to the infected PCs as fast as you can.. and remove the worm.

    Check the URL for further instructions on how to remove it.


    Author Comment

    When I run the Symantec patch for this virus everything comes back clean. However, the network scan (GFI LANguard N.S.S) is still showing the vulnerability.

    OK, here come some "non-networking expert" questions:

    Can I close the port?

    Is there a tool that I can use to close the port?

    Do I delete something out of the registry? What is the fix?

    LVL 4

    Accepted Solution

    Well, you can block access to a port with a firewall, which you should use anyway.

    But I dunno if that's the right solution now too..

    I would suggest you get fport first...

    and identify which application is opening that port..

    When you're not sure about the stuff, just post the results.. I'll take a peek for you.


    Author Comment

    Here are my fport results:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.


    C:\>cd documents and settings

    C:\Documents and Settings>cd hbc3284

    C:\Documents and Settings\hbc3284>cd desktop

    C:\Documents and Settings\hbc3284\Desktop>fport
    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.

    Pid   Process            Port  Proto Path
    1096  svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
    4     System         ->  139   TCP
    4     System         ->  445   TCP
    1328  svchost        ->  1025  TCP   C:\WINNT\System32\svchost.exe
    4     System         ->  1036  TCP
    1976                 ->  3004  TCP
    1328  svchost        ->  3005  TCP   C:\WINNT\System32\svchost.exe
    1328  svchost        ->  3006  TCP   C:\WINNT\System32\svchost.exe
    4     System         ->  3063  TCP
    4     System         ->  3185  TCP
    4     System         ->  3245  TCP
    4     System         ->  3329  TCP
    1328  svchost        ->  3389  TCP   C:\WINNT\System32\svchost.exe
    4     System         ->  3506  TCP
    4     System         ->  3574  TCP
    0     System         ->  3617  TCP
    1676                 ->  5000  TCP
    148   DWRCS          ->  6129  TCP   C:\WINNT\SYSTEM32\DWRCS.EXE

    4     System         ->  123   UDP
    1328  svchost        ->  123   UDP   C:\WINNT\System32\svchost.exe
    4     System         ->  137   UDP
    1676                 ->  138   UDP
    1096  svchost        ->  445   UDP   C:\WINNT\system32\svchost.exe
    4     System         ->  1026  UDP
    1328  svchost        ->  1027  UDP   C:\WINNT\System32\svchost.exe
    4     System         ->  1029  UDP
    148   DWRCS          ->  1900  UDP   C:\WINNT\SYSTEM32\DWRCS.EXE
    4     System         ->  1900  UDP
    4     System         ->  2234  UDP
    4     System         ->  2967  UDP
    4     System         ->  3023  UDP
    4     System         ->  3030  UDP

    C:\Documents and Settings\hbc3284\Desktop>

    However, when I run GFI LANguard N.S.S it is still showing the vulnerability.

    High security vulnerabilities (1)

    Backdoors - Open ports commonly used by trojans (1)


    I manage about 80 computers on my network. I am finding about 10 machines with this same vulnerability. Your help is greatly appreciated...
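The cross-check the accepted answer asks for (run fport, then see what owns the flagged port) can be done mechanically over the listing above. This is an added example, not code from the thread, from GFI or from Foundstone: it parses fport's process-to-port table, reports any listener on a port the scanner flagged, and separately reports listeners fport printed with no process name. The sample text is constructed from a subset of the listing posted above; the watchlist holds only the port named in the scanner finding.

```python
"""Cross-check a scanner's 'trojan port' finding against fport output.

Added example; not code from the thread, from GFI or from Foundstone. The
layout parsed here is the one fport v2.0 prints:  pid  process  ->  port  proto  path
"""
from dataclasses import dataclass
from typing import List

# Port -> label, taken from the GFI LANguard finding quoted in the question.
WATCHLIST = {3127: "Mydoom (GFI LANguard 'open ports commonly used by trojans')"}

# Constructed sample: a subset of the fport listing posted in the thread.
FPORT_OUTPUT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
1096  svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
4     System         ->  139   TCP
4     System         ->  445   TCP
1328  svchost        ->  1025  TCP   C:\WINNT\System32\svchost.exe
1976                 ->  3004  TCP
1328  svchost        ->  3389  TCP   C:\WINNT\System32\svchost.exe
1676                 ->  5000  TCP
148   DWRCS          ->  6129  TCP   C:\WINNT\SYSTEM32\DWRCS.EXE

4     System         ->  123   UDP
1676                 ->  138   UDP
148   DWRCS          ->  1900  UDP   C:\WINNT\SYSTEM32\DWRCS.EXE
"""


@dataclass(frozen=True)
class Listener:
    pid: int
    process: str   # empty when fport could not name the owning process
    port: int
    proto: str
    path: str      # empty for kernel-owned sockets (pid 0/4) and unmapped ones


def parse_fport(text: str) -> List[Listener]:
    """Turn fport's table into Listener records; banner/header/prompt lines are skipped."""
    listeners = []
    for line in text.splitlines():
        if "->" not in line:
            continue                                  # banner, header, prompt
        left, right = line.split("->", 1)
        left_fields = left.split()                    # [pid] or [pid, process]
        right_fields = right.split(None, 2)           # [port, proto, (path)]
        if len(left_fields) < 1 or len(right_fields) < 2:
            continue
        try:
            pid, port = int(left_fields[0]), int(right_fields[0])
        except ValueError:
            continue
        process = left_fields[1] if len(left_fields) > 1 else ""
        path = right_fields[2].strip() if len(right_fields) > 2 else ""
        listeners.append(Listener(pid, process, port, right_fields[1], path))
    return listeners


def flagged_ports(listeners, watchlist=WATCHLIST):
    """Listeners whose port is on the scanner's watchlist (here: TCP/UDP 3127)."""
    return [l for l in listeners if l.port in watchlist]


def unattributed(listeners):
    """Listeners fport printed with no process name: worth a second look by hand."""
    return [l for l in listeners if not l.process]


def port_is_open(listeners, port, proto="TCP"):
    """True if some process (or the kernel) is bound to port/proto on this host."""
    return any(l.port == port and l.proto == proto for l in listeners)


if __name__ == "__main__":
    found = parse_fport(FPORT_OUTPUT)
    for hit in flagged_ports(found):
        print(f"WATCHLIST HIT: {hit.proto} {hit.port} pid {hit.pid} {hit.process or '?'} {hit.path}")
    for l in unattributed(found):
        print(f"unattributed listener: {l.proto} {l.port} pid {l.pid}")
    print("TCP 3127 bound on this host:", port_is_open(found, 3127))
```

Against the listing above this reports no listener on 3127 at all, which is the first sign the scanner finding is not backed by a real socket on the host; it also surfaces pids 1976 and 1676, which fport could not map to an executable, so those are the ones to look at in Task Manager before declaring the machine clean.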

    LVL 4

    Expert Comment

    Hmm, I hope the DameWare remote control server you're using is up to date.. 'cause there is a serious vulnerability in some older versions of it..
    Besides that, I would say that your PC looks pretty normal and isn't infected with any worms or anything...
    It's probably just a false positive.. these vulnerability scanners often tend to do that..

    Whatever, just to be really sure,
    download the Mydoom scanner from Foundstone now and double-scan the PCs with it.

    I guess nothing will show up.

    greets riotz!
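The "double-scan" riotz suggests can also be done with nothing more than a TCP connect from another machine on the LAN: a scanner finding that 3127 is "open" is only as good as the probe behind it, and a plain connect() tells you whether anything completes a handshake there. This is an added example, not the Foundstone Mydoom scanner and not GFI code. One caveat a practitioner should keep in mind: if the host firewall on the target (Sygate, in this thread) drops the probe, the result is False even if a listener exists, so fport run on the host itself remains the authoritative check. `local_listener()` exists only so the example can be exercised against 127.0.0.1; `HOSTS` is a constructed address list, not the asker's network.

```python
"""Confirm a flagged 'trojan port' with a direct TCP connect.

Added example; not the Foundstone Mydoom scanner or any GFI code. probe()
reports True only when the TCP handshake completes. A True result means a
socket is bound on that port, not that it belongs to Mydoom; a False result
can also mean a host firewall dropped the probe.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

MYDOOM_PORT = 3127          # port named in the GFI LANguard finding


def probe(host: str, port: int = MYDOOM_PORT, timeout: float = 1.0) -> bool:
    """True if host:port accepts a TCP connection; False on refusal/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:             # ECONNREFUSED, EHOSTUNREACH, timeout, ...
        return False


def sweep(hosts: Iterable[str], port: int = MYDOOM_PORT,
          timeout: float = 1.0, workers: int = 32) -> List[str]:
    """Probe every host in parallel; return the sorted hosts that answered."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = pool.map(lambda h: probe(h, port, timeout), hosts)
        return sorted(h for h, ok in zip(hosts, answers) if ok)


def local_listener(port: int = 0) -> Tuple[socket.socket, int]:
    """Bind+listen on 127.0.0.1 (port 0 = any free port); return (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Self-test on loopback: a listening port shows as open, a closed one does not.
    srv, port = local_listener()
    print(f"127.0.0.1:{port} (listening) ->", probe("127.0.0.1", port))
    srv.close()
    print(f"127.0.0.1:{port} (closed)    ->", probe("127.0.0.1", port))
    # Real use: the ten machines the scanner flagged (constructed addresses here).
    HOSTS = [f"192.0.2.{i}" for i in range(1, 11)]
    print("hosts answering on TCP 3127:", sweep(HOSTS, MYDOOM_PORT, timeout=0.5))
```

Run it from a machine other than the ones being checked, with the ten flagged addresses in `HOSTS`; an empty result together with a clean fport listing on each host is what a genuine false positive looks like, while any host that does answer gets fport run on it next to find the owning process.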

    Author Comment

    I just finished running the Mydoom scanner from Foundstone for my entire network and it was clean. I guess my GFI LANguard N.S.S network scanner is pretty bogus.. I never heard the term "false positive" but it sounds like that's the case. Anyway, thanks for your help. I like the Foundstone website. I used to work next door to McAfee when it was a startup...


    Author Comment


    Are you familiar with the fpipe utility? I am being blocked by my firewall from using Yahoo webcam and I was wondering if I could use fpipe to redirect the stream... I know this is a different subject but I thought I would ask...

    LVL 4

    Expert Comment

    Uhm, well, I don't know that webcam software.. but I don't think that you can..
    fpipe is just a port redirector which redirects an incoming TCP stream on a specified port to another location..
    When the location that stream is coming in on is blocked in the first place, I don't see any chance to redirect it.
    Maybe you need to set up a proxy or something..

    BTW, it would be great if you would accept my answer and give me some points ;)

    Author Comment

    I was wondering if anyone heard anything about Microsoft working on a patch for  the High security vulnerabilities - 1
    Backdoors - Open ports commonly used by trojans - 1  Mydoom(3127).

    I posted this a week ago but I am not comfortable that I got the right answer.

