Backdoors - Open ports commonly used by trojans - 1 Mydoom(3127)

Posted on 2004-11-04
Last Modified: 2013-12-19
I am using a utility called GFI LANguard N.S.S. along with my Sygate firewall. Occasionally I get called from some of the IPs on my network. When I use GFI LANguard to scan the IP I am finding the following vulnerabilities:

 High security vulnerabilities - 1
Backdoors - Open ports commonly used by trojans - 1  Mydoom(3127)
Mydoom(3127)

What is the best response to these vulnerabilities?

Thanks in advance for the help....
Question by:tqtclipper
12 Comments
 
LVL 24

Expert Comment

by:SunBow
ID: 12497670
You should be able to configure your firewall to first deny access to all ports, both incoming and outgoing. Once you do this you stop all such vulnerabilities, regardless of port. Following that, what you do is try to access the servers you need, and add back in the access to them, regardless of ports used. If they need a specific port, such as 3127, you can try to reconfigure your own to use a different port, to avoid the vulnerability. Sygate should allow this. If not performing well for you, try something else, such as ZoneLabs' etc. Just... learn your system well, and manage it as best you can.
 

Author Comment

by:tqtclipper
ID: 12502153
Is it safe to assume that the ip that is calling me with the:
 
High security vulnerabilities - 1
Backdoors - Open ports commonly used by trojans - 1  Mydoom(3127)
Mydoom(3127)

is a system that is trying to spread an infection? I am trying to determine if there is a virus on my network. I am finding this same vulnerability on several machines on my network.

Please advise.
 
LVL 37

Expert Comment

by:bbao
ID: 12507944
> Once you do this you stop all such vulnerabilities, regardless of port.

not exactly. you can NOT disable outgoing traffic to port 80, so some clients can surf the internet with their unprotected IEs, so worms, viruses and trojan programs might be downloaded and installed on the computers without explicit notice. in fact, nowadays it should be the top reason for known trojans.

briefly, you can NOT avoid an application's vulnerabilities by only blocking network traffic on a gateway or router, especially for the most popular services such as HTTP.

as for your symptom, it sounds like you have been hit by some spyware? try http://www.spybot.info/en/index.html

regards,
bbao
 
LVL 4

Expert Comment

by:riotz
ID: 12514846
yes the pc you're scanning is infected with the mydoom source..
it opened a backdoor on port 3127 and is actually scanning the whole internet for new vulnerable machines to infect..

you should locally log on to the infected pcs as fast as you can.. and remove the worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html

check the url for further instructions on how to remove it.

greets
riotz
 

Author Comment

by:tqtclipper
ID: 12516525
When I run the Symantec patch for this virus everything comes back clean. However the network scan (GFI LANguard N.S.S.) is still showing the vulnerability.

Ok, here come some "non-networking expert" questions:

Can I close the port?

Is there a tool that I can use to close the port?

Do I delete something out of the registry? What is the fix?

Thanks
 
LVL 4

Accepted Solution

by:
riotz earned 500 total points
ID: 12516782
well you can block access to a port with a firewall which you should use anyways

but i dunno if that's the right solution now too..

i would suggest you get fport first...
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

and identify which application is opening that port..

when you're not sure about the stuff just post the results.. i'll take a peek for you

greets
 

Author Comment

by:tqtclipper
ID: 12517028
Here are my fport results:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

N:\>c:

C:\>cd documents and settings

C:\Documents and Settings>cd hbc3284

C:\Documents and Settings\hbc3284>cd desktop

C:\Documents and Settings\hbc3284\Desktop>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
1096  svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
4     System         ->  139   TCP
4     System         ->  445   TCP
1328  svchost        ->  1025  TCP   C:\WINNT\System32\svchost.exe
4     System         ->  1036  TCP
1976                 ->  3004  TCP
1328  svchost        ->  3005  TCP   C:\WINNT\System32\svchost.exe
1328  svchost        ->  3006  TCP   C:\WINNT\System32\svchost.exe
4     System         ->  3063  TCP
4     System         ->  3185  TCP
4     System         ->  3245  TCP
4     System         ->  3329  TCP
1328  svchost        ->  3389  TCP   C:\WINNT\System32\svchost.exe
4     System         ->  3506  TCP
4     System         ->  3574  TCP
0     System         ->  3617  TCP
1676                 ->  5000  TCP
148   DWRCS          ->  6129  TCP   C:\WINNT\SYSTEM32\DWRCS.EXE

4     System         ->  123   UDP
1328  svchost        ->  123   UDP   C:\WINNT\System32\svchost.exe
4     System         ->  137   UDP
1676                 ->  138   UDP
1096  svchost        ->  445   UDP   C:\WINNT\system32\svchost.exe
4     System         ->  1026  UDP
1328  svchost        ->  1027  UDP   C:\WINNT\System32\svchost.exe
4     System         ->  1029  UDP
148   DWRCS          ->  1900  UDP   C:\WINNT\SYSTEM32\DWRCS.EXE
4     System         ->  1900  UDP
4     System         ->  2234  UDP
4     System         ->  2967  UDP
4     System         ->  3023  UDP
4     System         ->  3030  UDP

C:\Documents and Settings\hbc3284\Desktop>

However, when I run GFI LANguard N.S.S. it is still showing the vulnerability.

High security vulnerabilities (1)

Backdoors - Open ports commonly used by trojans (1)

Mydoom(3127)

I manage about 80 computers on my network. I am finding about 10 machines with this same vulnerability. Your help is greatly appreciated...
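A way to cross-check a scanner finding like "Mydoom(3127)" against the fport listing above, as an added example that is not from the original thread: parse fport's process-to-port table, ask whether anything on the host is actually bound to the flagged port, and separately probe the port over TCP. The sample listing is a constructed excerpt of the thread's output; the parser and probe are assumptions, not Foundstone or GFI code.

```python
import re
import socket
from dataclasses import dataclass
from typing import List

# Row layout of fport v2.0 output as it appears in the thread:
#   Pid   Process            Port  Proto Path
# The process name and path may be blank (e.g. pid 1976 above).
FPORT_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S*)\s*->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*)$"
)

@dataclass
class Binding:
    pid: int
    process: str
    port: int
    proto: str
    path: str

def parse_fport(text: str) -> List[Binding]:
    """Parse fport's table; banner, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            rows.append(Binding(int(m["pid"]), m["proc"], int(m["port"]),
                                m["proto"], m["path"].strip()))
    return rows

def bindings_for(rows: List[Binding], port: int, proto: str = "TCP") -> List[Binding]:
    """Return the processes bound to port/proto; empty means nothing is listening there."""
    return [b for b in rows if b.port == port and b.proto == proto]

def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Independent check from another host: does anything accept a TCP connect on host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed excerpt of the thread's fport listing.
SAMPLE_FPORT = """FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
1096  svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
4     System         ->  445   TCP
1976                 ->  3004  TCP
1328  svchost        ->  3389  TCP   C:\\WINNT\\System32\\svchost.exe
148   DWRCS          ->  6129  TCP   C:\\WINNT\\SYSTEM32\\DWRCS.EXE
4     System         ->  137   UDP
"""

if __name__ == "__main__":
    rows = parse_fport(SAMPLE_FPORT)
    print("3127/TCP bound on this host:", bool(bindings_for(rows, 3127)))
```

If neither the local binding list nor a remote connect shows 3127 open, the scanner's finding is not corroborated and a false positive is the likely explanation.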
 
LVL 4

Expert Comment

by:riotz
ID: 12517198
hmm i hope the dameware remote control server you're using is up to date.. cause there is a serious vulnerability in some older versions of it..
besides that i would say that your pc looks pretty normal and isn't infected with any worms or something...
it's probably just a false positive.. these vulnerability scanners tend to do that often..

whatever, just to be really sure
download the mydoom scanner from foundstone now and double scan the pcs with it

http://www.foundstone.com/resources/proddesc/mydoomscanner.htm

i guess nothing will show up

greets riotz!
 

Author Comment

by:tqtclipper
ID: 12517736
I just finished running the mydoom scanner from Foundstone for my entire network and it was clean. I guess my GFI LANguard N.S.S. network scanner is pretty bogus.. I never heard the term "false positive" but it sounds like that's the case. Anyway thanks for your help. I like the Foundstone website. I used to work next door to McAfee when it was a startup...
 

Author Comment

by:tqtclipper
ID: 12517753
riotz,

Are you familiar with the fpipe utility? I am being blocked by my firewall from using Yahoo webcam and I was wondering if I could use fpipe to redirect the stream... I know this is a different subject but I thought I would ask...
 
LVL 4

Expert Comment

by:riotz
ID: 12518312
uhm well i don't know that webcam soft.. but i don't think that you can..
fpipe is just a port redirector which redirects an incoming tcp stream on a specified port onto another location..
when the location that stream is coming in on is blocked in the first place i don't see any chance to redirect it
heh
maybe you need to set up a proxy or something..

btw it would be great if you would accept my answer and gimme some points ;)
 

Author Comment

by:tqtclipper
ID: 12634940
I was wondering if anyone has heard anything about Microsoft working on a patch for the High security vulnerabilities - 1
Backdoors - Open ports commonly used by trojans - 1 Mydoom(3127).

I posted this a week ago but I am not comfortable that I got the right answer.
