Backdoors - Open ports commonly used by trojans - 1 Mydoom(3127)

I am using a utility called GFI LANguard N.S.S. along with my Sygate firewall. Occasionally I get called from some of the IPs on my network. When I use GFI LANguard to scan the IP I am finding the following vulnerabilities:

 High security vulnerabilities - 1
Backdoors - Open ports commonly used by trojans - 1  Mydoom(3127)
Mydoom(3127)

What is the best response to these vulnerabilities?

Thanks in advance for the help....
tqtclipper Asked:
SunBow Commented:
You should be able to configure your firewall to first deny access to all ports, both incoming and outgoing. Once you do this you stop all such vulnerabilities, regardless of port. Following that, what you do is try to access the servers you need, and add back in the access to them, regardless of ports used. If they need a specific port, such as 3127, you can try to reconfigure your own to use a different port, to avoid the vulnerability. Sygate should allow this. If not performing well for you, try something else, such as ZoneLabs' etc. Just... learn your system well, and manage it as best you can.
0
tqtclipper Author Commented:
Is it safe to assume that the IP that is calling me with the:
 
High security vulnerabilities - 1
Backdoors - Open ports commonly used by trojans - 1  Mydoom(3127)
Mydoom(3127)

is a system that is trying to spread an infection? I am trying to determine if there is a virus on my network. I am finding this same vulnerability on several machines on my network.

Please advise.
0
bbao IT Consultant Commented:
> Once you do this you stop all such vulnerabilities, regardless of port.

not exactly. you can NOT disable outgoing traffic to port 80, so some clients can surf the internet with their unprotected IEs, so worms, viruses and trojan programs might be downloaded and installed on the computers without explicit notice. in fact, nowadays it should be the top reason for known trojans.

briefly, you can NOT avoid applications' vulnerabilities by only blocking network traffic on the gateway or router, especially for the most popular services such as HTTP.

as for your symptom, it sounds like you have been hit by some spyware? try http://www.spybot.info/en/index.html

regards,
bbao
0

riotz Commented:
yes, the PC you're scanning is infected with the Mydoom source..
it opened a backdoor on port 3127 and is actually scanning the whole internet for new vulnerable machines to infect..

you should locally log on to the infected PCs as fast as you can.. and remove the worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html

check the url for further instructions on how to remove it.

greets
riotz
0
tqtclipper Author Commented:
When I run the Symantec patch for this virus everything comes back clean. However the network scan (GFI LANguard N.S.S.) is still showing the vulnerability.

Ok, here come some "non-networking expert" questions:

Can I close the port?

Is there a tool that I can use to close the port?

Do I delete something out of the registry? What is the fix?

Thanks
0
riotz Commented:
well, you can block access to a port with a firewall, which you should use anyway

but i dunno if that's the right solution now too..

i would suggest you get fport first...
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

and identify which application is opening that port..

when you're not sure about the stuff just post the results.. i'll take a peek for you

greets
0

tqtclipper Author Commented:
Here are my fport results:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

N:\>c:

C:\>cd documents and settings

C:\Documents and Settings>cd hbc3284

C:\Documents and Settings\hbc3284>cd desktop

C:\Documents and Settings\hbc3284\Desktop>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
1096  svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
4     System         ->  139   TCP
4     System         ->  445   TCP
1328  svchost        ->  1025  TCP   C:\WINNT\System32\svchost.exe
4     System         ->  1036  TCP
1976                 ->  3004  TCP
1328  svchost        ->  3005  TCP   C:\WINNT\System32\svchost.exe
1328  svchost        ->  3006  TCP   C:\WINNT\System32\svchost.exe
4     System         ->  3063  TCP
4     System         ->  3185  TCP
4     System         ->  3245  TCP
4     System         ->  3329  TCP
1328  svchost        ->  3389  TCP   C:\WINNT\System32\svchost.exe
4     System         ->  3506  TCP
4     System         ->  3574  TCP
0     System         ->  3617  TCP
1676                 ->  5000  TCP
148   DWRCS          ->  6129  TCP   C:\WINNT\SYSTEM32\DWRCS.EXE

4     System         ->  123   UDP
1328  svchost        ->  123   UDP   C:\WINNT\System32\svchost.exe
4     System         ->  137   UDP
1676                 ->  138   UDP
1096  svchost        ->  445   UDP   C:\WINNT\system32\svchost.exe
4     System         ->  1026  UDP
1328  svchost        ->  1027  UDP   C:\WINNT\System32\svchost.exe
4     System         ->  1029  UDP
148   DWRCS          ->  1900  UDP   C:\WINNT\SYSTEM32\DWRCS.EXE
4     System         ->  1900  UDP
4     System         ->  2234  UDP
4     System         ->  2967  UDP
4     System         ->  3023  UDP
4     System         ->  3030  UDP

C:\Documents and Settings\hbc3284\Desktop>

However, when I run GFI LANguard N.S.S. it is still showing the vulnerability.

High security vulnerabilities (1)

Backdoors - Open ports commonly used by trojans (1)

Mydoom(3127)

I manage about 80 computers on my network. I am finding about 10 machines with this same vulnerability. Your help is greatly appreciated...

0
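A way to check an fport listing like the one above for the port the scanner flagged, as an added example that is not from this thread or from Foundstone's tool: it parses fport's text output and reports any TCP listener on 3127 together with the owning PID, process and binary, which is exactly what the port scanner alone cannot tell you. The sample listing is constructed in fport's format, and its 3127 rows are made up to exercise the check; the thread's own listing has none.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Ports a scanner flags as "commonly used by trojans"; only the thread's (Mydoom, TCP 3127) is listed.
SUSPECT_PORTS = {3127: "Mydoom"}

class Listener(NamedTuple):
    pid: int
    process: Optional[str]  # fport prints nothing when it cannot resolve the PID
    port: int
    proto: str
    path: Optional[str]     # absent for kernel-owned sockets (PID 4 "System")

# One fport data row: "<pid>  <process>  ->  <port>  <proto>  <path>".
# Banner, column header, prompts and blank lines do not match and are skipped.
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S*)\s*->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(output: str) -> List[Listener]:
    rows = []
    for line in output.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append(Listener(int(pid), proc or None, int(port), proto,
                                 path.strip() or None))
    return rows

def flag_suspect(rows: List[Listener]) -> List[Tuple[Listener, str]]:
    # The Mydoom backdoor is a TCP listener; UDP on the same number is unrelated.
    return [(r, SUSPECT_PORTS[r.port]) for r in rows
            if r.proto == "TCP" and r.port in SUSPECT_PORTS]

def describe(hits: List[Tuple[Listener, str]]) -> List[str]:
    # Human-readable lines an admin can paste into a ticket or a reply.
    return [f"PID {r.pid} ({r.process or 'unknown'}) listens on TCP/{r.port} "
            f"[{name}]; binary: {r.path or 'not resolved'}" for r, name in hits]

# Constructed sample in fport's format; the two 3127 rows are made up to
# exercise the check and do not come from the thread's listing.
SAMPLE_FPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
1096  svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
4     System         ->  445   TCP
1976                 ->  3004  TCP
2222  badproc        ->  3127  TCP   C:\WINNT\system32\badproc.exe
4     System         ->  3127  UDP
"""
```

Run it against a saved `fport > fport.txt` capture from each flagged machine; an empty result from `flag_suspect` means nothing on the host is bound to TCP 3127 and the scanner's finding deserves the false-positive suspicion raised below.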
riotz Commented:
hmm, i hope the DameWare remote control server you're using is up to date.. cause there is a serious vulnerability in some older versions of it..
besides that i would say that your PC looks pretty normal and isn't infected with any worms or something...
it's probably just a false positive.. these vulnerability scanners often tend to do that..

whatever, just to be really sure
download the Mydoom scanner from Foundstone now and double scan the PCs with it

http://www.foundstone.com/resources/proddesc/mydoomscanner.htm

i guess nothing will show up

greets riotz!
0
tqtclipper Author Commented:
I just finished running the Mydoom scanner from Foundstone for my entire network and it was clean. I guess my GFI LANguard N.S.S. network scanner is pretty bogus.. I never heard the term "false positive" but it sounds like that's the case. Anyway thanks for your help. I like the Foundstone website. I used to work next door to McAfee when it was a startup...


0
tqtclipper Author Commented:
riotz,

Are you familiar with the fpipe utility? I am being blocked by my firewall from using Yahoo webcam and I was wondering if I could use fpipe to redirect the stream... I know this is a different subject but I thought I would ask...

0
riotz Commented:
uhm, well i don't know that webcam software.. but i don't think that you can..
fpipe is just a port redirector which redirects an incoming TCP stream on a specified port onto another location..
when the location that stream is coming in to is blocked in the first place, i don't see any chance to redirect it
heh
maybe you need to set up a proxy or something..

btw it would be great if you would accept my answer and gimme some points ;)
0
tqtclipper Author Commented:
I was wondering if anyone has heard anything about Microsoft working on a patch for the "High security vulnerabilities - 1
Backdoors - Open ports commonly used by trojans - 1  Mydoom(3127)" finding.

I posted this a week ago but I am not comfortable that I got the right answer.

 
0