Trojan and Open port - Netstat -a

Hi experts:

I am using MS-DOS to view my open ports with netstat -a (when the internet connection is off). From one of the books, I have learned that certain ports are trojan ports. In my netstat output I have 2 ports that are trojan ports, but I am not sure if that is correct.

This is the list of ports that are open (INTERNET CONNECTION IS OFF):

epmap
1025
1028
3531
1036
microsoft-ds
1026
1027 - (from the book that I have read, it is a trojan port - TCP - ICQ; I do not have any ICQ program running at that time)
1245 - same (from the book that I have read, it is a trojan port - TCP - VOODOO DOLL)
3531
4500
ntp
1900

What does that all mean? Thanks all.

How do I find out if I have a trojan port / trojan horse?

neonlightsAsked:

Tim HolmanCommented:
Are you running an antivirus package ?  These should pick up trojans.

If not, then to make sure you're clean:

Run Stinger on the machine -

http://vil.mcafeesecurity.com/vil/averttools.asp#stinger

A fuller free scan is available from http://housecall.trendmicro.com

If this doesn't pick up anything, please use HijackThis for diagnosis:

http://www.tomcoyote.org/hjt/

..and post the log @ www.hijackthis.de.

Autoruns is also useful in working out whether or not something has latched on to your system that shouldn't have:

http://www.sysinternals.com/Utilities/Autoruns.html

Then try SpyBot to clean up the rest of the mess:

http://www.safer-networking.org/en/download/

If any of these applications pick anything up, bear in mind you may need to disable System Restore AND run them again in SAFE MODE to ensure disinfection.

If this doesn't work, then at least we've eliminated 99.99% of what the problem may be...  :)

neonlightsAuthor Commented:
Thanks for your message Tim_holman.

Yes, I have Node32, an antivirus program, and it updates every hour. I also have the zonelap firewall.

Please let me know if I still have to do all these tests you just mentioned.

Thanks
rossfingalCommented:
Yes, you should probably try those tests.
Also, try the "Shields Up" test at Gibson Research:
https://www.grc.com/x/ne.dll?bh0bkyd2

RF

Tim HolmanCommented:
1245 isn't just a trojan port, it runs genuine apps too.
tcp/1027 is usually Windows Messenger, so you probably have that running.
Look at www.portsdb.org to look up ports.
netstat is NOT a reliable method of telling you whether or not your machine is infected.  You need to run a full AV scan to make doubly sure!
r-kCommented:
If you are using Windows/XP, you can use "netstat -ab" instead of "netstat -a"

It tells you directly which program is using which port, so you can decide easily.
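
Added example (not part of the original thread): a small parser that groups listening ports by owning process, since the replies above note that the port number alone does not identify a trojan. It assumes the numeric `netstat -ano` form, which prints the owning PID on one line per socket; the sample text is constructed, not taken from the asker's machine.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (illustrative only).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1180
  TCP    127.0.0.1:1245         0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:1036      203.0.113.5:80         ESTABLISHED     2312
  UDP    0.0.0.0:123            *:*                                    1040
  UDP    127.0.0.1:1900         *:*                                    1180
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, local, _remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":
            # UDP rows have no State column; mark them as bound sockets.
            proto, local, _remote, pid = f
            state = "BOUND"
        else:
            continue
        host, port = local.rsplit(":", 1)  # rsplit also copes with [::]:135
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "state": state, "pid": int(pid)})
    return rows


def listeners_by_pid(rows):
    """Map PID -> [(proto, port, scope)] for sockets that accept traffic."""
    out = defaultdict(list)
    for r in rows:
        if r["state"] not in ("LISTENING", "BOUND"):
            continue  # established/closing connections are not listeners
        scope = "loopback" if r["host"].startswith(LOOPBACK_PREFIXES) else "network"
        out[r["pid"]].append((r["proto"], r["port"], scope))
    return dict(out)


if __name__ == "__main__":
    for pid, socks in sorted(listeners_by_pid(parse_netstat(SAMPLE)).items()):
        print(pid, socks)
```

Each PID can then be resolved to a program name with `tasklist /FI "PID eq <pid>"`; a listener bound only to loopback is not reachable from other machines.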
neonlightsAuthor Commented:
Thank you all. I am at the https://www.grc.com/x/ne.dll?bh0bkyd2 site suggested by Rossfingal.

And this is what I got from FileSharing:

Am I safe? I was not able to understand the first one. Here is the message:



Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
 

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

 Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
neonlightsAuthor Commented:
And then I did the port test:


Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

And in the list of ports, one message keeps repeating. What does this mean: "There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!"

Thank you all
neonlightsAuthor Commented:
In my zonelab, I set Internet Zone Security and Trusted Zone Security to HIGH,

just in case you guys needed that information.
Tim HolmanCommented:
Is there anything more we can do to help?
Tim HolmanCommented:
Can you provide any update?  Did any suggestions help?  If you need assistance in closing down the question, visit http://www.experts-exchange.com/help.jsp.
neonlightsAuthor Commented:
Hi... it all worked - I was on vacation... sorry for the late reply... thanks all