Firewall Wizards mailing list archives

Trojan detection and open ports


From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Fri, 7 Sep 2001 02:06:57 -0700

Have a client whose laptop was recently infected by the new Magistr.B 
virus.

In investigating this problem, I noticed that this machine (Win98SE) 
had some mysterious open ports, in particular:

135: TCP
5053: TCP
7000: TCP
7000: UDP

135 I remember from somewhere as normal (a NetBIOS thing?) but lists 
I have call it "DCE endpoint resolution" which doesn't make any sense 
to me.  None of the trojan port lists I reviewed showed anything on 
5053, and 7000 is used by SubSeven, among others.  Using a trojan 
scanner didn't turn up anything.

Anyone have any ideas what might be keeping those ports open?

Lastly - I was hoping to find some sort of tool that would scan for 
common open ports used by trojan programs, but the only anti-trojan 
tools I seem to be able to easily find are ones that run on the local 
PC.  Any pointers to something that works like the various DDoS 
zombie scanners or the eEye CodeRed scanner?

Thanks,


Phil



--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

