Security Incidents mailing list archives
Re: DS trojan opens ports fport does not detect?
From: H Carvey <keydet89 () yahoo com>
Date: 15 Dec 2003 12:56:13 -0000
In-Reply-To: <4110.199.72.0.130.1071202370.squirrel () www zounds net>
> Recently, when attempting to play Dungeon Siege with a friend, I installed a crack he found on the internet. (We each purchased the game.)
Do you have the location where you downloaded the crack?
> His machine began responding to port scans on tcp 25 and 110.
Just out of curiosity, did you port scan him after installing the crack? If so, what tool did you use? Was it a plain vanilla TCP connect scan, or a stealth scan, or what? And when you say "responding", what do you mean? That the scanner found the ports to be open, or did you actually get a response, such as a banner?
> I could telnet to these ports, and the response was to clear my screen, and on any keypress, to drop the connection. He said he could not telnet to port 25 on his machine via localhost.
If the response was clear on your screen, what was the response?
> After installing the crack on my machine, I found I could telnet to port 25 and get the connection with no banner.
Did you telnet to localhost? Curious, as you stated that your friend could not do this...
> Neither Norton antivirus nor Ad-aware found anything. I erased the dll, and port 25 closed for a while, but it is open again (sigh).
It's not surprising that NAV or AdAware wouldn't find this stuff, but it does sound unusual that you would delete the DLL, and that the port would be open again. This might be explained by the fact that perhaps the DLL itself isn't to blame. Maybe something else, or something you installed along with the DLL was the culprit.
> But using tools like netstat, fport, or tcpview did not show any activity on 25 or 110.
Go to http://www.diamondcs.com.au/openports/, and get openports.exe.
> Zone Alarm isn't detecting it making outgoing connections.
From what you've said so far, it doesn't sound like it would...so your ZA results aren't surprising. It's good that you're being thorough, though.
What I'm curious about at this point is...was your friend running ZA? If so, why were ports 25 and 110 shown as open on his system?
> Isn't the point of a tool like fport to detect and find the application that opens ports? Is it common for these tools to be evaded?
Well, as with any tool, you have to know what you're doing. One doesn't use a hammer when they have to tighten a bolt...usually. It might help if you provided information regarding the configuration of the systems in question, to include operating systems, installed Service Packs and hotfixes, etc. Also, if you have a concern about a tool and how it operates, contacting the author(s) of the tool would be the preferred route. Of course, they're going to ask you a lot of the same things I mentioned above, too. Without that information, it's most likely that the "incident" will be chalked up to a bunch of clueless gamers. Let me know if there's anything I can do to help.

Harlan
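The discrepancy at the heart of this thread is a port that accepts a TCP connection (the telnet test) while netstat, fport and tcpview show no listener on it. The following is an added example, not code from the original poster or from Harlan, of the kind of cross-check an analyst would script to surface exactly that discrepancy: parse a `netstat -ano`-style listing into port-to-PID pairs, independently probe ports with a plain TCP connect, and report any port that answered the probe but has no LISTENING entry. The netstat sample is constructed for the example (it is not output from either system in the thread), and `demo()` stands up its own loopback listener so the whole thing runs offline.

```python
"""
Cross-check listening TCP ports reported by a port-to-process listing
against ports that actually accept a connection. A port that answers
connect() but is absent from the listing is a discrepancy that warrants
a closer look with an independent tool.
"""
import re
import socket
from typing import Dict, Iterable, Set, Tuple

# Constructed sample in the shape of Windows `netstat -ano` output.
# Not taken from the thread; it is only here to exercise the parser.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.10:1033      192.168.1.1:80         ESTABLISHED     1560
  UDP    0.0.0.0:137            *:*                                    4
"""

# One TCP line in LISTENING state: capture the local port and the PID.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.MULTILINE
)


def parse_listening_ports(netstat_text: str) -> Dict[int, int]:
    """Return {local_port: pid} for every TCP LISTENING line in the text."""
    return {int(port): int(pid) for port, pid in LISTEN_RE.findall(netstat_text)}


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes, i.e. the telnet test."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def find_unlisted_open_ports(listed: Dict[int, int],
                             observed_open: Iterable[int]) -> Set[int]:
    """Ports that accepted a connection but have no LISTENING entry."""
    return {p for p in observed_open if p not in listed}


def demo() -> Tuple[int, Set[int]]:
    """
    Start a real listener on an ephemeral loopback port, probe it, and compare
    the result with the constructed listing (which does not know about it).
    Returns (listener_port, set_of_unlisted_open_ports).
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    try:
        observed = {p for p in (port,) if probe_tcp_port("127.0.0.1", p, 0.5)}
    finally:
        server.close()
    listed = parse_listening_ports(SAMPLE_NETSTAT)
    return port, find_unlisted_open_ports(listed, observed)


if __name__ == "__main__":
    listener_port, unlisted = demo()
    print(f"listed by netstat sample: {sorted(parse_listening_ports(SAMPLE_NETSTAT))}")
    print(f"accepted a connection but unlisted: {sorted(unlisted)} "
          f"(loopback listener was on {listener_port})")
```

On a real system you would feed `parse_listening_ports()` the actual tool output and probe the ports you care about; a port that lands in the unlisted set is the cue to confirm with a second, independently written enumerator (the thread's suggestion of openports.exe is one such cross-check) rather than trusting a single listing.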