closing a port
ok
a. How do I find what is being used on a port? b. How do I close it? My firewall picked up a trojan scan on one of my ports. Nothing is going out, but that port is open. I don't have a trojan, I should say, but the port is open and can be scanned. What do I do? |
Depends on what port it was. Some ports need to be open for certain applications. What port was scanned?
|
What port?
What firewall are you using? Hardware or software firewall? We need this information before we can provide an answer. |
If you get a router, it'll close all ports except for a few (and ones you specify). Then a firewall should tell you when a program tries to get in or out.
A cheap router probably costs $20 and a firewall is free. Check out ZoneAlarm or Sygate. Use Sygate if you use p2p. |
NMAP (*nix and Windows versions available) will tell you which ports are open on a specific machine.
In Windows, "netstat" can also give you good information. |
Sygate, and port 5000 is what is listed on the scan.
|
netstat will tell you what active connections you have (run netstat /a), but to see what processes have which connections you can download a utility called FPort at http://www.foundstone.com/resources/proddesc/fport.htm which will tell you that information.
|
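Added example, not part of any post in this thread: a Python sketch of the netstat-to-process mapping described above. It assumes a Windows build whose netstat accepts `-ano` (which adds a PID column); the sample output, PIDs and function names are constructed for illustration.

```python
# Constructed sample of `netstat -ano` output (illustrative, not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2016
  TCP    192.168.1.10:1055      203.0.113.7:80         ESTABLISHED     3140
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:1900           *:*                                    1120
"""

def parse_netstat(text):
    """Turn `netstat -ano` rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so they split into 4 fields, not 5.
        state = parts[3] if len(parts) == 5 else ""
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = parts[1].rpartition(":")
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "state": state, "pid": int(parts[-1])})
    return rows

def exposed_listeners(rows):
    """Sockets reachable from other hosts: listening TCP or bound UDP, not loopback."""
    out = []
    for r in rows:
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and not r["state"])
        loopback = r["addr"].startswith("127.") or r["addr"] == "[::1]"
        if listening and not loopback:
            out.append(r)
    return out

def owners_of_port(rows, port):
    """PIDs holding an exposed socket on the given port."""
    return sorted({r["pid"] for r in exposed_listeners(rows) if r["port"] == port})

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for r in exposed_listeners(rows):
        print(f'{r["proto"]} {r["addr"]}:{r["port"]} -> PID {r["pid"]}')
    print("port 5000 owned by PID(s):", owners_of_port(rows, 5000))
```

The PID can then be matched to a program name with `tasklist /FI "PID eq <pid>"`; closing the port means stopping or reconfiguring that program, or blocking the port at the firewall.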
2004/09/04 17:52:51 12.181.67.11:3183 (ip-12-181-67-11.dsl0-blvrtx.gvtc.com) 12.183.196.200:5000 Bubbel Trojan / Back Door Setup / Sockets de Troie Trojan
A computer at ip-12-181-67-11.dsl0-blvrtx.gvtc.com has attempted an unsolicited connection to TCP port 5000 on your machine. TCP port 5000 is commonly used by the Bubbel Trojan / Back Door Setup / Sockets de Troie Trojan service or program. The Source computer has scanned your machine for this trojan, but this has been blocked by our security filters.
That is what is hitting my port 5000. I don't have a trojan as far as I know of, but still I'm confused why this tard is hitting me. That is the info I got tracing the IP that hit me. Any clue what I should do? Probably a proxy, but don't know. |
Just being connected to the internet you will see activity like this. I would doubt if anyone is trying to hit your system specifically. Most likely it is a stupid script kiddie scanning a range of IP addresses to see what is out there. That is why a firewall/router is a requirement for anyone attached to the internet .. at least in my opinion. As long as you have an updated anti-virus, run spyware detection, and have a firewall you should be ok.
|