Nice one for the bookmarks …
This would be a great resource if it were kept up to date, 5 years in the IT or rather malware world is an eternity.
Default ports used by some known trojan horses: as the table has not been updated since 2002 it should be used with caution today.
In reality they could use any port to attempt to gain entry, so we have to maintain overall port security.
Hi Darth_Mikey,
Your list is a reference point everywhere. See also this link: http://www.petri.co.il/trojan_ports_list.htm
What DavidR remarks may not be relevant, for with trojans it is as with proxies: users may come to use other port numbers.
There is a very important issue here, and I call it unawareness.
Let me give you an example:
“A false sense of security, is worse than insecurity.” – Steve Gibson
“Hey folks… wake up! The Internet is NOT a secure place!”
“May the Microsoft arrogance and obscurity lead to its demise”
At the workplace one found that a certain lady had opened up her computer fully to others, while she thought she only shared certain Windows documents. But after looking around on the Internet she found out that that was not so, no way. And it wasn’t so BY DEFAULT. And nobody told her; also M$ did not warn her. (What is secure with Windows, when we have so many illiterate users… I ask you all.)
Data, private or commercial, are out on the street (the Internet, that is) via NetBIOS. There are only few programs that give an indication that this is so.
So again, let’s talk about the dark side of file-sharing. How can one abuse file-sharing?
With file-sharing on, you immediately open up a port to the outside world. Nothing wrong there until you start sharing a file or folder (to think in Windows-like terms). The very port you open up under Windows is 139. When you open this port up, you can enter. Most people run a home PC without a password installed, so without them knowing they share things with the outside world, and one can guess what will happen: some in the know will abuse this knowledge inventively.
Through Linux one can mount a NetBIOS file-sharing system. That means getting access to the hard disk and changing files or removing these completely, copying them, whatever your fantasy tells you to do…
Nice theory, but now for live examples!
First, with an online port scanner, look for port 139 open. Then look at what directories have been mounted with the Samba client.
$ smbclient -L 10.0.0.150
added interface ip=10.0.0.4 bcast=10.255.255.255 nmask=255.0.0.0
session request to 10.0.0.150 failed (Called name not present)
session request to 10 failed (Called name not present)
Password:
Domain=[LION_650] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       External IPC
        ADMIN$         Disk      Remote control
        C$             Disk      Standardshare
        SOFTWARE       Disk
Yes, and there we go: everything without $ has not got a password installed.
What is smbclient?
The Samba client has been specially developed to make use of Microsoft’s file-sharing features. Say you own 20 Microsoft computers (this will turn your hair grey just to think of it), together with 20 Linux computers, and you like to share them all; well, M$ does not do that for you, and that is why Samba came in.
With the Samba client you can use Microsoft’s network file systems. Using the parameter -L you can see the shares. Want to know more about the Samba client? Just type ‘$ smbclient -h’ or ‘man smbclient’ in the command line.
On with this story: we have the IP and a number of mount points, now only the mounting itself. This can be done like this:
$ mount -t smbfs //10.0.0.150/SOFTWARE /mnt
When all is done right it mounts the share. Don’t forget we work with Windows, so when a prompt for a password comes by, just push enter.
When the share should be for instance Darth_Mikey (c) you’d give in:
//ip/Darth_Mikey\ (c)
So when the share has a space, give in \ \ for special characters: a \ before and a \ behind.
Quite easy, huh?
Well there is also a nice script that you only have to work around a little:
====> Netbios perl script, that automatically mounts SharedDocs mount on /mnt <====
#!/usr/bin/perl
use strict;
use warnings;

my $password = '';            # empty password, as the text says: just push enter
my $folder   = "SharedDocs";  # the share to mount; adjust for other shares
print "give in a certain ip :\r\n";
my $ip = <STDIN>;
chomp($ip);
# run mount (needs root) and read back whatever it reports
open(my $fh, '-|', "mount -t smbfs //$ip/$folder /mnt -o username=administrator,password=$password")
    or die "cannot run mount: $!";
print while <$fh>;
close($fh);
Like I have told you, nothing much there. Adjust the code so it snatches C$ also. Whenever that is in, that is total control…
Mounting NetBIOS is not an illegal thing; there is no circumventing any security, because security here is NON-EXISTENT. But entering computers you do not own is illegal, even when on the doormat it says “Welcome in to all that venture”.
I told you this little story just to demonstrate that a lot of users have all their data out in the open, without being aware of this fact. This is a true story both when someone uses packet-sniffers, and also with the NetBIOS story.
So some find it inspirational as a step-up to using Linux. It could be a sure way for black hats to hack your Windows PC. This is not the place to demonstrate this, but think of your protection by disabling file sharing and printer sharing by default.
Many ISPs, like in my country Chello, Planet and Xs4all, all block port 139 now as standard, because a lot of script kiddies abused it. It is a sad thing to see that ISPs must do the things M$ omits. But take nothing for granted, check all your connections. Maybe someone could inform us about the Linux NF rules?
Information found and translated from Dutch by Polonus -
http://wiki.nedlinux.nl/index.php?action=edit&page=NetBios | View document history: http://wiki.nedlinux.nl/index.php?action=history&page=NetBios
Document last modified Thu, 01 Dec 2005 19:01:04
© 2003–2007 NedDocWiki, unless stated otherwise. The content of this wiki may be used under the terms of the GNU Free Documentation License <gnufdl.html>, used according to the GNU Free Documentation Rules.
polonus
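As an added illustration (not part of polonus’s post or the NedLinux wiki): a small Python parser for the listing format that `smbclient -L` prints, as shown above, intended for auditing your own Windows hosts. It pulls the share table out of the output and flags the disk shares that are browsable (no trailing `$`), which is what the post says a stranger sees first. The listing below is a constructed sample modelled on the one in the post, with the same made-up banner.

```python
import re

# Constructed sample of `smbclient -L <host>` output, modelled on the listing in the post above.
# Administrative shares end in "$"; anything without "$" is browsable by whoever connects.
SAMPLE_LISTING = """\
Domain=[LION_650] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       External IPC
        ADMIN$          Disk      Remote control
        C$              Disk      Standardshare
        SOFTWARE        Disk
        Printer         Printer   HP LaserJet
"""

# One table row: share name, share type, optional free-text comment.
SHARE_RE = re.compile(r"^\s*(\S+)\s+(IPC|Disk|Printer)(?:\s+(.*))?$")

def parse_shares(listing):
    """Return (name, type, comment) tuples from the share table of an smbclient -L listing."""
    shares, in_table = [], False
    for line in listing.splitlines():
        if "Sharename" in line and "Type" in line:
            in_table = True          # header row: the table starts on the next line
            continue
        if not in_table or line.strip().startswith("---"):
            continue
        m = SHARE_RE.match(line)
        if m:
            shares.append((m.group(1), m.group(2), (m.group(3) or "").strip()))
        elif not line.strip():
            break                    # a blank line ends the table
    return shares

def exposed_disk_shares(listing):
    """Disk shares without a trailing '$': the ones an anonymous visitor is shown first."""
    return [name for name, typ, _ in parse_shares(listing) if typ == "Disk" and not name.endswith("$")]

def server_banner(listing):
    """(OS, Server) strings from the Domain=/OS=/Server= line, or None if absent."""
    m = re.search(r"OS=\[([^\]]*)\].*Server=\[([^\]]*)\]", listing)
    return (m.group(1), m.group(2)) if m else None
```

Run it over a listing of one of your own machines: every name that `exposed_disk_shares` returns is a share that should either be password-protected or not exist.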
Just surf safe and know where to go and not to go… common sense will go a long way.
Trojan horses can be protected against through end-user awareness, namely to treat them like a virus. Viruses can cause a great deal of damage to a personal computer but even more damage to a business, particularly a small business that usually does not have the same virus protection capabilities as a large business. Since a Trojan Horse virus payload is hidden, it is harder to protect yourself or your company from it, but there are things that you can do.
Trojan Horses are most commonly spread through an e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan Horse payload is hidden. The best ways to protect yourself and your company from Trojan Horses are as follows:
If you receive e-mail from someone that you do not know or you receive an unknown attachment, never open it right away. As an e-mail user, you should confirm the source. Some hackers have the ability to steal address books, so if you see e-mail from someone you know, it is not necessarily safe.
When setting up your e-mail client, make sure that you have the settings so that attachments do not open automatically. Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.
Make sure your computer has an anti-virus program on it and update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way if you forget to update your software you can still be protected from threats.
Operating systems offer patches to protect their users from certain threats. Software developers like Microsoft offer patches that in a sense “close the hole” that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches, your computer is kept much safer. However, it should be noted that ill-designed patches can sometimes put computers more at risk as they may open new “holes”.
Avoid using peer-to-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because they are generally unprotected from viruses and Trojan Horse viruses spread through them especially easily. Some of these programs do offer some virus protection, but this is often not strong enough. If you insist on using P2P, it would be safe to not download files that claim to be “rare” songs, books, movies, pictures, etc.
Besides these sensible precautions, one can also install anti-trojan software, some of which is offered free…
Methods of Infection
The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised to not open unexpected attachments on emails – the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn’t have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually. The chances of receiving the virus through an instant message are very low. It is usually received through a download.
By Websites:
You can be infected by visiting a rogue website.
Open ports:
Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL’s AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.
A firewall may be used to limit access to open ports. Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution, either.
Some of the modern trojans come through messages. They come in as a very important-looking message, but contain trojans; the executable files are the same as, or look the same as, those of Windows system processes like ‘Svchost.exe’. Some of the look-alike trojans are:
Svchost32.exe
Svhost.exe
back.exe
Road apple
A road apple is a real-world variation of a Trojan Horse that uses physical media and relies on the curiosity of the victim. The attacker leaves a malware infected floppy disc, CD ROM or USB key in a location sure to be found (bathroom, elevator, sidewalk), gives it a legitimate looking and curiosity piquing label - and simply waits.
Example: Get corporate logo off target’s web site, make a disk label using logo and write “Executive Salary Summary Q1 2007” on the front.
Methods of Deletion
Since trojan horses take a variety of forms, there isn’t a single method for deleting them. The simplest responses involve clearing the temporary internet files on a computer, or finding the file and deleting it manually. In some cases, registry editing or other treatments are needed.
Well-known trojan horses
Downloader-EV
Pest Trap
Sub7 (SubSeven)
Back Orifice
Back Orifice 2000
NetBus
flooder
Here is a very good ports-use info list etc. A download is available as a Windows HTML Help (.chm) file.
http://lists.thedatalist.com/portlist/lookup.php
Hello Peter !
A nice link you gave us … Thanks !
I usually try to avoid opening up a port which I know is being used by trojans, that’s why I keep that list in the bookmarks. It’s been there for quite some time though and I haven’t really noticed it isn’t updated anymore.
That look-up link is nice, updated as well.
Unfortunately there are times when we can’t avoid opening ports that can be used for trojans, using the above look-up link check out the email ports, 25, 110, 119, 143 and see what also uses these ports.
Yes that’s very true , but it’s a good idea not to use the ports which you know are used by trojans if you can.
TCP pop3 Post Office Protocol - Version 3 ProMail trojan, ADM worm
UDP pop3 Post Office Protocol - Version 3
My POP mail server uses port 110 and I get the above from that port lookup… should I be concerned, or what to do???
sorry double post :o
No need to be concerned, that’s the standard port for POP3. But you can check if there is any activity on that port when you have your mail program closed, just to be sure.
Thanks for that. What program can I use to check on activity when the POP3 is not being used on my laptop (Windows XP2), not on my quad-core desktop (Vista)? Or would there be a difference because of the OS???
The simplest way would be to check inside your firewall and see which connections are getting through.
Thanks darth_mikey, you’re right, wasn’t thinking, it’s a MONDAY morning here :
Just checked my PC Tools Firewall Plus activity: nothing.
@ drhayden1
avast ;D
It is monitoring the email ports for activity which is routed to the proxy for scanning; avast will baulk at non-email protocol traffic as it can’t scan it. If it is a bulk mailer, depending on your settings (High) it should detect multiple identical emails in a period of time (outbound). So it is a rudimentary if crude tool to monitor the email ports.
TCPView will monitor traffic but you have to suspect something as it isn’t a security tool like an AV or firewall, but an analysis tool. Obviously your firewall should provide some protection.
http://www.snapfiles.com/get/tcpview.html
Is this the one you are talking about DavidR???
Yes 8)
Or the official page http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx
Yes that’s the one I was talking about.
Another good combination drhayden1 to view this info is
CurrPorts: TCP/IP Connections Viewer: Freeware tool that displays the list of all currently opened TCP and UDP ports on your local computer
CurrPorts: TCP/IP Connections Viewer
Used in conjunction with
IPNetInfo 1.09:Find all available information about an IP address: The owner of the IP address, the country/state name, IP addresses range, contact information (address, phone, fax, and email), and more.
IPNetInfo
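As an added example (not from any poster in this thread, nor from TCPView or CurrPorts): the check DavidR suggests above, done offline in Python over the text that `netstat -ano` and `tasklist` produce on Windows. It flags three things the thread discusses: traffic on the mail ports (25, 110, 119, 143) owned by something other than your mail client, listeners on the default ports of the trojans named in the thread, and owning processes whose names mimic Windows system processes (the look-alike names listed earlier). The netstat rows and PID-to-image map are constructed samples, not captures from a real machine; the mail-client names are an assumption you set to your own client; the trojan port numbers are their well-known defaults, not taken from the linked port list.

```python
# Constructed sample of `netstat -ano` output on Windows (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1840
  TCP    192.0.2.10:1054        198.51.100.7:110       ESTABLISHED     1212
  TCP    192.0.2.10:1061        198.51.100.7:110       ESTABLISHED     1840
  UDP    0.0.0.0:137            *:*                                    4
"""
# Constructed PID -> image name map, as `tasklist` reports it (also not from a real machine).
SAMPLE_TASKS = {4: "System", 1212: "outlook.exe", 1840: "svhost.exe"}
MAIL_PORTS = {25, 110, 119, 143}                          # the mail ports discussed in the thread
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}         # assumption: set to your own mail client
LOOKALIKES = {"svchost32.exe", "svhost.exe", "back.exe"}  # look-alike names listed in the thread
# Well-known default ports of trojans named in the thread (general knowledge, not from the linked list).
TROJAN_PORTS = {12345: "NetBus", 27374: "Sub7", 31337: "Back Orifice"}

def parse_netstat(text):
    """Turn `netstat -ano` rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        rows.append({"proto": proto,
                     "local_port": int(local.rsplit(":", 1)[1]),
                     "foreign_port": foreign.rsplit(":", 1)[1],   # "*" for UDP wildcards
                     "state": parts[3] if proto == "TCP" else "",  # UDP rows carry no state
                     "pid": int(parts[-1])})
    return rows

def suspicious(rows, tasks):
    """Findings worth a second look; each is a plain sentence naming the PID and its image."""
    findings, flagged_pids = [], set()
    for r in rows:
        image = tasks.get(r["pid"], "?").lower()
        fport = r["foreign_port"]
        if r["state"] == "LISTENING" and r["local_port"] in TROJAN_PORTS:
            findings.append(f"pid {r['pid']} ({image}) listens on {r['local_port']}, "
                            f"the {TROJAN_PORTS[r['local_port']]} default port")
        if image in LOOKALIKES and r["pid"] not in flagged_pids:
            flagged_pids.add(r["pid"])   # report a look-alike image once, not per connection
            findings.append(f"pid {r['pid']} image name {image} mimics a Windows system process")
        if fport.isdigit() and int(fport) in MAIL_PORTS and image not in MAIL_CLIENTS:
            findings.append(f"pid {r['pid']} ({image}) talks to mail port {fport}")
    return findings
```

Run the two commands with your mail program closed, feed their output in, and an empty result is the "nothing" drhayden1 saw in the firewall log; anything returned names the process to investigate.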