Re: DS trojan opens ports fport does not detect?

From: H Carvey (keydet89_at_yahoo.com)
Date: 12/15/03

  • Next message: Lachniet, Mark: "RE: DS trojan opens ports fport does not detect?"
    Date: 15 Dec 2003 12:56:13 -0000
    To: incidents@securityfocus.com

    >Recently, when attempting to play Dungeon Siege with a friend, I installed
    >a crack he found on the internet. (we each purchased the game)
    >

    Do you have the location where you downloaded the crack?

    >His machine began responding to port scans on tcp 25 and 110.

    Just out of curiosity, did you port scan him after installing the crack? If so, what tool did you use? Was it a plain vanilla TCP connect scan, or a stealth scan, or what? And when you say "responding", what do you mean? That the scanner found the ports to be open, or did you actually get a response, such as a banner?

    > I could
    >telnet to these ports, and the response was to clear my screen, and on any
    >keypress, to drop the connection. He said he could not telnet to port 25
    >on his machine via localhost.

    If the response was clear on your screen, what was the response?

    >After installing the crack on my machine, I found I could telnet to port
    >25 and get the connection with no banner.

    Did you telnet to localhost? Curious, as you stated that your friend could not do this...

    >Neither Norton anti virus nor adaware found anything. I erased the dll,
    >and port 25 closed for a while, but it is open again (sigh).
    >

    It's not surprising that NAV or AdAware wouldn't find this stuff, but it does sound unusual that you would delete the DLL, and that the port would be open again. This might be explained by the fact that perhaps the DLL itself isn't to blame. Maybe something else, or something you installed along with the DLL was the culprit.

    >But using tools like netstat, fport, or tcpview did not show any activity
    >on 25 or 110.

    Go to http://www.diamondcs.com.au/openports/, and get openports.exe.

    > Zone alarm isn't detecting is making outgoing connections.

    From what you've said so far, it doesn't sound like it would...so your ZA results aren't surprising. It's good that you're being thorough, though.

    What I'm curious about at this point is...was your friend running ZA? If so, why were ports 25 and 110 shown as open on his system?

    >Isn't the point of a tool like fport to detect and find the application
    >that opens ports? Is it common for these tools to be evaded?
    >

    Well, as with any tool, you have to know what you're doing. One doesn't use a hammer when they have to tighten a bolt...usually. It might help if you provided information regarding the configuration of the systems in question, to include operating systems, installed Service Packs and hotfixes, etc.

    Also, if you have a concern about a tool and how it operates, contacting the author(s) of the tool would be the preferred route. Of course, they're going to ask you a lot of the same things I mentioned above, too. Without that information, it's most likely that the "incident" will be chalked up to a bunch of clueless gamers.

    Let me know if there's anything I can do to help.

    Harlan
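The symptom the thread turns on is a port that a remote scanner sees as open while netstat, fport and TCPView on the host show nothing on it. The added example below (not from the thread or any tool it mentions) implements that cross-view check: it parses a constructed `netstat -an`-style listing and a constructed connect-scan result (both formats are assumptions) and reports ports that are visible from the network but missing from the host's own view, which is the discrepancy that justifies examining the machine offline rather than trusting its local tools.

```python
import re

# Constructed sample, assumed to resemble "netstat -an" output on Windows.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample of a plain TCP connect scan run from another host
# (assumed "port/proto state service" layout).
SCAN_SAMPLE = """\
25/tcp   open  smtp
110/tcp  open  pop3
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
"""


def local_tcp_listeners(netstat_text):
    """Ports the host itself reports as TCP LISTENING (the 'inside' view)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header and UDP lines have no LISTENING state and are skipped.
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit on the last ':' also copes with [::]:port style addresses.
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def scanned_open_tcp(scan_text):
    """Ports a remote scanner reported as open (the 'outside' view)."""
    return {int(m.group(1))
            for m in re.finditer(r"^(\d+)/tcp\s+open\b", scan_text, re.MULTILINE)}


def hidden_listeners(netstat_text, scan_text):
    """Ports open from the network but absent from the local listing.

    A non-empty result means the host's own tools are giving an incomplete
    picture, so their output should not be relied on for the investigation."""
    return sorted(scanned_open_tcp(scan_text) - local_tcp_listeners(netstat_text))


if __name__ == "__main__":
    for port in hidden_listeners(NETSTAT_SAMPLE, SCAN_SAMPLE):
        print(f"{port}/tcp: open remotely, not listed by local netstat")
```

On a real case the two inputs would come from the scanner run on a separate machine and from netstat or fport on the suspect host; only the parsing of the two assumed formats needs adjusting.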
