Port 3128 LISTEN! Trojan Horse???

Post by Bengt Thure » Fri, 18 Oct 2002 11:12:08
Hej,
I ran a firewall scan (www.pcflank.com Advanced port scanner) on my system,
and it reported that my port 3128 was OPEN.
3128 OPEN "Masters Paradise and RingZero" Trojan Horses

I ran netstat -a and saw
tcp4       0      0  *.3128                 *.*                    LISTEN

How do I find out which program is using this port?
grep 3128 in /etc/services does not report anything.

Would appreciate some hints in how to find out which programs are listening
to the various ports, and how to stop them if not needed...

Thanks in advance

/bengt

I am actually listening to the following ports (according to netstat -an)
gatsby# netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.2869                 *.*                    LISTEN
tcp4       0     20  192.168.20.1.22        192.168.20.2.1198      ESTABLISHED
tcp4       0      0  192.168.20.1.22        192.168.20.2.1441      ESTABLISHED
tcp4       0      0  192.168.20.1.8000      *.*                    LISTEN
tcp4       0      0  *.3128                 *.*                    LISTEN
tcp4       0      0  *.1029                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  MyExtIP.53  *.*                    LISTEN
tcp4       0      0  127.0.0.1.53           *.*                    LISTEN
tcp4       0      0  192.168.20.1.53        *.*                    LISTEN
tcp4       0      0  192.168.10.1.53        *.*                    LISTEN
udp4       0      0  *.1900                 *.*
udp4       0      0  *.3130                 *.*
udp4       0      0  *.*                    *.*
udp4       0      0  *.1718                 *.*
udp4       0      0  *.1719                 *.*
udp4       0      0  *.1028                 *.*
udp4       0      0  MyExtIp.53      *.*
udp4       0      0  127.0.0.1.53           *.*
udp4       0      0  192.168.20.1.53        *.*
udp4       0      0  192.168.10.1.53        *.*
udp4       0      0  *.514                  *.*
div4       0      0  *.8668                 *.*
ip 4       0      0  *.*                    *.*
icm4       0      0  *.*                    *.*
ip64       0      0  *.*                    *.*

--
Bengt Thuree

Please remove the "icke" and the "-reklam",
if you want to send me an e-mail.


Port 3128 LISTEN! Trojan Horse???

Post by Bengt Thure » Fri, 18 Oct 2002 11:57:33


Thanks :-)
Found lots of interesting things there...
Mostly programs I have installed but never gotten to work :-(
Like squid.... (problem with hotmail)
/Bengt

Quote:> On Thu, 17 Oct 2002 02:12:08 GMT, Bengt Thuree hunched over the
> keyboard, flexed their fingers and thumped:

> > Hej,
> > I run a firewall scan (www.pcflank.com Advanced port scanner) on my
> > system, and it reported that my port 3128 was OPEN.
> > 3128 OPEN "Masters Paradise and RingZero" Trojan Horses

> > I run a netstat -a and see
> > tcp4       0      0  *.3128                 *.*                    LISTEN

> > How do I find out which program is using this port?
> > grep 3128 in /etc/services does not report anything.

> [snip]

> sockstat will reveal the PID of the culprit

> --
> Simon

> Optus Cable Traffic Monitor
> http://members.optusnet.com.au/trafficstats/arp/


Port 3128 LISTEN! Trojan Horse???

Post by Scott Harri » Fri, 18 Oct 2002 12:58:35


Quote:> > How do I find out which program is using this port?
> > grep 3128 in /etc/services does not report anything.

Squid (cache proxy server) uses this port by default.

Regards,

Scott

Scott Harris
Cairns, Queensland, Australia
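The procedure the thread arrives at (list listeners with netstat -an, then map the port to a process with sockstat) as an added shell example; it is not code from any of the posters. The netstat text embedded below is a constructed sample in the FreeBSD layout, not the original poster's real output, and port_owner falls back to ss or lsof on Linux hosts where sockstat does not exist.

```shell
#!/bin/sh
# Added example: parse netstat -an output for listening TCP sockets, pick out
# the ones bound to every interface (the ones an external scanner can see),
# and look up the owning process with whichever tool the host provides.

# Constructed sample in FreeBSD "addr.port" layout (not the poster's real output).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.3128                 *.*                    LISTEN
tcp4       0     20  192.168.20.1.22        192.168.20.2.1198      ESTABLISHED
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  192.168.20.1.53        *.*                    LISTEN
udp4       0      0  *.514                  *.*'

# listening_ports: read netstat -an text on stdin and print "addr port" for
# every TCP socket in LISTEN state. The port is whatever follows the last
# "." (BSD) or ":" (Linux) in the local address column.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        la = $4
        n = split(la, parts, /[.:]/)
        port = parts[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        print addr, port
    }'
}

# exposed_listeners: keep only ports bound to all interfaces (*, 0.0.0.0, ::).
# A service on 127.0.0.1 or a LAN address does not answer an Internet scan;
# a wildcard-bound one like *.3128 does.
exposed_listeners() {
    listening_ports | awk '$1 == "*" || $1 == "0.0.0.0" || $1 == "::" { print $2 }'
}

# port_owner: show the process behind a listening port. sockstat is the
# FreeBSD tool named in the reply; ss and lsof are the Linux equivalents.
port_owner() {
    port=$1
    if command -v sockstat >/dev/null 2>&1; then
        # sockstat -4 -l columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
        sockstat -4 -l | awk -v p="$port" 'NR == 1 || $6 ~ (":" p "$")'
    elif command -v ss >/dev/null 2>&1; then
        ss -ltnp "sport = :$port"
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$port" -sTCP:LISTEN
    else
        echo "no socket-to-process tool (sockstat/ss/lsof) found" >&2
        return 1
    fi
}

# Demo on the constructed sample. On a live host the equivalent is
#   netstat -an | exposed_listeners
# followed by port_owner on each port that is printed.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Once port_owner names the process, the fix is the one the thread implies: if it is a service you installed and do not need (squid here), stop it and disable it at boot; if you need it only locally, bind it to 127.0.0.1 or the LAN address so it disappears from the exposed list. A port that maps to a process you cannot account for is the case worth treating as a possible compromise rather than a misconfiguration.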

1. close port 3128

I am running RedHat 7.1.  I am getting a lot of port scans from Chinese
spammers on port 3128 and would like to close that port.  I am not using
squid and the service is shut off.  Could someone please tell me how to
close port 3128 or direct me towards some information that could help?

Thanks in advance,
Tabitha
