Question about my listening ports
The Duck
June 3rd, 2004, 12:39 AM
Hey guys, I have this question, it's about this program that is running on this specific port.
I did a netstat -a and it showed that port 5180 was listening. I did a fport on it and it showed that aim.exe was on this port. So I connected my AIM, but my AIM connects to port 5190, like most AIMs I know. I did research on port 5180 and I found that a trojan uses this port. The trojan's name is Backdoor.Peeper. According to Symantec this is a trojan that allows remote control of the computer. I used "The Cleaner" and it showed me that I had some trojans, but none of this type. So can anyone help me out?
mjk
June 3rd, 2004, 01:04 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=258332#post753023) by Soda_Popinsky
Google for fport, by foundstone
Best tool ever for this sort of thing.
I did a fport on it and it showed that aim.exe was on this port
Uh oh! Read twice, post once :p (just jokin w/ ya)
Anyways it looks like the peeper trojan, as you said. The default server name is internt.exe.. but most of the time trojans will be renamed to look like a well-known application. Check in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
That's where it starts up from. If you see aim.exe remove it.
Hope this helps.
mjk
The Duck
June 3rd, 2004, 02:36 AM
But shouldn't the cleaner be able to clean it up?
I hate going into the registry... :(
Unfortunately I don't know the registry that well... If you could be kind enough to walk me through the process I would be very grateful :) .
EDIT***
Well, I checked the registry and didn't see an aim.exe. I only saw things that looked like I needed. Any other ideas?
P.S. I knew how to get to the registry, I just don't feel comfortable there ;) .
Atticus|1
June 3rd, 2004, 02:40 AM
Start->run->regedit
Then use the path given to you.
Oh and if you find what you want to delete right click for option...and make a back up first.
The Duck
June 3rd, 2004, 02:48 AM
Will that back up the WHOLE registry?
Atticus|1
June 3rd, 2004, 02:50 AM
This will...assuming it's NT/2000/XP...
Click Start > Programs > Accessories > System Tools > Backup.
Click Advanced Mode.
On the Welcome tab, click the Backup Wizard (Advanced) button.
Click Next.
Select "Only back up the System State data", and then click Next.
Click the Browse button.
Click Cancel if the "Insert Disk" warning message pops up.
In the Save As dialog box, choose a location to save your registry back up.
Click Save.
Click Next.
Review the information in this window. Your Contents should say "Back up only the system state." Click Finish.
When the back up completes click Close.
Your registry is now backed up. You may close the Backup Utility window.
Win9x
Click Start, click Run, type scanregw, and then click OK.
When you receive a prompt to back up the registry, click Yes.
When you receive the "Backup complete" message, click OK.
I used this link as quick reference BTW...
Symantec (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam)
The Duck
June 3rd, 2004, 02:56 AM
I don't have a "back up" option in my system tools menu. Is there another name that it would be called?
Atticus|1
June 3rd, 2004, 02:58 AM
The thing is ...you never said what OS you were using.
Don't you have Spybot S&D or something? It has an option to back it up, I believe.
//2nd edit...If the Cleaner was updated and all, are you sure it didn't make the necessary changes? What exact trojans did it find? Need more info, I guess.
The Duck
June 3rd, 2004, 04:12 AM
Yes, I have Spybot Search and Destroy and yes the cleaner is updated. It found 4 trojans that just tracked my internet activities, like spyware, and the other one was called...stumpy... I think. What stumpy does is open a connection to another server or ftp site and download other trojans. Before I ran the cleaner I did the Trend Micro online scanner. It found a trojan too, but it just did small simple things like reset your homepage and stuff. Yesterday I ran Spybot Search and Destroy in safe mode and it found something in the registry that was a "security hole". It removed it and yes I am up to date with my Windows updates. BTW, I am running Windows XP.
Atticus|1
June 3rd, 2004, 04:24 AM
I always wonder when I read threads like this how in the hell people manage to pick up trojan(s) like this. You need some kind of real-time protection, The Duck. From now on enable TC Active and TC Monitor (the cleaner) to start with Windows and run. This will hopefully stop the registry from being altered.
mjk
June 3rd, 2004, 04:27 AM
To back up the registry:
1. Start -> Run -> regedit
2. Registry -> Export Registry File
3. Save the file somewhere
If you want to restore it, under the Registry menu click Import Registry File and browse to the file you saved.
But shouldn't the cleaner be able to clean it up?
You're right, it should... Make sure it's up to date. Maybe you have to stop the process before you run it? I dunno.
I guess sometimes you just have to remove it manually. Do a search on your hard drive for aim.exe and delete the file if you find it. It will probably be in the system32 folder. That's where lots of trojans hide themselves. Good luck.
Oh, I guess I might as well give you this (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.peeper.html) link as well. In case you didn't STFW :p
mjk
The Duck
June 3rd, 2004, 04:58 AM
Atticus, I know, I just got the cleaner a few days ago and I have those things running.
MJK, I already did a search for aim.exe and it led to a legit program, my aim program. :confused: :confused: :confused:
mjk
June 3rd, 2004, 05:03 AM
Hmmm... Well if you haven't already rebooted, do so then run fport again. If it's still listening, reinstall AIM. If that still doesn't work, I'm stumped. :confused:
mjk
The Duck
June 3rd, 2004, 05:05 AM
Ok, I also didn't find any of those things you or norton.com told me to look for in the registry. I think I should also inform you guys that I have this program for AIM. It's a filter and its purpose is to protect me from people booting me and crashing my AIM client. But that connects to port 3333, and when I log in using AIM and that, I am logged in using ports 3333 and 5190, but port 5180 is still listening. Also can anyone tell me what bootpc is? It shows up in my netstat readouts as a UDP port. It comes and goes so I have no idea what it is. It doesn't connect, it just has that *:* next to it, what does that mean again? I forgot :D.
Tedob1
June 3rd, 2004, 05:06 AM
If you used fport, what was the folder aim was running from? If it was 'C:\PROGRAM FILES\AIM95\AIM.EXE' or something similar, have you gone to that folder, right clicked > Properties > Version on aim.exe to see what it says?
This anti-punter probably is intercepting traffic from/to 5180 internally. You need to have your computer scanned from the outside.
The Duck
June 3rd, 2004, 05:08 AM
Yes, the fport path is similar to that, but what info am I looking for in the properties?
Tedob1
June 3rd, 2004, 05:18 AM
Well, if it says under Version that it is America Online, and not blank or something else renamed to aim, it's the original file.
Is it the same path as the file opening 5190?
I think your anti-punter doesn't 'change' AIM but acts as a proxy for it, leaving the original port listening internally and communicating through it. Just my guess.
therenegade
June 3rd, 2004, 05:45 AM
hmm..doesn't look like a trojan to me if it's got that path and if the registry entry corresponds to aim (or it could be a pretty sophisticated trojan cos it'd have to have messed with the original aim file..not really sophisticated even lol..it could've just bound itself with it..but nm all that)
What I'd like to know, The_Duck, is whether you see anything sneaky in your firewall logs..if AIM's just connecting to the regular AIM server (which you can find out by reverse DNSing the IP on your firewall), I figure you should be in the clear...if it's another IP tho..then yep//you've got something..hope this helped a bit
!mitationRust
June 3rd, 2004, 06:02 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=258332#post753018) by The Duck
Hey guys, I have this question, it's about this program that is running on this specific port.
I did a netstat -a and it showed that port 5180 was listening. I did a fport on it and it showed that aim.exe was on this port. So I connected my AIM, but my AIM connects to port 5190, like most AIMs I know. I did research on port 5180 and I found that a trojan uses this port. The trojan's name is Backdoor.Peeper. According to Symantec this is a trojan that allows remote control of the computer. I used "The Cleaner" and it showed me that I had some trojans, but none of this type. So can anyone help me out?
Do the netstat commands in my tutorial and match the PIDs to your Task Manager's (Ctrl-Alt-Del) PIDs, but listen to Tedob1 first.
PS: Tedob1 that proxyrama is bad a$$ ;)
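The checks the replies above describe (map the listening port to its PID and image path, read the file's version info, look at the Run keys), collected into one script. This is an added example, not code from the thread; it assumes a current Windows with the NetTCPIP cmdlets, and the port list and registry keys are the ones the posts name.

```powershell
# Added example, not code from the thread. Assumes Windows 8 / Server 2012 or later,
# where Get-NetTCPConnection and Get-NetUDPEndpoint exist; on the XP box in the thread
# the same mapping is done with 'netstat -ano' plus fport. Run from an elevated prompt
# so the image paths of processes owned by other accounts are readable.

function Get-ListeningPortOwner {
    param([int[]]$Port = @(5180, 5190))   # the two ports discussed in the thread
    Get-NetTCPConnection -State Listen |
        Where-Object { $Port -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path
            $ver  = if ($path) { (Get-Item $path).VersionInfo } else { $null }
            $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                LocalPort   = $_.LocalPort
                PID         = $_.OwningProcess
                Process     = $proc.ProcessName
                Path        = $path
                CompanyName = $ver.CompanyName   # blank, or not the vendor you expect: Tedob1's warning sign
                Signature   = $sig.Status        # 'Valid' only for a signed, unmodified binary
            }
        }
}

function Get-UdpListeners {
    # UDP has no peer, which is why netstat prints '*:*' as the foreign address for these;
    # port 68 is listed as 'bootpc' (the DHCP client) in the system's services file.
    Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess
}

function Get-AutorunEntries {
    # The Run keys mjk and therenegade point at. RunServices exists only on Win9x/ME,
    # which is why it cannot be found on XP; RunOnce is the other key worth reading.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-ListeningPortOwner | Format-Table -AutoSize
Get-UdpListeners       | Format-Table -AutoSize
Get-AutorunEntries     | Format-Table -AutoSize
```

A listener whose image path, CompanyName and signature all agree with the installed client is the benign case the thread ends up in; an entry in the Run output whose command points somewhere unexpected is what to search the web for, as therenegade suggests.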
Tedob1
June 3rd, 2004, 06:03 AM
To bind two files you have to use some kind of packer, and it wouldn't show AOL's version information, but I agree that checking the logs would be a good thing.
The Duck
June 4th, 2004, 01:10 AM
What happened was this idiot on AIM said he "IP hacked me", and sent this program called reshack and supposedly, he said, he has no control over the programs that it installs. I have a hardware based firewall, so I don't think I can view the firewall logs, or can I? The cleaner didn't catch anything called reshack, though it caught something called stumpy and that connects to another server or ftp site and downloads more trojans. The Cleaner already caught stumpy and took care of it. But ever since he said he IP hacked me, it seems as if my netstat readouts don't look normal, or am I just going crazy? Fport does show a lot of svchosts, and I don't remember seeing that many UDP ports, though they all have the *:* next to them, what does that mean? I forgot :p .
Here are the fport readouts in the attachment. What makes me worry is all the NetBIOS stuff that is listening. I did the security check on norton.com and it said my firewall was keeping me safe, everything except that my computer responds to pings. It claims I have the NetBIOS port either closed or stealthed :confused: . I know what closed and stealth are, but if that is true then why is it listening? Also something called "bootpc" keeps popping up here and there, and only for a couple of seconds, then it disappears; it's a UDP port and it has that *:* thing next to it.
therenegade
June 4th, 2004, 09:48 AM
Reshack seems to be a program that can be used to modify a lot of AIM functions (icons etc) amongst other activities. I reckon that the guy has your IP, but nothing else unless reshack was bound with something..I would've included links but I wasn't sure bearing in mind the context of AO;)
PM if you want them or just google around
and The_Duck..accepting files from people you don't know? tsk tsk:P
The Duck
June 4th, 2004, 02:12 PM
No No... I didn't accept any files. He just said he got my IP from a program and he IP hacked me, sending me this file called "reshack", and that it comes and goes for seconds and leaves other trojans behind, and then reshack disappears so you can't find it or something. This guy sounded like a script kiddie, he couldn't even tell me how to work the command prompt :rolleyes:. I asked him what port it connects to me with and he says he thinks 6647... at least I think that's the port he says...
therenegade
June 4th, 2004, 05:39 PM
hmm...can't seem to find anything grrr..tell ya what The Duck..how bout you have a peek at your registry and see if there are any suspicious entries? HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
AngelicKnight
June 4th, 2004, 07:40 PM
I have a related question. My firewall shows I've been scanned twice since yesterday, which is rather unusual, from IP address 12.158.80.10, 80 (couldn't ping it). My ports scanned were 1199, 1200, 1201, 1203, 1204, 1115, 1116, 1117, 1118, and 1119. I'm still learning what all these points are, so which ports are these, and are they hints to anything?
therenegade
June 4th, 2004, 08:33 PM
Looks like random port scanning by your ISP actually, try a reverse DNS..it's crl.verisign.com, it'd have worked even if you'd just typed the IP in your browser;)
Here's a list of ports...the ports up to 1024 are reserved, so I wouldn't worry. Look up http://www.iana.org/assignments/port-numbers
AngelicKnight
June 4th, 2004, 09:34 PM
Aha! Thanks!
The Duck
June 4th, 2004, 11:04 PM
The registry looks fine but I couldn't even find HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
so... Am I looking for anything in particular in the registry?
Did I mention that I also have a wireless network set up? It's a wireless 2Wire connection that we got for the PC and my laptop. Just thought you guys should know in case that makes a difference...
No anti-malware program is picking up anything, not even in safe mode. Yet NetBIOS related ports are listening and this program called "bootpc" keeps popping up... I did research on all of these things but I get things I don't understand. I think bootpc relates to Linux somehow, according to my research, but I have Windows, which made me suspicious...
therenegade
June 5th, 2004, 07:15 AM
Malware programs wouldn't pick up, say, a trojan or a logger, The Duck. Well, the registry thing was just an idea, most programs load from it. Does anything look overly suspicious in your HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run entry? (Google around for the file names and see if you get anything)
If you're still not sure, get HijackThis (http://www.spywareinfo.com/~merijn/downloads.html). Unzip HijackThis to a permanent directory and run it.
Attach the log and post it here. (There's also a HijackThis tutorial on the site; removing the file, if any, is more fun if you find it yourself lol)
The Duck
June 6th, 2004, 10:45 PM
I thought malware = spyware, virii, trojans, etc. So wouldn't anti-malware programs = AV, Spybot, The Cleaner, etc?
I'm such an idiot, I still had Spybot Search and Destroy version 1.2. I just recently got 1.3 now and I ran it, it found some stuff and fixed them. I did another netstat and port 5180 is no longer listening! However, I still have 2 netbios-ssn listening. Can anyone tell me what the *:* in the NetBIOS readouts means? I forgot what they mean :p . There are things called netbios-dgm with the *:* next to it. I will try your suggestion when I get back to that computer, which won't be till Tuesday or Wednesday.