  DR_JAYMAHDI
join:2002-04-23 Verdun, QC
| Port 3158
Hi All,
Over the weekend I was using my laptop and unfortunately I found a virus/trojan named "dna.exe" which was slowing down my computer. I did a "netstat" in the Windows XP command prompt and my laptop was trying to connect to over 100 computers. I removed this virus and the laptop is running fine.
However...
I noticed that there is a connection to port 3158 and the IP address is 70.42.52.11. I tried doing a trace route and unfortunately it didn't give me much information as to where this IP address is coming from. Even after I do a clean reboot, my laptop keeps connecting to that IP address and the same port.
The question I ask is: is port 3158 a potential security hole, or is it a safe service program that I am unaware my laptop keeps executing?
If you need any more details, I am more than happy to provide them if there is any good Samaritan willing to assist me.
Thanks |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| Re: IP address connection
WhoIs info: »/whois/70.42.52.11
CustName: Cerulean Studios, LLC
Address: 475 Federal Road
Address: Unit F
City: Brookfield
StateProv: CT
PostalCode: 06804
Country: US
RegDate: 2006-03-09
Updated: 2006-03-09
-amy- -- DSLR Phishtracker |
|
  DR_JAYMAHDI
join:2002-04-23 Verdun, QC | Thanks Amy
boy do I feel like an idiot  |
|
 dannyboy 950 Premium join:2002-12-30 Port Arthur, TX | reply to DR_JAYMAHDI Re: Port 3158
The next thing to consider is do these people have any business connecting to you or you to them? Do they even know they are trying to connect to you? |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | Port 3158 = "SmashTV Protocol", whatever that is.
But it could be a trojan as well. Is the connection inbound or outbound? Can you post the output of netstat -ano? |
|
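One way to answer the inbound-or-outbound question from `netstat -ano` output, as an added example that is not part of the original thread. The sample rows, PIDs, local addresses and function names are constructed for illustration; only 70.42.52.11:3158 comes from the thread.

```python
# Constructed sample in Windows `netstat -ano` format; the PIDs, local
# addresses and the 192.168.1.20 peer are invented for illustration.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.10:1042      70.42.52.11:3158       ESTABLISHED     1880
  TCP    192.168.1.10:3389      192.168.1.20:51515     ESTABLISHED     1012
  UDP    0.0.0.0:445            *:*                                    4
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like [::]:135 work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        # UDP rows carry no State column, so they have four fields, not five.
        state = f[3] if len(f) == 5 else ""
        rows.append({"proto": f[0], "local": split_endpoint(f[1]),
                     "remote": split_endpoint(f[2]), "state": state,
                     "pid": int(f[-1])})
    return rows


def classify(rows):
    """Label each non-listening TCP row as inbound or outbound."""
    # Heuristic: if the local port also has a LISTENING socket, a local
    # service accepted the connection (inbound); otherwise this host dialed out.
    listening = {r["local"][1] for r in rows if r["state"] == "LISTENING"}
    result = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING":
            continue
        direction = "inbound" if r["local"][1] in listening else "outbound"
        result.append((direction, ":".join(r["remote"]), r["state"], r["pid"]))
    return result


if __name__ == "__main__":
    print(classify(parse_netstat(SAMPLE)))
```

The PID in each result can be matched to a process name in Task Manager's PID column.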
  Caution
@netcarrier.net
| reply to DR_JAYMAHDI Cerulean Studios, LLC
Trillian (instant messenger)
»www.ceruleanstudios.com/
============================================================
Here are the ports that Trillian uses by default:
MSN Connection: 1863 File Transfer: 6891
ICQ Connection: 5190 File Transfer: Dynamic unless specified
AIM Connection: 5190 File Transfer: 5190 Direct Connect: 4443
Yahoo Connection: 5050 File Transfer: 80 Webcam: 5100
»www.ceruleanstudios.com/support/···ROOT/C_T
------------------------------------------------------------
Here are the default ports that Trillian uses:
MSN Connection: 1863 File Transfer: 6891
ICQ Connection: 5190 File Transfer: Dynamic unless specified
AIM Connection: 5190 File Transfer: 5190
Yahoo Connection: 5050 File Transfer: 80 Webcam: 5100
Jabber: Connection: 5222 File Transfer: (automatic by default)
»forums.ceruleanstudios.com/showt···id=35182 |
|
 The Snowman Premium join:2007-05-20
·Verizon Online DSL
| reply to DR_JAYMAHDI
If in fact you do have Trillian.....and you have used it for File Transfer...then perhaps that's where the Trojan came from, but no matter....there appears NO REASON for that particular Port to be doing anything....unless someone else here can offer a reason....... My suggestion would be to remove Trillian if in fact you do have it installed....if it's the Agent in all this then removing it should shut down that port.... Are you ABSOLUTELY SURE you removed that Trojan ? |
|
  Caution
@netcarrier.net | reply to DR_JAYMAHDI DEFINITELY YOU SHOULD READ THIS
»www.securityfocus.com/infocus/1605
"Detecting and Containing IRC-Controlled Trojans: When Firewalls, AV, and IDS Are Not Enough" |
|
 The Snowman Premium join:2007-05-20 | reply to DR_JAYMAHDI
At this point I am not totally convinced the Trojan has been completely removed.....and would suggest you do a Hijack This .....
will drop back here later.....to see what you post back |
|