Help to resolve these port connections

Hi there. Hoping to get answer if this is something to worry about, hoping its in the right topic. I got firewall block from Eset. It said that Steam.exe tried using port 5000 and remote address was 127.0.0.1, i get a lot of this 127.0.0.1 as a remote address, it's supposed to be local not remote right?

Steam don't use that port as i have googled the ports used by steam, and i never got that kind of block before, it blocked it over 8000 times in just seconds! I google "Steam port 5000" and i get nothing! Nothing whatsoever about that port for steam. Please have a look at what they say about that port, and it rings all kinds of warning bells when i read it.

LINK: Port 5000 (tcp/udp) :: SpeedGuide Port 5000 (tcp/udp) :: SpeedGuide

This does not look good at all. I have already disabled UPnP service in services.msc a long time ago. It seems like someone or something in my PC uses the steam.exe file as a backdoor to get in, with the port 5000, and also maybe by 127.0.0.1 ?
Would be really grateful if you guys would help me find out what this is.

I don't need virus reports here because i have already asked about that in another topic, here i just want focus on these ports and why they make these connections and why 127.0.0.1 is trying to connect from a REMOTE address, indicating it's not 127.0.0.1 local. Is that right?

Glad to be a part of this site! Thanks in advance! <3

It might be related to this. They talk about python please reply.


- - - Updated - - -

Please read this. Accessing debugger for flask @127.0.0.1:5000 | DigitalOcean

Jacee said:

See this....Hackers Libray: Search results for port 5000

Thank you. So does this mean i have one of those trojans? I have premium malwarebytes and did so many scans nothing comes up. But eset blocks the connection. So something is hiding maybe?

Here is some info. GRC | Port Authority, for Internet Port 5000 Something about Universal Plug N' Play (UPnP). I have disabled UPnP in services.msc, is there somewhere else i can disable it? Or maybe in my case its just a trojan/backdoor and not because of UPnP?

Yeah, and i found this. It tells us it can masquerade like a game exe file, and that is what´s happening to me, it tries connecting from my steam.exe



Here is a virus total from me steam.exe file, please review. VirusTotal

Scroll down and read the "Files Opened" i think there is a lot of dangerous entries there, or am i wrong? Example we find there is "\DEVICE\NETBT_TCPIP_{E698D55B-6E63-4B2F-ABDF-E08FDA424715}
\DEVICE\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}
\DEVICE\NETBT_TCPIP_{83811ED5-13C8-4FB1-B6A3-6B9E83E6B1EE}
\Device\Afd\AsyncConnectHlp"

I have disabled NETbios why are there entries like you see above. And what is \Device? Please if you know people here, ask them if they can help me that you know of that´s is more experienced. Regards

- - - Updated - - -

Here i did a Hybrid Analysis. And it tells us its malicious threat score 100/100!!
https://www.hybrid-analysis.com/samp...85457e9a1996b0
Please help

- - - Updated - - -

Here is from another analysis from hybrid analysis and it marked it as trojan. I think i am being hacked but in a way that is not detectable by my virus software. I need help pin pointing it. https://www.hybrid-analysis.com/samp...6105672450e596

i have reinstalled steam many times but it won´t do any good, i have fresh installed windows also but it won´t do any good. So i need to pin point it.

Hi again. I'm back after fresh install even on a new HDD, and i get this connection attempts

According to this site Port 143 (tcp/udp) :: SpeedGuide it´s MAP (Internet Mail Access Protocol) mail server uses this port. See also port 993/tcp.

allows remote attackers to cause a denial of service (application crash) via a long string to IMAP port (143/tcp).

My connection goes unidentified from no reason from time to time so i have to restart the pc. I guess its because this hacker doing this attempts. Numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for awhile, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when Red Hat enabled the service by default on its distributions. This port is also used for IMAP2, but that version wasn't very popular. Several people have noted attacks from port 0 to port 143, which appears to be from some attack script.

As you see in the pic, destination port is 0 and in the article they say "Several people have noted attacks from port 0 to port 143, which appears to be from some attack script."

Thank you for any reply.

Bumping this

You have to understand that blocking ports based on some known trojans that used (or use) these ports is not reliable method to block trojans.

Haxor can set any port he wants ranging from 1 to 65536, and he can do so any time and any amount of times he want, meaning there is no way for you to stop him once you have his client (aka. trojan)

The connections from your last screenshot have nothing to do with trojans, in fact blocking these may make your UI Unresponsive and OS not functioning properly in some cases.

How to proceed?
Step 1:
Understand IP addressing and address ranges, these in 99% of cases do not imply trojan activity:

Loopback address range
127.0.0.0/8

Private address ranges:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

Link-local addresses (Microsoft calls this "APIPA"):
169.254.0.0/16

Multicast addresses:
224.0.0/24
224.0.1/24
224.0.2.0 - 224.0.255.255
224.1/16
224.2/16
224.3/16, 224.4/16
224.252/14
232/8
233.252/14

Step 2:
Get familiar with IP protocols
In 99% of the cases trojans will use TCP protocol, rarely UDP and almost never other protocols
List of IP protocol numbers - Wikipedia

Step 3:
Get familiar with TPC/UDP protocol ports and for what they are used:
List of TCP and UDP port numbers - Wikipedia

Step 4:
Get familiar with minimum tools required to hunt down trojans:
https://docs.microsoft.com/en-us/sys...ocess-explorer
https://docs.microsoft.com/en-us/sys...nloads/procmon
https://docs.microsoft.com/en-us/sys...loads/autoruns
https://docs.microsoft.com/en-us/sys...nloads/tcpview
https://docs.microsoft.com/en-us/sys...ownloads/whois

Step 5:
To be 100% certain to catch trojans (or isolate them) you'll need separate machine acting as a gateway which will also generate connection logs.

It depends on what your goal is?
1. Intentionally use potentially dangerous software but verify what it does
2. Prevent malware

If you want to prevent malware (trojans) then rules are simple, don't install unsigned/untrusted programs

If you want to verify if bad programs (which you want) aren't actually as bad or are acceptable then good luck, because
you better set up a separate gateway machine and good firewall setup, and then spend a whole night watching traffic or write some programs that will do the job for you to give you a summary in the morning as you drink your coffee.

Additional reference:
IANA IPv4 Special-Purpose Address Registry
IPv4 Multicast Address Space Registry