Help to resolve these port connections


  1. Posts : 149
    Windows 10 Pro x64
       #1

    Help to resolve these port connections


    Hi there. Hoping to get an answer on whether this is something to worry about; hoping it's in the right topic. I got a firewall block from Eset. It said that Steam.exe tried using port 5000 and the remote address was 127.0.0.1. I get a lot of this 127.0.0.1 as a remote address; it's supposed to be local, not remote, right?

    Steam doesn't use that port, as I have googled the ports used by Steam, and I never got that kind of block before; it blocked it over 8000 times in just seconds! I googled "Steam port 5000" and I get nothing! Nothing whatsoever about that port for Steam. Please have a look at what they say about that port; it rings all kinds of warning bells when I read it.

    LINK: Port 5000 (tcp/udp) :: SpeedGuide

    This does not look good at all. I have already disabled the UPnP service in services.msc a long time ago. It seems like someone or something in my PC uses the steam.exe file as a backdoor to get in, with port 5000, and also maybe by 127.0.0.1?
    Would be really grateful if you guys would help me find out what this is.

    I don't need virus reports here because I have already asked about that in another topic; here I just want to focus on these ports, why they make these connections, and why 127.0.0.1 is trying to connect from a REMOTE address, indicating it's not the local 127.0.0.1. Is that right?

    Glad to be a part of this site! Thanks in advance! <3


  2. Posts : 149
    Windows 10 Pro x64
    Thread Starter
       #2

    It might be related to this. They talk about Python; please reply.
    [Screenshots: DuckDuckGo search for "steam.exe 127.0.0.1 port 5000"; Eset block showing steam.exe, port 5000, remote IP 127.0.0.1]

    - - - Updated - - -

    Please read this: Accessing debugger for flask @127.0.0.1:5000 | DigitalOcean


  3. Posts : 1,604
    Win 10 home 20H2 19042.1110
       #3


  4. Posts : 149
    Windows 10 Pro x64
    Thread Starter
       #4

    Thank you. So does this mean I have one of those trojans? I have premium Malwarebytes and did so many scans; nothing comes up. But Eset blocks the connection. So something is hiding, maybe?

    Here is some info: GRC | Port Authority, for Internet Port 5000. Something about Universal Plug N' Play (UPnP). I have disabled UPnP in services.msc; is there somewhere else I can disable it? Or maybe in my case it's just a trojan/backdoor and not because of UPnP?


  5. Posts : 1,604
    Win 10 home 20H2 19042.1110
       #5

    You said Eset blocked it. That's a good thing! I don't know anything about Flask Web Service...


  6. Posts : 149
    Windows 10 Pro x64
    Thread Starter
       #6

    Yeah, and I found this. It tells us it can masquerade as a game exe file, and that is what's happening to me; it tries connecting from my steam.exe.

    [Screenshot: "Basics: trojan virus" article]

    Here is a VirusTotal report for my steam.exe file; please review. VirusTotal

    Scroll down and read the "Files Opened" section; I think there are a lot of dangerous entries there, or am I wrong? For example, we find there:

    \DEVICE\NETBT_TCPIP_{E698D55B-6E63-4B2F-ABDF-E08FDA424715}
    \DEVICE\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}
    \DEVICE\NETBT_TCPIP_{83811ED5-13C8-4FB1-B6A3-6B9E83E6B1EE}
    \Device\Afd\AsyncConnectHlp

    I have disabled NetBIOS, so why are there entries like you see above? And what is \Device? Please, if you know people here who are more experienced, ask them if they can help me. Regards

    - - - Updated - - -

    Here I did a Hybrid Analysis, and it says it's malicious, threat score 100/100!!
    https://www.hybrid-analysis.com/samp...85457e9a1996b0
    Please help

    - - - Updated - - -

    Here is another analysis from Hybrid Analysis, and it marked it as a trojan. I think I am being hacked, but in a way that is not detectable by my antivirus software. I need help pinpointing it. https://www.hybrid-analysis.com/samp...6105672450e596

    I have reinstalled Steam many times but it doesn't do any good; I have fresh-installed Windows also, but it doesn't do any good. So I need to pinpoint it.

    [Screenshot: Hybrid Analysis (Falcon Sandbox) report view]


  7. Posts : 5,209
    21H1 64 Bit Home
       #7

    Not too sure. Maybe try CrowdInspect.

    Too Many Trackers


  8. Posts : 149
    Windows 10 Pro x64
    Thread Starter
       #8

    Hi again. I'm back after a fresh install, even on a new HDD, and I get these connection attempts: [Screenshot: Eset block on port 143]

    According to this site, Port 143 (tcp/udp) :: SpeedGuide, it's IMAP (Internet Mail Access Protocol); mail servers use this port. See also port 993/tcp.

    "allows remote attackers to cause a denial of service (application crash) via a long string to IMAP port (143/tcp)."

    My connection goes unidentified for no reason from time to time, so I have to restart the PC. I guess it's because this hacker is doing these attempts.

    "Numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for awhile, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when Red Hat enabled the service by default on its distributions. This port is also used for IMAP2, but that version wasn't very popular. Several people have noted attacks from port 0 to port 143, which appears to be from some attack script."

    As you see in the pic, the destination port is 0, and in the article they say "Several people have noted attacks from port 0 to port 143, which appears to be from some attack script."

    Thank you for any reply.


  9. Posts : 149
    Windows 10 Pro x64
    Thread Starter
       #9

    Bumping this


  10. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #10

    You have to understand that blocking ports based on some known trojans that used (or use) these ports is not a reliable method to block trojans.

    A haxor can set any port he wants, ranging from 1 to 65536, and he can do so at any time and as many times as he wants, meaning there is no way for you to stop him once you have his client (aka trojan).

    The connections from your last screenshot have nothing to do with trojans; in fact, blocking these may make your UI unresponsive and the OS not function properly in some cases.

    How to proceed?
    Step 1:
    Understand IP addressing and address ranges; these in 99% of cases do not imply trojan activity:

    Loopback address range
    127.0.0.0/8

    Private address ranges:
    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8

    Link-local addresses (Microsoft calls this "APIPA"):
    169.254.0.0/16

    Multicast addresses:
    224.0.0/24
    224.0.1/24
    224.0.2.0 - 224.0.255.255
    224.1/16
    224.2/16
    224.3/16, 224.4/16
    224.252/14
    232/8
    233.252/14

    Step 2:
    Get familiar with IP protocols
    In 99% of cases trojans will use the TCP protocol, rarely UDP, and almost never other protocols.
    List of IP protocol numbers - Wikipedia

    Step 3:
    Get familiar with TCP/UDP protocol ports and what they are used for:
    List of TCP and UDP port numbers - Wikipedia

    Step 4:
    Get familiar with minimum tools required to hunt down trojans:
    https://docs.microsoft.com/en-us/sys...ocess-explorer
    https://docs.microsoft.com/en-us/sys...nloads/procmon
    https://docs.microsoft.com/en-us/sys...loads/autoruns
    https://docs.microsoft.com/en-us/sys...nloads/tcpview
    https://docs.microsoft.com/en-us/sys...ownloads/whois

    Step 5:
    To be 100% certain to catch trojans (or isolate them) you'll need a separate machine acting as a gateway, which will also generate connection logs.

    It depends on what your goal is:
    1. Intentionally use potentially dangerous software but verify what it does
    2. Prevent malware

    If you want to prevent malware (trojans), then the rules are simple: don't install unsigned/untrusted programs.

    If you want to verify that bad programs (which you want) aren't actually as bad, or are acceptable, then good luck, because you had better set up a separate gateway machine and a good firewall setup, and then spend a whole night watching traffic, or write some programs that will do the job for you and give you a summary in the morning as you drink your coffee.

    Additional reference:
    IANA IPv4 Special-Purpose Address Registry
    IPv4 Multicast Address Space Registry
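The address classes listed in Step 1 above, and the "is 127.0.0.1 really remote?" question from post #1, applied to firewall log lines: this is an added example in Python, not code from this thread or from any of the tools it mentions. The log format, process names and addresses are constructed for the example (the public addresses come from the RFC 5737 documentation ranges), and the multicast entry uses the IANA-wide 224.0.0.0/4 block, which contains every multicast sub-range the post lists rather than repeating each one.

```python
import ipaddress
from collections import Counter

# Address ranges from the post above, as CIDR blocks.  The multicast entry is the
# whole class D block 224.0.0.0/4, which contains every multicast sub-range the
# post lists (224.0.0.0/24, 224.0.1.0/24, 232.0.0.0/8, ...).
SPECIAL_RANGES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
]

# Constructed sample log (NOT a real ESET/Windows firewall export); the format is
#   timestamp;action;direction;protocol;local_ip:port;remote_ip:port;process
# The first three lines mimic the repeated steam.exe -> 127.0.0.1:5000 blocks
# from post #1; the public addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2020-09-09 10:14:02;blocked;out;TCP;127.0.0.1:49712;127.0.0.1:5000;steam.exe
2020-09-09 10:14:02;blocked;out;TCP;127.0.0.1:49713;127.0.0.1:5000;steam.exe
2020-09-09 10:14:03;blocked;out;TCP;127.0.0.1:49714;127.0.0.1:5000;steam.exe
2020-09-09 10:20:11;allowed;out;UDP;192.168.1.23:5353;224.0.0.251:5353;svchost.exe
2020-09-09 10:21:40;allowed;out;TCP;192.168.1.23:50021;192.168.1.1:443;chrome.exe
2020-09-09 10:22:05;blocked;out;TCP;192.168.1.23:50030;203.0.113.77:143;example.exe
2020-09-09 11:02:17;blocked;in;TCP;192.168.1.23:143;198.51.100.9:41022;System
"""


def classify(address: str) -> str:
    """Return loopback / private / link-local / multicast for an IPv4 address,
    or 'public' when it falls in none of the special ranges."""
    ip = ipaddress.ip_address(address)
    for label, network in SPECIAL_RANGES:
        if ip in network:
            return label
    return "public"


def parse_line(line: str) -> dict:
    """Split one line of the constructed log format into fields and attach the
    class of the remote address."""
    timestamp, action, direction, proto, local, remote, process = line.strip().split(";")
    local_ip, local_port = local.rsplit(":", 1)
    remote_ip, remote_port = remote.rsplit(":", 1)
    return {
        "time": timestamp, "action": action, "direction": direction,
        "proto": proto, "process": process,
        "local_ip": local_ip, "local_port": int(local_port),
        "remote_ip": remote_ip, "remote_port": int(remote_port),
        "remote_class": classify(remote_ip),
    }


def needs_attention(event: dict) -> bool:
    """Per the post, traffic that stays on the host, the LAN or a multicast
    group is ordinary; only a public remote address deserves a closer look."""
    return event["remote_class"] == "public"


def triage(lines):
    """Return (summary counts, events with a public remote address).  The summary
    groups by process, direction, protocol, remote class and remote port, so
    thousands of identical loopback blocks collapse into a single row."""
    events = [parse_line(l) for l in lines if l.strip()]
    counts = Counter(
        (ev["process"], ev["direction"], ev["proto"], ev["remote_class"], ev["remote_port"])
        for ev in events
    )
    return counts, [ev for ev in events if needs_attention(ev)]


if __name__ == "__main__":
    counts, attention = triage(SAMPLE_LOG.splitlines())
    for key, n in counts.most_common():
        print(f"{n:5d}  {key}")
    print("\nEvents with a public remote address:")
    for ev in attention:
        print(f"  {ev['time']} {ev['direction']:>3} {ev['process']} {ev['remote_ip']}:{ev['remote_port']}")
```

The classifier reports loopback for 127.0.0.1 whichever column it appears in: a firewall's "remote address" is simply the other endpoint of the socket, and a loopback endpoint is always a process on the same host, so the three steam.exe blocks collapse into one loopback row. What is left over are the rows with a public remote address; identifying which process owns those sockets is what Process Explorer and TCPView from Step 4 are for.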


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.