Q

How can I harden my network against Trojans?

A quick audit of my network of 45 business-critical desktops has revealed that we've been infected with two Trojans:

Port: 1025
Description: network blackjack

Port: 5000
Description: UPnP / filmaker.com / Socket de Troie (Windows Trojan)

Could you please help with suggestions for 1) removal, 2) blocking and 3) hardening my network to prevent future attacks?

My network comprises 45 desktops with Windows XP and Windows 2000 Pro (with the latest service packs deployed).

It's good to see that you have performed a quick audit of your network. Let's discuss the two open ports you found first.

Port 1025 is assigned to network blackjack. However, it is also used for other services: many hosting providers use it for SMTP, as some providers block port 25; Net2phone uses port 1025 for VoIP services; and it can also be used by RPC and Active Directory. So make sure that none of those services are present on your network. With that said, you are right that port 1025 can also be used for attacks, as there is an RPC exploit that targets that port. Here is a link (http://www.dshield.org/topports.php) that indicates that port 1025 is one of the top 10 most probed ports.

Port 5000 is used for Windows Universal Plug and Play. It's true that it is also used for the Socket de Troie Trojan, but that one is pretty old; I believe it dates back to 1998 or earlier. If you are infected with that Trojan, you should be able to pick it up with a current virus scanner.

So, back to your original question: how do you protect your network? Well, the best method is by developing defense in depth and by adopting the principle of least privilege. Defense in depth means that you stack one layer of security on top of another. As an example: use a firewall, control access to the servers, patch the servers and desktops regularly, keep the anti-virus software current, and set up ACLs on your routers.

Now on to the principle of least privilege. This rule states that you give users and services only the least amount of privilege needed to do the job. That means that you should turn off those ports that are not needed. That may mean that you start turning ports off one at a time, or you may elect to block everything and then only turn back on the minimum services needed for the network and users to complete their tasks.

There are lots of good books and resources on the net that discuss hardening devices and services. The NSA has hardening guidelines that you may want to take a look at here: http://www.nsa.gov/snac/

This was first published in June 2005