Description: network blackjack
Description: UPnP / filmaker.com / Socket de Troie (Windows Trojan)
Could you please help with suggestions for 1) removal, 2) blocking and 3) hardening my network to prevent future attacks?
My network comprises 45 desktops with Windows XP and Windows 2000 Pro (with the latest service packs deployed).
Port 1025 is assigned to network blackjack. However, it is also used for other services: many hosting providers use it for SMTP, as some providers block port 25; Net2phone uses port 1025 for VOIP services; and it can also be used by RPC and Active Directory. So make sure that none of those services are present on your network. With that said, you are right that port 1025 can also be used for attacks, as there is an RPC exploit that targets that port. Here is a link, http://www.dshield.org/topports.php, that indicates that port 1025 is one of the top 10 most probed ports.
Port 5000 is used for Windows Universal Plug and Play. It's true that it is also used by the Socket de Troie Trojan, but that one is pretty old; I believe it dates back to 1998 or earlier. If you are infected with that Trojan, you should be able to pick it up with a current virus scanner.
So, back to your original question: how do you protect your network? Well, the best method is by developing defense in depth and by adopting the principle of least privilege. Defense in depth means that you stack one layer of security on top of another. As an example: use a firewall, control access to the servers, patch the servers and desktops regularly, keep the anti-virus software current, and set up ACLs on your routers.
Now on to the principle of least privilege. This rule states that you only give users and services the least amount of privilege needed to do the job. That means that you should turn off those ports that are not needed. That may mean that one at a time you start turning ports off or you may elect to block everything and then only turn back on the minimum services needed for the network and users to complete their needed tasks.
There are lots of good books and resources on the net that discuss hardening devices and services. The NSA has hardening guidelines that you may want to take a look at here: http://www.nsa.gov/snac/
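One way to put the "block everything, then turn back on the minimum" approach into practice is to audit each workstation's listening ports against an allowlist of services the network actually needs. The script below is an added example, not part of Michael Gregg's answer; it parses constructed Windows `netstat -an` output (not captured from a real host) and flags every listener that is not on the assumed allowlist, annotating ports 1025 and 5000 with the uses discussed above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      192.168.1.5:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

# Known uses of the ports discussed in the answer, for the analyst reading the report.
PORT_NOTES: Dict[int, str] = {
    1025: "network blackjack; also alt-SMTP, Net2phone VOIP, RPC/Active Directory; RPC exploit target",
    5000: "Windows Universal Plug and Play; historically the Socket de Troie Trojan",
    1900: "UPnP SSDP discovery (UDP)",
}

# proto, local port, optional state column (absent on UDP lines)
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listening_ports(netstat_output: str) -> List[Tuple[str, int]]:
    """Return sorted (proto, port) pairs that accept input: TCP in LISTENING, or any UDP socket."""
    found = set()
    for line in netstat_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue  # header lines, blank lines
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound/established connections are not listeners
        found.add((proto, port))
    return sorted(found)


def unexpected_listeners(netstat_output: str, allowlist: Set[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Least-privilege check: every listener not on the allowlist is reported with a note."""
    report = []
    for proto, port in listening_ports(netstat_output):
        if (proto, port) not in allowlist:
            report.append((proto, port, PORT_NOTES.get(port, "no known use on this network; investigate")))
    return report


if __name__ == "__main__":
    # Assumed minimum for a Windows file/print workstation on this network: NetBIOS and SMB only.
    allowed = {("TCP", 139), ("TCP", 445)}
    for proto, port, note in unexpected_listeners(SAMPLE_NETSTAT, allowed):
        print(f"{proto}/{port}: {note}")
```

Anything the script flags is a candidate for disabling the service or blocking the port at the firewall, after confirming that no legitimate service on the network depends on it.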