Remote Access Trojan FAQ
Port 5000 is open on my system. I have found web sites indicating that this port is used by the "Sockets De Troie" trojan. Is my system compromised by a trojan?The "Universal Plug and Play" service on Windows Millennium Editition and Windows XP uses UDP port 1900 and TCP port 5000. If you are running either of these Windows versions then there is a very good chance that the Universal Plug and Play service is what is holding these ports open.
To verify that Universal Plug and Play is what is holding ports 1900 and 5000 open, follow these steps if you are using Windows XP:
- Go to Start->Settings->Control Panel->Administrative Tools->Services
- Find the service named "SSDP Discovery Service", right-click it and select Stop
If the SSDP Discovery Service was not running then something else, possibly a trojan, was holding port 5000/TCP open.
My firewall tells me that it has blocked access to a port used by a trojan. Is my system compromised by a trojan?No. The alert you are getting simply means that your firewall has blocked an attempt from an external host to access a port on your computer that is commonly used by a trojan. Even if the port is indeed open on your system, the message indicates that your firewall has blocked the attempt to access it. To check whether or not the port in question is indeed open on your system go to Start->Run... and type
Command<Enter>. In the Command Prompt that appears, type
netstat -an. If the port in question is listed as "Listening" there is a possibility that it is in use by a trojan server (though your firewall, if properly configured, should have blocked any attempt to access it) and you should scan your computer for trojans.