Full Version: Sokets de Trois V1. Trojan horse
Critter
About once every day or two, my firewall (Norton Internet Security) blocks an attempt to connect to my computer using the Sokets de Trois v1. Trojan horse. Each time it is coming from an IP address that has the same first three groups of numbers as mine. The only difference is the last group of numbers in the IP address. Given that the IP addresses are so similar, is the trojan horse actually coming from my computer, or is it just someone who has the same provider (Earthlink) and that is why the IP addresses are similar?

I have run Norton antivirus, Ad-aware, and Spybot and they say my system is clean. I have no problems with popups. Everything seems to be running fine. I'm just curious because of the similarity of the IP address of the computer trying to connect to my computer.

Thanks for any insight that anyone may have.
LoPhatPhuud
The attempt to connect is coming from outside your system. If your firewall is properly configured, it would raise an alert first when trying to complete an outbound connection.

Run a Whois on the IP address and notify the ISP involved that you are receiving connection attempts from a Trojan at the address you supplied. Be sure to include a portion of your firewall log for their use.
Critter
Thanks. I had not thought of running a Whois on the IP. :thumb:
Hunter
Port 5000 is open on my system. I have found web sites indicating that this port is used by the "Sockets de Troie" trojan. Is my system compromised by a trojan?

The "Universal Plug and Play" service on Windows Millennium Edition and Windows XP uses UDP port 1900 and TCP port 5000. If you are running either of these Windows versions then there is a very good chance that the Universal Plug and Play service is what is holding these ports open.
To verify that Universal Plug and Play is what is holding ports 1900 and 5000 open, follow these steps if you are using Windows XP:

Go to Start->Settings->Control Panel->Administrative Tools->Services
Find the service named "SSDP Discovery Service", right-click it and select Stop
After the SSDP Discovery Service has been stopped, ports 5000/TCP and 1900/UDP should no longer be open on your system. If you want to permanently close these ports you should right-click the SSDP Discovery Service, select Properties and set the "Startup Type" of the service to Disabled.
If the SSDP Discovery Service was not running then something else, possibly a trojan, was holding port 5000/TCP open.

My firewall tells me that it has blocked access to a port used by a trojan. Is my system compromised by a trojan?

No. The alert you are getting simply means that your firewall has blocked an attempt from an external host to access a port on your computer that is commonly used by a trojan. Even if the port is indeed open on your system, the message indicates that your firewall has blocked the attempt to access it. To check whether or not the port in question is indeed open on your system go to Start->Run... and type Command<Enter>. In the Command Prompt that appears, type netstat -an. If the port in question is listed as "Listening" there is a possibility that it is in use by a trojan server (though your firewall, if properly configured, should have blocked any attempt to access it) and you should scan your computer for trojans.
http://www.misec.net/papers/trojanfaq/
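The two checks above (is 5000/TCP or 1900/UDP actually listening, and is it the UPnP/SSDP service or something else holding it open) can be done in one pass by correlating `netstat -ano` with `tasklist`. The script below is an added example, not code from the post or from the misec.net FAQ it quotes. It assumes the classic Windows `netstat -ano` column layout and `tasklist /FO CSV` output; the sample output embedded in it is constructed, and the `live_check()` helper is the only part that needs a real Windows box.

```python
"""Correlate `netstat -ano` with `tasklist` to see what owns ports 5000/TCP and 1900/UDP.

Added example (not from the forum post or the misec.net FAQ). Assumptions: netstat
prints the Windows columns Proto / Local Address / Foreign Address / State / PID,
and tasklist is run with /FO CSV. The sample outputs below are constructed.
"""
import csv
import io
import re
import subprocess
import sys
from dataclasses import dataclass

# Ports the thread is about: 5000/TCP is shared by UPnP and "Sockets de Troie",
# 1900/UDP is SSDP discovery. On XP/ME both normally belong to svchost.exe (SSDPSRV).
WATCH_PORTS = {5000: "UPnP / Sockets de Troie", 1900: "SSDP discovery"}
EXPECTED_OWNER = "svchost.exe"

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int

# TCP lines carry a State column, UDP lines do not; the PID is always last.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return sockets that accept inbound traffic: TCP in LISTENING, or any UDP binding."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or an IPv6 line in a layout we don't parse
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED etc. are outbound/active, not an open port
        listeners.append(Listener(proto, addr, int(port), int(pid)))
    return listeners

def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output (first row is the header)."""
    rows = csv.reader(io.StringIO(text))
    next(rows, None)
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def classify(listeners, pid_to_image, watch_ports=WATCH_PORTS):
    """For each watched port that is open, record the owning image and whether it is the
    expected UPnP host. Anything other than svchost.exe deserves a trojan scan."""
    findings = {}
    for l in listeners:
        if l.port not in watch_ports:
            continue
        image = pid_to_image.get(l.pid, "<unknown>")
        findings[(l.proto, l.addr, l.port)] = {
            "pid": l.pid,
            "image": image,
            "purpose": watch_ports[l.port],
            "expected_owner": image.lower() == EXPECTED_OWNER,
        }
    return findings

def live_check():
    """Run the real commands on Windows and print a verdict per open watched port."""
    net = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout
    for (proto, addr, port), f in classify(parse_netstat(net), parse_tasklist_csv(tl)).items():
        verdict = "expected (UPnP/SSDP host)" if f["expected_owner"] else "UNEXPECTED - scan for trojans"
        print(f"{proto} {addr}:{port} pid={f['pid']} image={f['image']} -> {verdict}")

# Constructed sample output: UPnP holding both ports from one svchost.exe instance.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.7:1045       64.233.160.99:80       ESTABLISHED     2288
  UDP    0.0.0.0:1900           *:*                                    1032
  UDP    192.168.1.7:1900       *:*                                    1032
"""
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","952","Console","0","3,300 K"
"svchost.exe","1032","Console","0","4,120 K"
"iexplore.exe","2288","Console","0","18,440 K"
'''

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        live_check()
    else:
        for key, f in classify(parse_netstat(SAMPLE_NETSTAT), parse_tasklist_csv(SAMPLE_TASKLIST)).items():
            print(key, f)
```

The point of mapping the PID is that a LISTENING 5000/TCP by itself proves nothing: the same netstat line looks identical whether svchost.exe (SSDPSRV) or an unknown executable owns it. If the owner is not svchost.exe, or the port stays open after the SSDP Discovery Service is stopped, that is the case the FAQ says to scan for.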
Critter
Thanks for the info! :king:
Invision Power Board © 2001-2009 Invision Power Services, Inc.