Security Basics mailing list archives

RE: Port 8081 mystery

From: "Christopher A. Libby" <clibby () mainepublicservice com>
Date: Thu, 25 Jan 2007 11:51:17 -0500

Hi - I noticed your "Classification" line.  Is this for data
classification purposes?  My company is in the process of doing
something similar, and I'm curious how this method works for you.

 
- Chris

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Sandro, Herpich
Sent: Wednesday, January 24, 2007 4:21 AM
To: security-basics () securityfocus com
Cc: WALI
Subject: RE: Port 8081 mystery

Classification: NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC

Run nmap with the -sV option. It will then try to detect the real
application listening on port 8081 (blackice-icecap is just listed as
the "default" applicatiohn in the nmap services file).

I assume it might be McAfee ePolicy Orchestrator (the agent normally
runs on this port). You can varify this by connecting to
http://192.168.126.245:80801


HTH,

Sandro

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Tuesday, January 23, 2007 7:07 PM
To: security-basics () securityfocus com
Subject: Port 8081 mystery

HI list...

I ran a nmap scan on quite a few machines on my internal subnet and one
port that appears on all those scans, especially the machines that are
still running adequately patched but older Windows 2000 workstations, is
tcp 8081. Though nmap shows this as blackice-icecap port I do not find
any such application running in task manager neither is this installed.

nestat-a just lists this port as 'Listening' and does not list any
application name assigned to it, so why is this port there? Who is using
this? I have ran antivirus scan and spybot checker just to rule out any
malware possibilities.

Nessus Scan (tis weeks plugin feed) does not show this port listed
amongst any vulnerability.

Here is the nmap output:

SuSE101:/home/root # nmap -O 192.168.126.245 --osscan-guess Starting
Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2007-01-23 11:10 GST
Interesting ports on 192.168.126.245:
(The 1667 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2030/tcp open  device2
8081/tcp open  blackice-icecap
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows 2000 SP4 or XP SP1

Nmap finished: 1 IP address (1 host up) scanned in 1.107 seconds

Current thread:

Re: Highlighting weak password dangers, (continued)
- - - Re: Highlighting weak password dangers Alexander Bolante (Jan 30)
    - Re: Highlighting weak password dangers anesde (Jan 31)
    - Message not available
    - Re: Port 8081 mystery WALI (Jan 24)
  - Message not available
    - Port 8081 mystery WALI (Jan 23)
    - RE: Port 8081 mystery Gressick, Michael (Jan 24)
    - Re: Port 8081 mystery Brian . D . Turk (Jan 24)
    - RE: Port 8081 mystery Remad (Jan 24)
    - Re: Port 8081 mystery George A. Theall (Jan 24)
    - Re: Port 8081 mystery Johnny Wong (Jan 24)
    - RE: Port 8081 mystery Sandro, Herpich (Jan 24)
    - RE: Port 8081 mystery Christopher A. Libby (Jan 25)
    - Re: Port 8081 mystery Alcides (Jan 24)
    - Re: Port 8081 mystery Steven Nixon (Jan 25)
    - Re: Port 8081 mystery Lukasz (Jan 24)