Re: Unusual ports??

[Nathan Smith <nsmith () bbn com>]

The problem with port list is that they only list port that are registered, not the most common use of ports . Most companies today with client/server and network products will not register ports for use with their products. I.E. CheckPoint VPN-1 uses 256-258 as control ports but they are really registered to be used for RAP, YAK Winsock chat and SET. They just figured they wouldn't be used anyway so why not use them. A lot of ports have been registered for services that are no longer in use or are so rare that you never run into them so companies cannibalize them. 
In this case port 1031 is register to an old BBN Corporation project, and most of the other ones are not registered at all. So they are not being you for what they are listed for. I would suspect that 1027,29,31 are for a single service. I believe 1031 is used for inetinfo. If you are running IIS that is most likely it. Over all I would suggest you do the following:

1. If you are using programs that assign a random port number to an established connection such as FTP, configure them to use a set range of very high ports over 50,000. Set each service to a separate group of 1000-5000. This will remove them as a culprit and also help you track them in the future. 

2. Someone mentioned a sniffer. I think that is a good idea too. You can tell what they are by: where they are going, when they activate and what their payload is.  

3. List all the software on the box and contact the companies and find out what ports need to be running and ask if the ports you mentioned are used for anything. I you don't know what it is for turn it off. A lot of software will open ports when installed as a default even if you are not using the particular functionality also do a port scan before and after you add new software. This will help you keep everything under control  






At 08:15 AM 3/9/2000 -0600, you wrote: 
>>>>
> Ports 1024 and up are dynamically assigned (with a few exceptions) so these ports could be being used by anything.  For a great FAQ explaining the ports and what uses them, see:
>
> <http://www.robertgraham.com/pubs/firewall-seen.html>http://www.robertgraham.com/pubs/firewall-seen.html 
>
>
> -----Original Message----- 
> From: Sven Atkinson [<mailto:suasponte275 () hotmail com>mailto:suasponte275 () hotmail com] 
> Sent: Tuesday, March 07, 2000 1:54 PM 
> To: firewall-wizards () nfr net 
> Subject: Unusual ports?? 
>
>
> Can anyone tell me what these ports may be used for? 
>
> 1027 
> 1029 
> 1031 
> 1099 
> 2056 
> 2060 
> 15345 
>
> Any help would be greatly appreciated. 
>
> Thanks in advance, 
>
> Sven 
>
>
> ______________________________________________________ 
> Get Your Private, Free Email at <http://www.hotmail.com>http://www.hotmail.com 
<<<<