Security Incidents mailing list archives

Re: Weird Ports on NT box


From: moeller () CERT DFN DE (Klaus Moeller)
Date: Fri, 14 Apr 2000 11:53:29 +0200


-----BEGIN PGP SIGNED MESSAGE-----

Maniac . writes:
I've got a weird one for you.

I did a scan on a client's NT 4.0 SP6a, MS Exchange 5.5 SP3 box and came up
with the following ports that I cannot ID.

TCP 389
TCP 593
TCP 636

 389 | TCP/UDP    Lightweight Directory Access Protocol
 636 | TCP/UDP    ldap protocol over TLS | SSL (was sldap)

The ldap ports are most likely to be part of the address book and/or
integration with MS Active Directory.

- From the IANA Database:

http-rpc-epmap  593/tcp    HTTP RPC Ep Map
http-rpc-epmap  593/udp    HTTP RPC Ep Map

And from http://advice.networkice.com/advice/Exploits/Ports

593 provides "endpoint mapper" services for RPC-over-HTTP (when IIS
acts as a proxy for RPC).  See port 135 for more info. Sometimes
enabled automatically by Exchange. See "MIDL Programmers Guide and
Reference" programmers documentation.
http://msdn.microsoft.com/library/specs/51oxidresolverportsendpoints.htm

Looking under port 135 (same location)

Microsoft DCE Locator service aka. end-point mapper. It works like Sun
RPC portmapper, except that end-points can also be named pipes.
AKA NCS local location broker

Hope that helps,
        Klaus Moeller, DFN-CERT

- --
Klaus Moeller            |                    mailto:moeller () cert dfn de
DFN-CERT GmbH            |
Vogt-Koelln-Str. 30      |                      Phone: +49(40)42883-2262
D-22527 Hamburg          |                        FAX: +49(40)42883-2241
Germany                  |       PGP-Key: finger moeller () ftp cert dfn de


