Security Incidents mailing list archives

Re: IIS Using Port 1843


From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand () hsc fr>
Date: Tue, 1 Oct 2002 10:29:20 +0200

Matt Barton <matt () webexc com> wrote:

> We have a server that has been experiencing some odd behavior.  It is
> running Microsoft Windows 2000 Server, Service Pack 2 with IIS 5.  So far
> twice inetinfo.exe has stopped for no reason.  In trying to investigate
> the issue, I ran fport and noticed that inetinfo.exe was bound to port
> 1843/tcp, which seems very odd to me.
>
> Searches on Google have not revealed anything useful (other than some
> information on how that port is used with some Netopia products).

When started, IIS 5 registers RPC services. These RPC services can be
reached, among other protocol sequences, via TCP/IP.

TCP and UDP Ports allocated to RPC services are dynamic and can be found
using the endpoint mapper (portmapper) RPC service, running on port 135
(in case of DCE/RPC, the RPC standard implemented on Windows systems).

If you want to check if a given port is used by RPC services, you can
use a program that asks for all registered RPC services. Programs of
this kind are typically named rpcdump.

In the output of rpcdump, you will find that the same RPC service is
reachable via different protocol sequences (typically, ncalrpc (local
RPC), ncacn_np (named pipes, carried in SMB/CIFS), ncacn_ip_tcp
(TCP/IP) or ncadg_ip_udp (UDP/IP)). 

In IIS 5, the named pipe \pipe\inetinfo is the endpoint of ncacn_np
protocol sequences for IIS RPC services. 

On a test system (IIS5 under Windows 2000, with HTTP and SMTP services),
the rpcdump output filtered to show only IIS RPC services on
ncacn_ip_tcp and ncadg_ip_udp is:

C:\WINNT>rpcdump -p ncacn_ip_tcp 127.0.0.1 

[...]

IfId: 82ad4280-036b-11cf-972c-00aa006887b0 version 2.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.70.106.143[1027]

IfId: 82ad4280-036b-11cf-972c-00aa006887b0 version 2.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]

[...]

IfId: 8cfb5d70-31a4-11cf-a7d8-00805f48a135 version 3.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.70.106.143[1027]

IfId: 8cfb5d70-31a4-11cf-a7d8-00805f48a135 version 3.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]

[...]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.70.106.143[1027]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]

[...]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\SMTPSVC]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.70.106.143[1028]


As names of named pipes are quite explicit (inetinfo, smtpsvc), they can
be used to find the IfId of RPC services. Once you've found the
interface identifier of a given RPC service, you can look for
ncacn_ip_tcp and ncadg_ip_udp endpoints to find TCP and UDP ports.


Another method to determine if a given port is allocated to an RPC service
is to ask directly what interface identifiers are supported on this
endpoint. Programs to achieve this are typically named ifids.

For example, in your case, you could use the following command:

  ifids -p ncacn_ip_tcp -e 1843 ip_address_of_your_server

If the command returns a list of interface identifiers, it confirms that
the port is used by RPC services. In the list, you should find one (or
more) interface identifiers of IIS RPC Services. 


If you are running Windows, you can try Todd Sabin's rpctools
suite (it contains rpcdump and ifids):

 http://razor.bindview.com/tools/desc/rpctools1.0-readme.html

If you are running Unix, the latest version of Dave Aitel's SPIKE toolkit
contains dcedump (equivalent of rpcdump) and ifids:

 http://www.immunitysec.com/spike.html

Finally, if you are familiar with French, you can take a look at this
article that describes the technical details of the different network
services on Windows systems:

 http://www.hsc.fr/ressources/articles/srv_res_win/

Hope this helps, 

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand () hsc fr
Hervé Schauer Consultants
http://www.hsc.fr/
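As an added example, not part of the original mail nor of the rpctools or SPIKE suites, the following Python script performs the lookup the message describes the other way round: it parses rpcdump-style output and, for a given TCP or UDP port, lists the interface identifiers bound to that port together with the named-pipe names (inetinfo, smtpsvc) that identify the owning service. The sample output is constructed in rpcdump's format, not captured from a real host.

```python
import re
from collections import defaultdict
# Constructed sample in rpcdump's output format (not captured from a real host).
SAMPLE_RPCDUMP = r"""
IfId: 82ad4280-036b-11cf-972c-00aa006887b0 version 2.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.70.106.143[1027]

IfId: 82ad4280-036b-11cf-972c-00aa006887b0 version 2.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\SMTPSVC]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation: 
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.70.106.143[1028]
"""
BINDING_RE = re.compile(r"^(?P<protseq>\w+):(?P<host>.*)\[(?P<endpoint>[^\]]*)\]$")

def parse_rpcdump(text):
    """Yield (ifid, protseq, endpoint) per record; Annotation/UUID lines are skipped."""
    ifid = None
    for line in text.splitlines():
        if line.startswith("IfId: "):
            ifid = line.split()[1].lower()          # the interface UUID
        elif line.startswith("Binding: ") and ifid:
            m = BINDING_RE.match(line[len("Binding: "):].strip())
            if m:
                yield ifid, m["protseq"], m["endpoint"]

def services_on_port(text, port):
    """Map each IfId bound to TCP/UDP `port` to the pipe names that name its service."""
    records = list(parse_rpcdump(text))
    pipes = defaultdict(set)  # ifid -> last component of each ncacn_np endpoint
    for ifid, protseq, endpoint in records:
        if protseq == "ncacn_np":
            pipes[ifid].add(endpoint.replace("\\", "/").strip("/").split("/")[-1].lower())
    hits = {}
    for ifid, protseq, endpoint in records:
        if protseq in ("ncacn_ip_tcp", "ncadg_ip_udp") and endpoint == str(port):
            hits[ifid] = sorted(pipes[ifid])
    return hits
```

An empty result for a port means the endpoint mapper lists no RPC interface on it, which is the same conclusion the ifids command gives when it returns nothing.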
