Firewall Wizards mailing list archives
Re: Port 5767
From: Tina Bird <tbird () secnetgroup com>
Date: Thu, 15 Apr 1999 13:10:47 -0500
Wow, Ryan, now you've reminded me. It was never a released version of ARCserve, it was an early beta that wanted to contact home to dump debugging information. It was running on about half of the NT servers at my old job, and generating millions of firewall alarms (okay, that might be an exaggeration) until I managed to convince the LAN administrators that it had >something< to do with backups.
From the Cheyenne/CAI Web site:
TECHNOTE: What Port and Socket numbers are used by the NT Agent?

Date: October 10, 1996
Product: ARCserve
Platform: Windows NT
Version: 2.x / 6.x

Port and Socket numbers used by the NT Agent:

TCP and UDP : Port Number : 6050
IPX and SPX: Socket Number: 0x1687 (5767)

NOTE: Upgrade your ARCserve versions 2.x and 6.0 for Windows NT to version 6.5 for Windows NT. ARCserve 6.5 addresses issues and adds feature enhancements and performance benefits.

Upgrading the ARCserve agent software to a released version took care of the "phone home" issue.

Cheers -- tbird

At 03:37 PM 4/14/99 -0700, Ryan Russell wrote:
>> Has anyone seen or heard of a vulnerability/attack with a source port of 6050 and with a destination port 5767 and with a destination address of 141.1.19.215 - according to nslookup DNS name is: Please.contact.Cheyenne.for.complains
>
> I remember that being discussed in a thread on one of the mailing lists I subscribe to.. can't remember which. A quick web search turns up zip, too.
>
> Anyway, a version of Arcserve would end up trying to reach some address back home.. something left over from development, apparently. There is a patch. Go find your Arcserve machine and patch it.
>
> Ryan