Re: Port 5767

[Tina Bird <tbird () secnetgroup com>]

Wow, Ryan, now you've reminded me.  It was never a released version
of ARCserve, it was an early beta that wanted to contact home to
dump debugging information.  It was running on about half of the 
NT servers at my old job, and generating millions of firewall alarms 
(okay, that might be an exaggeration) until I managed to convince the
LAN administrators that it had >something< to do with backups.

> From the Cheyenne/CAI Web site:

TECHNOTE: What Port and Socket numbers are used by the NT Agent? 

 Date: October 10, 1996 
 Product: ARCserve 
 Platform: Windows NT 
 Version: 2.x / 6.x 

 Port and Socket numbers used by the NT Agent:
 TCP and UDP : Port Number : 6050
 IPX and SPX: Socket Number: 0x1687 (5767)

NOTE: Upgrade your ARCserve versions 2.x and 6.0 for Windows NT to 
version 6.5 for Windows NT.  ARCserve 6.5 addresses issues and adds 
feature enhancements and performance benefits.

Upgrading the ARCserve agent software to a released version took
care of the "phone home" issue.

Cheers -- tbird

At 03:37 PM 4/14/99 -0700, Ryan Russell wrote:
> > Has anyone seen or heard of an vulnerability/attack with a source port of
> > 6050 and with a destination port 5767 and with a destination address of
> >
> > 141.1.19.215 -according to nslookup DNS name is:
> > Please.contact.Cheyenne.for.complains
>
> I remember that being discussed in a thread on one of the mailing
>
> lists I subscribe to.. can't remember which.  A quick web search
>
> turns up zip, too.  Anyway, a version of Arcserve would end
>
> up trying to reach some address back home.. something left
>
> over from development, apparently.  There is a patch.  Go
>
> find your Arcserve machine and patch it.
>
>
>
>                         Ryan