Security Incidents mailing list archives

Re: Port 38293


From: Brian Bothwell <brian () WISDOMTOOLS COM>
Date: Thu, 16 Nov 2000 18:59:42 -0000

I've recently seen a probe on port 38293 coming from a Windows NT box.  Since
this box has exhibited some suspicious behavior in the past, I'd REALLY like to
know what 38293 is associated with.  On the well-known port list, it's unassigned
and it doesn't match up to any of the known Trojans.

Bill...

William Hayes, Computer Specialist, Communications & Information Technology
Network Security Consultant, Information Services Networking & Ops Center
University of Nebraska Lincoln,   201 Miller Hall, Lincoln NE 68583-0713
E-mail: whayes1 () unl edu




I am seeing this as well, between our NT 4.0 server and a few Win2000
Professional workstations.  A quick packet sniff shows the UDP traffic has
strings referring to the name of our NT server, as well as "NAV", so I guessed
this is Norton AntiVirus Corporate Edition.  We have the NAV CE server running
on our NT server.

The following thread from SANS confirms this:

http://www.sans.org/y2k/092300.htm
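
The triage step described in the reply above (pull readable strings out of the UDP payloads on an unassigned port and compare them with names you already know), as an added example that is not part of the original post. The payload bytes, the host names NTSERVER01 and WS-ALPHA and the function names are constructed for illustration; the real wire format of the service is not shown in this thread.

```python
import re

# Constructed sample payloads (not captured traffic). They only mimic
# "binary framing with embedded names", as the reply describes.
SAMPLE_PAYLOADS = [
    b"\x01\x10\x00\x00NTSERVER01\x00\x00\x07NAV\x00\xff\xfe",
    b"\x02\x00" + "NTSERVER01".encode("utf-16-le") + b"\x00\x00\x9c\x41",
    b"\x00\x01\x02\x03\xde\xad\xbe\xef",
]

# Windows software often embeds names as UTF-16LE, so look for both encodings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{3,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")


def extract_strings(payload):
    """Return printable ASCII and UTF-16LE runs of three or more characters."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(payload)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(payload)]
    return found


def attribute(payloads, known_hosts, product_markers):
    """Match payload strings against the local host inventory and product names.

    A hit is a lead to confirm on the host itself (which process owns the
    socket), not proof: short markers such as "NAV" can match unrelated text.
    """
    hits = {"hosts": set(), "products": set(), "opaque": 0}
    for payload in payloads:
        strings = [s.upper() for s in extract_strings(payload)]
        if not strings:
            hits["opaque"] += 1  # nothing readable: encrypted, compressed or binary
        for s in strings:
            hits["hosts"].update(h for h in known_hosts if h.upper() in s)
            hits["products"].update(m for m in product_markers if m.upper() in s)
    return hits


if __name__ == "__main__":
    print(attribute(SAMPLE_PAYLOADS, ["NTSERVER01", "WS-ALPHA"], ["NAV"]))
```
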

