What in blazes are these ports? (1 Viewer)

[John_Berger]

I've been searching the Internet, but I have no idea what these are for. Apparently, they're not common TCP/IP ports.

The other day when the storm came through, the power dropped and my system rebooted. When it did, it got a different DHCP address and my firewall started registering hundreds of hits against port 4667. I searched through the Internet, both web and newsgroups, and found nothing to explain what this port is.

I've also been getting hits against ports 17300 and 6429.

My firewall software doesn't report whether these are TCP or UDP, but I'm curious as hell about what these ports are for, most especially 4667.

Does anyone have any idea?

 

[Kevin P]

No clue on 4667 or 6429, as I've never been scanned on those ports. 4662 is eDonkey (a P2P similar to Kazaa), which is about as close to 4667 as I can find. What firewall are you running? Most of them will tell you if it's TCP or UDP. If there's a protocol number being reported, TCP is 6, and UDP is 17. Also, if these are TCP packets, is the SYN flag set?

TCP 17300 is a scan for a trojan known as "Kuang2" or "Kuang2 The Virus". PCs that are infected with a certain virus (called Kuang2 or W32.Weird) will have this port open, and hackers can upload updated versions of the trojan which allow greater access. I've been getting 40-50 scans on this port daily.

Another common trojan port scan you'll see is TCP 27374, this one is called SubSeven. TCP 445 is a port used for file sharing on Win2K and XP, a lot of worms will scan on this port. TCP 1433 and UDP 1434 are scanned by infected SQL Server boxes, by the Spida or Slammer worms. Port 80 scans are commonly CodeRed.F or Nimda.

KJP

 

[John_Berger]

I'm using a LinkSys router that is sending firewall data to my PC which is running LinkLogger. It unfortunately doesn't give TCP/UDP statistics or SYN flags. I guess that I should set up an SMTP tool on my Sun Blade 100. A nice web-based SMTP monitoring and compilation tool would be sweet, but I haven't gotten around to looking for one yet.

It's been a while since I've gotten scanned for SubSeven, but I'm getting 445, 1433, and 1434 hits just about every 15 minutes if not less.

This is just more proof why I firmly believe that it you have broadband and you don't have a hardware firewall, you fully deserve to be hacked.

 

[Ted Lee]

i have NO CLUE john, but just thought i'd say "howdy!"

 

[John_Berger]

After a long absence, I'm back, much to the dismay of many, I'm sure, but that's their loss. :p)

 

[Chad Ellinger]

4667: Dwyco Video Conferencing or Voice-On-Net (http://www.jlathamsite.com/DSLR/LessSuspectPorts.htm)

 

[John_Berger]

That is possible. It looks like Dwyco uses random ports between 1024 and 5000 for file transfers. Unfortunately, a hell of a lot of other programs use random port assignments as well.

This is one mystery that might never be solved. Oh, well.

Hardware firewalls rule.

 

[Jeff Peake]

EDIT: didnt read the reply above that answered this question already.