pen-test

Re: Strange ports

Subject: Re: Strange ports
From: Jason Barbier <kusuriya@gmail.com>
Date: Mon, 18 Jun 2007 21:11:55 -0700
Cc: Pen-Tests <pen-test@securityfocus.com>
It looks like it has something to do with IIS or MS phoning home, or it's some sort of gateway from or to an attack; it's hard to say, but here are some tidbits I found. One way to know for certain is to sniff traffic off them.
http://www.grc.com/port_1029.htm
http://www.auditmypc.com/port/tcp-port-1029.asp

http://www.seifried.org/security/ports/1000/1032.html
http://lists.debian.org/debian-user/2000/08/msg01614.html

And here's a list of what the ports are default registered to that you can download:
http://lists.thedatalist.com/portlist/PortRef1.zip


killy wrote:
Scanning my external firewall (at work), I (yes, it is my job to) find this:

PORT     STATE    SERVICE
53/tcp   open     domain
1029/tcp open     ms-lsa
1032/tcp open     iad3
3389/tcp open     ms-term-serv


Why would 1029 and 1032 need to be open from the outside?

-Kill



