[Dshield] Getting a lot of port 3651

Al Reust areust at comcast.net
Sat Sep 20 07:03:12 GMT 2003


Hello All

I took a moment to go see what was said about port 3651; a quick moment on 
Google revealed this non-detailed information.

<Quote>
# Richard Hodges <rhodges at prismiq.com> January 2003
xrpc-registry 3651/tcp XRPC Registry
xrpc-registry 3651/udp XRPC Registry
<End quote>

I do see some keywords; it affects both UDP and TCP. If we do a bit of 
quick network history, then we know that NetBios used UDP as the primary 
vehicle. We also know that the default behavior of most Windows OS's is to 
enable NetBios over TCP/IP (browse the network neighborhood). Next we see a 
silly keyword called "registry"; well, if I can get into the registry from 
"remote" then what can I do?  In Win9.x it is wide open; in Win 2K it is 
enabled, the same for XP. So you can start to see the potentials.

In the discussion of ports 135, 137-139 and 445, what showed was a lack of 
understanding of what NetBios allows. It allows me to enumerate the users 
on the specific computer. It also means that if I know an administrator 
username, then I can start to crack an administrator account to control the 
machine. If the "Everyone" user account has Full access then it is a Done 
Deal (MSBlaster).

The quick example would be to open a command window, and type:

net user
and then type
net group


So, NetBios was from the "trusting" days when your network was not connected 
to the Internet and the System Administrator ruled. He/she often had a null 
password for ease of operation (ring a bell?).

R/

Al


At 10:02 PM 9/19/2003 -0400, you wrote:

>-----Original Message-----
>From: John Sage
>To: General DShield Discussion List <list at dshield.org>
>Date: Friday, September 19, 2003 5:38 PM
>Subject: Re: [Dshield] Getting a lot of port 3651
>
>
> >Dan:
> >
> >On Fri, Sep 19, 2003 at 04:14:06PM -0400, Dan wrote:
> >> Hello all,
> >> I am getting a lot of hits on port 3651 from a LOT of different sources.
> >> Anyone else seeing this?
> >>
> >> -Dan
> >
> >You give no context, whatsoever..
>
>Correction, I gave the context that was needed.  The current IP has nothing
>to do with getting certain hits on a certain port (at least in general, I
>was just asking a simple question).  And yes the machine in question is on
>DSL.  However I did not get a new IP address and it has been hitting
>steadily all day long.
>
>And yes I realize that when one gets a reassigned IP, sometimes you get a
>lot of hits looking for the previous computer that was previously connected
>to the systems now bouncing off your firewall.  However, I had personally
>not seen this port before and since there were quite a few hits I thought
>that I would ask on the list if anyone else was seeing this activity.  And
>if you recall, the last time I asked about such activity it was a result of
>the MSBlaster worm, which at the time I asked had only been released a few
>hours previously and was unknown, unclassified, and people were trying to
>obtain samples for analysis.
>
>One other interesting thing: it started about 12 noon, peaked in the
>afternoon about 5pm and has gone down a bit since then, some 4 hours later.
>Generally what you suggested does not increase several hours later after
>changing IPs.
>
>Anyway since no one else has seen this activity I shall assume it is just me
>and disregard it.
>
>-Dan
>
>
> >I'm betting you're on DSL.
> >
> >By chance did you just get a new IP address?
> >
> >Could be what I call "dialup cruft": P2P or filesharing of somesort
> >intended for the previous occupant of the IP address you have now.
> >
> >One thought, anyway...
> >
> >
> >
> >- John
>
>
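Dan's argument rests on two things a firewall log can show: how many distinct sources hit port 3651 and how the hits are spread over the day. The script below is an added example (not from the list thread or DShield) that summarizes exactly that from constructed log lines in a simple made-up format; the "widespread" threshold is my own assumption.

```python
from collections import Counter

# Constructed sample firewall log lines (format invented for this example,
# not DShield's submission format):
# "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2003-09-19 12:05:11 10.1.2.3:4422 -> 192.0.2.10:3651 tcp
2003-09-19 12:40:02 10.9.8.7:1043 -> 192.0.2.10:3651 tcp
2003-09-19 13:00:00 10.1.2.3:6881 -> 192.0.2.10:6881 tcp
2003-09-19 13:15:45 198.51.100.5:2330 -> 192.0.2.10:3651 tcp
2003-09-19 16:58:10 203.0.113.77:3651 -> 192.0.2.10:3651 udp
2003-09-19 17:02:33 198.51.100.9:1120 -> 192.0.2.10:3651 tcp
2003-09-19 17:20:19 10.1.2.3:4431 -> 192.0.2.10:3651 tcp
2003-09-19 17:31:08 203.0.113.20:2025 -> 192.0.2.10:3651 tcp
2003-09-19 21:10:55 10.9.8.7:1099 -> 192.0.2.10:3651 tcp
"""

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    date, time, src, _, dst, proto = parts
    src_ip, _src_port = src.rsplit(":", 1)
    _dst_ip, dst_port = dst.rsplit(":", 1)
    return {"date": date, "hour": int(time.split(":")[0]),
            "src_ip": src_ip, "dst_port": int(dst_port), "proto": proto}

def summarize_port(log_text, port):
    """Hits on one destination port: total, distinct sources, per-hour spread."""
    sources, hourly, protos = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst_port"] != port:
            continue
        sources[rec["src_ip"]] += 1
        hourly[rec["hour"]] += 1
        protos[rec["proto"]] += 1
    return {"port": port, "hits": sum(sources.values()),
            "distinct_sources": len(sources),
            "top_sources": sources.most_common(3), "hourly": dict(hourly),
            "peak_hour": max(hourly, key=hourly.get) if hourly else None,
            "protocols": dict(protos)}

def looks_widespread(summary, min_sources=5):
    """Assumed heuristic: hits from at least min_sources different addresses
    suggest broad scanning rather than leftover traffic for the IP's
    previous occupant, which tends to come from a handful of peers."""
    return summary["distinct_sources"] >= min_sources
```

Run it on your own firewall export after adapting parse_line to its format; a high hit count with only one or two sources reads very differently from the many-source pattern Dan describes.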