[Dshield] Getting a lot of port 3651
areust at comcast.net
Sat Sep 20 07:03:12 GMT 2003
I took a moment to go see what was said about port 3651; a quick moment at
Google revealed this non-detailed information.
# Richard Hodges <rhodges at prismiq.com> January 2003
xrpc-registry 3651/tcp XRPC Registry
xrpc-registry 3651/udp XRPC Registry
I do see some keywords; it affects both UDP and TCP. If we do a bit of
quick network history, then we know that NetBIOS used UDP as the primary
vehicle. We also know that the default behavior of most Windows OSes is to
enable NetBIOS over TCP/IP (browse the network neighborhood). Next we see a
silly keyword called "registry"; well, if I can get into the registry from
"remote" then what can I do? In Win9.x it is wide open, in Win 2K it is
enabled the same for XP. So you can start to see potentials.
In the discussion of ports 135, 137-139 and 445 what showed was a lack of
understanding of what NetBIOS allows. It allows me to enumerate the users
on the specific computer. It also allows that if I know an administrator
username, then I can start to crack an administrator account to control the
machine. If the "Everyone" user account has Full access then it is a Done
The quick example would be to open a command window, and type:
and then type
So, NetBIOS was from the "trusting" days when your network was not connected
to the Internet and the System Administrator ruled. He/she often had a null
password for ease of operation (ring a bell?).
At 10:02 PM 9/19/2003 -0400, you wrote:
>From: John Sage
>To: General DShield Discussion List <list at dshield.org>
>Date: Friday, September 19, 2003 5:38 PM
>Subject: Re: [Dshield] Getting a lot of port 3651
> >On Fri, Sep 19, 2003 at 04:14:06PM -0400, Dan wrote:
> >> Hello all,
> >> I am getting a lot of hits on port 3651 from a LOT of different sources.
> >> Anyone else seeing this?
> >> -Dan
> >You give no context, whatsoever..
>Correction, I gave the context that was needed. The current IP has nothing
>to do with getting certain hits on a certain port (at least in general, I
>was just asking a simple question). And yes the machine in question is on
>DSL. However I did not get a new IP address and it has been hitting
>steadily all day long.
>And yes I realize that when one gets a reassigned IP, sometimes you get a
>lot of hits looking for the previous computer that was previously connected
>to the systems now bouncing off your firewall. However, I had personally
>not seen this port before and since there were quite a few hits I thought
>that I would ask on the list if anyone else was seeing this activity. And
>if you recall, the last time I asked about such activity it was a result of
>the MSBlaster worm, which at the time I asked was only released a few hours
>previous was unknown, unclassified, and people were trying to obtain samples
>One other interesting thing, it started about 12 noon and peaked in the
>afternoon about 5pm and has gone down a bit since then some 4 hours later.
>Generally what you suggested does not increase several hours later after
>Anyway since no one else has seen this activity I shall assume it is just me
>and disregard it.
> >I'm betting you're on DSL.
> >By chance did you just get a new IP address?
> >Could be what I call "dialup cruft": P2P or filesharing of some sort
> >intended for the previous occupant of the IP address you have now.
> >One thought, anyway...
> >- John