[Dshield] Getting a lot of port 3651
jsage at finchhaven.com
Sat Sep 20 15:22:40 GMT 2003
On Sat, Sep 20, 2003 at 12:03:12AM -0700, Al Reust wrote:
> Hello All
> I took a moment to go see what was said about port 3651; a quick
> moment at Google revealed this non-detailed information.
> # Richard Hodges <rhodges at prismiq.com> January 2003
> xrpc-registry 3651/tcp XRPC Registry
> xrpc-registry 3651/udp XRPC Registry
> <End quote>
> I do see some keywords: it affects both UDP and TCP. If we do a bit of
> quick network history, then we know that NetBIOS used UDP as the primary
> vehicle. We also know that the default behavior of most Windows OSes is to
> enable NetBIOS over TCP/IP (browse the network neighborhood). Next we see a
> silly keyword called "registry," well if I can get into the registry from
> "remote" then what can I do? In Win9.x it is wide open, in Win 2K it is
> enabled, the same for XP. So you can start to see potentials.
> In the discussion of ports 135, 137-139 and 445 what showed was a lack of
> understanding of what NetBIOS allows. It allows me to enumerate the users
> on the specific computer. It also allows that if I know an administrator
> username, then I can start to crack an administrator account to control the
> machine. If the "Everyone" user account has Full access then it is a Done
> Deal (MSBlaster).
> The quick example would be to open a command window, and type:
> net user
> and then type
> net group
> So, NetBIOS was from the "trusting" days when your network was not connected
> to the Internet and the System Administrator ruled. He/she often had a null
> password for ease of operation (ring a bell?).
Can we assume that XRPC == http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-rfc1831bis-01.txt
"RPC: Remote Procedure Call Protocol Specification Version 2"
although here there is no direct association between TCP:3651 and
At dshield there is only a very low incidence of traffic to TCP:3651
Again, packet dumps would be helpful...
"Warning: time of day goes back, taking countermeasures."
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.