[Dshield] Getting a lot of port 3651

John Sage jsage at finchhaven.com
Sat Sep 20 15:22:40 GMT 2003


Al:

On Sat, Sep 20, 2003 at 12:03:12AM -0700, Al Reust wrote:
> Hello All
> 
> I took a moment to go see what was said about port 3651, quick
> moment at google revealed this non detailed information.
> 
> <Quote>
> # Richard Hodges <rhodges at prismiq.com> January 2003
> xrpc-registry 3651/tcp XRPC Registry
> xrpc-registry 3651/udp XRPC Registry
> <End quote>
> 
> I do see some keywords, it affects both UDP and TCP. If we do a bit of 
> quick networks history, then we know that NetBios used UDP as the primary 
> vehicle. We also know that the default behavior of most Windows OS's to 
> enable NetBios over TCP/IP (browse the network neighborhood). Next we see a 
> silly keyword called "registry," well if I can get into the registry from 
> "remote" then what can I do?  In Win9.x it is wide open, in Win 2K it is 
> enabled the same for XP. So you can start to see potentials.
> 
> In the discussion of ports 135, 137-139 and 445 what showed was a lack of 
> understanding of what NetBios allows. It allows me to Enumerate the users 
> on the specific computer. It also allows that If I know an administrator 
> username, then I can start to crack an administrator account to control the 
> machine. If the "Everyone" User account has Full access then it is a Done 
> Deal (MSBlaster).
> 
> The quick example would be to open a command window, and type:
> 
> net user
> and then type
> net group
> 
> 
> So, NetBios was from a "trusting" days when your network was not connected 
> to the Internet and the System Administrator Ruled. He/She Often had a Null 
> Password for ease of operation (ring a Bell?).

Can we assume that XRPC == http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-rfc1831bis-01.txt

"RPC: Remote Procedure Call Protocol Specification Version 2"

although here there is no direct association between TCP:3651 and
XRPC..

At dshield there is only a very low incidence of traffic to TCP:3651

http://www.dshield.org/port_report.php?port=3651&

Again, packet dumps would be helpful...



- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.




More information about the list mailing list