[Dshield] rfx-lm

John Gordon jwg at sinewave.com
Tue May 17 02:11:41 GMT 2005

OK, newbie here way in over his head....

GOAL:  find out what the heck rfx-lm is and, more
importantly, what it does with port 1497.
(Joined this list to try to find this out.)

I ran a packet monitor on a client's PCs after they
complained about LAN traffic even with no obvious open apps.
1497 is in heavy use. Worry about evil using port 1497 even
though PCs show clean even scanning for rootkits. Thought
maybe 1497 traffic was related to a Maxtor network hd, but
Maxtor support only listed another port they use (4301 or
thereabouts) for firewall pinhole purposes.  Packet
monitor's destination IPs for packet 1497 are other PCs in
the LAN.

Google, clusty.com, wikipedia et al. basically describe port
1497 this way:

rfx-lm 1497    tcp rfx-lm
rfx-lm 1497    udp rfx-lm

And I searched high, low and sideways for "rfx-lm" and "rfx"
and only found circular descriptions with port 1497 (e.g.,
"rfx-lm uses port 1497" and "1497 is used by rfx-lm").
Drove me batty, these Alice-in-Wonderland TLA Descriptions!
("ATD," btw, and the longer "AIW TLA Descriptions.") There's
too much AIW out there.

Microsoft.com's KB lists RFX
as "Record Field Exchange"

with lots of blather about its use in C++ without
mentioning port 1497 (or at least I couldn't find it).

"Visual C++ Concepts: Adding Functionality
Record Field Exchange: How RFX Works


