[Dshield] rfx-lm

Brian Dessent brian at dessent.net
Tue May 17 02:40:35 GMT 2005


John Gordon wrote:

> I ran a packet monitor on a client's PCs after they
> complained about lan traffic even with no obvious open apps.
> 1497 is in heavy use. Worry about evil using port 1497 even
> though PCs show clean even scanning for rootkits. Thought
> maybe 1497 traffic was related to a Maxtor network hd, but
> Maxtor support only listed another port they use (4301 or
> thereabouts) for firewall pinhole purposes.  Packet
> monitor's destination IPs for port 1497 are other PCs in
> the LAN.

Why don't you use tcpview[1] (Windows) or netstat (*nix) to show what
process is generating the traffic?  I find that a lot of the time using
a port number based on "well known ports" is often misleading, since the
assignments in those lists tend to be for very very old protocols, a lot
of them being things that nobody has used for decades.  Once you have
the name of the process you can poke at the binary (using e.g. process
explorer[2]) to determine what software product it is associated with,
assuming it's not something you recognise.

Brian

[1] http://www.sysinternals.com/ntw2k/source/tcpview.shtml
[2] http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
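One way to do the process lookup Brian describes without a GUI, as an added example that is not part of the original post: join `netstat -ano` output with `tasklist /fo csv /nh` on PID, keep only sockets on the port in question, and list each process's peers, tagging any that fall outside the RFC 1918 LAN ranges. The sample command output, PIDs and image names below are constructed.

```python
"""Name the process behind traffic on a port by joining `netstat -ano` with
`tasklist /fo csv /nh` on PID. Added example; all sample output is constructed."""
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output (Proto, Local Address, Foreign Address, State, PID).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1497      192.168.1.22:52110     ESTABLISHED     2316
  TCP    192.168.1.10:1497      192.168.1.23:52344     ESTABLISHED     2316
  TCP    192.168.1.10:49700     203.0.113.5:443        ESTABLISHED     1880
  UDP    0.0.0.0:1497           *:*                                    2316
"""
# Constructed `tasklist /fo csv /nh` output; the image names are hypothetical.
TASKLIST_SAMPLE = '''"backupagent.exe","2316","Services","0","8,412 K"
"firefox.exe","1880","Console","1","210,004 K"'''
# RFC 1918 ranges: anything else talking on the port is outside the LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV rows."""
    pids = {}
    for line in text.splitlines():
        fields = [f.strip('"') for f in line.strip().split('","')]
        if len(fields) >= 2 and fields[1].isdigit():
            pids[int(fields[1])] = fields[0]
    return pids

def parse_netstat(text):
    """Yield (proto, local, foreign, pid) for each socket row, skipping headers."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] in ("TCP", "UDP") and fields[-1].isdigit():
            yield fields[0], fields[1], fields[2], int(fields[-1])

def processes_on_port(port, netstat_text, tasklist_text):
    """Return {process name: sorted peers} for sockets whose local port is `port`;
    peers outside RFC 1918 space are tagged so they stand out."""
    names = parse_tasklist(tasklist_text)
    peers = defaultdict(set)
    for proto, local, foreign, pid in parse_netstat(netstat_text):
        if int(local.rsplit(":", 1)[1]) != port:
            continue
        host = foreign.rsplit(":", 1)[0].strip("[]")
        if host in ("*", "0.0.0.0", "::"):
            continue  # unconnected listener: nothing to report as a peer
        name = names.get(pid, f"pid {pid} (not in tasklist)")
        lan = any(ipaddress.ip_address(host) in n for n in LAN_NETS)
        peers[name].add(f"{proto} {host}" + ("" if lan else " (external)"))
    return {name: sorted(p) for name, p in peers.items()}
```

Once the image name is known, the binary's properties or its path on disk tell you which product it belongs to, which is the step Brian suggests doing with process explorer.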