[Dshield] rfx-lm

Aaron Lewis aaron at adldatacomm.net
Tue May 17 12:22:13 GMT 2005


I found this which provides slightly more help.
http://www.cirt.net/cgi-bin/ports.pl?method=export&format=csv and gives the
description of

"1497","tcp/udp","rfx-lm","RFX License Manager--"

I would take a look at the services applet. If it's in there you should get
a pretty good description on its origin and usage.

If not then I would take a look at the startup keys in the registry and see
what's being started on boot. My general rule of thumb is to look in there
and remove anything I can't identify by its name. If something breaks I'll
fix it later. Better safe than sorry. I know that's a little bit of a
butcher approach and may not be ok for everyone but it works for me.

All of this assuming you're on a Windows PC running 2000 or greater.

ADL

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of John Gordon
Sent: Monday, May 16, 2005 10:12 PM
To: list at lists.dshield.org
Subject: [Dshield] rfx-lm


OK, newbie here way in over his head....

GOAL:  find out what the heck rfx-lm is and, more
importantly, what it does with port 1497.
(Joined this list to try to find this out.)


I ran a packet monitor on a client's PCs after they
complained about lan traffic even with no obvious open apps.
1497 is in heavy use. Worry about evil using port 1497 even
though PCs show clean even scanning for rootkits. Thought
maybe 1497 traffic was related to a Maxtor network hd, but
Maxtor support only listed another port they use (4301 or
thereabouts) for firewall pinhole purposes.  Packet
monitor's destination IPs for packet 1497 is another PCs in
the LAN.

Google, clusty.com, wikipedia et al. basically describe port
1497 this way:

rfx-lm 1497    tcp rfx-lm
rfx-lm 1497    udp rfx-lm

And I searched high, low and sideways for "rfx-lm" and "rfx"
and only found circular descriptions with port 1497 (e.g.,
"rfx-lm uses port 1497" and "1497 is used by rfx-lm").
Drove me batty, these Alice-in-Wonderland TLA Descriptions!
("ATD," btw, and the longer "AIW TLA Descriptions.") There's
too much AIW out there.


Microsoft.com's KB lists RFX
as "Record Field Exchange"

with lots of blather about its use in C++ without
mentioning port 1497 (or at least I couldn't find it).

"Visual C++ Concepts: Adding Functionality
Record Field Exchange: How RFX Works"

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore/html/_core_record_field_exchange.3a_.how_rfx_works.asp
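
An added example, not part of the original messages: a read-only PowerShell check that follows the reply's advice for port 1497, mapping the port to its owning process and any service hosted in it, then listing the startup (Run) registry entries for review. It assumes a current Windows release with the NetTCPIP cmdlets (Windows 8 / Server 2012 or later) rather than the Windows 2000-era systems in the thread, and an elevated prompt so all processes are visible.

```powershell
# Added example (not from the thread). Read-only: nothing is changed or removed.
$Port = 1497   # port reported in the original question

# TCP connections where either end uses the port, plus UDP endpoints bound to it.
$tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }
$udp = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue

$tcp | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

# Unique process IDs that own those sockets.
$owners = @($tcp) + @($udp) |
    Where-Object { $_ } |
    Select-Object -ExpandProperty OwningProcess -Unique

foreach ($procId in $owners) {
    # Executable path and command line of the owning process.
    Get-CimInstance Win32_Process -Filter "ProcessId=$procId" |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine

    # Services hosted in that process: the same information the services
    # applet shows (display name, description, binary path).
    Get-CimInstance Win32_Service -Filter "ProcessId=$procId" |
        Select-Object Name, DisplayName, Description, PathName, StartMode
}

# Startup entries from the Run keys, listed for review before any removal.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    $item.PSObject.Properties |
        Where-Object { $_.Name -notin $psProps } |
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        }
}
```

If no process owns the port at the moment the script runs, the traffic may be intermittent; rerun it while the packet monitor shows port 1497 activity.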

