[Dshield] rfx-lm

John Gordon jwg at sinewave.com
Tue May 17 20:34:17 GMT 2005


Thanks for the quality postings.

-  Using "tcpview[1] (windows) or netstat (*nix) to show
what process is generating the traffic"  is very good advice
that I'll continue to use.  It makes so much sense.

I won't be able try anything at the client site again until
Friday (they're away on business) and I don't have remote
access.

- All the interesting stuff was in blocks of 1497 and some
1499 -- everything else I was familiar with or was able to
look up and eliminate.   So I'm going to pass for now on
posting a packet monitor dump, but if I'm still stumped
Friday I'll post a dump late Friday.  (I actually emailed my
client the packetmonitoring app and they sent me results.)

- RFX-lm ("record field exchange -- license manager") is
helpful.  Thanks for the detective work.

- RFX, as in the pronunciation, "Our Effects" (rfx.com),
was a search result I also ran into, but I think "Record
Field Exchange" is more likely since I was led to "rfx" by
the port number and not the other way around.

- I already had the most techie person at the client site
try disabling services and startup apps via tedious phone
help with me, but it didn't stop the 1497 flow.  On Friday,
after going for the jugular with tcpview, I'll look at startup
reg keys and run rootkitrevealer and other stuff myself.

-  The wikibook is a good idea provided it exceeds info from
the plethora of port tables already out there.  It looks to
me like people keep copying the basic port assignment tables
and adding it to their own sites.  The extra info someone
found above "-- license manager" was an exception (though I
viewed only a small fraction of google results and they were
all the same about 1497).  I guess the starting point is to
join the crowd and copy/paste the generic port-use table so
prevalent on the net into the wikibook, but it would be good
to also add the advice from Brian:
	"...use tcpview[1] (windows) or netstat (*nix) to show what
	process is generating the traffic?  ... a port number based
	on "well known ports" is often misleading, since the
	assignments in those lists tend to be for very very old
	protocols, a lot of them being things that nobody has used
	for decades.  Once you have the name of the process you can
	poke at the binary (using e.g. process explorer[2]) to
	determine what software product it is associated with,
	assuming it's not something you recognise."


I'll keep you posted.

-John

-----Original Message-----
Subject: Re: [Dshield] rfx-lm


John Gordon wrote:

> I ran a packet monitor on a client's PCs after they
> complained about lan traffic even with no obvious open apps.
> 1497 is in heavy use. Worry about evil using port 1497 even
> though PCs show clean even scanning for rootkits. Thought
> maybe 1497 traffic was related to a Maxtor network hd, but
> Maxtor support only listed another port they use (4301 or
> thereabouts) for firewall pinhole purposes.  Packet
> monitor's destination IPs for packet 1497 are other PCs in
> the LAN.

Why don't you use tcpview[1] (windows) or netstat (*nix) to
show what process is generating the traffic?  I find that a
lot of the time using a port number based on "well known
ports" is often misleading, since the assignments in those
lists tend to be for very very old protocols, a lot of them
being things that nobody has used for decades.  Once you have
the name of the process you can poke at the binary (using
e.g. process explorer[2]) to determine what software product
it is associated with, assuming it's not something you
recognise.

Brian

[1] http://www.sysinternals.com/ntw2k/source/tcpview.shtml
[2] http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
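
The *nix half of Brian's advice (netstat, then look at the binary behind the PID), worked through as an added example that is not part of the original thread. It assumes the column layout of Linux net-tools `netstat -tunp`; the sample output embedded below is constructed for the example, and its PIDs and program names ("mystery", "vendord") are fictional placeholders, not a claim about what really listens on 1497. `ss -tunp` prints its process column in a different format and is not handled here.

```shell
#!/bin/sh
# Added example (not from the original thread): map a port to the process that
# owns it from `netstat -tunp` output, then resolve that PID to a binary.
# Assumes Linux net-tools netstat column layout.

# Constructed sample of `netstat -tunp` output; PIDs and program names are fictional.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:1497       192.168.1.12:52311      ESTABLISHED 2741/mystery
tcp        0      0 192.168.1.10:22         192.168.1.50:54122      ESTABLISHED 913/sshd: user
udp        0      0 192.168.1.10:1497       192.168.1.12:1497       ESTABLISHED 2741/mystery
tcp        0      0 192.168.1.10:4301       192.168.1.20:49211      ESTABLISHED 3102/vendord
tcp        0      0 192.168.1.10:8000       192.168.1.77:40001      ESTABLISHED -'

# procs_on_port PORT   (netstat output on stdin)
# Prints each distinct "PID/Program name" that has a local or foreign endpoint
# on PORT. The port is read from the text after the last ':' so that IPv6
# forms such as ':::1497' also match. Sockets whose owner netstat could not
# see (shown as '-', which happens when not run as root) are flagged.
procs_on_port() {
  awk -v port="$1" '
    $1 ~ /^(tcp|udp)/ {
      n = split($4, l, ":"); m = split($5, f, ":")
      if (l[n] != port && f[m] != port) next
      # The PID/Program column is the first field of the form <digits>/<name>;
      # the name may itself contain spaces, so join everything after it.
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^[0-9]+\//) {
          s = $i
          for (j = i + 1; j <= NF; j++) s = s " " $j
          print s
          next
        }
      }
      print "unknown (rerun netstat as root to see the PID)"
    }' | sort -u
}

# exe_of_pid PID: resolve the running binary behind a PID via Linux /proc,
# the rough equivalent of opening the process in Process Explorer on Windows.
exe_of_pid() {
  readlink -f "/proc/$1/exe" 2>/dev/null || echo "no /proc entry for PID $1"
}

# live_port_owners PORT: the same query against the machine this runs on.
live_port_owners() {
  netstat -tunp 2>/dev/null | procs_on_port "$1"
}

# Demo on the constructed sample: both the tcp and udp 1497 sockets collapse
# to the single owner 2741/mystery.
printf '%s\n' "$SAMPLE_NETSTAT" | procs_on_port 1497
```

On a real box, run `live_port_owners 1497` as root, then `exe_of_pid <pid>` on each result; the resolved path (and `strings` or the file's version resource) is what tells you which product the port actually belongs to, rather than the well-known-ports table.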