RE: Strange ports

From: Erin Carroll (amoeba@amoebazone.com)
Date: Mon Jun 18 2007 - 23:31:37 EDT

• Next message: Philip Cox: "RE: Security and VPN"
• Previous message: killy: "Strange ports"
• In reply to: killy: "Strange ports"
• Next in thread: Jason Barbier: "Re: Strange ports"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I would recommend using amap to see about getting a fingerprint of the
application used on these ports if possible and/or contacting your firewall
team to check the configs and see what these services are for. The IANA
lists of port to application mappings are general guidelines, not explicit
sets of what the application actually is. There's no law that says you have
to run ms-term-serv on port 3389 :) You should be concerned about more than
just the 1029 and 1032 ports. I know of no valid security or business reason
why you would want to allow random people on the internet to attempt
terminal connections to your internal machines... That's what VPN's are for.

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of killy
> Sent: Monday, June 18, 2007 11:59 AM
> To: Pen-Tests
> Subject: Strange ports
>
> Scanning my external firewall(at work), I (yes, it is my job
> to) find this:
>
>
> PORT STATE SERVICE
> 53/tcp open domain
>
> 1029/tcp open ms-lsa
> 1032/tcp open iad3
>
> 3389/tcp open ms-term-serv
>
>
> Why would 1029 and 1032 need to be open from the outside?
>
> -Kill
>
>
> --
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- former White House cybersecurity czar Richard Clarke
>
> --------------------------------------------------------------
> ----------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic See HOW Now with
> our 20/20 program!
>
> http://www.cenzic.com/c/2020
> --------------------------------------------------------------
> ----------
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

• Next message: Philip Cox: "RE: Security and VPN"
• Previous message: killy: "Strange ports"
• In reply to: killy: "Strange ports"
• Next in thread: Jason Barbier: "Re: Strange ports"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:52 EDT