Velocity Reviews - Computer Hardware Reviews


Outbound to port 9000

 
 
claudel
09-16-2004
Hi

My local firewall has been blocking the occasional outbound TCP
connection attempt from a random source port to port 9000 on
an off-site server. Port 9000 is registered as "cslistener" and
the limited info I've been able to dig up associates it with:

Port 9000 tcp/udp
CSlistener. Uses cslistener service.

What is cslistener?

Port 9000 tcp
Netministrator

?

Port 9000 tcp
AltaVista HTTP Server may be an attempt to compromise
an AltaVista HTTP (web) server.

Do these still exist?

Port 9000 tcp
Sendmail Switch SDAP
Sendmail's "Switch" protocol listens on this TCP port. It also listens on port 8890.

I wouldn't use a mail server at the logged destination address on purpose...

None of these services seem to be anything that I would be
purposefully wanting to access at random times. Does anyone
know if there are any exploits involving this port?

I tried telnetting to the server/port but get unknown host/service error.

TIA


Claude
 
Moe Trin
09-17-2004
In article <cicfmi$sju$(E-Mail Removed)>, claudel wrote:
>My local firewall has been blocking the occasional outbound TCP
>connection attempt from a random source port to port 9000 on
>an off-site server. Port 9000 is registered as "cslistener" and
>the limited info I've been able to dig up associates it with:


non-relevant stuff. Please remember that there is nothing that _REQUIRES_
that a service must use a specific port number (I know people who run
web servers on port 190, just to get around ISP firewalls), AND that no
other service can use a port that is "registered" for some specific
service.

Port 9000 TCP is not used by software normally installed by Microsoft,
or the big-name software companies. Nor is it found on Apples or UNIX.
This means that someone installed _EXTRA_ software that wants to
connect to some remote host (would have been nice to see the log of a
_single_ connection attempt). Now software doesn't magically appear on
a computer unless the user is a total fool and has so terribly misset
the operating system (in which case, turning the computer over to the
Department of Sanitation as "toxic waste" is probably a good idea). So
this means you or your user installed _something_ on the computer. What
was it? Look at your system(s) and find out what YOU are running that
wants to connect to port 9000 on that off-site server.

>What is cslistener?


Not relevant - but ask the IANA contact at Cincom Systems.

>None of these services seem to be anything that I would be
>purposefully wanting to access at random times. Does anyone
>know if there are any exploits involving this port?


I'm assuming you checked at google - I don't see anything obvious. But
the real question is not whether the port is good or bad, but why was
software installed (or allowed to be installed) on your computer that
wants to connect to that host on that port number.

>I tried telnetting to the server/port but get unknown host/service error.


"unknown host" usually means an incompetent network administrator who
hasn't configured his DNS servers correctly. Did you do a 'whois' query
to see who owns the IP block?

Old guy
 
claudel
09-17-2004
In article <(E-Mail Removed)>,
Moe Trin <(E-Mail Removed)> wrote:
>In article <cicfmi$sju$(E-Mail Removed)>, claudel wrote:
>>My local firewall has been blocking the occasional outbound TCP
>>connection attempt from a random source port to port 9000 on
>>an off-site server. Port 9000 is registered as "cslistener" and
>>the limited info I've been able to dig up associates it with:

>
>non-relevant stuff. Please remember that there is nothing that _REQUIRES_
>that a service must use a specific port number (I know people who run
>web servers on port 190, just to get around ISP firewalls), AND that no
>other service can use a port that is "registered" for some specific
>service.


True. I was just including what info I'd already found, so that
folks wouldn't feel obligated to repeat.

>
>Port 9000 TCP is not used by software normally installed by Microsoft,
>or the big-name software companies. Nor is it found on Apples or UNIX.
>This means that someone installed _EXTRA_ software that wants to
>connect to some remote host (would have been nice to see the log of a
>_single_ connection attempt). Now software doesn't magically appear on
>a computer unless the user is a total fool and has so terribly misset
>the operating system (in which case, turning the computer over to the
>Department of Sanitation as "toxic waste" is probably a good idea). So
>this means you or your user installed _something_ on the computer. What
>was it? Look at your system(s) and find out what YOU are running that
>wants to connect to port 9000 on that off-site server.


There is nothing ongoing that is making the connection attempt, nor
is anything running from cron at the time the attempt was made. There
was only one attempt, and it was blocked and logged by an outbound filter.

I _doubt_ if I've been trojanned, but I'm not 1000% certain.

I'm having trouble remembering exactly what I was doing at the time
the attempt was logged...

>
>>What is cslistener?

>
>Not relevant - but ask the IANA contact at Cincom Systems.


I'm mainly curious. Thanks for the pointer.

>
>>None of these services seem to be anything that I would be
>>purposefully wanting to access at random times. Does anyone
>>know if there are any exploits involving this port?

>
>I'm assuming you checked at google - I don't see anything obvious. But
>the real question is not whether the port is good or bad, but why was
>software installed (or allowed to be installed) on your computer that
>wants to connect to that host on that port number.


I did check with google, that's where I came up with the assignments
that I included in the original posting.

I'm not convinced that I actually have anything extra/bad installed.

It's entirely possible that I tried to access a webserver that
is still running AltaVista... I do remember a page or two that
just stayed blank and wouldn't load. I didn't think much of it
at the time and just moved on...

I'll try those pages again and see if I get the reject in my
logs at the same time...

>
>>I tried telnetting to the server/port but get unknown host/service error.

>
>"unknown host" usually means an incompetent network administrator who
>hasn't configured his DNS servers correctly. Did you do a 'whois' query
>to see who owns the IP block?


Yeah, it comes up "ATT WorldNet Services". That narrows it down... :^)


Thanks


Claude
 
David Shaw
09-17-2004
Yeah; that's what I was going to suggest. Perhaps, even, the
receiving server doesn't even have a web server of any kind up. I'd
`whois` it, and figure out what to do from there. That's definitely
the course of action that I would take in this situation, but then
again... it's your network, not mine.

ds

 
claudel
09-18-2004
In article <(E-Mail Removed) >,
David Shaw <(E-Mail Removed)> wrote:
>
>Yeah; that's what I was going to suggest. Perhaps, even, the
>receiving server doesn't even have a web server of any kind up. I'd
>`whois` it, and figure out what to do from there. That's definitely
>the course of action that I would take in this situation, but then
>again... it's your network, not mine


I'm reasonably sure it was a web page that was linked to another
page on another site. It turns out to be benign, but the log
entry spun me up...


Claude
 
Moe Trin
09-19-2004
In article <cifc99$70s$(E-Mail Removed)>, claudel wrote:
>There is nothing ongoing that is making the connection attempt, nor
>is anything running from cron at the time the attempt was made. There
>was only one attempt, and it was blocked and logged by an outbound filter.


OK, this was not inferred from your original posting:

>>>My local firewall has been blocking the occasional outbound TCP
>>>connection attempt from a random source port to port 9000 on
>>>an off-site server.


The word "occasional" was construed to mean "continuing on an irregular
basis".

>I _doubt_ if I've been trojanned, but I'm not 1000% certain.


Wise. The classic statement about the only secure computer...

>>Not relevant - but ask the IANA contact at Cincom Systems.

>
>I'm mainly curious. Thanks for the pointer.


If you look at http://www.iana.org/assignments/port-numbers, which is
where the "official" list lives now, you are looking at something over
twenty years of accumulated cruft. If you want a laugh, look at some of
the older versions of "ASSIGNED NUMBERS" such as RFC0960 from December
1985. At that point, the assignments were still nearly all below port
127. Now in fact, port 9000 was not listed in RFC1700 (October 1994)
which was the last document of that series (before being replaced by
the assignments web pages), but that is still nearly 10 years ago. A
lot can happen in that time, and I'm not sure if all of the contacts
listed still are at the same company, nevermind remembering what _that_
project was.

>It's entirely possible that I tried to access a webserver that
>is still running AltaVista... I do remember a page or two that
>just stayed blank and wouldn't load. I didn't think much of it
>at the time and just moved on...


A possibility. I do see some pages that won't load, but that's because
they're using some extensions beyond HTTP/1.0 which are either blocked
here, or the browser never heard of them. I don't do windoze.

>>Did you do a 'whois' query to see who owns the IP block?

>
>Yeah, it comes up "ATT WorldNet Services". That narrows it down... :^)


On a onezy - that could be the web page author fumblefingered a URL,
and typed in a non-existent (meaning reserved for future use) address.
ATT is _usually_ fairly good at putting something into the DNS Zone
files - it only takes a couple line script with a couple of for/to
loops echoing data into a pair (forward and reverse) of files.

Old guy
 
claudel
09-19-2004
In article <(E-Mail Removed)>,
Moe Trin <(E-Mail Removed)> wrote:
>In article <cifc99$70s$(E-Mail Removed)>, claudel wrote:
>>There is nothing ongoing that is making the connection attempt, nor
>>is anything running from cron at the time the attempt was made. There
>>was only one attempt, and it was blocked and logged by an outbound filter.

>
>OK, this was not inferred from your original posting:
>
>>>>My local firewall has been blocking the occasional outbound TCP
>>>>connection attempt from a random source port to port 9000 on
>>>>an off-site server.

>
>The word "occasional" was construed to mean "continuing on an irregular
>basis".


I could have been more clear about this.
Actually, looking back in my logs from previous days I have
a total of 3 occurrences, all of which I can tie with reasonable
certainty (same destination addy) to the same web server.

>
>>I _doubt_ if I've been trojanned, but I'm not 1000% certain.

>
>Wise. The classic statement about the only secure computer...
>
>>>Not relevant - but ask the IANA contact at Cincom Systems.

>>
>>I'm mainly curious. Thanks for the pointer.

>
>If you look at http://www.iana.org/assignments/port-numbers, which is
>where the "official" list lives now, you are looking at something over
>twenty years of accumulated cruft. If you want a laugh, look at some of
>the older versions of "ASSIGNED NUMBERS" such as RFC0960 from December
>1985. At that point, the assignments were still nearly all below port
>127. Now in fact, port 9000 was not listed in RFC1700 (October 1994)
>which was the last document of that series (before being replaced by
>the assignments web pages), but that is still nearly 10 years ago. A
>lot can happen in that time, and I'm not sure if all of the contacts
>listed still are at the same company, nevermind remembering what _that_
>project was.
>


I did browse the IANA port listings.
The refs I included in my original posting all are different
things that use port 9000. I'm mainly curious at this point
as to what "csserver" is. A brief google doesn't provide much..

>>It's entirely possible that I tried to access a webserver that
>>is still running AltaVista... I do remember a page or two that
>>just stayed blank and wouldn't load. I didn't think much of it
>>at the time and just moved on...

>
>A possibility. I do see some pages that won't load, but that's because
>they're using some extensions beyond HTTP/1.0 which are either blocked
>here, or the browser never heard of them. I don't do windoze.


No windoze here either. OS X with my own ipfw ruleset on a laptop
behind a screening router. I normally block all externally initiated
inbound connections and only allow stateful outbound on a few ports.
Not 9000. I run logcheck once a day and this showed up in the mail
and caught my eye, so I thought I'd track it down.

I went back to the iffy website and a page I was looking at has
a redirect to another server that, sure enough, is listening on 9000
for some reason so that was it. I got another deny for the same
address/port at the time I clicked the link and the target page
wouldn't load. I was also reasonably certain that there was no
maliciousness involved so I turned off my local firewall and the
page loaded without any problems.

It just turns out to be an archaic server/configuration.

>
>>>Did you do a 'whois' query to see who owns the IP block?

>>
>>Yeah, it comes up "ATT WorldNet Services". That narrows it down... :^)

>
>On a onezy - that could be the web page author fumblefingered a URL,
>and typed in a non-existent (meaning reserved for future use) address.
>ATT is _usually_ fairly good at putting something into the DNS Zone
>files - it only takes a couple line script with a couple of for/to
>loops echoing data into a pair (forward and reverse) of files.
>


I think that it all was more or less a false alarm. It's good to keep
up with figuring stuff like this out though.

Thanks for the insights

Claude

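The triage Claude describes above (a daily logcheck pass over ipfw denies, then tying the entries to one destination) as an added example that is not code from the thread: it parses constructed ipfw Deny lines, groups blocked outbound attempts by destination host:port, and notes whether the attempts are evenly spaced (what a scheduled process would produce) or irregular (what following a link would produce). The sample log lines, addresses and the 5% spacing heuristic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format ipfw uses on OS X / FreeBSD
# (not entries from the thread); the last line is inbound and is ignored.
SAMPLE_LOG = """\
Sep 16 14:02:11 laptop kernel: ipfw: 65000 Deny TCP 192.168.1.20:49831 203.0.113.45:9000 out via en1
Sep 17 10:30:02 laptop kernel: ipfw: 65000 Deny TCP 192.168.1.20:49902 203.0.113.45:9000 out via en1
Sep 18 16:45:19 laptop kernel: ipfw: 65000 Deny TCP 192.168.1.20:50133 203.0.113.45:9000 out via en1
Sep 16 03:00:00 laptop kernel: ipfw: 65000 Deny TCP 192.168.1.20:50200 198.51.100.7:8443 out via en1
Sep 17 03:00:01 laptop kernel: ipfw: 65000 Deny TCP 192.168.1.20:50201 198.51.100.7:8443 out via en1
Sep 18 03:00:00 laptop kernel: ipfw: 65000 Deny TCP 192.168.1.20:50202 198.51.100.7:8443 out via en1
Sep 17 09:15:00 laptop kernel: ipfw: 65000 Deny TCP 198.51.100.9:4444 192.168.1.20:22 in via en1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: ipfw: \d+ Deny "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$")

def parse_denies(text, year=2004):
    """Parse ipfw Deny lines into dicts; syslog omits the year, so supply it."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        records.append(rec)
    return records

def classify(gaps):
    """Evenly spaced attempts suggest a scheduled process; uneven spacing fits
    user-driven activity. Heuristic (assumed): every gap within 5% of the mean."""
    if len(gaps) < 2:
        return "too few attempts to judge"
    mean = sum(gaps) / len(gaps)
    return "periodic" if all(abs(g - mean) <= 0.05 * mean for g in gaps) else "irregular"

def summarize_outbound(records):
    """Group blocked outbound attempts by destination host:port."""
    groups = defaultdict(list)
    for r in records:
        if r["dir"] == "out":
            groups[(r["dst"], int(r["dport"]))].append(r["time"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = dict(count=len(times), first=times[0], last=times[-1], pattern=classify(gaps))
    return summary
```

Feeding real ipfw log lines to `parse_denies` and printing `summarize_outbound` gives one row per destination, so a single browsing-triggered deny stands apart from a destination that is hit on a schedule.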
 