Outbound to port 9000

Discussion in 'Computer Security' started by claudel, Sep 16, 2004.

  1. claudel (Guest)

    Hi

    My local firewall has been blocking the occasional outbound TCP
    connection attempt from a random source port to port 9000 on
    an off-site server. Port 9000 is registered as "cslistener" and
    the limited info I've been able to dig up associates it with:

    Port 9000 tcp/udp
    CSlistener. Uses cslistener service.

    What is cslistener?

    Port 9000 tcp
    Netministrator

    ?

    Port 9000 tcp
    AltaVista HTTP Server. May be an attempt to compromise
    an AltaVista HTTP (web) server.

    Do these still exist?

    Port 9000 tcp
    Sendmail Switch SDAP. Sendmail's "Switch" protocol listens on
    this TCP port. It also listens on port 8890.

    I wouldn't use a mail server at the logged destination address on purpose...

    None of these services seem to be anything that I would be
    purposefully wanting to access at random times. Does anyone
    know if there are any exploits involving this port?

    I tried telnetting to the server/port but get unknown host/service error.

    TIA


    Claude
     
    claudel, Sep 16, 2004
    #1

  2. Moe Trin (Guest)

    In article <cicfmi$sju$>, claudel wrote:
    >My local firewall has been blocking the occasional outbound TCP
    >connection attempt from a random source port to port 9000 on
    >an off-site server. Port 9000 is registered as "cslistener" and
    >the limited info I've been able to dig up associates it with:


    non-relevant stuff. Please remember that there is nothing that _REQUIRES_
    that a service must use a specific port number (I know people who run
    web servers on port 190, just to get around ISP firewalls), AND that no
    other service can use a port that is "registered" for some specific
    service.

    Port 9000 TCP is not used by software normally installed by Microsoft,
    or the big-name software companies. Nor is it found on Apples or UNIX.
    This means that someone installed _EXTRA_ software that wants to
    connect to some remote host (would have been nice to see the log of a
    _single_ connection attempt). Now software doesn't magically appear on
    a computer unless the user is a total fool and has so terribly misset
    the operating system (in which case, turning the computer over to the
    Department of Sanitation as "toxic waste" is probably a good idea). So
    this means you or your user installed _something_ on the computer. What
    was it? Look at your system(s) and find out what YOU are running that
    wants to connect to port 9000 on that off-site server.

    >What is cslistener?


    Not relevant - but ask the IANA contact at Cincom Systems.

    >None of these services seem to be anything that I would be
    >purposefully wanting to access at random times. Does anyone
    >know if there are any exploits involving this port?


    I'm assuming you checked at google - I don't see anything obvious. But
    the real question is not whether the port is good or bad, but why was
    software installed (or allowed to be installed) on your computer that
    wants to connect to that host on that port number.

    >I tried telnetting to the server/port but get unknown host/service error.


    "unknown host" usually means an incompetent network administrator who
    hasn't configured his DNS servers correctly. Did you do a 'whois' query
    to see who owns the IP block?

    Old guy
     
    Moe Trin, Sep 17, 2004
    #2
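As an added example, not part of the thread, here is the triage Moe Trin is asking for: pull the outbound denies out of an ipfw syslog, group them by destination, and show first and last time seen so that each attempt can be matched against what the user was doing at that moment. The log lines are constructed in the FreeBSD/OS X ipfw syslog format; the host name, rule numbers and addresses are hypothetical.

```bash
#!/bin/sh
# Added example: triage of outbound denies in an ipfw syslog (not from the thread).
# SAMPLE_LOG is CONSTRUCTED; hostname, rule numbers and addresses are hypothetical.
# Real lines land in /var/log/ipfw.log or /var/log/system.log depending on syslog.conf.
SAMPLE_LOG='Sep 16 10:12:31 laptop ipfw: 65000 Deny TCP 192.168.1.5:50123 203.0.113.7:9000 out via en1
Sep 16 10:12:34 laptop ipfw: 65000 Deny TCP 192.168.1.5:50124 203.0.113.7:9000 out via en1
Sep 16 11:02:09 laptop ipfw: 65000 Deny TCP 192.168.1.5:50310 198.51.100.4:9000 out via en1
Sep 16 11:02:10 laptop ipfw: 60000 Deny TCP 203.0.113.99:4444 192.168.1.5:22 in via en1
Sep 17 09:45:51 laptop ipfw: 65000 Deny UDP 192.168.1.5:5353 224.0.0.251:5353 out via en1
Sep 18 18:21:07 laptop ipfw: 65000 Deny TCP 192.168.1.5:51002 203.0.113.7:9000 out via en1'

# outbound_denies: read ipfw log lines on stdin; keep only outbound TCP denies
# (inbound noise and UDP are dropped); print one line per destination:
#   <count> <dst_ip:port> <first seen> <last seen>, busiest destination first.
# Fields in the ipfw format: 1-3 timestamp, 4 host, 5 "ipfw:", 6 rule, 7 action,
# 8 proto, 9 src, 10 dst, 11 direction, 12 "via", 13 interface.
outbound_denies() {
    awk '$5 == "ipfw:" && $7 == "Deny" && $8 == "TCP" && $11 == "out" {
            dst = $10; ts = $1 " " $2 " " $3
            if (!(dst in n)) first[dst] = ts
            n[dst]++; last[dst] = ts
        }
        END { for (d in n) printf "%d %s %s %s\n", n[d], d, first[d], last[d] }' |
    sort -rn
}

# denies_to_port PORT: the individual outbound attempts to one destination port,
# in log order, so each timestamp can be matched against browser or shell history.
denies_to_port() {
    awk -v port="$1" '$5 == "ipfw:" && $7 == "Deny" && $11 == "out" && $10 ~ (":" port "$")'
}

printf '%s\n' "$SAMPLE_LOG" | outbound_denies
printf '%s\n' "$SAMPLE_LOG" | denies_to_port 9000

# On the live machine, catch the owning process while the SYN is still pending
# (a silent deny, as opposed to a reset, leaves the socket in SYN_SENT until
# connect() times out):
#   sudo lsof -nP -i TCP -sTCP:SYN_SENT
# and identify who owns the destination block before deciding anything:
#   whois 203.0.113.7
```

The summary line answers Moe Trin's question directly: three attempts to one host and port over three days, with the clock times to check against what was open at the time, is a very different picture from a steady beaconing process.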

  3. claudel (Guest)

    In article <>,
    Moe Trin <> wrote:
    >In article <cicfmi$sju$>, claudel wrote:
    >>My local firewall has been blocking the occasional outbound TCP
    >>connection attempt from a random source port to port 9000 on
    >>an off-site server. Port 9000 is registered as "cslistener" and
    >>the limited info I've been able to dig up associates it with:

    >
    >non-relevant stuff. Please remember that there is nothing that _REQUIRES_
    >that a service must use a specific port number (I know people who run
    >web servers on port 190, just to get around ISP firewalls), AND that no
    >other service can use a port that is "registered" for some specific
    >service.


    True. I was just including what info I'd already found, so that
    folks wouldn't feel obligated to repeat.

    >
    >Port 9000 TCP is not used by software normally installed by Microsoft,
    >or the big-name software companies. Nor is it found on Apples or UNIX.
    >This means that someone installed _EXTRA_ software that wants to
    >connect to some remote host (would have been nice to see the log of a
    >_single_ connection attempt). Now software doesn't magically appear on
    >a computer unless the user is a total fool and has so terribly misset
    >the operating system (in which case, turning the computer over to the
    >Department of Sanitation as "toxic waste" is probably a good idea). So
    >this means you or your user installed _something_ on the computer. What
    >was it? Look at your system(s) and find out what YOU are running that
    >wants to connect to port 9000 on that off-site server.


    There is nothing ongoing that is making the connection attempt, nor
    is anything running from cron at the time the attempt was made. There
    was only one attempt, and it was blocked and logged by an outbound filter.

    I _doubt_ if I've been trojanned, but I'm not 1000% certain.

    I'm having trouble remembering exactly what I was doing at the time
    the attempt was logged...

    >
    >>What is cslistener?

    >
    >Not relevant - but ask the IANA contact at Cincom Systems.


    I'm mainly curious. Thanks for the pointer.

    >
    >>None of these services seem to be anything that I would be
    >>purposefully wanting to access at random times. Does anyone
    >>know if there are any exploits involving this port?

    >
    >I'm assuming you checked at google - I don't see anything obvious. But
    >the real question is not whether the port is good or bad, but why was
    >software installed (or allowed to be installed) on your computer that
    >wants to connect to that host on that port number.


    I did check with google, that's where I came up with the assignments
    that I included in the original posting.

    I'm not convinced that I actually have anything extra/bad installed.

    It's entirely possible that I tried to access a webserver that
    is still running AltaVista... I do remember a page or two that
    just stayed blank and wouldn't load. I didn't think much of it
    at the time and just moved on...

    I'll try those pages again and see if I get the reject in my
    logs at the same time...

    >
    >>I tried telnetting to the server/port but get unknown host/service error.

    >
    >"unknown host" usually means an incompetent network administrator who
    >hasn't configured his DNS servers correctly. Did you do a 'whois' query
    >to see who owns the IP block?


    Yeah, it comes up "ATT WorldNet Services". That narrows it down... :^)


    Thanks


    Claude
     
    claudel, Sep 17, 2004
    #3
  4. David Shaw (Guest)

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Yeah; that's what I was going to suggest. Perhaps, even, the
    receiving server doesn't even have a web server of any kind up. I'd
    `whois` it, and figure out what to do from there. That's definitely
    the course of action that I would take in this situation, but then
    again... it's your network, not mine ;)

    ds

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

    iQA/AwUBQUt416v/4PyJdfGiEQIKWQCdHKcUygoWUQfsGeyeMzPyZO9TlS8AoLYq
    pCH8o31aDtAhvYc1WDuY87VL
    =UDrn
    -----END PGP SIGNATURE-----
     
    David Shaw, Sep 18, 2004
    #4
  5. claudel (Guest)

    In article <>,
    David Shaw <> wrote:
    >
    >Yeah; that's what I was going to suggest. Perhaps, even, the
    >receiving server doesn't even have a web server of any kind up. I'd
    >`whois` it, and figure out what to do from there. That's definitely
    >the course of action that I would take in this situation, but then
    >again... it's your network, not mine ;)


    I'm reasonably sure it was a web page that was linked to another
    page on another site. It turns out to be benign, but the log
    entry spun me up...


    Claude
     
    claudel, Sep 18, 2004
    #5
  6. Moe Trin (Guest)

    In article <cifc99$70s$>, claudel wrote:
    >There is nothing ongoing that is making the connection attempt, nor
    >is anything running from cron at the time the attempt was made. There
    >was only one attempt, and it was blocked and logged by an outbound filter.


    OK, this was not inferred from your original posting:

    >>>My local firewall has been blocking the occasional outbound TCP
    >>>connection attempt from a random source port to port 9000 on
    >>>an off-site server.


    The word "occasional" was construed to mean "continuing on an irregular
    basis".

    >I _doubt_ if I've been trojanned, but I'm not 1000% certain.


    Wise. The classic statement about the only secure computer...

    >>Not relevant - but ask the IANA contact at Cincom Systems.

    >
    >I'm mainly curious. Thanks for the pointer.


    If you look at http://www.iana.org/assignments/port-numbers, which is
    where the "official" list lives now, you are looking at something over
    twenty years of accumulated cruft. If you want a laugh, look at some of
    the older versions of "ASSIGNED NUMBERS" such as RFC0960 from December
    1985. At that point, the assignments were still nearly all below port
    127. Now in fact, port 9000 was not listed in RFC1700 (October 1994)
    which was the last document of that series (before being replaced by
    the assignments web pages), but that is still nearly 10 years ago. A
    lot can happen in that time, and I'm not sure if all of the contacts
    listed still are at the same company, nevermind remembering what _that_
    project was ;-)

    >It's entirely possible that I tried to access a webserver that
    >is still running AltaVista... I do remember a page or two that
    >just stayed blank and wouldn't load. I didn't think much of it
    >at the time and just moved on...


    A possibility. I do see some pages that won't load, but that's because
    they're using some extensions beyond HTTP/1.0 which are either blocked
    here, or the browser never heard of them. I don't do windoze.

    >>Did you do a 'whois' query to see who owns the IP block?

    >
    >Yeah, it comes up "ATT WorldNet Services". That narrows it down... :^)


    On a onezy - that could be the web page author fumblefingered a URL,
    and typed in a non-existent (meaning reserved for future use) address.
    ATT is _usually_ fairly good at putting something into the DNS Zone
    files - it only takes a couple line script with a couple of for/to
    loops echoing data into a pair (forward and reverse) of files.

    Old guy
     
    Moe Trin, Sep 19, 2004
    #6
  7. claudel (Guest)

    In article <>,
    Moe Trin <> wrote:
    >In article <cifc99$70s$>, claudel wrote:
    >>There is nothing ongoing that is making the connection attempt, nor
    >>is anything running from cron at the time the attempt was made. There
    >>was only one attempt, and it was blocked and logged by an outbound filter.

    >
    >OK, this was not inferred from your original posting:
    >
    >>>>My local firewall has been blocking the occasional outbound TCP
    >>>>connection attempt from a random source port to port 9000 on
    >>>>an off-site server.

    >
    >The word "occasional" was construed to mean "continuing on an irregular
    >basis".


    I could have been more clear about this.
    Actually, looking back in my logs from previous days I have
    a total of 3 occurrences, all of which I can tie with reasonable
    certainty ( same destination addy ) to the same web server.

    >
    >>I _doubt_ if I've been trojanned, but I'm not 1000% certain.

    >
    >Wise. The classic statement about the only secure computer...
    >
    >>>Not relevant - but ask the IANA contact at Cincom Systems.

    >>
    >>I'm mainly curious. Thanks for the pointer.

    >
    >If you look at http://www.iana.org/assignments/port-numbers, which is
    >where the "official" list lives now, you are looking at something over
    >twenty years of accumulated cruft. If you want a laugh, look at some of
    >the older versions of "ASSIGNED NUMBERS" such as RFC0960 from December
    >1985. At that point, the assignments were still nearly all below port
    >127. Now in fact, port 9000 was not listed in RFC1700 (October 1994)
    >which was the last document of that series (before being replaced by
    >the assignments web pages), but that is still nearly 10 years ago. A
    >lot can happen in that time, and I'm not sure if all of the contacts
    >listed still are at the same company, nevermind remembering what _that_
    >project was ;-)
    >


    I did browse the IANA port listings.
    The refs I included in my original posting all are different
    things that use port 9000. I'm mainly curious at this point
    as to what "csserver" is. A brief google doesn't provide much...

    >>It's entirely possible that I tried to access a webserver that
    >>is still running AltaVista... I do remember a page or two that
    >>just stayed blank and wouldn't load. I didn't think much of it
    >>at the time and just moved on...

    >
    >A possibility. I do see some pages that won't load, but that's because
    >they're using some extensions beyond HTTP/1.0 which are either blocked
    >here, or the browser never heard of them. I don't do windoze.


    No windoze here either. OS X with my own ipfw ruleset on a laptop
    behind a screening router. I normally block all externally initiated
    inbound connections and only allow stateful outbound on a few ports.
    Not 9000. I run logcheck once a day and this showed up in the mail
    and caught my eye, so I thought I'd track it down.

    I went back to the iffy website and a page I was looking at has
    a redirect to another server that, sure enough, is listening on 9000
    for some reason so that was it. I got another deny for the same
    address/port at the time I clicked the link and the target page
    wouldn't load. I was also reasonably certain that there was no
    maliciousness involved so I turned off my local firewall and the
    page loaded without any problems.

    It just turns out to be an archaic server/configuration.

    >
    >>>Did you do a 'whois' query to see who owns the IP block?

    >>
    >>Yeah, it comes up "ATT WorldNet Services". That narrows it down... :^)

    >
    >On a onezy - that could be the web page author fumblefingered a URL,
    >and typed in a non-existent (meaning reserved for future use) address.
    >ATT is _usually_ fairly good at putting something into the DNS Zone
    >files - it only takes a couple line script with a couple of for/to
    >loops echoing data into a pair (forward and reverse) of files.
    >


    I think that it all was more or less a false alarm. It's good to keep
    up with figuring stuff like this out though.

    Thanks for the insights

    Claude
     
    claudel, Sep 19, 2004
    #7
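As an added example, not from the thread: the last post resolves the mystery as a page that redirects to a server listening on 9000, and the author got the page to load by turning the local firewall off. The check a practitioner would want is to see where a page redirects without letting the browser follow it, and then to open only that host and port. The response headers below are constructed and the address, path and rule number are hypothetical; against a live site the same Location header comes from `curl -sI URL` (or `curl -sI -o /dev/null -w '%{redirect_url}\n' URL`, which prints the resolved redirect target directly).

```bash
#!/bin/sh
# Added example (not from the thread): find where a page redirects without following
# it, then allow only that host:port instead of disabling the whole ruleset.
# SAMPLE_HEADERS is CONSTRUCTED; the address and path are hypothetical.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 302 Found\r\nDate: Sat, 18 Sep 2004 18:21:07 GMT\r\nLocation: http://203.0.113.7:9000/archive/index.html\r\nContent-Length: 0\r\n\r\n')

# redirect_target: read raw HTTP response headers on stdin (CRLF tolerated) and print
# the host:port named by the first Location header, filling in 80/443 from the scheme
# when the URL carries no explicit port. Prints nothing if there is no redirect.
redirect_target() {
    awk 'tolower($1) == "location:" {
            url = $2; sub(/\r$/, "", url)
            scheme = url; sub(/:.*/, "", scheme)
            hostport = url; sub(/^[a-z]+:\/\//, "", hostport); sub(/\/.*/, "", hostport)
            if (hostport !~ /:/) hostport = hostport ":" (scheme == "https" ? 443 : 80)
            print hostport; exit
        }'
}

# allow_rule HOST:PORT: print the narrow ipfw rule that opens just that destination,
# outbound, stateful, so the catch-all deny stays in force for everything else.
# Rule number 1000 is hypothetical; pick one that sorts before your final deny.
allow_rule() {
    host=${1%:*}; port=${1##*:}
    printf 'ipfw add 1000 allow tcp from me to %s %s out setup keep-state\n' "$host" "$port"
}

target=$(printf '%s\n' "$SAMPLE_HEADERS" | redirect_target)
echo "redirects to: $target"
allow_rule "$target"
```

Once the page has been read, `ipfw delete 1000` closes the hole again; the point is that the firewall never stops screening the rest of the traffic while the odd server is being looked at.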
