Re: Outbound to port 9000

From: claudel (
Date: 09/19/04

Date: Sun, 19 Sep 2004 01:32:37 GMT

In article <>,
Moe Trin <not.anymore@example.tld> wrote:
>In article <cifc99$70s$>, claudel wrote:
>>There is nothing ongoing that is making the connection attempt, nor
>>is anything running from cron at the time the attempt was made. There
>>was only one attempt, and it was blocked and logged by an outbound filter.
>OK, this was not inferred from your original posting:
>>>>My local firewall has been blocking the occasional outbound TCP
>>>>connection attempt from a random source port to port 9000 on
>>>>an off-site server.
>The word "occasional" was construed to mean "continuing on an irregular

I could have been more clear about this.
Actually, looking back in my logs from previous days I have
a total of 3 occurrences, all of which I can tie with reasonable
certainty ( same destination addy ) to the same web server.

>>I _doubt_ if I've been trojanned, but I'm not 1000% certain.
>Wise. The classic statement about the only secure computer...
>>>Not relevanant - but ask the IANA contact at Cincom Systems.
>>I'm mainly curious. Thanks for the pointer.
>If you look at, which is
>where the "official" list live now, you are looking at something over
>twenty years of accumulated cruft. If you want a laugh, look at some of
>the older versions of "ASSIGNED NUMBERS" such as RFC0960 from December
>1985. At that point, the assignments were still nearly all below port
>127. Now in fact, port 9000 was not listed in RFC1700 (October 1994)
>which was the last document of that series (before being replace by
>the assignments web pages), but that is still nearly 10 years ago. A
>lot can happen in that time, and I'm not sure if all of the contacts
>listed still are at the same company, nevermind remembering what _that_
>project was ;-)

I did browse the IANA port listings.
The refs I inclded in my original posting all are different
things that use port 9000. I'm mainly curious at this point
as to what "csserver" is. A brief google doesn't provide much..

>>It's entirely possible that I tried to access a webserver that
>>is still running AltaVista... I do remember a page or two that
>>just stayed blank and wouldn't load. I didn't think much of it
>>at the time and just moved on...
>A possibility. I do see some pages that won't load, but that's because
>they're using some extensions beyond HTTP/1.0 which are either blocked
>here, or the browser never heard of them. I don't do windoze.

No windoze here either. OS X with my own ipfw ruleset on a laptop
behind a screening router. I normally block all externally initiated
inbound connections and only allow stateful outbound on a few ports.
Not 9000. I run logcheck once a day and this showed up in the mail
and caught my eye, so I thought I'd track it down.

I went back to the iffy website and a page I was looking at has
a redirect to another server that, sure enough, is listening on 9000
for some reason so that was it. I got another deny for the same
address/port at the time I clicked the link and the target page
wouldnt load. I was also reasonably certain that there was no
maliciousness involved so I turned off my local firewall and the
page loaded without any problems.

It just turns out to be an archaic server/configuration.

>>>Did you do a 'whois' query to see who owns the IP block?
>>Yeah, it comes up "ATT WorldNet Services". That narrows it down... :^)
>On a onezy - that could be the web page author fumblefingered a URL,
>and typed in a non-existent (meaning reserved for future use) address.
>ATT is _usually_ fairly good at putting something into the DNS Zone
>files - it only takes a couple line script with a couple of for/to
>loops echoing data into a pair (forward and reverse) of files.

I think that it all was more or less a false alarm. It's good to keep
up with figuring stuff like this out though.

Thanks for the insights