Re: Outbound to port 9000

From: claudel (claudel_at_bolt.sonic.net)
Date: 09/19/04


Date: Sun, 19 Sep 2004 01:32:37 GMT

In article <slrnckpmv1.i2m.ibuprofin@atlantis.phx.az.us>,
Moe Trin <not.anymore@example.tld> wrote:
>In article <cifc99$70s$1@bolt.sonic.net>, claudel wrote:
>>There is nothing ongoing that is making the connection attempt, nor
>>is anything running from cron at the time the attempt was made. There
>>was only one attempt, and it was blocked and logged by an outbound filter.
>
>OK, this was not inferred from your original posting:
>
>>>>My local firewall has been blocking the occasional outbound TCP
>>>>connection attempt from a random source port to port 9000 on
>>>>an off-site server.
>
>The word "occasional" was construed to mean "continuing on an irregular
>basis".

I could have been more clear about this.
Actually, looking back in my logs from previous days I have
a total of 3 occurrences, all of which I can tie with reasonable
certainty ( same destination addy ) to the same web server.

>
>>I _doubt_ if I've been trojanned, but I'm not 1000% certain.
>
>Wise. The classic statement about the only secure computer...
>
>>>Not relevant - but ask the IANA contact at Cincom Systems.
>>
>>I'm mainly curious. Thanks for the pointer.
>
>If you look at http://www.iana.org/assignments/port-numbers, which is
>where the "official" list lives now, you are looking at something over
>twenty years of accumulated cruft. If you want a laugh, look at some of
>the older versions of "ASSIGNED NUMBERS" such as RFC0960 from December
>1985. At that point, the assignments were still nearly all below port
>127. Now in fact, port 9000 was not listed in RFC1700 (October 1994)
>which was the last document of that series (before being replaced by
>the assignments web pages), but that is still nearly 10 years ago. A
>lot can happen in that time, and I'm not sure if all of the contacts
>listed still are at the same company, never mind remembering what _that_
>project was ;-)
>

I did browse the IANA port listings.
The refs I included in my original posting all are different
things that use port 9000. I'm mainly curious at this point
as to what "csserver" is. A brief google doesn't provide much..

>>It's entirely possible that I tried to access a webserver that
>>is still running AltaVista... I do remember a page or two that
>>just stayed blank and wouldn't load. I didn't think much of it
>>at the time and just moved on...
>
>A possibility. I do see some pages that won't load, but that's because
>they're using some extensions beyond HTTP/1.0 which are either blocked
>here, or the browser never heard of them. I don't do windoze.

No windoze here either. OS X with my own ipfw ruleset on a laptop
behind a screening router. I normally block all externally initiated
inbound connections and only allow stateful outbound on a few ports.
Not 9000. I run logcheck once a day and this showed up in the mail
and caught my eye, so I thought I'd track it down.

I went back to the iffy website and a page I was looking at has
a redirect to another server that, sure enough, is listening on 9000
for some reason so that was it. I got another deny for the same
address/port at the time I clicked the link and the target page
wouldn't load. I was also reasonably certain that there was no
maliciousness involved so I turned off my local firewall and the
page loaded without any problems.

It just turns out to be an archaic server/configuration.

>
>>>Did you do a 'whois' query to see who owns the IP block?
>>
>>Yeah, it comes up "ATT WorldNet Services". That narrows it down... :^)
>
>On a onezy - that could be the web page author fumblefingered a URL,
>and typed in a non-existent (meaning reserved for future use) address.
>ATT is _usually_ fairly good at putting something into the DNS Zone
>files - it only takes a couple line script with a couple of for/to
>loops echoing data into a pair (forward and reverse) of files.
>

I think that it all was more or less a false alarm. It's good to keep
up with figuring stuff like this out though.

Thanks for the insights

Claude
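The kind of correlation Claude describes above (three denies over several days, same destination address, same port 9000) as an added example that is not part of the original thread: a small Python parser for ipfw "Deny" log lines that counts blocked outbound TCP attempts per destination host and port, so repeated hits on one server stand out as candidates for a whois or IANA port lookup rather than reading like a trojan beaconing. The log lines and addresses are constructed for the example, and the allowed-port set is an assumption standing in for the poster's "few ports".

```python
import re
from collections import Counter

# Constructed sample lines in the style of ipfw deny logging on OS X / FreeBSD
# (rule number, action, protocol, src:port, dst:port, direction, interface).
# Addresses come from documentation ranges; none is a real host.
SAMPLE_LOG = """\
Sep 17 22:14:03 laptop ipfw: 65000 Deny TCP 192.168.1.20:51022 203.0.113.45:9000 out via en0
Sep 18 09:40:11 laptop ipfw: 65000 Deny TCP 192.168.1.20:51873 203.0.113.45:9000 out via en0
Sep 18 09:40:15 laptop ipfw: 65000 Deny TCP 192.168.1.20:51874 203.0.113.45:9000 out via en0
Sep 18 20:02:57 laptop ipfw: 65000 Deny UDP 192.168.1.20:137 192.168.1.255:137 out via en0
Sep 19 01:30:02 laptop ipfw: 65000 Deny TCP 198.51.100.9:4444 192.168.1.20:22 in via en0
"""

# Assumed set of ports the ruleset allows outbound (stateful); anything else
# going out is a policy violation worth a second look, as port 9000 was.
ALLOWED_OUTBOUND_PORTS = {22, 53, 80, 443}

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw(lines):
    """Yield one dict per recognisable ipfw log line; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec


def outbound_denies_by_target(lines):
    """Count denied outbound TCP attempts per (dst, dport), ignoring allowed ports."""
    hits = Counter()
    for rec in parse_ipfw(lines):
        if (rec["action"] == "Deny" and rec["direction"] == "out"
                and rec["proto"] == "TCP"
                and rec["dport"] not in ALLOWED_OUTBOUND_PORTS):
            hits[(rec["dst"], rec["dport"])] += 1
    return hits


def repeated_targets(lines, threshold=2):
    """Targets hit at least `threshold` times: same host, same port, random source ports."""
    return {k: n for k, n in outbound_denies_by_target(lines).items() if n >= threshold}
```

A one-off deny to a random destination is usually a mistyped URL or a stale redirect; the same host and port recurring across days, with the source port changing each time, is the pattern worth tying back to what was being browsed at that moment.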