Security Incidents mailing list archives

Re: Can someone please explain...


From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Tue, 1 Aug 2000 22:40:37 +0100

Matt

433 NNTP - Network News Transfer Protocol see rfc 977
http://www.faqs.org/rfcs/rfc977.html

438 dsfgw - didn't find much; the following may be junk. As far as I can
discover this is a DEC protocol/service of some description, posted by Jim
Teague teague () zso dec com. However, there is no reference to it on the DEC
website.
He has written a book for DEC; whether it includes dsfgw I don't know.
Title:   Distributing applications across DCE and Windows NT
Authors: Ward ROSENBERRY ; Jim TEAGUE ;
ISBN:    1-56592-047-3
This book provides a basic understanding for developing
cross-environment applications in DCE and Windows NT.  It gives
an overview of RPC and also details the differences between DCE
RPC and Microsoft RPC.  Topics include writing interface
definitions, writing clients and servers, and remodeling local
applications.  It also describes the administration tasks on how
Microsoft clients and servers can interact with DCE services.
This book is for programmers and administrators who want to cross
platform boundaries and distribute applications across Windows NT
and DCE.

On a positive note I could find no exploits, trojans etc relating to either
port

The next step may be to use a packet sniffer to capture some of these packets.
I do the following with rogue ports:
<snipped from my website>
1.   Before going through the sites dedicated to identifying ports (below) I
prefer to go to www.google.com and try a standard search eg "port 19932" to
identify products that legitimately use the port.
If the number is fairly obscure such as 38293 and you are getting more hits
on the word port than the number, then try a search on just the number.
If you are getting numerous hits for legitimate uses for that port try "port
19932 exploit"
Infosyssec has numerous security search engines at the bottom of its page.
If you are still drawing blanks try the standard port pages below though a
google search should have picked them up from these sites.

2.   Contact the vendors of your software products and ask what ports they
use, this is best done before you need the information, like NOW.

3.   Fire up a protocol analyser (packet sniffer) and look at the packet
content.

4.   When all else fails throw the query at the IDS or Firewall mailing
lists, if you are undergoing an attack the chances are you aren't alone.

http://advice.networkice.com/Advice/default.htm

http://advice.networkice.com/advice/Exploits/Ports/

http://www.robertgraham.com/pubs/firewall-seen.html

http://www.simovits.com/nyheter9902.html

http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html   trojan ports

http://www.chebucto.ns.ca/~rakerman/port-table.html

http://www.isi.edu/in-notes/iana/assignments/port-numbers

http://www.amaranthnetworks.com/nat/ports.html

<end of snip>

www.networkintrusion.co.uk
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Matt Beck" <Mbeck () GIANTSTEP COM>
To: <INCIDENTS () securityfocus com>
Sent: Monday, July 31, 2000 5:28 PM
Subject: Can someone please explain...


what UDP port numbers 433 and 438 are?  All I can find online are the
acronyms nnsp and dsfgw.  I ask because someone detected a "scan"
containing
these ports from inside my network and notified us.

Thanks,
Matt
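
An added example, not part of the original posts: one way to carry out step 3 above offline, by reading a saved classic pcap capture and reporting which inside hosts sent UDP to ports 433 and 438, how many targets each touched, and whether any packet carried data. The function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

WATCHED = {433, 438}  # the UDP ports asked about in this thread

def udp_hits(pcap, ports=WATCHED):
    """Yield (src, dst, dport, payload) for UDP/IPv4 packets sent to `ports`."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged and IPv6 frames are skipped)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 17 or frag or len(ip) < ihl + 8:
            continue  # not UDP, or a later fragment without a UDP header
        dport, ulen = struct.unpack("!HH", ip[ihl + 2:ihl + 6])
        if dport in ports:
            addr = lambda b: ".".join(map(str, b))
            yield addr(ip[12:16]), addr(ip[16:20]), dport, ip[ihl + 8:ihl + ulen]

def summarise(pcap, ports=WATCHED):
    """Per source host: ports hit, distinct targets, packets that carried data."""
    out = defaultdict(lambda: {"ports": set(), "targets": set(), "with_data": 0})
    for src, dst, dport, payload in udp_hits(pcap, ports):
        out[src]["ports"].add(dport)
        out[src]["targets"].add(dst)
        out[src]["with_data"] += bool(payload)
    return dict(out)

def _packet(src, dst, dport, payload=b""):  # builds constructed test traffic
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(src), bytes(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: one inside host probing three neighbours, plus one DNS query.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
for last in (1, 2, 3):
    for port in (433, 438):
        SAMPLE += _packet((10, 0, 0, 5), (10, 0, 0, last), port)
SAMPLE += _packet((10, 0, 0, 9), (10, 0, 0, 1), 53, b"\x12\x34")
```

Calling `summarise(SAMPLE)` returns one entry for 10.0.0.5 with both ports, three targets and no packets with data. Packets that do carry data are the ones to read in the protocol analyser.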



