What are these tcp ports?

Did an internal port scan on a number of Windows Server 2003 and found the
following ports, but they seems weired. Any
comments/suggestions/information are thankful.

85 (MIT ML Device)
264 (BGMP)
039 (Streamlined Blackhole)
1041 (AK2 Product)
1043 (BONIC Client Control)
$1051 (Optima VNET)
1052 (Dynamic DNS Tools)
1074 (FASTechnologies License Manager)
1098 (RMI Activation)
1106 (ISOIPSIGPORT-1)
1119 (Battle.net Chat/Game Protocol)
1208 (SEAGULL AIS)
1264 (PRAT)
1302 (Cl3-Software-2)
1360 (MIMER)
1366 (Novell NetWare Comm Service Platform) - We don't have Novell stuff on
our network!!
1378 Elan License Manager
4000 (Terabase)
5998 (Asp module for Apache servers(
6001 (Rainbow SuperPro Net network Services)
6071 (SSDTP)
6502 (BoKS Servm)
6503 (BoKS Clntd)
6504 ??

Best regards,

On Sun, 16 Oct 2005 19:24:49 -0400, "Doug Fox" <dfox138-no-spam@hotmail.com>
wrote:

>Did an internal port scan on a number of Windows Server 2003 and found the
>following ports, but they seems weired. Any
>comments/suggestions/information are thankful.
>
>85 (MIT ML Device)
>264 (BGMP)
>039 (Streamlined Blackhole)
>1041 (AK2 Product)
>1043 (BONIC Client Control)
>$1051 (Optima VNET)
>1052 (Dynamic DNS Tools)
>1074 (FASTechnologies License Manager)
>1098 (RMI Activation)
>1106 (ISOIPSIGPORT-1)
>1119 (Battle.net Chat/Game Protocol)
>1208 (SEAGULL AIS)
>1264 (PRAT)
>1302 (Cl3-Software-2)
>1360 (MIMER)
>1366 (Novell NetWare Comm Service Platform) - We don't have Novell stuff on
>our network!!
>1378 Elan License Manager
>4000 (Terabase)
>5998 (Asp module for Apache servers(
>6001 (Rainbow SuperPro Net network Services)
>6071 (SSDTP)
>6502 (BoKS Servm)
>6503 (BoKS Clntd)
>6504 ??

Doug,

Suspecting a malware problem, why not start by checking for malware.
<http://nitecruzr.blogspot.com/2005/05/dealing-with-malware-adware-spyware.html>

Knowing that malware will use any ports that it considers convenient, not
according to registration, look at those ports using TCPView (free) from
<http://www.sysinternals.com/ntw2k/source/tcpview.shtml>

Once you identify the process(es) that have opened those ports, find the
relevant program modules, and submit them for analysis to Jotti and VirusTotal.
Find all components of those processes using Process Explorer (also free), and
run interesting components thru Jottia dn VirusTotal too.
<http://virusscan.jotti.org/>
<http://www.virustotal.com/flash/index_en.html>
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.

Doug Fox wrote:
> Did an internal port scan on a number of Windows Server 2003 and found the
> following ports, but they seems weired. Any
> comments/suggestions/information are thankful.
>
> 85 (MIT ML Device)
> 264 (BGMP)
> 039 (Streamlined Blackhole)
> 1041 (AK2 Product)
> 1043 (BONIC Client Control)
> $1051 (Optima VNET)
> 1052 (Dynamic DNS Tools)
> 1074 (FASTechnologies License Manager)
> 1098 (RMI Activation)
> 1106 (ISOIPSIGPORT-1)
> 1119 (Battle.net Chat/Game Protocol)
> 1208 (SEAGULL AIS)
> 1264 (PRAT)
> 1302 (Cl3-Software-2)
> 1360 (MIMER)
> 1366 (Novell NetWare Comm Service Platform) - We don't have Novell stuff on
> our network!!
> 1378 Elan License Manager
> 4000 (Terabase)
> 5998 (Asp module for Apache servers(
> 6001 (Rainbow SuperPro Net network Services)
> 6071 (SSDTP)
> 6502 (BoKS Servm)
> 6503 (BoKS Clntd)
> 6504 ??
>
> Best regards,
>
>
Seems odd to me since by default server 2003 Is locked down requiring
ports to be opened specifically. What software is installed on system?
I see battlenet which indicates at least 1 game service. It is
running BOINC which is a distributed computing platform.
The novell stuff is required for IPX. there is a virtual net installed
on system.

All of the nfo can be googled. Seems pretty straight forward to me.

This appears to be someones game server, I suspect perhaps battlenet
itself, though I haven't checked. But there are some pricey toys
installed on system, seems like one who administered such a system would
know what was there.

Winged

"Doug Fox" <dfox138-no-spam@hotmail.com> wrote in message
news:2oGdnZruKfejfM_eRVn-ug@rogers.com...
> Did an internal port scan on a number of Windows Server 2003 and found the
> following ports, but they seems weired. Any
> comments/suggestions/information are thankful.

<snip>

http://www.codecutters.org/resources/knownports.html
http://www.codecutters.org/resources/regports.html

and their lik are the official lists: I would have half-suspected a mix-up
with ephermeral posts, but for that glaring port 85.

A few seconds in Google found this:
http://www.doshelp.com/Ports/Trojan_Ports.htm

There's a new -b parameter in XP's netstat - not sure if that's in 2003
(although I'd have thought so). systinternals.com provide duplicate
functionality, if you'd care to download.

HTH

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!