Has anyone seen TCP destination port 3171 used by any specific malware?
After isolating a server we suspect of infection to its own segment, we see
pretty clearly on the firewall console that it attempts TCP port 3171 as
destination on another internal server. The server it is targeting is one
that it should not be interacting with at all.

--
Will

On Thu, 15 Feb 2007 00:36:36 -0800, Will wrote:
> Has anyone seen TCP destination port 3171 used by any specific malware?
> After isolating a server we suspect of infection to its own segment, we see
> pretty clearly on the firewall console that it attempts TCP port 3171 as
> destination on another internal server. The server it is targeting is one
> that it should not be interacting with at all.
>

http://lists.thedatalist.com/portlist/lookup.php?port=3171
http://isc.sans.org/port.html?port=3171

On Thu, 15 Feb 2007 00:36:36 -0800, Will wrote:

> Has anyone seen TCP destination port 3171 used by any specific malware?
> After isolating a server we suspect of infection to its own segment, we see
> pretty clearly on the firewall console that it attempts TCP port 3171 as
> destination on another internal server. The server it is targeting is one
> that it should not be interacting with at all.

I saw you had posted this question at:
http://www.webservertalk.com/message1815413.html

There is an interesting article that talks about Port 3171 being involved
in FTP transmissions: http://www.securityfocus.com/infocus/1222

IANA shows:

IANA ports lists information:

Port Number: 3171
Protocol: tcp
Name: serverview-gf
Description: SERVERVIEW-GF

IANA ports lists information:

Port Number: 3171
Protocol: udp
Name: serverview-gf
Description: SERVERVIEW-GF

I don't find any information regarding specific malware targeting this
port, but that doesn't mean some malware wouldn't use it.

--
Posted via a free Usenet account from http://www.teranews.com

On Feb 15, 4:36 am, "Will" <westes-... [at] noemail.nospam> wrote:
> Has anyone seen TCP destination port 3171 used by any specific malware?
> After isolating a server we suspect of infection to its own segment, we see
> pretty clearly on the firewall console that it attempts TCP port 3171 as
> destination on another internal server. The server it is targeting is one
> that it should not be interacting with at all.
>
> --
> Will

Why not slap Wireshark on one of the systems and have a look at the
traffic? Or setup a span port on the switch one of them is plugged
into and have a look at the traffic.

On Mar 13, 12:20 pm, kingtho... [at] gmail.com wrote:
> On Feb 15, 4:36 am, "Will" <westes-... [at] noemail.nospam> wrote:
>
> > Has anyone seen TCP destination port 3171 used by any specific malware?
> > After isolating a server we suspect of infection to its own segment, we see
> > pretty clearly on the firewall console that it attempts TCP port 3171 as
> > destination on another internal server. The server it is targeting is one
> > that it should not be interacting with at all.
>
> > --
> > Will
>

Hmmm looks like ServerView is a Fujitsu package:
http://www.fujitsu-siemens.com/products/unix_servers/system_ management/pw_serverview_suite.html
http://www.fujitsu-siemens.com/products/standard_servers/sys tem_management/control.html