Re: exit counts by port number over 61 days

[Scott Bennett <bennett@xxxxxxxxxx>]

     On Tue, 14 Apr 2009 15:06:22 +0200 Sven Anderson <sven@xxxxxxxxxxx>
wrote:
>Am 13.04.2009 um 19:00 schrieb Scott Bennett:
>>
>> 	1)  Why is the nicname/whois port the most heavily used?  In fact,
>> 	why is it getting much use at all?
>
>My guess: spammers and profilers, scanning for email adresses and  
>other personal data.

     That's kind of what I was thinking, too.  However, I'm reluctant to
close the port because it also be used legitimately.  What do you think?
>
>> 	2) Why are there so many exits to the standard socks port?  It
>> 	seems kind of strange to go all the way through the tor network
>> 	fully encrypted, only to exit in the clear to a port somewhere
>> 	else for re-encryption.  Similarly, what about pptp?
>
>There are Trojans opening backdoors on that port.
>
>http://isc.sans.org/port.html?port=1080

     Hmm...very interesting.  Maybe I should close that one.
>
>> 	4) Who still uses RFS?  Didn't that die out a *long* time ago?
>> 	(The rfs port had 70 exits.)
>
>I bet nobody. That's why there seems to be somebody using the port for  
>something else.
>
     I have no idea what they are using it for.  Does anyone still support
RFS?  A vendor perhaps?  If it might be legitimate, I'll leave the port open.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************