Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: TCP/UDP Port Activity - Internet Security | DShield TCP/UDP Port Activity

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port Information
Protocol Service Name
tcp auth ident tap Authentication Service
udp auth ident tap Authentication Service
tcp InvisibleIdentdDaemon [trojan] Invisible Identd Daemon
tcp InvisibleIdentdDeamon [trojan] Invisible Identd Deamon
tcp Kazimas [trojan] Kazimas
tcp korgo [trojan] W32.Korgo.A and B
tcp BackDoor-AUZ [trojan] BackDoor-AUZ
[get complete service list]
User Comments
Submitted By Date
mik 2006-03-04 03:03:14
Sendmail will, by default, use an ident probe to gather additional information on any incoming message connection. While sendmail can be configured to not do this, the combination of this default behavior and many (erroneous) reports of port 113 probes from known mailservers suggests that perhaps the utility of this check is too low, leading to too many false positives (IMHO).
2004-05-13 05:50:34
It's apparently one of 3 p2p clients: I'm trying to figuring out what's going on. During the day I have up to 20 different machines trying to connect every few seconds on port 41170. Everything is getting blocked and I'm wondering if someone could be running one of these clients from the inside. I haven't seen anything going out on this port, but they could be tunnelling through port 80. It's buggin' me.
George Assai 2004-01-30 19:54:22
BKDR_GRASKET.A The backdoor malware has a server component and a client component. Its server component listens to a port 113 or a random port for connections from the client component. The server also notifies the hacker at a port 6667 and continues to do this until a connection is established. The server component allows the user of the client component, which is usually a hacker, to send commands for it to execute on the target system. This backdoor malware also enables the client component to access local Server databases and launch scanning for all open ports on a range of IP addresses.
A friend :) 2003-12-18 03:09:28
We found a Trojan identified by McAfee as IRC/ listening on this port recently. Pid Process Port Proto Path 1352 h00d -> 113 TCP C:\winnt\system32\have\h00d.exe It was also on; 1352 h00d -> 1076 TCP C:\winnt\system32\have\h00d.exe 1352 h00d -> 7683 TCP C:\winnt\system32\have\h00d.exe There were other files hidden within the same folder.
Joshua Hudson 2003-03-21 00:43:55
As scanning on this port is very unlikely to turn up volunerable identd services, it is more likely that scans on this port are used to identify other vulnerable services that have been configured to run as root.
Johannes Ullrich 2003-01-29 22:14:15
identd is a simple service to authenticate remote users. It can query which user on a remote system attempts to establish a connection. This service is clear text and no longer in wide use. However, many mail servers will still query it. Some IRC servers use it to verify the userid.
Add a comment
CVE Links
CVE # Description