Solved

Odd traffic generated from PC; sending syn request to 0.0.3.0

Posted on 2008-10-06
Last Modified: 2012-05-05
Odd traffic generated from PC; sending SYN request to 0.0.3.0.  netstat is showing that it is sending to port 50797.  My WatchGuard firewall, which is the default gateway, is sending all kinds of errors on this.  I looked at taskmgr and the PID and matched them up, but it matches to the svchost service.

Any ideas?
0
Question by:PusciferManson
7 Comments
 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 22652977
Hi,

Port 50797 is used by IP Office;

http://www.tek-tips.com/faqs.cfm?fid=6353
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22656961
There is a possibility of malware; if you wish you can create a service explicitly denying this traffic outbound as below:
Custom-service-on-TCP-port-50797
Enabled and denied; from specific-machine-ip OR ANY; to ANY-External

Thank you.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 22657093
I'd bet on a webcam, myself.  50797 is not reserved for IP Office - it can be used by anything.

http://www.iana.org/assignments/port-numbers
0

 

Author Comment

by:PusciferManson
ID: 22661475
I guess my biggest concern is what it would be sending to that IP address, considering it isn't a valid IP address.  Now we do use IP Office and this could be in some relation to that, but I do not think that we use the TAPI portion of the IPO.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22692629
AFAIK 0.0.3.0 is used in Cisco access lists to specify a subnet mask; can you run Wireshark or some other packet capture tool and try looking at what port/protocol/IP addresses are actually used, rather than some other tool.
Packet capture would give us complete details, along with data that is being transmitted.

Thank you.
0
 
LVL 1

Accepted Solution

by:
itsupportcci earned 500 total points
ID: 22909684
This is typically used by Call Manager by the IP Office application. I see it on my firewall looking almost like a broadcast also. What we've run into is the application used to access a public IP address but now is working on an internal. For some reason the software is still looking outgoing for that port. An uninstall and then reinstall fixed the issue. Seems as though just changing the IP didn't get rid of the old IP completely.

Port 50797 (IPO TAPI): From an IP Office TAPI user PC.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 36538092
The Internet Assigned Numbers Authority (IANA) has changed the link to the list of well-known/assigned ports...
(formerly http://www.iana.org/assignments/port-numbers )
here are the new URLs:

XML version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
Text version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

The new versions have fields that note when the assignment was made and/or modified, along with a glossary of the acronyms used and a list of contact emails after the ports list.
0
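
The netstat-to-PID triage described in the question, as an added example that is not part of the original thread: it parses `netstat -ano` output and reports every outbound SYN aimed at 0.0.0.0/8, grouped by owning PID. The sample output is constructed (only the destination 0.0.3.0:50797 comes from the question), and the function names are hypothetical.

```python
import ipaddress
import re

# 0.0.0.0/8 ("this network", RFC 1122) is never a valid destination on the wire.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Constructed sample of `netstat -ano` output; local addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.25:1061      0.0.3.0:50797          SYN_SENT        1104
  TCP    192.168.1.25:1062      192.168.1.10:445       ESTABLISHED     4
  TCP    192.168.1.25:1063      0.0.3.0:50797          SYN_SENT        1104
  UDP    0.0.0.0:500            *:*                                    716
"""

ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def suspicious_syns(netstat_text):
    """Return (pid, remote_ip, remote_port) for outbound SYNs to 0.0.0.0/8."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP, IPv6 or malformed row
        _local, _lport, remote, rport, state, pid = m.groups()
        if state != "SYN_SENT":
            continue  # LISTENING rows legitimately show 0.0.0.0:0
        try:
            addr = ipaddress.ip_address(remote)
        except ValueError:
            continue  # e.g. an octet above 255
        if addr in THIS_NETWORK:
            hits.append((int(pid), remote, int(rport)))
    return hits

def summarize(hits):
    """Group hits by PID so each owning process is looked up once."""
    by_pid = {}
    for pid, remote, rport in hits:
        by_pid.setdefault(pid, set()).add((remote, rport))
    return by_pid

if __name__ == "__main__":
    for pid, targets in summarize(suspicious_syns(SAMPLE_NETSTAT)).items():
        print(f'PID {pid}: {sorted(targets)} -> tasklist /svc /fi "PID eq {pid}"')
```

When the PID belongs to svchost, the `tasklist /svc` filter printed for each hit lists the services hosted in that process, which narrows the search beyond what Task Manager shows.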
