Matt Barton <mattat_private> wrote:

> We have a server that has been experiencing some odd behavior. It is
> running Microsoft Windows 2000 Server, Service Pack 2 with IIS 5. So far
> twice inetinfo.exe has stopped for no reason. In trying to investigate
> the issue, I ran fport and noticed that inetinfo.exe was bound to port
> 1843/tcp, which seems very odd to me.
>
> Searches on Google have not revealed anything useful (other than some
> information on how that port is used with some Netopia products).

When started, IIS 5 registers RPC services. These RPC services can be
reached, among other protocol sequences, via TCP/IP.

TCP and UDP ports allocated to RPC services are dynamic and can be found
using the endpoint mapper (portmapper) RPC service, running on port 135
(in the case of DCE/RPC, the RPC standard implemented on Windows systems).

If you want to check if a given port is used by RPC services, you can
use a program that asks for all registered RPC services. Programs of this
kind are typically named rpcdump.

In the output of rpcdump, you will find that the same RPC service is
reachable via different protocol sequences (typically, ncalrpc (local
RPC), ncacn_np (named pipes, carried in SMB/CIFS), ncacn_ip_tcp (TCP/IP)
or ncadg_ip_udp (UDP/IP)).

In IIS 5, the named pipe \pipe\inetinfo is the endpoint of ncacn_np
protocol sequences for IIS RPC services.

On a test system (IIS5 under Windows 2000, with HTTP and SMTP services),
the rpcdump output filtered to show only IIS RPC services on
ncacn_ip_tcp and ncadg_ip_udp is:

C:\WINNT>rpcdump -p ncacn_ip_tcp 127.0.0.1
[...]

IfId: 82ad4280-036b-11cf-972c-00aa006887b0 version 2.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.70.106.143[1027]

IfId: 82ad4280-036b-11cf-972c-00aa006887b0 version 2.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]

[...]

IfId: 8cfb5d70-31a4-11cf-a7d8-00805f48a135 version 3.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.70.106.143[1027]

IfId: 8cfb5d70-31a4-11cf-a7d8-00805f48a135 version 3.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]

[...]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.70.106.143[1027]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]

[...]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\SMTPSVC]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.70.106.143[1028]

As the names of named pipes are quite explicit (inetinfo, smtpsvc), they
can be used to find the IfId of RPC services. Once you've found the
interface identifier of a given RPC service, you can look for
ncacn_ip_tcp and ncadg_ip_udp endpoints to find TCP and UDP ports.

Another method to determine if a given port is allocated to an RPC
service is to ask directly what interface identifiers are supported on
this endpoint. Programs to achieve this are typically named ifids.

For example, in your case, you could use the following command:

ifids -p ncacn_ip_tcp -e 1843 ip_address_of_your_server

If the command returns a list of interface identifiers, it confirms that
the port is used by RPC services. In the list, you should find one (or
more) interface identifiers of IIS RPC Services.

If you are running Windows, you can try Todd Sabin's rpctools suite (it
contains rpcdump and ifids):

http://razor.bindview.com/tools/desc/rpctools1.0-readme.html

If you are running Unix, the latest version of Dave Aitel's SPIKE toolkit
contains dcedump (equivalent of rpcdump) and ifids:

http://www.immunitysec.com/spike.html

Finally, if you are familiar with French, you can take a look at this
article that describes the technical details of the different network
services on Windows systems:

http://www.hsc.fr/ressources/articles/srv_res_win/

Hope this helps,

Jean-Baptiste Marchand

-- 
Jean-Baptiste.Marchandat_private
Hervé Schauer Consultants
http://www.hsc.fr/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
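
The lookup described in the message above, as an added example (not part of the original post and not code from rpctools or SPIKE): a Python parser for saved rpcdump output that groups bindings by IfId and reports, for a given TCP or UDP port, which named pipes the same interfaces register. The sample text is abridged from the output quoted above to its IfId and Binding lines; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: abridged from the rpcdump output quoted in the message above.
SAMPLE = r"""
IfId: 82ad4280-036b-11cf-972c-00aa006887b0 version 2.0
Binding: ncacn_ip_tcp:192.70.106.143[1027]
IfId: 82ad4280-036b-11cf-972c-00aa006887b0 version 2.0
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]

IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Binding: ncacn_ip_tcp:192.70.106.143[1027]
IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\INETINFO]
IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Binding: ncacn_np:\\\\FENETRE-2K-DFLT[\\PIPE\\SMTPSVC]
IfId: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a version 1.0
Binding: ncadg_ip_udp:192.70.106.143[1028]
"""

IFID = re.compile(r"^IfId:\s*([0-9a-f-]{36})\s+version\s+(\S+)", re.I)
BINDING = re.compile(r"^Binding:\s*(\w+):([^\[]*)\[(.*)\]\s*$")

def parse_rpcdump(text):
    """Return {IfId: set of (protseq, endpoint)} from rpcdump-style text."""
    table, current = defaultdict(set), None
    for line in text.splitlines():
        line = line.strip()
        if m := IFID.match(line):
            current = m.group(1).lower()
        elif (m := BINDING.match(line)) and current:
            # Annotation/UUID lines and anything else are ignored.
            table[current].add((m.group(1), m.group(3)))
    return table

def interfaces_on_port(text, protseq, port):
    """Map each IfId bound to protseq/port to the named pipes it also registers."""
    found = {}
    for ifid, bindings in parse_rpcdump(text).items():
        if (protseq, str(port)) in bindings:
            # Endpoint looks like \\PIPE\\INETINFO; keep the last path component.
            found[ifid] = sorted(ep.replace("\\\\", "\\").rsplit("\\", 1)[-1].upper()
                                 for seq, ep in bindings if seq == "ncacn_np")
    return found

if __name__ == "__main__":
    for seq, port in (("ncacn_ip_tcp", 1027), ("ncadg_ip_udp", 1028)):
        print(seq, port, interfaces_on_port(SAMPLE, seq, port))
```

An empty result for a port means no interface in the dump is bound to it, which is the case where the ifids query against the endpoint itself is the next check.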
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 12:41:01 PDT