Port 1984/TCP “Big brother”

Just ran an Nmap against my Vista x64 Ultimate machine and found this port open. Very suspicious name and port led me to believe it was a Trojan, searched the web for details and it appears that it’s linked to a network monitoring tool. However, I’m certain I’ve never installed it.

Anyone have any ideas on what it is or how it got there?
 
UDP port 1984 uses the Datagram Protocol, a communications protocol for the Internet network layer, transport layer, and session layer. This protocol when used over PORT 1984 makes possible the transmission of a datagram message from one computer to an application running in another computer. Like TCP (Transmission Control Protocol), UDP is used with IP (the Internet Protocol) but unlike TCP on Port 1984, UDP Port 1984 is connectionless and does not guarantee reliable communication; it's up to the application that received the message on Port 1984 to process any errors and verify correct delivery.

http://en.wikipedia.org/wiki/Big_Brother_(1984)

HTH

-edit-

http://www.bb4.org/features.html

Certainly looks bad.
 
Very odd indeed, just tracked down its origin using Sysinternals TCPView and it looks like it’s listening for a request from an internal IP in my network. Which just so happens to be assigned to a laptop, the same laptop I ran Nmap from. So it could be a false positive but the ports it’s been sent requests from my laptop are 4641, 4772, 4872 and 4957, all TCP.

Time to shift focus onto that then.
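
The port-to-process lookup done with TCPView in the post above can also be scripted from `netstat -ano` output. The following is an added example, not part of the original thread: the sample output, IP addresses and PID are constructed, and `inspect_port` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (addresses and PIDs are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1984           0.0.0.0:0              LISTENING       2468
  TCP    192.168.1.10:1984      192.168.1.20:4641      TIME_WAIT       0
  TCP    192.168.1.10:1984      192.168.1.20:4772      TIME_WAIT       0
  TCP    192.168.1.10:49160     203.0.113.5:443        ESTABLISHED     3100
  UDP    0.0.0.0:1984           *:*                                    2468
"""

# proto, local addr, local port, foreign addr:port, optional state (absent for UDP), PID
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$"
)

def inspect_port(netstat_text, port):
    """Return (listeners, peers) for one local port.

    listeners: sorted list of (proto, local_addr, pid) that own the socket
    peers:     {remote_ip: [remote source ports]} for connections to that port
    """
    listeners = set()
    peers = defaultdict(list)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or int(m.group(3)) != port:
            continue  # header line, unparsable row, or a different local port
        proto, local, _, foreign, state, pid = m.groups()
        if state == "LISTENING" or proto == "UDP":
            listeners.add((proto, local, int(pid)))
        else:
            # Anything else is an actual or recent connection to the port.
            ip, _, rport = foreign.rpartition(":")
            peers[ip].append(int(rport))
    return sorted(listeners), dict(peers)

if __name__ == "__main__":
    owners, remotes = inspect_port(SAMPLE, 1984)
    for proto, addr, pid in owners:
        print(f"{proto} {addr}:1984 is owned by PID {pid}")
    for ip, ports in remotes.items():
        print(f"{ip} connected from source ports {ports}")
```

The PID it reports can then be resolved to an executable with `tasklist /FI "PID eq <pid>"`.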
 