Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: TCP/UDP Port Activity - SANS Internet Storm Center



Port Information
Protocol | Service | Name
udp | win-rpc | Windows RPC
tcp | blackjack | network blackjack
tcp | listen | listener RFS remote_file_sharing
tcp | shoppro | ShopPro accounting software
tcp | FraggleRock | [trojan] Fraggle Rock
tcp | md5Backdoor | [trojan] md5 Backdoor
tcp | NetSpy | [trojan] NetSpy
tcp | RemoteStorm | [trojan] Remote Storm
User Comments
Submitted By Date
Johannes Ullrich 2009-10-04 18:45:22
see MSFT Knowledge Base:;en-us;q280132 port 1025 is assigned to a port of the "Active Directory logon and directory replication interface"
2009-10-04 18:45:22
Microsoft Windows RPC malformed message buffer overflow vulnerability (TCP ports 135, 445, 1025) exploited by "Win32.Lioten Family" virus:
Ryan Janke 2009-10-04 18:45:22
On a Linux box, Snort identifies this traffic as the same kind which WinXP machines without either: 1) The "Messenger" service disabled or 2) The "Shoot the Messenger" patch from installed or 3) A patch supplied by Microsoft to correct the "Messenger" issue register as ads and display on a user's screen. (IE: "Your registry is corrupted. . ." etc. etc.)
2007-05-08 13:43:07
Dudes: Port 1025 is used by Application Layer Gateway ALG.EXE. Disabling that service will close it. Travis
Johannes Ullrich 2007-05-01 03:31:53
April 15th 2007, a RinBot variant started scanning this port for the DNS-RPC vulnerability. see
Compo 2006-03-24 03:46:43
This port is also used by Avanquest's ViaComs SystemSuite Ver 5 & 6 (at least) for the MX Tast as the 'background task server' and is completely legal for this program. Compo
F-Secure 2005-12-20 05:48:18
New network worm Win32/Dasher.A seems to use this port while exploiting MS05-051.
Jeni Li 2005-04-06 10:36:55
TCP 1025 is used by many Web hosting providers as an alternate SMTP port for their customers to reach their SMTP servers. Necessitated by big-name ISPs including MSN and Cox Cable blocking or restricting outbound TCP 25.
2004-07-08 11:17:58
Justin Singh 2004-06-27 02:24:33
1025 seems to be used by some VOIP devices like Net2phone's yapjack. Blocking access to this port on a firewall could cause this service to fail when the user tries to initiate more than one consecutive call on a single internet session.
Ulrich Weber 2004-05-23 04:15:51
Port 1025 is officially assigned to network blackjack and nothing else. In fact it will be used by the first program or service that tries to establish an outgoing or internal connection after a system boot. Concerning a non-compromised, stand-alone XP System this will usually be the svchost process respectively the system process itself, more or less chosen by chance.
2004-04-27 23:44:53
Port 1025 is by default used by the task scheduler RPC component.
CVE Links
CVE # Description