|Sendmail will, by default, use an ident probe to gather additional information on any incoming message connection. While sendmail can be configured to not do this, the combination of this default behavior and many (erroneous) reports of port 113 probes from known mailservers suggests that perhaps the utility of this check is too low, leading to too many false positives (IMHO).
It's apparently one of 3 p2p clients:
I'm trying to figure out what's going on. During the day I have up to 20 different machines trying to connect every few seconds on port 41170. Everything is getting blocked and I'm wondering if someone could be running one of these clients from the inside. I haven't seen anything going out on this port, but they could be tunnelling through port 80. It's buggin' me.
The backdoor malware has a server component and a client component. Its server component listens on port 113 or a random port for connections from the client component. The server also notifies the hacker on port 6667 and continues to do this until a connection is established.
The server component allows the user of the client component, which is usually a hacker, to send commands for it to execute on the target system.
This backdoor malware also enables the client component to access local Server databases and launch scanning for all open ports on a range of IP addresses.
|A friend :)
|We found a Trojan identified by McAfee as IRC/Flood.cd.dr listening on this port recently.
Pid Process Port Proto Path
1352 h00d -> 113 TCP C:\winnt\system32\have\h00d.exe
It was also on:
1352 h00d -> 1076 TCP C:\winnt\system32\have\h00d.exe
1352 h00d -> 7683 TCP C:\winnt\system32\have\h00d.exe
There were other files hidden within the same folder.
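As an added example (not from the post above or from DShield), here is a small Python check that parses an fport-style listing like the one quoted above and flags any process listening on TCP/113, together with the other ports the same PID holds. The listing below is constructed for the example, modelled on the lines in the post; the column layout (Pid Process -> Port Proto Path) is assumed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the fport-style listing quoted above (assumption:
# columns are Pid, Process, "->", Port, Proto, Path). Two benign rows are added for contrast.
SAMPLE_LISTING = """\
Pid Process Port Proto Path
1352 h00d -> 113 TCP C:\\winnt\\system32\\have\\h00d.exe
1352 h00d -> 1076 TCP C:\\winnt\\system32\\have\\h00d.exe
1352 h00d -> 7683 TCP C:\\winnt\\system32\\have\\h00d.exe
4 System -> 445 TCP System
812 svchost -> 135 TCP C:\\winnt\\system32\\svchost.exe
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.*)$")


def parse_listing(text):
    """Parse fport-style lines into (pid, process, port, proto, path) tuples; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path.strip()))
    return rows


def find_suspicious_listeners(rows, watch_ports=(113,)):
    """Return one finding per PID that listens on a watched port.

    Windows ships no identd, so a local listener on TCP/113 is worth a look on its own;
    the finding also lists every other port the same PID holds, the pattern seen with
    the h00d.exe sample (113 plus 1076 and 7683 from one process)."""
    by_pid = defaultdict(list)
    for pid, proc, port, proto, path in rows:
        if proto == "TCP":
            by_pid[pid].append((port, proc, path))
    findings = []
    for pid, entries in by_pid.items():
        ports = sorted(port for port, _, _ in entries)
        hits = [p for p in ports if p in watch_ports]
        if hits:
            _, proc, path = entries[0]
            findings.append({"pid": pid, "process": proc, "path": path,
                             "watched_ports": hits, "all_ports": ports})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_listeners(parse_listing(SAMPLE_LISTING)):
        print(f"PID {f['pid']} ({f['process']}, {f['path']}) listens on {f['all_ports']}")
```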
|As scanning on this port is very unlikely to turn up vulnerable identd services, it is more likely that scans on this port are used to identify other vulnerable services that have been configured to run as root.
|identd is a simple service to authenticate remote users. It can query which user on a remote system attempts to establish a connection.
This service is clear text and no longer in wide use. However, many mail servers will still query it. Some IRC servers use it to verify the userid.