Port Details - Port 113


Port Information

Protocol  Service                Name
tcp       auth                   ident tap Authentication Service
udp       auth                   ident tap Authentication Service
tcp       InvisibleIdentdDaemon  [trojan] Invisible Identd Daemon
tcp       InvisibleIdentdDeamon  [trojan] Invisible Identd Deamon
tcp       Kazimas                [trojan] Kazimas
tcp       korgo                  [trojan] W32.Korgo.A and B
tcp       BackDoor-AUZ           [trojan] BackDoor-AUZ

User Comment

Submitted By, Date
Comment
mik, 2006-03-04 03:03:14
Sendmail will, by default, use an ident probe to gather additional information on any incoming message connection. While sendmail can be configured to not do this, the combination of this default behavior and many (erroneous) reports of port 113 probes from known mailservers suggests that perhaps the utility of this check is too low, leading to too many false positives (IMHO).
2004-05-13 05:50:34
It's apparently one of 3 p2p clients: http://www.slyck.com/mp2p.php I'm trying to figure out what's going on. During the day I have up to 20 different machines trying to connect every few seconds on port 41170. Everything is getting blocked and I'm wondering if someone could be running one of these clients from the inside. I haven't seen anything going out on this port, but they could be tunnelling through port 80. It's buggin' me.
George Assai, 2004-01-30 19:54:22
BKDR_GRASKET.A http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_GRASKET.A The backdoor malware has a server component and a client component. Its server component listens to a port 113 or a random port for connections from the client component. The server also notifies the hacker at a port 6667 and continues to do this until a connection is established. The server component allows the user of the client component, which is usually a hacker, to send commands for it to execute on the target system. This backdoor malware also enables the client component to access local Server databases and launch scanning for all open ports on a range of IP addresses.
A friend :), 2003-12-18 03:09:28
We found a Trojan identified by McAfee as IRC/Flood.cd.dr listening on this port recently.
Pid   Process     Port  Proto  Path
1352  h00d    ->  113   TCP    C:\winnt\system32\have\h00d.exe
It was also on:
1352  h00d    ->  1076  TCP    C:\winnt\system32\have\h00d.exe
1352  h00d    ->  7683  TCP    C:\winnt\system32\have\h00d.exe
There were other files hidden within the same folder.
Joshua Hudson, 2003-03-21 00:43:55
As scanning on this port is very unlikely to turn up vulnerable identd services, it is more likely that scans on this port are used to identify other vulnerable services that have been configured to run as root.
Johannes Ullrich, 2003-01-29 22:14:15
identd is a simple service to authenticate remote users. It can query which user on a remote system attempts to establish a connection. This service is clear text and no longer in wide use. However, many mail servers will still query it. Some IRC servers use it to verify the userid.