[John Strung]

All of a sudden I am getting inundated with incoming probes on port 9173. I can't find any reports of this being a known Trojan port. Any idea what this is? A portion of my logs are below:

Date Time Src Src_Port Dest Dest_Port
03/25/2004 12:38:47 213.170.235.146 1786 67.68.52.109 9173
03/25/2004 12:38:49 196.42.61.61 48772 67.68.52.109 9173
03/25/2004 12:38:50 213.170.235.146 1786 67.68.52.109 9173
03/25/2004 12:38:50 80.53.223.182 62971 67.68.52.109 9173
03/25/2004 12:38:50 205.173.47.254 19732 67.68.52.109 9173
03/25/2004 12:38:53 196.42.61.61 48772 67.68.52.109 9173
03/25/2004 12:38:53 205.173.47.254 19732 67.68.52.109 9173
03/25/2004 12:38:56 213.170.235.146 1786 67.68.52.109 9173
03/25/2004 12:38:58 196.42.61.61 48772 67.68.52.109 9173
03/25/2004 12:38:59 205.173.47.254 19732 67.68.52.109 9173
03/25/2004 12:39:14 12.215.90.253 37582 67.68.52.109 9173
03/25/2004 12:39:16 80.53.223.182 63177 67.68.52.109 9173
03/25/2004 12:39:17 12.215.90.253 37582 67.68.52.109 9173
03/25/2004 12:39:19 80.53.223.182 63177 67.68.52.109 9173
03/25/2004 12:39:22 12.215.90.253 37590 67.68.52.109 9173
03/25/2004 12:39:25 80.53.223.182 63177 67.68.52.109 9173
03/25/2004 12:39:34 213.170.235.146 1922 67.68.52.109 9173
03/25/2004 12:39:34 196.42.61.61 50402 67.68.52.109 9173
03/25/2004 12:39:35 205.173.47.254 21965 67.68.52.109 9173
03/25/2004 12:39:36 213.170.235.146 1922 67.68.52.109 9173
03/25/2004 12:39:37 80.53.223.182 63177 67.68.52.109 9173
03/25/2004 12:39:37 196.42.61.61 50402 67.68.52.109 9173
03/25/2004 12:39:38 205.173.47.254 21965 67.68.52.109 9173
03/25/2004 12:39:43 213.170.235.146 1922 67.68.52.109 9173

[ghporter]

First, I'd edit that post so your actual IP isn't shown. Second, it looks like your ISP is getting scanned for anything that will respond to a request to port 9173. It doesn't mean that your computer has something that will respond. Instead, it probably means that somebody's planted something in a virus that they expect to respond, and now they're fishing for victims.

HELLO WORLD! Now is a good time to block port 9173!!!! I haven't found anything that references or depends on this port, but maybe it's only just showing up. Be safe! Block that port!

[John Strung]

That's about what I figured, GH. I am on DSL and my IP changes frequently, so I was not too concerned about posting my IP. I am also behind a router, so all ports are closed and stealthed (the log I posted was from the router), but I was curious about this sudden rash of probes on one port. What made it more mysterious is that the reports were coming in every couple of seconds from a variety of different IP's in different domains, then stopped as suddenly as they began.

My real concern was that we might have some sort of trojan on one of the 40 odd computers on our LAN which was inviting this response. We have uptodate enterprise virus software on our computers, so this would be a remote possibility unless the virus or trojan was too new to be caught by our virus signature files (which are updated daily). As a few days have passed and no viruses have been reported on our LAN, I would assume that was not the case.

I had also searched virus datatase at http://www.sarc.com and http://support.ca.com/smap/home.map as sell as a general Google search, but could find no reference to trojans or worms using that port.