
Full Version: Port 3003
isaiah
I've been getting a lot of scans on my network lately for port 3003. Does anyone know a vuln that goes with that port?
liquidSilver
No idea, but it seems like it's a TCP port... svhost.exe?

A few links:

http://www.seifried.org/security/ports/3000/3003.html

http://www.securityfocus.com/archive/75/34...30/2003-12-06/0


...dunno if it's something useful..
sysadmin
I only found this (google)

3003 - tcp, udp - cgms - tiscom.uscg.mil
SirSmokealot
Yeah, I also know about that Google stuff... but I found a scan.txt with port 3003 scans on my machine. It was already some days old, and they lost connection because of my dynamic IP (they got in via DameWare, and I fixed it now...)

But I am really interested in what they tried to scan for... because I never saw anything with port 3003 before... (it was an IRC script kiddie, I think...)
nolimit
It's possible it's the hacker's backdoor port.
usanet21
Is it svhost.exe that is running, maybe?
svhost.exe runs on 3003.
Viporizer
My svhost doesn't run under port 3003...
320X
isaiah, I got the same port 3003 open in XP; use TCPView to see that connection.
Icarus
svchost.exe is a service; svhost.exe is maybe a backdoor. Look at the PID, if = to port 135.
Nightdemon
TCP 3003 CGMS
Don't have any idea what that could be.
silos
Like nolimit says, it might be a port created by the hacker [netcat port perhaps].
Nexcess
'svhost'

isn't a standard Windows process

'svchost' is

If you have something called 'svhost' on your machine, it's something you or someone else has installed.

Planquadrat
Maybe this can help you find more about port 3003 and vulns.

http://www.network-intelligence.com/suppor...xpsig_3003.html
anole
On my network, where 3003 is listening, there is a Serv-U installed listening on 43958.
Nostremato
QUOTE (anole @ Feb 1 2004, 08:46 AM)
On my network, where 3003 is listening, there is a Serv-U installed listening on 43958.

maybe it is only a backdoor which the hackers installed
esorone
QUOTE (Nostremato @ Feb 1 2004, 09:09 AM)
QUOTE (anole @ Feb 1 2004, 08:46 AM)
On my network, where 3003 is listening, there is a Serv-U installed listening on 43958.

maybe it is only a backdoor which the hackers installed

But if the hacker installed this backdoor, he is scanning his own hacks???

Don't think so.

Greetz esorone
Erra
Unless of course he lost his list of his hacks.... and now he is trying to find them again.

Of course, that would be really funny. Scanning for his Serv-U port....
TedOb1
Again more speculation. Could be two warring warez gangs. One trying to take over the other's sites.
Double-=V=-
Well, he could have some kinda autohacker which doesn't log the IPs it hacked.
x0x
In situations like this, searching through web pages which may appear to be relevant can sometimes lead you in the complete opposite direction.

Instead, simply capture what is in the payload using tcpdump, as below:

tcpdump -X port 3003 > gotcha.txt

Now you have the payload and can analyse the capture and search based on the contents, thus giving you more chance of identifying the scan.

Greetings.

x0x
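
Added example, not part of x0x's post: `tcpdump -X` dumps the IP and TCP headers along with the data, so the text to search on has to be cut out of the hex first. This sketch parses the saved dump and returns only the application payload of each packet; the sample capture, addresses and function names are constructed for illustration.

```python
import re

# Constructed capture in the layout `tcpdump -X` prints (addresses and payload are made up).
SAMPLE = """\
12:01:07.412345 IP 203.0.113.7.4312 > 192.168.1.20.3003: Flags [P.], seq 1:13, ack 1, win 64240, length 12
\t0x0000:  4500 0034 1a2b 4000 7206 0000 cb00 7107  E..4.+@.r.....q.
\t0x0010:  c0a8 0114 10d8 0bbb 0000 0001 0000 0001  ................
\t0x0020:  5018 faf0 0000 0000 7072 6f62 652d 7465  P.......probe-te
\t0x0030:  7374 0d0a                                st..
"""

# Offset label, then hex groups; the match stops at the double space before the ASCII column.
HEX_LINE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ?)+)")

def packets(dump_text):
    """Yield (header_line, raw_bytes) for each packet in `tcpdump -X` text output."""
    header, hexdigits = None, []
    for line in dump_text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            hexdigits.append(m.group(1).replace(" ", ""))
        elif line.strip():
            if header is not None:
                yield header, bytes.fromhex("".join(hexdigits))
            header, hexdigits = line.strip(), []
    if header is not None:
        yield header, bytes.fromhex("".join(hexdigits))

def tcp_payload(raw):
    """Strip the IPv4 and TCP headers; return the data bytes, or None if not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total = int.from_bytes(raw[2:4], "big")   # IP total length, excludes link-layer padding
    if len(raw) < ihl + 20:
        return None
    doff = (raw[ihl + 12] >> 4) * 4           # TCP header length in bytes
    return raw[ihl + doff:total]

def printable(data):
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def summarize(dump_text):
    """Return [(header_line, payload)] for packets that carry TCP application data."""
    pairs = ((h, tcp_payload(raw)) for h, raw in packets(dump_text))
    return [(h, p) for h, p in pairs if p]
```

Older tcpdump releases capture only the first 68 bytes of each packet by default, so add `-s 0` to the capture command to get the whole payload, and `-n` to keep name lookups out of the output.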

Reckless
Yeah, there's a very good possibility the person is searching for his own hacks.. on the port.. coz I did it once too.. Mighta lost IPs.. So is prolly scanning for FTP ports.
FakoLy
If you have servu on your machine, that means you have a stro on your box.
Maybe port 3003 is used by the backdoor that the pirate installed and the other port is the port used by servu..
Look in your task manager for the "servudaemon.exe" process, but it could have been renamed; most hackers that make stros on other computers rename their servu process to "svchost.exe" because you can have more than one svchost.exe process at the same time...
I think the port scan on port 3003 is just another warezer that is trying to scan for vulns.. maybe to own the stro.
Just try to find the servu home directory, there are surely interesting things in it, and look in system32 for the .ini file (to install you have to upp servudaemon.exe and servudaemon.ini to the remote-box and then, rename the exe and execute it.. I think you can't rename the ini)
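
Added example, not part of any post in the thread: a triage sketch for the checks discussed above, mapping the listeners on 3003 and 43958 to their owning PIDs and flagging image names that imitate svchost.exe or a svchost.exe running from outside the system directory. The `netstat -ano` text, the process inventory and the `C:\WINDOWS\system32` location are constructed assumptions, and the function names are hypothetical.

```python
import ntpath
# Constructed `netstat -ano` output and process inventory (PIDs and paths are made up).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:3003           0.0.0.0:0              LISTENING       1788
  TCP    0.0.0.0:43958          0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.20:1041      192.168.1.1:80         ESTABLISHED     2104
"""
PROCS = {  # pid -> full image path
    920: r"C:\WINDOWS\system32\svchost.exe",
    1788: r"C:\WINDOWS\system32\drivers\svchost.exe",
    2104: r"C:\Program Files\Internet Explorer\iexplore.exe",
    2300: r"C:\WINDOWS\svhost.exe",
}

def listeners(netstat_text):
    """Return {port: pid} for TCP sockets in the LISTENING state."""
    rows = (line.split() for line in netstat_text.splitlines())
    return {int(f[1].rsplit(":", 1)[1]): int(f[4])
            for f in rows if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss image names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def name_findings(path, system_dir=r"C:\WINDOWS\system32"):
    """Flag svchost.exe outside the system directory and names that imitate it."""
    folder, name = ntpath.split(path.lower())
    if name == "svchost.exe":
        return [] if folder == system_dir.lower() else ["svchost.exe outside system32"]
    return ["name imitates svchost.exe"] if edit_distance(name, "svchost.exe") <= 2 else []

def triage(netstat_text, procs, ports=(3003, 43958)):
    """Return {pid: (findings, watched ports owned)} for processes worth a look."""
    by_port = listeners(netstat_text)
    report = {}
    for pid, path in procs.items():
        owned = [p for p in ports if by_port.get(p) == pid]
        if owned or name_findings(path):
            report[pid] = (name_findings(path), owned)
    return report
```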
anole
Yep FakoLy, you're absolutely right. There were lots (many gigs) of interesting files available (but not now) for download, as well as the server files themselves!
mdk
FakoLy: wrong.
You can rename the service name, the exe and ini filename...
Search the forum for "mod servu" or something like this. Here's a tutorial.
nubela
QUOTE (FakoLy @ Feb 8 2004, 12:16 AM)
If you have servu on your machine, that means you have a stro on your box.
Maybe port 3003 is used by the backdoor that the pirate installed and the other port is the port used by servu..
Look in your task manager for the "servudaemon.exe" process, but it could have been renamed; most hackers that make stros on other computers rename their servu process to "svchost.exe" because you can have more than one svchost.exe process at the same time...
I think the port scan on port 3003 is just another warezer that is trying to scan for vulns.. maybe to own the stro.
Just try to find the servu home directory, there are surely interesting things in it, and look in system32 for the .ini file (to install you have to upp servudaemon.exe and servudaemon.ini to the remote-box and then, rename the exe and execute it.. I think you can't rename the ini)

Yeah, you can rename the .ini by hex editing it.
barty32
I'm rather sure it's only a backd00r of another hacker
securitydood
Yeah, servu listening on port 43958 is the default remote administrator that runs as part of servu.

As you already commented, you had been hacked and abused.

Make sure you lock your box down a little better. Get a firewall installed etc etc.

As no one else mentioned 43958 I thought I'd post this reply. Sorry if it's of no use to anyone.
DvilleStoner
QUOTE (Nostremato @ Feb 1 2004, 09:09 AM)
QUOTE (anole @ Feb 1 2004, 08:46 AM)
On my network, where 3003 is listening, there is a Serv-U installed listening on 43958.

maybe it is only a backdoor which the hackers installed

like 8 times ditto
DvilleStoner
QUOTE (Double-=V=- @ Feb 3 2004, 09:48 AM)
Well, he could have some kinda autohacker which doesn't log the IPs it hacked.

that would be kinda dumb ehh?