
What's "pcttunneller"? (port 2274)

5 replies to this topic

#1 longtex (Members, 14 posts)

Posted 27 February 2008 - 12:26 PM

What's "PCTTunneller"? (Port 2274)

Looking at active connections on the LAN, I see a connection with 2274 sitting at three times the next highest rx bytes... IANA says 2274 is assigned to "PCTTunneller" and the contact is listed as info@pctworld.com but http'ing to pctworld.com or www.pctworld.com says there's no server there. While waiting to see if email responds, I'm wondering if anyone here's ever heard of this or seen it?


#2 Orange Blossom (Moderator, OBleepin Investigator, 36,719 posts, Bloomington, IN)

Posted 29 February 2008 - 12:54 PM

Hello longtex and welcome to BC :flowers:

I asked some of the other folks here, and we've been researching the issue.

Given that you mentioned connections "on the LAN", I assume your computer is part of a local network. Is your computer part of a business network or something else?

By any chance, is there something called PCT Optimizer Suite on the network?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 longtex (Topic Starter, Members, 14 posts)

Posted 29 February 2008 - 03:43 PM

> Hello longtex and welcome to BC :flowers:
>
> I asked some of the other folks here, and we've been researching the issue.
>
> Given that you mentioned connections "on the LAN", I assume your computer is part of a local network. Is your computer part of a business network or something else?
>
> By any chance, is there something called PCT Optimizer Suite on the network?
>
> Orange Blossom :thumbsup:


It's a County Courthouse. I'm in the process of trying to lock out all the wankers idiots fine elected officials and their employees from watching boobtube crapola and surfing to various inappropriate spots... this is a very large (slightly larger than Connecticut and Rhode Island combined) but very poor (no oil, no gas, no agriculture) County with a very limited budget, so the IT stuff is one of my (too many) hats...

I'll have to go look for this PCT Optimizer - there's such a variety of crap stuff on these systems, I don't know right off hand.

It's going to be next week, though, because the power company is pulling the plug on the Courthouse in a few hours, and won't be back on until Saturday evening... and I've got enough to do trying to make sure everyone's got their computers disconnected - not to mention the HVAC and Department of Fatherland Sekkkurity goodies.

Thanks for the pointer - I'll let you know what I find (apparently the IANA-registered owner of the port does some sort of process control systems, so it's almost certainly not their software).

#4 Orange Blossom (Moderator, OBleepin Investigator, 36,719 posts, Bloomington, IN)

Posted 29 February 2008 - 07:59 PM

Hello longtex,

One of the administrators put me onto a document that discusses PCT Optimizer Suite. Here is the link: http://www.leikon.de/downloads/PCT_LOS_Pro...tions_2Page.pdf

Near as I can figure out, this is a legit software. The question is whether it is on your network, and if so who was responsible. That is, did a legit software installer or IT person install it?

Orange Blossom :thumbsup:

#5 longtex (Topic Starter, Members, 14 posts)

Posted 08 March 2008 - 11:41 PM

> Hello longtex,
>
> One of the administrators put me onto a document that discusses PCT Optimizer Suite. Here is the link: http://www.leikon.de/downloads/PCT_LOS_Pro...tions_2Page.pdf
>
> Near as I can figure out, this is a legit software. The question is whether it is on your network, and if so who was responsible. That is, did a legit software installer or IT person install it?
>
> Orange Blossom :thumbsup:


Yep, this company in Germany is the only thing I found. I agree, it appears to be legit stuff...

HOWEVER... There is basically no way that I can see that this software is on any computer in the LAN - it's sure not on any of mine... this is a County government, not an automated manufacturing process plant, and - albeit I haven't investigated it closely - the software doesn't look like anything that would remotely interest anyone here with access to the LAN, at least not to the point of paying for it: bottom line is, I suppose it's POSSIBLE, just extremely unlikely... clearly the PCT folks are plant automationeers, which has less than zero applicability here.

My fear was (is) that some clever cracker has noted the existence of this legitimate but highly likely to not be used port and is using it for nefarious purposes...

I suppose the real question to my way of thinking is more like "has anyone seen port 2274 being used by bad guys?"

Hey, thanks for the effort - I guess I'm not going to worry about it a whole lot, unless it starts eating bandwidth... nobody's complaining, so it's probably the Department of Vaterland Sekuritat reading the Emergency Management Coordinator's mail or something like that.

I apologize for taking so long to get back, but as I mentioned, I wear too many hats, and I've been tied up with all kinds of crazy stuff, specs, broken computers (I'm tellin' ya again, <office deleted>, you've got to quit surfing to <inappropriate content sites> - get yourself a copy of Agent and download them pictures from usenet, and view 'em with FastStone, if that's what you think you need to do), all the everyday stuff that makes it so rewarding... thanks again!

#6 groovicus (Security Colleague, 9,963 posts, Centerville, SD)

Posted 09 March 2008 - 09:09 AM

It is a legitimate application. ICANN does not assign ports to malware.

> the software doesn't look like anything that would remotely interest anyone here with access to the LAN,

You said that you have been trying to lock down the network. You don't suppose that someone may have installed a program to bypass those restrictions?

> There is basically no way that I can see that this software is on any computer in the LAN - it's sure not on any of mine
Not that how you do your job is any of my business, but shouldn't you maybe be mapping ports to processes so that you are sure, or conducting audits of all systems on the LAN? Were there any question of a compromise, the first thing investigators are going to want to see are audit records. If you are sure it is not from your network, then your network has been compromised, meaning a crime has been committed. In this day and age, I would want to know who, and for what purpose.

> so it's probably the Department of Vaterland Sekuritat reading the Emergency Management Coordinator's mail

What if those emails contain discussions of emergency response plans? Do you really want someone from the outside knowing how the county would respond to various threats? For that matter, do you really want someone from the outside able to use an email account that comes from your county? They would then have an email account that they could legitimately use to gather information from other resources, or as a springboard to compromise other computers.

Audit all of your systems. My guess is that there is some proxy software installed on someone's system.
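The port-to-process mapping groovicus recommends, as an added example that is not code from this thread or from anyone in it. It assumes the LAN hosts are Windows machines whose `netstat -ano` and `tasklist /fo csv /nh` output has been saved to text and fed in; it joins the two on PID and reports every socket that touches the watched port together with the owning image name, so "it's not on any of mine" becomes a checkable statement rather than a guess. The sample output, addresses, PIDs and image names below are constructed for the example.

```python
"""Map sockets on a watched port to the process that owns them.

Added example, not code from the thread. It assumes Windows hosts whose
`netstat -ano` and `tasklist /fo csv /nh` output has been saved to text;
the sample output below is constructed, not captured from any network.
"""
import csv
import io
import re

WATCHED_PORT = 2274  # the IANA "pcttunneller" port discussed in the thread

# One `netstat -ano` row: proto, local, foreign, optional state (UDP rows
# have none), PID. Header and "Active Connections" lines do not match.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

# Constructed sample of `netstat -ano` (addresses and PIDs are made up).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.10.17:2274     192.168.10.5:51022     ESTABLISHED     2440
  TCP    192.168.10.17:49160    192.168.10.5:2274      ESTABLISHED     3104
  TCP    192.168.10.17:445      192.168.10.20:1030     ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:500            *:*                                    1180
"""

# Constructed sample of `tasklist /fo csv /nh` (image names are placeholders).
TASKLIST_SAMPLE = '''"svchost.exe","912","Services","0","5,812 K"
"System","4","Services","0","312 K"
"unidentified_tool.exe","2440","Console","1","9,116 K"
"browserhelper.exe","3104","Console","1","14,228 K"
"lsass.exe","1180","Services","0","2,304 K"
'''


def parse_netstat(text):
    """Return one dict per socket row; non-matching lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from tasklist CSV (quoted fields, no header)."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue
        procs[int(row[1])] = row[0]
    return procs


def port_of(addr):
    """Port number of 'host:port' or '[v6]:port'; None for wildcards like '*:*'."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def connections_on_port(netstat_text, tasklist_text, port):
    """Every socket whose local or foreign end uses `port`, with its image name."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for conn in parse_netstat(netstat_text):
        if port in (port_of(conn["local"]), port_of(conn["foreign"])):
            image = procs.get(conn["pid"], "<pid not in tasklist>")
            hits.append({**conn, "image": image})
    return hits


if __name__ == "__main__":
    for h in connections_on_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, WATCHED_PORT):
        print(f'{h["proto"]} {h["local"]} -> {h["foreign"]} {h["state"]} '
              f'pid={h["pid"]} image={h["image"]}')
```

Run it on each host's saved output rather than on one machine; a PID that appears in netstat but not in tasklist is itself a finding worth a closer look, and the image path behind a name can be checked afterwards with `tasklist /m` or the process properties.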
