Found service running during audit

UNIX HP-UX
1

Hello all!

During a network audit, I came across a host running a service on a high port (34604). Not recognizing the port, I used a tool called 'amap' (THC-AMAP - fast and reliable application fingerprint mapper) to fingerprint it.

This tool also did not fingerprint it correctly, but did manage to get a response from the service.

Here is the output:
0000: 0000 0001 412e 3031 2e31 3500 6674 7000 [ ....A.01.15.ftp. ]
0010: 6365 6420 4469 736b 2041 7272 6179 2073 [ ced Disk Array s ]
0020: 6572 6961 6c20 6e75 6d62 6572 203f 3a20 [ erial number ?: ]
0030: 4561 723a 3a4c 6973 7465 6e28 2930 3030 [ Ear::Listen()000 ]
0040: 3030 3132 3042 3846 3600 0000 000d 0000 [ 00120B8F6....... ]
0050: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0060: 00bc 0004 1000 0000 0000 0000 0000 0000 [ ................ ]
0070: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0080: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0090: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
00a0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
00b0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
00c0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
00d0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
00e0: 0000 0000 0000 0000 0000 0000 0000 4003 [ ..............@. ]
00f0: 7980 0000 0000 0000 00b1 0003 0000 0000 [ y............... ]
0100: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0110: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0120: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0130: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0140: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0150: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0160: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0170: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0180: 0003 2f76 6172 2f6f 7074 2f68 7061 7272 [ ../var/opt/hparr ]
0190: 6179 2f61 646d 696e 2f30 3030 3030 3132 [ ay/admin/0000012 ]
01a0: 3042 3846 362e 0000 0000 0000 0000 0000 [ 0B8F6........... ]
01b0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
01c0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
01d0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
01e0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
01f0: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0200: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0210: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0220: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0230: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0240: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0250: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0260: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0270: 0000 0000 0000 0000 0000 0000 0000 0000 [ ................ ]
0280: 0000 0000 0000 00 [ ....... ]

I started googling around for the string "/var/opt/hparray" and I found a lot of resourced for AutoRAID controllers.

Unfortunately, i could not find any information about a remote client that could be used to connect this service. (ie. nothing with port numbers etc)

Does anyone know of such a piece of software, or am I on the complete wrong track here?

Much thanks!

-dan

2

Run:
lsof -i :34604
to see what process has that port open.

3

Unfortunately I do not have a login to the machine. As I said, I'm doing a network audit and ran across this. I'd love to learn more about this service so I can pass that knowledge on to my client.

I'm naturally going to advise a firewall, but I think having more information about what this service is would be very helpful.

Has anyone ever used a storage controller (san or otherwise) that has a remote management port?

Thanks everyone.

-dan