Service running on 5555 is Data Protector

roug · September 11, 2023, 7:27am

The scan report told me to report an unknown service running on port 5555 in the forum and paste some output.

It is our backup software called (back then) HP Data Protector. The product has then been acquired by Micro Focus. We switched to another product several years ago and will remove the service from this host it was found on. I don’t

Method: get_httpHex
0x00: 48 00 50 00 20 00 44 00 61 00 74 00 61 00 20 00 H.P. .D.a.t.a. .
0x10: 50 00 72 00 6F 00 74 00 65 00 63 00 74 00 6F 00 P.r.o.t.e.c.t.o.
0x20: 72 00 20 00 41 00 2E 00 30 00 39 00 2E 00 30 00 r. .A…0.9…0.
0x30: 30 00 3A 00 20 00 49 00 4E 00 45 00 54 00 2C 00 0.:. .I.N.E.T.,.
0x40: 20 00 69 00 6E 00 74 00 65 00 72 00 6E 00 61 00 .i.n.t.e.r.n.a.
0x50: 6C 00 20 00 62 00 75 00 69 00 6C 00 64 00 20 00 l. .b.u.i.l.d. .
0x60: 31 00 30 00 31 00 2C 00 20 00 62 00 75 00 69 00 1.0.1.,. .b.u.i.
0x70: 6C 00 74 00 20 00 6F 00 6E 00 20 00 32 00 37 00 l.t. .o.n. .2.7.
0x80: 20 00 4F 00 63 00 74 00 6F 00 62 00 65 00 72 00 .O.c.t.o.b.e.r.
0x90: 20 00 32 00 30 00 31 00 34 00 2C 00 20 00 31 00 .2.0.1.4.,. .1.
0xA0: 33 00 3A 00 32 00 34 00 0A 00 00 00 3.:.2.4…
Nmap service detection (unknown) result for this port: omniinet

There are some vulnerabilities if you google the name.

cfi · September 12, 2023, 6:53am

Hello,

welcome to this community forums and thanks a lot for your posting.

While i wasn’t able to reproduce this so far against services responding like this (See *) i have extended the detection methods in Service Detection with 'GET' Request (OID: 1.3.6.1.4.1.25623.1.0.17975) and Service Detection with 'HELP' Request' (OID: 1.3.6.1.4.1.25623.1.0.11153) which could detect the service a “little bit” earlier.

These changes should arrive in the feeds and any feedback would be highly appreciated.

* The Micro Focus / HP / HPE (OpenView Storage) Data Protector Detection (OID: 1.3.6.1.4.1.25623.1.0.19601) always detected the product in all cases and thus no such unknown service is getting reported during my tests. It might be possible that the service (where the message above have been seen) was “overloaded” during the scan and thus a detection wasn’t possible so far.