Re: Strange connections to ports 1214, 6346 and 28800
From: Glenn Forbes Fleming Larratt (glratt@rice.edu)Date: 11/02/01
- Previous message: Jeroen Peters: "Strange connections to ports 1214, 6346 and 28800"
- In reply to: Jeroen Peters: "Strange connections to ports 1214, 6346 and 28800"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 2 Nov 2001 10:47:45 -0600 (CST) From: Glenn Forbes Fleming Larratt <glratt@rice.edu> To: <incidents@securityfocus.com> Subject: Re: Strange connections to ports 1214, 6346 and 28800 Message-ID: <Pine.GSO.4.33.0111021040210.20117-100000@san-gabriel.is.rice.edu>
Don't know the details of your provider's cable modem network.
(The bad news is that it's an open question whether your provider does,
either. :| )
TCP 1214 is the default port for KaZaA, an mp3 etc. sharing program.
TCP 6346 is the default port for Gnutella, an mp3 etc. sharing program.
UDP 28800 is the default port for a first-person multiuser network game -
I don't remember which one (UDP 28800, 6112, and 27015 are similarly
present in our analog dialup pool).
-g
On Fri, 2 Nov 2001, Jeroen Peters wrote:
> Hello,
>
> Does anyone know what this could be:
>
> Yesterday, my Internet connection went down. I have a cable modem
> connection with an Amsterdam (the Netherlands) provider.
> When I did an Ipconfig on the machine connected to the cable modem it
> returned 0.0.0.0 for the external NIC. A renew didn't work. (The
> external adapter receives it's address by DHCP, which stays normally the
> same with every renew)).
> Nothing strange so far.
> However, when I opened Winroute (which operates as a NAT/Firewall for my
> internal network) and took a look at the security log window, it was
> going like a madman!
> What I saw where lots and lots of connections to OTHER machines from
> other machines to TCP port 1214, TCP port 6346 and UDP port 28800. Port
> 1214 was dominant in numbers. Was I running in promiscuous mode? When I
> asked a friend who's on a different subnet with the same provider to
> ping one of the targeted machines, his ping showed up in my log!!!!!
> At this point, Ipconfig still showed 0.0.0.0 for my external adapter.
> After 4 hours the connections seized, and I was able to renew my
> external adapter. Strangely, it received a different IP address then
> normal (in the same subnet).
>
> A closer look to my log showed the following:
>
> - 3024 unique IP address had connections (attempts?) to 4 unique IP
> addresses to TCP port 1214,
> - 6 unique IP addresses had connections to UDP port 28800 to 1 unique IP
> address,
> - 47 unique IP addresses had connections to TCP port 6346 to 1 unique IP
> address.
> - All targeted machines where in my subnet, the source IP addresses came
> from all over the world, dial ups, dot coms, dot edu, dot net etc.
> - Non of the above mentioned hosts targeted my machine directly.
>
> Right now, a trace route to the yesterday targeted machines returns
> nothing. (normally it would at least show the 10.19.*.* from my cable
> modem and upstream routers).
>
> I would love some comments on this,
>
> Regards,
>
> Jeroen Peters
>
> Amsterdam
> the Netherlands
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
Glenn Forbes Fleming Larratt
Rice University Network Management
glratt@rice.edu
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: Jeroen Peters: "Strange connections to ports 1214, 6346 and 28800"
- In reply to: Jeroen Peters: "Strange connections to ports 1214, 6346 and 28800"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
