RE: Traffic on UDP 1815

From: Sahr, Kenneth (ksahr@fiwc.navy.mil)
Date: 02/12/03

  • Next message: Mark E. Donaldson: "RE: Traffic on UDP 1815"
    Date: Wed, 12 Feb 2003 08:14:27 -0500
    From: "Sahr, Kenneth" <ksahr@fiwc.navy.mil>
    To: "Mark E. Donaldson" <markee@ridgecrest.ca.us>
    
    

    Actually, I was able to determine it's source late last night..It turns out that P2P software Kazaa was causing the connections to come back, I can't imagine what it uses UDP 1815 for, however, as I blocked all incoming queries to that port and was still able to search and download files..while doing so I saw many packets attempt to come in on the suspect port, but all were dropped by my firewall. Like I said, not sure why this traffic was occuring, but at least I know what was causing it.. Thanks everyone for your answers.

    KS

    -----Original Message-----
    From: Mark E. Donaldson [mailto:markee@ridgecrest.ca.us]
    Sent: Tuesday, February 11, 2003 11:51 PM
    To: Sahr, Kenneth; incidents@securityfocus.com
    Subject: RE: Traffic on UDP 1815

    It appears MMPFT is the acronym for "Multimedia Portables For Teachers".
    Not a heavily used service I would think. You say you these packets are
    coming to your home machine. Can we assume this is a dynamic IP connection
    and perhaps the packets are intended for the user assigned that IP from an
    earlier time? Unfortunately, UDP provides few clues and it is often hard to
    draw any conclusion unless full payload captures are available.

    -----Original Message-----
    From: Sahr, Kenneth [mailto:ksahr@fiwc.navy.mil]
    Sent: Tuesday, February 11, 2003 7:21 AM
    To: incidents@securityfocus.com
    Subject: Traffic on UDP 1815

    Hi all, longtime lurker, first time poster to this forum. I've been seeing
    a lot of traffic on my home Win2K pro machine lately from random IP's/high
    numbered source ports to UDP 1815, which is registered as "MMPFT"..this is
    all the information I can gather on it though..anybody have any insight into
    what this might be? I'm hoping someone's seen it before.. I also checked,
    there is no initial packets sent out from my machine to any of these source
    IP's..so I don't suspect any kind of callback, and I don't really expect any
    sort of intrusion at all..just curious as to what this service is..

    Thanks in advance for any replies

    K Sahr

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com