Re: Connections on port 1891 (TCP)

From: Stupified (neosadist@hotmail.com)
Date: 01/26/03


From: "Stupified" <neosadist@hotmail.com>
Date: Sun, 26 Jan 2003 06:38:23 -0600


"Tim S. Knight" <spu_kcab@yahoo.com> wrote in message
news:39409fe24dd@yahoo.com...
> Does anyone know what these are for/from:
>
> [25/Jan/2003 12:50:29] Packet filter: ACL 3:11 The Internet: drop packet in id=10592 : TCP 66.190.58.53:4241 -> xx.71.22.97:1891
> [25/Jan/2003 12:50:32] Packet filter: ACL 3:11 The Internet: drop packet in id=10656 : TCP 66.190.58.53:4241 -> xx.71.22.97:1891
> [25/Jan/2003 12:50:37] Packet filter: ACL 3:11 The Internet: drop packet in id=10734 : TCP 66.190.58.53:4241 -> xx.71.22.97:1891
> [25/Jan/2003 12:52:55] Packet filter: ACL 3:11 The Internet: drop packet in id=14524 : TCP 66.190.58.53:4305 -> xx.71.22.97:1891
> [25/Jan/2003 12:52:58] Packet filter: ACL 3:11 The Internet: drop packet in id=14588 : TCP 66.190.58.53:4305 -> xx.71.22.97:1891
> [25/Jan/2003 12:53:05] Packet filter: ACL 3:11 The Internet: drop packet in id=14862 : TCP 66.190.58.53:4305 -> xx.71.22.97:1891
>
> [25/Jan/2003 12:53:19] Packet filter: ACL 3:11 The Internet: drop packet in id=15459 : TCP 193.64.78.75:63416 -> xx.71.22.97:1891
> [25/Jan/2003 12:53:22] Packet filter: ACL 3:11 The Internet: drop packet in id=15604 : TCP 193.64.78.75:63416 -> xx.71.22.97:1891
>

According to IANA:

childkey-notif 1891/tcp ChildKey Notification
childkey-notif 1891/udp ChildKey Notification
childkey-ctrl 1892/tcp ChildKey Control
childkey-ctrl 1892/udp ChildKey Control

Ok, so probably not that.
First off, could be just about anything capable of using random ports, such
as peer to peer software, ftp, instant messengers, you name it. But since
it consistently picks that port, I'd assume it's some new trojan or
something.
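
An added example, not part of the original post: a small Python triage script that parses the packet-filter lines quoted above and groups the drops by source host and destination port. Lines that share a source port belong to one connection attempt being retried after the drop, so the eight log lines reduce to three attempts from two hosts. The regular expression is an assumption based only on the line layout visible in the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the quoted post (wrapped lines rejoined).
SAMPLE_LOG = """\
[25/Jan/2003 12:50:29] Packet filter: ACL 3:11 The Internet: drop packet in id=10592 : TCP 66.190.58.53:4241 -> xx.71.22.97:1891
[25/Jan/2003 12:50:32] Packet filter: ACL 3:11 The Internet: drop packet in id=10656 : TCP 66.190.58.53:4241 -> xx.71.22.97:1891
[25/Jan/2003 12:50:37] Packet filter: ACL 3:11 The Internet: drop packet in id=10734 : TCP 66.190.58.53:4241 -> xx.71.22.97:1891
[25/Jan/2003 12:52:55] Packet filter: ACL 3:11 The Internet: drop packet in id=14524 : TCP 66.190.58.53:4305 -> xx.71.22.97:1891
[25/Jan/2003 12:52:58] Packet filter: ACL 3:11 The Internet: drop packet in id=14588 : TCP 66.190.58.53:4305 -> xx.71.22.97:1891
[25/Jan/2003 12:53:05] Packet filter: ACL 3:11 The Internet: drop packet in id=14862 : TCP 66.190.58.53:4305 -> xx.71.22.97:1891
[25/Jan/2003 12:53:19] Packet filter: ACL 3:11 The Internet: drop packet in id=15459 : TCP 193.64.78.75:63416 -> xx.71.22.97:1891
[25/Jan/2003 12:53:22] Packet filter: ACL 3:11 The Internet: drop packet in id=15604 : TCP 193.64.78.75:63416 -> xx.71.22.97:1891
"""

# Assumed layout: [timestamp] ... drop packet in id=N : PROTO src:sport -> dst:dport
# [\w.]+ is used for addresses because the poster masked one octet as "xx".
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Packet filter: ACL \S+ .*?: drop packet in "
    r"id=\d+ : (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)"
)

def parse(text):
    """Yield (timestamp, src, sport, dport) for every drop line that matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
            yield ts, m["src"], int(m["sport"]), int(m["dport"])

def summarize(text):
    """Map (src, dport) -> {sport: [seconds between successive drops]}."""
    groups = defaultdict(lambda: defaultdict(list))
    for ts, src, sport, dport in parse(text):
        groups[(src, dport)][sport].append(ts)
    return {
        key: {sp: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
              for sp, t in attempts.items()}
        for key, attempts in groups.items()
    }

if __name__ == "__main__":
    for (src, dport), attempts in summarize(SAMPLE_LOG).items():
        print(f"{src} -> port {dport}: {len(attempts)} connection attempt(s)")
        for sport, gaps in attempts.items():
            print(f"  source port {sport}: {len(gaps) + 1} packets, gaps {gaps} s")
```

Run over a longer log, the same grouping shows whether hits on a port come from many unrelated sources or from a few hosts retrying.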