RE: Packets destined for ports 6970 and 6972

From: Bell, James (AZ76) (James.Bellat_private)
Date: Wed Jul 18 2001 - 13:14:09 PDT

Next message: Portnoy, Gary: "RE: streams of fragments..."

Previous message: Marc Maiffret: "RE: "Code Red" worm questions"
Maybe in reply to: Elliott Perrin: "Packets destined for ports 6970 and 6972"
Next in thread: Bryan Allerdice: "RE: Packets destined for ports 6970 and 6972"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

That could be adware from RealAudio or Quicktime streaming server, I
believe, although I've never gotten at much as you report here. Invariably,
when I track the source, it's a streaming server that someone has been
using.

> -----Original Message-----
> From: Elliott Perrin [mailto:eperrinat_private]
> Sent: Wednesday, July 18, 2001 8:20 AM
> To: INCIDENTSat_private
> Subject: Packets destined for ports 6970 and 6972
> 
> 
> For the past two days I have seen connection attempts to my 
> firewall to
> UDP ports 6970 and 6972 in the order of about 3500 attempts from
> each of about 10 different IP's.
> 
> Here is a quick snip.... (note I log in vain hence the reason 
> these show up in my
> messages)
> 
> Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP 
> xxx.xxx.xxx.xxx:6970 from
> 63.228.31.233:6972
> Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP 
> xxx.xxx.xxx.xxx:6970 from
> 63.228.31.233:6972
> Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP 
> xxx.xxx.xxx.xxx:6972 from
> 63.228.31.233:6972
> Jul 18 10:00:06 fw1 last message repeated 13 times
> 
> Today's messages log which started at Midnight is already at 
> 35,000 lines
> with the same as above only from different hosts. There are 
> no services
> running on my firewall, all servers run in a DMZ.
> 
> Just wondering if anyone else has seen this activity and has 
> an idea about
> what it may be, if this is a new attack or worm in the wild. 
> My box is running
> FreeBSD 4.3-STABLE and IPFILTER.
> 
> Cheers,
> _________________________________
> Elliott Perrin
> Senior Systems Administrator
> Biographix Corporation
> eperrinat_private
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> 
> --------------------------------------------------------------
> --------------
> 
> 
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see:
> 
> http://aris.securityfocus.com
> 


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: Portnoy, Gary: "RE: streams of fragments..."
Previous message: Marc Maiffret: "RE: "Code Red" worm questions"
Maybe in reply to: Elliott Perrin: "Packets destined for ports 6970 and 6972"
Next in thread: Bryan Allerdice: "RE: Packets destined for ports 6970 and 6972"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 13:38:08 PDT