RE: Packets destined for ports 6970 and 6972

From: Bell, James (AZ76) (James.Bellat_private)
Date: Wed Jul 18 2001 - 13:14:09 PDT


    That could be adware from RealAudio or Quicktime streaming server, I
    believe, although I've never gotten as much as you report here. Invariably,
    when I track the source, it's a streaming server that someone has been
    using.
    
    > -----Original Message-----
    > From: Elliott Perrin [mailto:eperrinat_private]
    > Sent: Wednesday, July 18, 2001 8:20 AM
    > To: INCIDENTSat_private
    > Subject: Packets destined for ports 6970 and 6972
    > 
    > 
    > For the past two days I have seen connection attempts to my firewall to
    > UDP ports 6970 and 6972 in the order of about 3500 attempts from
    > each of about 10 different IP's.
    > 
    > Here is a quick snip.... (note I log in vain hence the reason these show
    > up in my messages)
    > 
    > Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
    > Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
    > Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6972 from 63.228.31.233:6972
    > Jul 18 10:00:06 fw1 last message repeated 13 times
    > 
    > Today's messages log which started at Midnight is already at 35,000 lines
    > with the same as above only from different hosts. There are no services
    > running on my firewall, all servers run in a DMZ.
    > 
    > Just wondering if anyone else has seen this activity and has an idea about
    > what it may be, if this is a new attack or worm in the wild. My box is
    > running FreeBSD 4.3-STABLE and IPFILTER.
    > 
    > Cheers,
    > _________________________________
    > Elliott Perrin
    > Senior Systems Administrator
    > Biographix Corporation
    > eperrinat_private
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > 
    > 
    > 
    > --------------------------------------------------------------
    > --------------
    > 
    > 
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see:
    > 
    > http://aris.securityfocus.com
    > 
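
Added example, not part of the original messages: a Python tally of the log format quoted above that credits syslog's "last message repeated N times" lines to the preceding connection attempt, so the per-source totals used to pick hosts to trace are not undercounted. The 192.0.2.10 source, the cron line and the function names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

ATTEMPT = re.compile(
    r"Connection attempt to (?P<proto>UDP|TCP) \S+:(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)")
REPEAT = re.compile(r"last message repeated (?P<n>\d+) times?")

# Constructed sample: the first four lines follow the quoted log; the
# 192.0.2.10 source and the cron line are made up for the example.
SAMPLE_LOG = """\
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6972 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 last message repeated 13 times
Jul 18 10:00:07 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 192.0.2.10:6970
Jul 18 10:00:08 fw1 cron[311]: constructed unrelated line
Jul 18 10:00:08 fw1 last message repeated 2 times
"""

def tally(lines):
    """Count attempts per (source IP, source port, protocol, destination port)."""
    counts, last = Counter(), None
    for line in lines:
        hit = ATTEMPT.search(line)
        if hit:
            last = (hit["src"], int(hit["sport"]), hit["proto"], int(hit["dport"]))
            counts[last] += 1
        elif (rep := REPEAT.search(line)):
            # syslog collapsed N more copies of the previous line; credit them
            # only if that previous line was a connection attempt.
            if last is not None:
                counts[last] += int(rep["n"])
        else:
            last = None  # an unrelated message breaks the repeat chain
    return counts

def by_source(counts):
    """Roll the tally up per source IP, busiest first."""
    summary = defaultdict(lambda: {"attempts": 0, "sports": set(), "dports": set()})
    for (src, sport, _proto, dport), n in counts.items():
        summary[src]["attempts"] += n
        summary[src]["sports"].add(sport)
        summary[src]["dports"].add(dport)
    return sorted(summary.items(), key=lambda kv: -kv[1]["attempts"])

if __name__ == "__main__":
    for src, s in by_source(tally(SAMPLE_LOG.splitlines())):
        print(f"{src:15} attempts={s['attempts']:<6} "
              f"from ports {sorted(s['sports'])} to ports {sorted(s['dports'])}")
```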
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 13:38:08 PDT