That could be adware from RealAudio or Quicktime streaming server, I believe, although I've never gotten as much as you report here. Invariably, when I track the source, it's a streaming server that someone has been using.

> -----Original Message-----
> From: Elliott Perrin [mailto:eperrinat_private]
> Sent: Wednesday, July 18, 2001 8:20 AM
> To: INCIDENTSat_private
> Subject: Packets destined for ports 6970 and 6972
>
> For the past two days I have seen connection attempts to my firewall to
> UDP ports 6970 and 6972 in the order of about 3500 attempts from
> each of about 10 different IPs.
>
> Here is a quick snip.... (note I log in vain hence the reason these show up in my
> messages)
>
> Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
> Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
> Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6972 from 63.228.31.233:6972
> Jul 18 10:00:06 fw1 last message repeated 13 times
>
> Today's messages log which started at Midnight is already at 35,000 lines
> with the same as above only from different hosts. There are no services
> running on my firewall, all servers run in a DMZ.
>
> Just wondering if anyone else has seen this activity and has an idea about
> what it may be, if this is a new attack or worm in the wild. My box is running
> FreeBSD 4.3-STABLE and IPFILTER.
>
> Cheers,
> _________________________________
> Elliott Perrin
> Senior Systems Administrator
> Biographix Corporation
> eperrinat_private
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com
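Added example, not part of the original thread: a Python tally of the log format quoted above that folds syslog's "last message repeated N times" lines back into the preceding entry, so per-source counts reflect the real number of attempts. The sample log is constructed from the lines in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the four log lines quoted in the post (destination masked as posted).
SAMPLE_LOG = """\
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6972 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 last message repeated 13 times
"""

ATTEMPT = re.compile(
    r"Connection attempt to UDP (?P<dst>\S+):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)$")
REPEAT = re.compile(r"last message repeated (\d+) times$")

def tally(log_text):
    """Count attempts keyed by (source IP, source port, destination port)."""
    counts = Counter()
    last_key = None  # key of the most recent attempt line, if the previous line was one
    for line in log_text.splitlines():
        line = line.strip()
        m = ATTEMPT.search(line)
        if m:
            last_key = (m["src"], int(m["sport"]), int(m["dport"]))
            counts[last_key] += 1
            continue
        r = REPEAT.search(line)
        if r and last_key is not None:
            # syslog collapsed N identical lines; credit them to the preceding attempt
            counts[last_key] += int(r.group(1))
        else:
            # unrelated line: a later "repeated" notice would not refer to an attempt
            last_key = None
    return counts

def per_source(counts):
    """Collapse the tally to total attempts per source IP."""
    totals = Counter()
    for (src, _sport, _dport), n in counts.items():
        totals[src] += n
    return totals

if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    for (src, sport, dport), n in counts.most_common():
        print(f"{src}:{sport} -> UDP/{dport}: {n}")
    print(dict(per_source(counts)))
```

Grouping by source port as well as destination port makes a constant source port, as in the quoted lines, stand out when comparing hosts.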
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 13:38:08 PDT