-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ports 6970-7170 are used by to send advertisements to RealPlayer. I'd say that the people behind your firewall run RealPlayer, and your firewall is sparing them from useless ads. BRYAN - -----Original Message----- From: Elliott Perrin [mailto:eperrinat_private] Sent: Wednesday, July 18, 2001 11:20 AM To: INCIDENTSat_private Subject: Packets destined for ports 6970 and 6972 For the past two days I have seen connection attempts to my firewall to UDP ports 6970 and 6972 in the order of about 3500 attempts from each of about 10 different IP's. Here is a quick snip.... (note I log in vain hence the reason these show up in my messages) Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972 Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972 Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6972 from 63.228.31.233:6972 Jul 18 10:00:06 fw1 last message repeated 13 times Today's messages log which started at Midnight is already at 35,000 lines with the same as above only from different hosts. There are no services running on my firewall, all servers run in a DMZ. Just wondering if anyone else has seen this activity and has an idea about what it may be, if this is a new attack or worm in the wild. My box is running FreeBSD 4.3-STABLE and IPFILTER. Cheers, _________________________________ Elliott Perrin Senior Systems Administrator Biographix Corporation eperrinat_private ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - ---------------------------------------------------------------------- - ------ This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO1YWzoQImHalSbbtEQI3vQCg024Gusj99Htm9fXFcL7H6J6jiyQAn2Wn xYD4kjh7uvmmSb3Mg4VdB99t =rOhv -----END PGP SIGNATURE----- _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 20:54:51 PDT