RE: Packets destined for ports 6970 and 6972

From: Bryan Allerdice (bryan_allerdiceat_private)
Date: Wed Jul 18 2001 - 16:07:59 PDT

    Ports 6970-7170 are used by to send advertisements to RealPlayer.
    
    I'd say that the people behind your firewall run RealPlayer, and your
    firewall is sparing them from useless ads.
    
    BRYAN
    
    -----Original Message-----
    From: Elliott Perrin [mailto:eperrinat_private]
    Sent: Wednesday, July 18, 2001 11:20 AM
    To: INCIDENTSat_private
    Subject: Packets destined for ports 6970 and 6972
    
    
    For the past two days I have seen connection attempts to my firewall to
    UDP ports 6970 and 6972 in the order of about 3500 attempts from each of
    about 10 different IP's.
    
    Here is a quick snip.... (note I log in vain hence the reason these show
    up in my messages)
    
    Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
    Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
    Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6972 from 63.228.31.233:6972
    Jul 18 10:00:06 fw1 last message repeated 13 times
    
    Today's messages log which started at Midnight is already at 35,000 lines
    with the same as above only from different hosts. There are no services
    running on my firewall, all servers run in a DMZ.
    
    Just wondering if anyone else has seen this activity and has an idea about
    what it may be, if this is a new attack or worm in the wild. My box is
    running FreeBSD 4.3-STABLE and IPFILTER.
    
    Cheers,
    _________________________________
    Elliott Perrin
    Senior Systems Administrator
    Biographix Corporation
    eperrinat_private
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com



    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 20:54:51 PDT
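
A triage sketch for logs like the one quoted above, as an added example that is not part of either post: it tallies the kernel's "Connection attempt" lines per source, expands syslog's "last message repeated N times" lines, and separates traffic aimed at the UDP 6970-7170 range named in the reply from everything else. The sample lines, the 192.0.2.7 entry and the function names are constructed for illustration, and a single logging host per file is assumed.

```python
import re
from collections import Counter

# Constructed sample in the quoted log's format (destination masked as in the post);
# the 192.0.2.7 line is an invented contrast case.
SAMPLE = """\
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6970 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:6972 from 63.228.31.233:6972
Jul 18 10:00:06 fw1 last message repeated 13 times
Jul 18 10:00:07 fw1 /kernel: Connection attempt to UDP xxx.xxx.xxx.xxx:53 from 192.0.2.7:40000
"""

ATTEMPT = re.compile(r"Connection attempt to (UDP|TCP) (\S+):(\d+) from (\S+):(\d+)")
REPEAT = re.compile(r"last message repeated (\d+) times")
REPLY_RANGE = range(6970, 7171)  # UDP ports 6970-7170, the range named in the reply


def summarize(text):
    """Count attempts per (proto, src ip, src port, dst port), expanding syslog repeats."""
    counts = Counter()
    last = None  # key of the previous attempt line, which a "repeated" line refers to
    for line in text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            proto, _dst, dport, src, sport = m.groups()
            last = (proto, src, int(sport), int(dport))
            counts[last] += 1
            continue
        r = REPEAT.search(line)
        if r and last is not None:
            counts[last] += int(r.group(1))
        elif not r:
            last = None  # an unrelated message breaks the repeat chain
    return counts


def by_source(counts):
    """Per source IP: (total attempts, attempts outside the reply's UDP port range)."""
    out = {}
    for (proto, src, _sport, dport), n in counts.items():
        total, outside = out.get(src, (0, 0))
        in_range = proto == "UDP" and dport in REPLY_RANGE
        out[src] = (total + n, outside + (0 if in_range else n))
    return out


if __name__ == "__main__":
    for src, (total, outside) in sorted(by_source(summarize(SAMPLE)).items()):
        print(f"{src}: {total} attempts, {outside} outside UDP 6970-7170")
```

A source whose second number is zero sent only to the range the reply describes; anything with attempts outside it deserves a separate look.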