RE: Packets destined for ports 6970 and 6972

From: Bryan Allerdice (bryan_allerdiceat_private)
Date: Wed Jul 18 2001 - 16:07:59 PDT

Next message: Russell Fulton: "Re: streams of fragments..."

Previous message: McCammon, Keith: "IIS/FrontPage Script?"
In reply to: Elliott Perrin: "Packets destined for ports 6970 and 6972"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ports 6970-7170 are used by to send advertisements to RealPlayer.

I'd say that the people behind your firewall run RealPlayer, and your
firewall is sparing them from useless ads.

BRYAN

- -----Original Message-----
From: Elliott Perrin [mailto:eperrinat_private]
Sent: Wednesday, July 18, 2001 11:20 AM
To: INCIDENTSat_private
Subject: Packets destined for ports 6970 and 6972


For the past two days I have seen connection attempts to my firewall
to
UDP ports 6970 and 6972 in the order of about 3500 attempts from
each of about 10 different IP's.

Here is a quick snip.... (note I log in vain hence the reason these
show up in my
messages)

Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP
xxx.xxx.xxx.xxx:6970 from
63.228.31.233:6972
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP
xxx.xxx.xxx.xxx:6970 from
63.228.31.233:6972
Jul 18 10:00:06 fw1 /kernel: Connection attempt to UDP
xxx.xxx.xxx.xxx:6972 from
63.228.31.233:6972
Jul 18 10:00:06 fw1 last message repeated 13 times

Today's messages log which started at Midnight is already at 35,000
lines
with the same as above only from different hosts. There are no
services
running on my firewall, all servers run in a DMZ.

Just wondering if anyone else has seen this activity and has an idea
about
what it may be, if this is a new attack or worm in the wild. My box
is running
FreeBSD 4.3-STABLE and IPFILTER.

Cheers,
_________________________________
Elliott Perrin
Senior Systems Administrator
Biographix Corporation
eperrinat_private
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



- ----------------------------------------------------------------------
- ------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO1YWzoQImHalSbbtEQI3vQCg024Gusj99Htm9fXFcL7H6J6jiyQAn2Wn
xYD4kjh7uvmmSb3Mg4VdB99t
=rOhv
-----END PGP SIGNATURE-----


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: Russell Fulton: "Re: streams of fragments..."
Previous message: McCammon, Keith: "IIS/FrontPage Script?"
In reply to: Elliott Perrin: "Packets destined for ports 6970 and 6972"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 20:54:51 PDT