Re: TCP port 6346

From: Harri Nyman (harriat_private)
Date: Tue Jul 31 2001 - 10:29:24 PDT


    Gnutella file sharing client - as the IANA numbers show. That break
    simply shows that someone went to sleep and then reactivated their
    client; I bet it's a misconfigured BearShare for the Win98 platform.
    
    Harri Nyman
    Midian Communications
    
    Dean Cunningham wrote:
    > 
    > Any suggestions as to reason for this port to be used?
    > 24.6.190.57 (cx659386-a.chspk1.va.home.com) has been knocking on my door for
    > the last two days.
    > About every 2 minutes, 01:00 GMT 11:00 GMT, a break of 14 hours and then
    > they have started up again.
    > This indicates (at least to me) they are not benign.
    > 202.36.122.31 is a broadcast ip address for a portion of a subnetted IP, so
    > no actual machine exists on our network.
    > No NAT.
    > Our proxy server sits on the same subnet?
    > 
    > Summary:
    > Source:         24.6.190.57
    > Destination:    202.36.122.31
    > Time NZST:      31 Jul 2001 12:41 to 12:58 (+1200)
    > Time GMT:       31 Jul 2001 00:41 to 00:58
    > Protocols:      TCP port 6346
    > 
    > IANA (http://www.iana.org/assignments/port-numbers) shows
    > 
    > gnutella-svc    6346/tcp   gnutella-svc
    > gnutella-svc    6346/udp   gnutella-svc
    > gnutella-rtr    6347/tcp   gnutella-rtr
    > gnutella-rtr    6347/udp   gnutella-rtr
    > 
    > Is it possible for a user at my site to be trying to run Gnutella (we allow
    > high ports out) and I am just getting a reflection?
    > 
    > Your thoughts?
    > 
    > regards
    > Dean
    > ***************************************************
    > This e-mail is  not an  official  statement of  the
    > Waikato  Regional  Council unless otherwise stated.
    > Visit our website http://www.ew.govt.nz
    > ***************************************************
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 11:21:04 PDT
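
An added example, not part of the original thread: a small triage script that groups firewall hits by source, destination and port and reports the retry interval, the number of sessions and the longest break, which are the timing features the two posters argue from. The log line layout (`timestamp src dst proto port`) and the sample lines are constructed for illustration; the addresses and port names are the ones quoted in the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Port names as quoted from the IANA list in the thread.
PORT_NAMES = {6346: "gnutella-svc", 6347: "gnutella-rtr"}

def make_sample():
    """Constructed log lines: one hit every 2 minutes, a 14 h break, then more."""
    start = datetime(2001, 7, 31, 0, 41)
    times = [start + timedelta(minutes=2 * i) for i in range(9)]
    resume = times[-1] + timedelta(hours=14)
    times += [resume + timedelta(minutes=2 * i) for i in range(5)]
    return [f"{t.isoformat()} 24.6.190.57 202.36.122.31 tcp 6346" for t in times]

def summarize(lines, session_gap=timedelta(hours=1)):
    """Group hits by (src, dst, port) and describe their timing."""
    flows = defaultdict(list)
    targets_per_src = defaultdict(set)
    for line in lines:
        ts, src, dst, _proto, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
        targets_per_src[src].add((dst, int(port)))
    report = []
    for (src, dst, port), stamps in flows.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        short = [g.total_seconds() for g in gaps if g <= session_gap]
        report.append({
            "src": src, "dst": dst, "port": port,
            "service": PORT_NAMES.get(port, "unknown"),
            "hits": len(stamps),
            # A gap longer than session_gap starts a new session.
            "sessions": 1 + sum(g > session_gap for g in gaps),
            "median_interval_s": median(short) if short else None,
            "longest_break_h": max(gaps).total_seconds() / 3600 if gaps else 0.0,
            # Heuristic only: one source, one address/port, fixed interval is
            # consistent with the client-retry explanation given in the reply.
            "single_target": len(targets_per_src[src]) == 1,
        })
    return report

if __name__ == "__main__":
    for row in summarize(make_sample()):
        print(row)
```

A source that shows many destinations or ports in the same window would set `single_target` to false and deserves a closer look than a fixed-interval retry against one address.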