Re: TCP port 6346

From: Harri Nyman (harriat_private)
Date: Tue Jul 31 2001 - 10:29:24 PDT

Next message: Thompson, John J: "Possible trojaned wlogon.exe?"

Previous message: denis: "Re: Port 119 Scans"
In reply to: Dean Cunningham: "TCP port 6346"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Gnutella file sharing client - as the iana numbers show. That break
simply shows that someone went to sleep and then reactivated their
client, I bet it's misconfigured bearshare for win98 platform.

Harri Nyman
Midian Communications

Dean Cunningham wrote:
> 
> Any suggestions as to reason for this port to be used?
> 24.6.190.57 (cx659386-a.chspk1.va.home.com) has been knocking on my door for
> the last two days.
> About every 2 minutes, 01:00 GMT 11:00 GMT , a break of 14 hours and then
> they have started up again.
> This indicates (at least to me) they are not benign.
> 202.36.122.31 is a broadcast ip address for a portion of a subnetted IP, so
> no actual machine exists on our network.
> No NAT.
> Our proxy server sits on the same subnet?
> 
> Summary:
> Source:         24.6.190.57
> Destination:    202.36.122.31
> Time NZST:      31 Jul 2001 12:41 to 12:58 (+1200)
> Time GMT:       31 Jul 2001 00:41 to 00:58
> Protocols:      TCP port 6346
> 
> Iana (http://www.iana.org/assignments/port-numbers) shows
> 
> gnutella-svc    6346/tcp   gnutella-svc
> gnutella-svc    6346/udp   gnutella-svc
> gnutella-rtr    6347/tcp   gnutella-rtr
> gnutella-rtr    6347/udp   gnutella-rtr
> 
> Is it possible for a user at my site to be trying to run gnutella (we allow
> high ports out) and I am just getting a reflection?
> 
> your thoughts?
> 
> regards
> Dean
> ***************************************************
> This e-mail is  not an  official  statement of  the
> Waikato  Regional  Council unless otherwise stated.
> Visit our website http://www.ew.govt.nz
> ***************************************************
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Thompson, John J: "Possible trojaned wlogon.exe?"
Previous message: denis: "Re: Port 119 Scans"
In reply to: Dean Cunningham: "TCP port 6346"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 11:21:04 PDT