Strange connections to ports 1214, 6346 and 28800

From: Jeroen Peters (rumpat_private)
Date: Fri Nov 02 2001 - 02:10:16 PST


    Hello,
    
    Does anyone know what this could be:
    
    Yesterday, my Internet connection went down. I have a cable modem
    connection with an Amsterdam (the Netherlands) provider.
    When I did an Ipconfig on the machine connected to the cable modem it
    returned 0.0.0.0 for the external NIC. A renew didn't work. (The
    external adapter receives its address by DHCP, which normally stays the
    same with every renew.)
    Nothing strange so far.
    However, when I opened Winroute (which operates as a NAT/Firewall for my
    internal network) and took a look at the security log window, it was
    going like a madman!
    What I saw were lots and lots of connections to OTHER machines from
    other machines to TCP port 1214, TCP port 6346 and UDP port 28800. Port
    1214 was dominant in numbers. Was I running in promiscuous mode? When I
    asked a friend who's on a different subnet with the same provider to
    ping one of the targeted machines, his ping showed up in my log!!!!!
    At this point, Ipconfig still showed 0.0.0.0 for my external adapter.
    After 4 hours the connections ceased, and I was able to renew my
    external adapter. Strangely, it received a different IP address than
    normal (in the same subnet).
    
    A closer look at my log showed the following:
    
    - 3024 unique IP addresses had connections (attempts?) to 4 unique IP
    addresses to TCP port 1214,
    - 6 unique IP addresses had connections to UDP port 28800 to 1 unique IP
    address, 
    - 47 unique IP addresses had connections to TCP port 6346 to 1 unique IP
    address.
    - All targeted machines were in my subnet, the source IP addresses came
    from all over the world, dial ups, dot coms, dot edu, dot net etc.
    - None of the above mentioned hosts targeted my machine directly.
    
    Right now, a trace route to the machines targeted yesterday returns
    nothing. (normally it would at least show the 10.19.*.* from my cable
    modem and upstream routers).
    
    I would love some comments on this,
    
    Regards,
    
    Jeroen Peters
    
    Amsterdam
    the Netherlands
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
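As an added analyst's example (not from the post or the list), the script below reduces firewall log lines to the kind of tally given above: unique sources and unique targets per protocol and destination port, plus how many lines were addressed to the local host, which separates a flood of peer connections to neighbouring addresses from traffic aimed at your own machine. For context, TCP 1214, TCP 6346 and UDP 28800 are the well-known default ports of the KaZaA/FastTrack, Gnutella and MSN Gaming Zone peer services. The `proto src:port -> dst:port` line layout and every address are constructed for the example and are not WinRoute's real log format.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed generic layout, not the real WinRoute
# security log). Sources use documentation ranges; 203.0.113.0/24 plays the
# role of the poster's own cable subnet and .99 is "my" external address.
SAMPLE_LOG = """\
TCP 192.0.2.10:3412 -> 203.0.113.15:1214
TCP 192.0.2.11:1047 -> 203.0.113.15:1214
TCP 198.51.100.7:2201 -> 203.0.113.16:1214
TCP 192.0.2.10:3413 -> 203.0.113.15:1214
UDP 198.51.100.20:28800 -> 203.0.113.20:28800
TCP 192.0.2.33:5102 -> 203.0.113.21:6346
TCP 192.0.2.33:5103 -> 203.0.113.99:6346
this line is not a connection record and is skipped
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def summarize(log_text, my_ip):
    """Return ({(proto, dst_port): (unique_sources, unique_targets)}, lines_to_me).

    unique_sources answers "how many distinct hosts tried this port", and
    unique_targets answers "how many of my neighbours did they try", which is
    exactly the breakdown a sniffed-segment flood shows; lines_to_me tells you
    whether any of it was actually aimed at your own address.
    """
    sources = defaultdict(set)
    targets = defaultdict(set)
    lines_to_me = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # unparseable lines are ignored rather than miscounted
            continue
        proto, src, _sport, dst, dport = m.groups()
        key = (proto, int(dport))
        sources[key].add(src)
        targets[key].add(dst)
        if dst == my_ip:
            lines_to_me += 1
    summary = {k: (len(sources[k]), len(targets[k])) for k in sources}
    return summary, lines_to_me


if __name__ == "__main__":
    summary, to_me = summarize(SAMPLE_LOG, "203.0.113.99")
    for (proto, port), (n_src, n_dst) in sorted(summary.items()):
        print(f"{n_src} unique sources -> {n_dst} unique targets on {proto} {port}")
    print(f"lines addressed to my own host: {to_me}")
```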
    



    This archive was generated by hypermail 2b30 : Fri Nov 02 2001 - 08:34:00 PST