If you are using a dynamic IP then the obvious answer is the correct one. Most likely the person on that IP before you was sitting on the Gnutella network for some time. I know of no specific malware that uses this port (I don't know everything though!!!!). I would be unconcerned.

It does not mean the network is broken there in Italy, it just means that the client on that end is attempting to resume a download they were transferring before from that client (instead of searching again to find different sources).

- Christopher Wagner
chriswat_private

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116

-----Original Message-----
From: Jos Kirps|EducDesign [mailto:jos.kirpsat_private]
Sent: Wednesday, January 29, 2003 3:22 PM
To: incidentsat_private
Subject: Firewall logging port 6346

My firewall has logged 131.114.2.90 trying to connect to my port 6346; this has been happening for quite some time now, about once a minute.

I know that this is the standard port for Gnutella (it also says gnutella-svc), but I would like to know if this is just a server trying to connect to the wrong machine (I'm using a modem to connect to the internet, dynamic IP, maybe someone was communicating with 131.114.2.90 before I connected using this IP?), or could this be some malware?

I traced the 131.114.2.90 machine back to ser-fib.unipi.it (131.114.191.50), but traceroute couldn't get any further. Could this mean that the network is slow / broken down there in Italy (I suppose it's Italy)?

Best regards,

Jos Kirps

-----------------------------------------------------
EducDesign S.A.
Where Learning and Technology meet
20, rue de l'Ecole, L-3233 Bettembourg
Luxembourg (Europe)
tel. +352 51 66 52
fax. +352 52 26 76
-----------------------------------------------------
http://www.educdesign.lu
infoat_private
-----------------------------------------------------
IT-Services
Intranet-Internet Solutions & Multimedia
Innovation Managment & Project Development
Consulting, Training & Coaching in IT and Education
-----------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 09:56:39 PST