Re: Logging of connects to port 6346

From: Nicolas Couture (ncat_private)
Date: Tue Apr 15 2003 - 10:16:38 PDT

Next message: Thomas Vincent: "Port 6666 Scans"

Previous message: Molony, Duncan: "port 5168"
In reply to: kbergenat_private: "Logging of connects to port 6346"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2003-04-14 at 18:58, kbergenat_private wrote:
> To all,

...

> I have tried writing to the ISP of some of more numerous attempts. Most say
> that if you are talking about port 6346, then it is due to a dynamic IP
> address change, and there is nothing they will do. This is because they are
> assuming that you have recently taken over the IP address of a machine
> running a Gnutella service such as Limewire.

They're right.
 
> I do not believe their answer, because I have been using an "always on"
> connection. I have had the same IP address since 04/04/03 at 14:29.
> Therefore, I counter that the connecting machines would not be connecting to
> me for the reasons that the ISP believes.

ISPs doesn't belives. An other fact would be that the exowner of the IP
address you're using was using the Gnutella network to share big files
and a descent amount of people had their download incomplete for what
ever reason. Now if they try to resume their download(s), your
"firewall/router" will detect the connection attempts and you will
receive this information for an undefined amount of time. 
 
> I believe that the connection attempts must be stemming from another source.
> The conspiratorial side of me thinks "What better way to attack people then
> to attack a port that ISP's will ignore complaints on".
> 
> Has anybody else seen similar problems? Can anybody help me with information
> on why these connection attempts are so numerous?



----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------

Next message: Thomas Vincent: "Port 6666 Scans"
Previous message: Molony, Duncan: "port 5168"
In reply to: kbergenat_private: "Logging of connects to port 6346"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 14:26:43 PDT