Re: port 17027

[Robert Graham <robert_david_graham () yahoo com>]

This is quite common. Shareware authors can bind an advertising component to
their programs that connects to these servers. It will pull down advertising
and display it on the user's machine. This means that users behind your
firewall are download this software.

More is at:
http://www.robertgraham.com/pubs/firewall-seen.html#port17027

--- Ken Fox <kenfox () starlinx com> wrote:
> Has anyone seen heavy activity on port 17027 from boxes inside a firewall --
> specifically, a number of users systems keep trying to send tcp packets to ip
> addresses in the 216.33.0.0 through 216.35.0.0 range with a desitination port
> of 17027.
>
> That address range is owned by exodus.net , and further the individuals IP
> addresses are owned by
>
> %rwhois V-1.5:003fff:00 rwhois.exodus.net (by Network Solutions, Inc.
> V-1.5.3)
>     network:Auth-Area:216.33.0.0/16
>     network:Class-Name:network
>     network:Network-Name:216.33.208.0
>     network:IP-Network:216.33.208.0/20
>     network:Organization;I:DIALTONE INTERNET
>     network:Address-1;I:18331 Pines Blvd
>     network:Address-2;I:Pembroke Pines, FL 33029
>     network:Admin-Contact;I:DNS () DIALTONEINTERNET NET
>     network:Tech-Contact;I:DNS () DIALTONEINTERNET NET
>     network:Created:99-MAY-20
>     network:Updated-By:dave
>
> This company provides Datacenter capabilities. Co-location ...  
>
>
> We have been hypothesizing that this could be some ICQ type app or some
> malicious bug that someone(s) has/have caught by surfing in the wrong places.
>
> In the cases where we have contacted the owners of the systems sending these
> packets, they have been clearly clueless about the traffic emanating from
> thier computers.
>
> HAs anyone else seen this? 
>
> Thanks, Ken

=====
Robert Graham  http://www.robertgraham.com/pubs

__________________________________________________
Do You Yahoo!?
Send online invitations with Yahoo! Invites.
http://invites.yahoo.com