Firewall Wizards mailing list archives

Re: port 17027


From: Bill_Royds () pch gc ca
Date: Wed, 12 Apr 2000 08:09:08 -0400

You have people who have installed "adware" with ads from Conducent, shareware
programs that go and get advertising to show on the desktop from these sites. If
you check HTTP traffic to those same IPs you will find a lot more, but if you
block the HTTP, the programs will try to blow away your network with about 10-15
connect attempts a second. Best to have a company policy not to install shareware
without permission.
Look in the client's registry for entries for Conducent, Timesink or Aureate.




"Ken Fox" <kenfox () starlinx com> on

Please respond to "Ken Fox" <kenfox () starlinx com>

 To:      firewall-wizards () nfr net
 cc:      kenfox () starlinx com (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: [fw-wiz] port 17027

Has anyone seen heavy activity on port 17027 from boxes inside a firewall --
specifically, a number of users' systems keep trying to send TCP packets to IP
addresses in the 216.33.0.0 through 216.35.0.0 range with a destination port of
17027.

That address range is owned by exodus.net, and further the individual IP
addresses are owned by

%rwhois V-1.5:003fff:00 rwhois.exodus.net (by Network Solutions, Inc. V-1.5.3)
    network:Auth-Area:216.33.0.0/16
    network:Class-Name:network
    network:Network-Name:216.33.208.0
    network:IP-Network:216.33.208.0/20
    network:Organization;I:DIALTONE INTERNET
    network:Address-1;I:18331 Pines Blvd
    network:Address-2;I:Pembroke Pines, FL 33029
    network:Admin-Contact;I:DNS () DIALTONEINTERNET NET
    network:Tech-Contact;I:DNS () DIALTONEINTERNET NET
    network:Created:99-MAY-20
    network:Updated-By:dave

This company provides Datacenter capabilities. Co-location ...


We have been hypothesizing that this could be some ICQ-type app or some
malicious bug that someone(s) has/have caught by surfing in the wrong places.

In the cases where we have contacted the owners of the systems sending these
packets, they have been clearly clueless about the traffic emanating from their
computers.

Has anyone else seen this?

Thanks, Ken
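The thread gives a concrete indicator (inside hosts hitting TCP 17027 in the 216.33.0.0 through 216.35.0.0 range, and a burst of 10-15 connect attempts a second once the traffic is blocked). The following is an added example, not code from either poster, that runs that check over firewall log lines; the log format and the sample lines are constructed here, the address range is read as the three /16s 216.33, 216.34 and 216.35, and the 10-per-second storm threshold is an assumption taken from Bill's figure.

```python
"""Flag inside hosts beaconing to the 216.33-216.35 range on TCP 17027.

Added example for the fw-wiz thread; log format and sample lines are
constructed, not taken from any real firewall.
"""
import ipaddress
from collections import defaultdict

# Range and port as reported in the thread; reading the range as three /16s
# is an assumption.
ADWARE_NETS = [ipaddress.ip_network("216.33.0.0/16"),
               ipaddress.ip_network("216.34.0.0/16"),
               ipaddress.ip_network("216.35.0.0/16")]
ADWARE_PORT = 17027
# Bill's "10-15 connect attempts a second" once HTTP is blocked; assumed threshold.
RATE_THRESHOLD = 10


def in_adware_range(ip):
    """True if the address falls inside one of the reported networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADWARE_NETS)


def parse_line(line):
    """Constructed format: '<epoch> <ACTION> tcp <src>:<sport> -> <dst>:<dport>'."""
    ts, action, _proto, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return int(ts), action, src_ip, dst_ip, int(dport)


def find_beacons(lines):
    """Return, per inside source, how often it hit port 17027 in the range,
    how many of those were denied, the peak attempts in any one second, and
    whether that peak looks like the retry storm the thread describes."""
    per_src_sec = defaultdict(lambda: defaultdict(int))
    result = {}
    for line in lines:
        ts, action, src, dst, dport = parse_line(line)
        if dport != ADWARE_PORT or not in_adware_range(dst):
            continue
        per_src_sec[src][ts] += 1
        entry = result.setdefault(src, {"count": 0, "blocked": 0, "dst": set()})
        entry["count"] += 1
        entry["dst"].add(dst)
        if action == "DENY":
            entry["blocked"] += 1
    for src, secs in per_src_sec.items():
        peak = max(secs.values())
        result[src]["peak_per_sec"] = peak
        result[src]["retry_storm"] = peak >= RATE_THRESHOLD
    return result


# Constructed sample: one host hammering 12 times in the same second after a
# block, one host with a single allowed attempt, and one unrelated HTTP flow.
SAMPLE_LOG = (
    ["955111111 DENY tcp 10.1.2.3:%d -> 216.33.210.5:17027" % (1040 + i)
     for i in range(12)]
    + ["955111130 ALLOW tcp 10.1.2.9:2210 -> 216.35.7.7:17027",
       "955111131 ALLOW tcp 10.1.2.50:3001 -> 64.4.4.4:80"]
)

if __name__ == "__main__":
    for src, info in find_beacons(SAMPLE_LOG).items():
        print(src, info["count"], "attempts,", info["blocked"], "denied,",
              "peak/s", info["peak_per_sec"], "storm" if info["retry_storm"] else "")
```

Feeding real log lines means only replacing parse_line; the classification stays the same. A host that shows up here is then the candidate for the registry check Bill describes (Conducent, Timesink, Aureate entries on the client).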




