Security Incidents mailing list archives

Port 7070?


From: mparkin () PBI NET (PARKIN, MICHAEL (PBI))
Date: Thu, 22 Jun 2000 12:26:54 -0500


Morning, folks,

Recently I've seen a series of connection attempts to one of my boxen.  I
run a household LAN connected via cablemodem, and all but one of the
machines runs Linux in a relatively secure mode.  I have ipchains pipe
suspicious output to syslog and I monitor it frequently.  While I'm used to
seeing the subnet get scanned for 27374 (Sub7) and 12345 (NetBus) and the
ubiquitous 137 (NetBIOS) these connections to 7070 are recent.

I've considered the possibility that someone's just running a mis-configured
IRC client (there is an IRC server on this particular box, listening on the
usual ports, and 8500 for server connections) but I've seen these
connections from several different locations, and they all started within
the last week or so.  I've included one sample below.

Is anyone aware of a trojan living on this port?

The box hasn't been compromised, and I strongly suspect the connections are
coming from Windows boxes, but haven't counterscanned to find out.  Notably,
none of the connections correspond to a legitimate user on the IRC network
this box is connected to.

Thanks,
Mike

messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN (#19)

messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN (#19)

messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN (#19)

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108
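
An added example, not part of the original post: a Python parser for the ipchains "Packet log" entries quoted above that groups SYNs per connection attempt and reports the retry gaps and an estimated hop count. The function names `parse` and `summarize`, the `year` parameter, and the 64/128/255 initial-TTL heuristic are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three log entries from the post, each joined onto one line.
SAMPLE = """\
messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN (#19)
"""

# Field order as it appears in the quoted entries: chain, action, interface, then packet fields.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? "
    r"\(#(?P<rule>\d+)\)"
)

def parse(text, year=2000):
    """Return one dict per ipchains 'Packet log' entry found in text."""
    entries = []
    for m in LINE_RE.finditer(text):
        e = m.groupdict()
        # syslog timestamps carry no year, so the caller supplies it
        e["time"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
        e["syn"] = e["syn"] is not None
        for k in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
            e[k] = int(e[k])
        entries.append(e)
    return entries

def summarize(entries):
    """Group SYNs by (src, sport, dst, dport); one tuple is one connect() being retried."""
    flows = defaultdict(list)
    for e in entries:
        if e["syn"]:
            flows[(e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    report = {}
    for key, pkts in flows.items():
        times = [p["time"] for p in pkts]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        ttl = pkts[0]["ttl"]
        # Heuristic (assumption): senders commonly start at TTL 64, 128 or 255
        initial = next(t for t in (64, 128, 255) if ttl <= t)
        report[key] = {"syns": len(pkts), "gaps": gaps, "initial_ttl": initial, "hops": initial - ttl}
    return report
```

A single source port with gaps that double is one client retrying an unanswered connection rather than three separate probes; the initial-TTL figure is only a hint about the sender's stack.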

