Security Incidents mailing list archives
Re: Port 6112
From: stuart () SILICONDEFENSE COM (Stuart Staniford-Chen)
Date: Mon, 20 Mar 2000 16:35:52 +0000
Robert Graham wrote:
The game Diablo running on BattleNet servers will use this port. http://www.battle.net/support/faq/mac.shtml Are you seeing such things as "scans" or just a bunch of connection attempts? Remember that if you dial up the Internet, you will likely get "scanned" the moment you log on. What is really happening is that you have inherited the IP address of somebody else who was playing a game or chatting. Some products are very aggressive at trying to reestablish the connection, so you may be getting TCP connection requests or UDP packets even 20 minutes later.
Here's a piece of the scan detect for your reading pleasure. xxx.xxx.xxx.xxx is the same IP throughout. This from a source IP where game playing is both likely and permitted.

Stuart.

--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart () silicondefense com
(707) 822-4588 (707) 826-7571 (FAX)
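A triage sketch for the question raised in this thread (a scan, or one application contacting many peers?), added here as an example that is not part of the original posts: it parses entries in the scan-detect layout `date time src:port -> dst:port SYN|UDP` and computes per-source features. The sample entries, their addresses and the labels returned by `triage` are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the "date time src:port -> dst:port PROTO" layout;
# addresses are from documentation ranges, not from the original post.
SAMPLE = (
    "Mar 17 19:56:39 192.0.2.10:1025 -> 198.51.100.7:6112 SYN **S***** "
    "Mar 17 19:56:39 192.0.2.10:1026 -> 198.51.100.8:6112 SYN **S***** "
    "Mar 17 19:57:48 192.0.2.10:6112 -> 203.0.113.5:6112 UDP "
    "Mar 17 19:57:48 192.0.2.10:6112 -> 203.0.113.6:6112 UDP "
    "Mar 17 19:58:59 192.0.2.10:6112 -> 203.0.113.6:6112 UDP "
    "Mar 17 20:01:00 192.0.2.77:40001 -> 203.0.113.1:21 SYN **S***** "
    "Mar 17 20:01:00 192.0.2.77:40002 -> 203.0.113.1:23 SYN **S***** "
    "Mar 17 20:01:01 192.0.2.77:40003 -> 203.0.113.2:25 SYN **S***** "
    "Mar 17 20:01:01 192.0.2.77:40004 -> 203.0.113.3:80 SYN **S***** "
)

ENTRY = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (SYN|UDP)")

def parse(text):
    """Return (src, sport, dst, dport, proto) tuples; finditer also handles
    entries that an archive has run together on one line."""
    return [(m[2], int(m[3]), m[4], int(m[5]), m[6]) for m in ENTRY.finditer(text)]

def summarize(text):
    """Per-source features: fan-out, port spread, fixed-port UDP, repeat contacts."""
    hits = defaultdict(Counter)   # src -> how often each destination host was hit
    ports = defaultdict(set)      # src -> destination ports seen
    fixed = Counter()             # src -> UDP events with source port == dest port
    for src, sport, dst, dport, proto in parse(text):
        hits[src][dst] += 1
        ports[src].add(dport)
        if proto == "UDP" and sport == dport:
            fixed[src] += 1
    return {
        s: {"hosts": len(hits[s]), "ports": sorted(ports[s]),
            "fixed_port_udp": fixed[s],
            "repeat_hosts": sum(1 for n in hits[s].values() if n > 1)}
        for s in hits
    }

def triage(f):
    """Heuristic label (an assumption of this example, not a rule from the thread)."""
    if len(f["ports"]) > 1:
        return "multi-port probing"
    if f["fixed_port_udp"] or f["repeat_hosts"]:
        return "single-service fan-out, application-like"
    return "single-port host sweep"
```

The labels are a starting point for review, not a verdict: a source that is permitted to run the application still needs the destination set checked against what that application is expected to contact.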