Security Incidents mailing list archives
Re: Port 6688 Traffic
From: Vern Paxson <vern () EE LBL GOV>
Date: Mon, 25 Sep 2000 13:47:28 PDT
I am seeing "suspicious" traffic on port 6688. I have not found references to this port in the usual resources (/etc/services,
My guess is that this is Gnutella
It's actually Napster, per the previous poster.
Try to type a http request for a file and see what happens. Gnutella works with a http-like protocol for downloading the files (don't know if it's completely http).
It's not completely HTTP - there's some initial handshaking, for one. For more on detecting Napster & Gnutella (and other protocols), see the paper:
Detecting Backdoors
Yin Zhang (Cornell) & Vern Paxson (ACIRI)
Proc. USENIX Security Symposium, August 2000
http://www.aciri.org/vern/papers/backdoor-sec00.ps.gz
http://www.aciri.org/vern/papers/backdoor/index.html
- Vern