Firewall Wizards mailing list archives

Re: port 17027

From: "Frank L. Heidt" <heidtf () psns navy mil>
Date: Wed, 12 Apr 2000 11:57:42 -0700

Ken et. al.

What you have going on here is *likely* to be a new-ish version of pkzip (or some such freeware) calling' home to mama 
to get a popup banner to display  during the execution of the app.  This is pretty much a method of realizing some 
revenue on
"free" software.    I assume the boxes generating the traffic are running NT.  Check out this link :  
http://www.pkware.com/sponsors.html for a more complete explanation.  As one would expect, Robert Graham has a link 
describing this behavior on
his fire wall FAQ ;-)  http://www.robertgraham.com/pubs/firewall-seen.html


Ken Fox wrote:

Has anyone seen heavy activity on port 17027 from boxes inside a firewall -- specifically, a number of users systems 
keep trying to send tcp packets to ip addresses in the 216.33.0.0 through 216.35.0.0 range with a desitination port 
of 17027.

That address range is owned by exodus.net , and further the individuals IP addresses are owned by
In the cases where we have contacted the owners of the systems sending these packets, they have been clearly clueless 
about the traffic emanating from thier computers.

HAs anyone else seen this?

Thanks, Ken


--
Frank L. Heidt  (Heidtf () psns navy mil) Office: (360) 476-3735
Alpha Geek (Puget Sound Naval Shipyard Project)
SRA Inc. Western Ops.

Current thread:

port 17027 Ken Fox (Apr 10)
- Re: port 17027 S. Jonah Pressman (Apr 13)
- Re: port 17027 Frank L. Heidt (Apr 18)
- <Possible follow-ups>
- Re: port 17027 Robert Graham (Apr 13)
- Re: port 17027 Bill_Royds (Apr 18)
  - Re: port 17027 Paul D. Robertson (Apr 20)
- Re: port 17027 ark (Apr 18)
- RE: port 17027 Ray, Garrett - Mclean (Apr 20)
- Re: port 17027 Bill_Royds (Apr 24)