Security Incidents mailing list archives
Re: Port 7070?
From: Bill_Royds () PCH GC CA (Bill Royds)
Date: Thu, 22 Jun 2000 22:41:39 -0400
7070/udp is used by the RealAudio transport mechanism. Are you running RealAudio by chance?

"PARKIN, MICHAEL (PBI)" <mparkin () PBI NET> on 06/22/2000 13:26:54
Please respond to "PARKIN, MICHAEL (PBI)" <mparkin () PBI NET>
To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Port 7070?

Morning, folks,

Recently I've seen a series of connection attempts to one of my boxen. I run a household LAN connected via cablemodem, and all but one of the machines runs Linux in a relatively secure mode. I have ipchains pipe suspicious output to syslog and I monitor it frequently. While I'm used to seeing the subnet get scanned for 27374 (Sub7) and 12345 (NetBus) and the ubiquitous 137 (NetBIOS), these connections to 7070 are recent.

I've considered the possibility that someone's just running a mis-configured IRC client (there is an IRC server on this particular box, listening on the usual ports, and 8500 for server connections) but I've seen these connections from several different locations, and they all started within the last week or so. I've included one sample below.

Is anyone aware of a trojan living on this port? The box hasn't been compromised, and I strongly suspect the connections are coming from Windows boxes, but haven't counterscanned to find out. Notably, none of the connections correspond to a legitimate user on the IRC network this box is connected to.

Thanks,
Mike

messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN (#19)

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108