Security Incidents mailing list archives

Re: TCP port 6346


From: Harri Nyman <harri () midian net>
Date: Tue, 31 Jul 2001 20:29:24 +0300

Gnutella file sharing client - as the IANA numbers show. That break
simply shows that someone went to sleep and then reactivated their
client. I bet it's a misconfigured BearShare for the Win98 platform.

Harri Nyman
Midian Communications

Dean Cunningham wrote:

Any suggestions as to reason for this port to be used?
24.6.190.57 (cx659386-a.chspk1.va.home.com) has been knocking on my door for
the last two days.
About every 2 minutes, 01:00 GMT 11:00 GMT, a break of 14 hours and then
they have started up again.
This indicates (at least to me) they are not benign.
202.36.122.31 is a broadcast IP address for a portion of a subnetted IP, so
no actual machine exists on our network.
No NAT.
Our proxy server sits on the same subnet?

Summary:
Source:         24.6.190.57
Destination:    202.36.122.31
Time NZST:      31 Jul 2001 12:41 to 12:58 (+1200)
Time GMT:       31 Jul 2001 00:41 to 00:58
Protocols:      TCP port 6346

IANA (http://www.iana.org/assignments/port-numbers) shows

gnutella-svc    6346/tcp   gnutella-svc
gnutella-svc    6346/udp   gnutella-svc
gnutella-rtr    6347/tcp   gnutella-rtr
gnutella-rtr    6347/udp   gnutella-rtr

Is it possible for a user at my site to be trying to run gnutella (we allow
high ports out) and I am just getting a reflection?

Your thoughts?

Regards
Dean
***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
