Security Incidents mailing list archives

Re: Port probe on 6666


From: Bill Pennington <billp () ROCKETCASH COM>
Date: Thu, 27 Jul 2000 14:44:55 -0700

It is my understanding that WebTV clients use standard ISPs for dial-up.
I might be wrong since I have never touched one in my life. This would
explain why you might have gotten an IP that was once used by a WebTV
client.

Their explanation seems very reasonable and I would think of no reason to
doubt them (besides the fact that it is M$ :-) )

According to the e-mail you received, port 6666 is used for WebTV notify
service, whatever that is.

"Vachon, Scott" wrote:

I hope this is the right forum for posting this. I had an attempt to connect
to one of my systems last night and I am interested in opinions/insight from
the incidents group.

Information captured:

An attempt was made to connect to port 6666 from the below listed IP
address:

notify-108.iap.bryant.webtv.net  209.240.199.146 on port 6666 UDP port
36063.

I contacted the security folks at WebTV (Microsoft) and received the
following response:

There is a common misunderstanding concerning UDP Port 6666 probes.

When WebTV Clients obtain an IP Address they are registered with that
IP-Address in our system and stay registered until a timeout threshold is
reached or are re-registered with a different IP-Address (whichever comes
first.) If another system (Non-WebTV) obtains this same IP-Address
previously used by a WebTV Client it may receive packets from our notify
service attempting to tell the WebTV client it has mail.

***
Security Analyst
Microsoft

Questions:

1) What is port 6666 (UDP port 36063) used for, if anything?
2) Since the affected host (non WebTV) is not on the WebTV network, why
would WebTV assume my host had been assigned an IP used formerly by one of
their hosts?
3) Has anyone else had this same experience from a WebTV host or service?

Thanks in advance.

Scott Vachon
Network Implementations Engineer
Computer Network Services
Paymentech, Inc.

--


Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
