Security Incidents mailing list archives

RE: Logging of connects to port 6346


From: LordInfidel <LordInfidel () vdat com>
Date: Tue, 15 Apr 2003 17:30:38 -0400

They (your ISP) are probably right.

If your IP changed on 4/3 and on 4/4 you started seeing increased connection
attempts to tcp 6346, then the last owner of your IP probably had gnutella
running, broadcasting that IP.

You are just probably seeing the residual effects.  It looks like the
attempts occur 1 every 45 minutes from the same host, which is not
indicative of a widespread DoS attack.  The connection attempts would be
fast and furious.

From BearShare:
Q: What is a host cache?
A: A host cache is a program which hands out IP addresses to gnutella
clients. When a gnutella client is started it needs to find some other
gnutella clients in order to connect to the network. The host cache provides
those IP's. The hostcache is usually the first place you connect to when
launching BearShare. Once you have received some addresses from the host
cache then you attempt to connect to those addresses. The only reason to
communicate with the host cache after that would be if all the IP addresses
you had were not working and you needed some more IP addresses to try.

You really have 2 options.

1- If that port is not opened on your machine and is being dropped, then you
   can create a rule on your firewall to reject attempts to that port,
   instead of silently discarding them (drop).  Maybe the master list will
   get the hint and remove your address.  Keep your IP address for now and
   treat the attempts as frivolous port scans.  They are not getting in
   anyways.

2- If it really bothers you this much, disconnect from the net and then
   reconnect, which should result in a new IP.

Unless you start seeing massive connection attempts at the rate of several
hundred min/sec, I would not concern myself too much with it.  These are
some of the headaches that you have to deal with when your IP changes often.

Think of it as receiving mail (physical) to the person that used to live in
your house.

JMO

LordInfidel
____________
Long live the BOFH!

-----Original Message-----
From: kbergen () bellsouth net [mailto:kbergen () bellsouth net]
Sent: Monday, April 14, 2003 6:58 PM
To: incidents () securityfocus com
Subject: Logging of connects to port 6346


To all,

I have read all of the back information that I could find, and still do not
have my question answered. While I realize this is an old question, the
number of attempted connects that I get seems to be exorbitant.

I have logged 7520 attempted connects to my dynamic IP address between the
period of 04/03/03 at 09:03 and 04/10/03 at 16:15 ... or approximately 7 1/2
days. The logging is off of my Linksys router using the Kiwi syslogd
program.

I have tried writing to the ISPs of some of the more numerous attempts. Most
say that if you are talking about port 6346, then it is due to a dynamic IP
address change, and there is nothing they will do. This is because they are
assuming that you have recently taken over the IP address of a machine
running a Gnutella service such as Limewire.

I do not believe their answer, because I have been using an "always on"
connection. I have had the same IP address since 04/04/03 at 14:29.
Therefore, I counter that the connecting machines would not be connecting to
me for the reasons that the ISP believes.

I believe that the connection attempts must be stemming from another source.
The conspiratorial side of me thinks "What better way to attack people than
to attack a port that ISPs will ignore complaints on".

Has anybody else seen similar problems? Can anybody help me with information
on why these connection attempts are so numerous?

Regards,
Keith Bergen.

Here are some sample logs of the connects. Keep in mind that at this point
I've had the IP address since 04/03.

2003-04-09 22:03:13     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 2162 65.81.41.141 6346<010> commonModelId
2003-04-09 22:10:13     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 172.184.54.229 4133 65.81.41.141 6346<010> commonModelId
2003-04-09 22:14:34     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 213.93.197.49 52180 65.81.41.141 6346<010> commonModelId
2003-04-09 22:17:41     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 56471 65.81.41.141 6346<010> commonModelId
2003-04-09 22:21:54     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4375 65.81.41.141 6346<010> commonModelId
2003-04-09 22:26:58     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4698 65.81.41.141 6346<010> commonModelId
2003-04-09 22:38:20     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 58305 65.81.41.141 6346<010> commonModelId
2003-04-09 22:44:49     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 81.224.231.248 64548 65.81.41.141 6346<010> commonModelId
2003-04-09 22:54:42     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4652 65.81.41.141 6346<010> commonModelId
2003-04-09 22:58:55     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 60201 65.81.41.141 6346<010> commonModelId
2003-04-09 23:02:17     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 24.61.163.93 41634 65.81.41.141 6346<010> commonModelId
2003-04-09 23:10:21     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 3120 65.81.41.141 6346<010> commonModelId
2003-04-09 23:10:57     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 63.98.148.93 2984 65.81.41.141 6346<010> commonModelId
2003-04-09 23:13:16     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 199.222.161.102 59116 65.81.41.141 6346<010> commonModelId
2003-04-09 23:15:10     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 3234 65.81.41.141 6346<010> commonModelId
2003-04-09 23:19:30     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 33887 65.81.41.141 6346<010> commonModelId
2003-04-09 23:34:57     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 1347 65.81.41.141 6346<010> commonModelId
2003-04-09 23:54:13     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 1883 65.81.41.141 6346<010> commonModelId
2003-04-09 23:54:36     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4478 65.81.41.141 6346<010> commonModelId
2003-04-10 00:14:06     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4309 65.81.41.141 6346<010> commonModelId
2003-04-10 00:39:06     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4273 65.81.41.141 6346<010> commonModelId
2003-04-10 00:41:01     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 199.222.161.102 25513 65.81.41.141 6346<010> commonModelId
2003-04-10 01:00:03     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 81.224.231.248 64925 65.81.41.141 6346<010> commonModelId
2003-04-10 01:22:50     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 80.142.44.128 4713 65.81.41.141 6346<010> commonModelId
2003-04-10 01:23:50     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 2632 65.81.41.141 6346<010> commonModelId
2003-04-10 02:07:55     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4958 65.81.41.141 6346<010> commonModelId
2003-04-10 02:09:05     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 62.119.135.194 1118 65.81.41.141 6346<010> commonModelId
2003-04-10 02:21:43     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 212.239.186.34 1952 65.81.41.141 6346<010> commonModelId
2003-04-10 02:35:44     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 24.61.163.93 56279 65.81.41.141 6346<010> commonModelId
2003-04-10 02:52:12     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 3327 65.81.41.141 6346<010> commonModelId
2003-04-10 03:05:05     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 81.224.231.248 65420 65.81.41.141 6346<010> commonModelId
2003-04-10 03:25:44     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 80.136.105.197 3944 65.81.41.141 6346<010> commonModelId
2003-04-10 03:35:45     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 1826 65.81.41.141 6346<010> commonModelId
2003-04-10 03:38:41     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 38561 65.81.41.141 6346<010> commonModelId
2003-04-10 04:19:37     Local7.Error    192.168.1.1     1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4176 65.81.41.141 6346<010> commonModelId
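
Added example, not part of the original thread: the reply's distinction between residual Gnutella traffic and a flood comes down to the attempt rate per source, which can be measured from the router log. The Python below parses a subset of the entries posted above (rejoined onto single lines) and reports, per source, the attempt count and median gap, plus the peak combined rate per clock minute; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# A subset of entries copied from the log sample in the post, one per line.
SAMPLE = """\
2003-04-09 22:03:13 Local7.Error 192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 2162 65.81.41.141 6346<010> commonModelId
2003-04-09 22:17:41 Local7.Error 192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 56471 65.81.41.141 6346<010> commonModelId
2003-04-09 22:21:54 Local7.Error 192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4375 65.81.41.141 6346<010> commonModelId
2003-04-09 22:26:58 Local7.Error 192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4698 65.81.41.141 6346<010> commonModelId
2003-04-09 22:38:20 Local7.Error 192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 58305 65.81.41.141 6346<010> commonModelId
2003-04-09 22:44:49 Local7.Error 192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 81.224.231.248 64548 65.81.41.141 6346<010> commonModelId
2003-04-09 22:54:42 Local7.Error 192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4652 65.81.41.141 6346<010> commonModelId
2003-04-09 22:58:55 Local7.Error 192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 60201 65.81.41.141 6346<010> commonModelId
"""

# timestamp, facility, router, OID, "@in", src ip, src port, dst ip, dst port
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\S+\s+\S+\s+\S+\s+@in\s+"
                  r"([\d.]+)\s+\d+\s+[\d.]+\s+(\d+)")

def parse(text, port=6346):
    """Return {source_ip: [datetime, ...]} for inbound attempts to `port`."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and int(m.group(3)) == port:
            hits[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return hits

def summarize(hits):
    """Per source: (attempt count, median gap in minutes or None)."""
    out = {}
    for src, times in hits.items():
        times = sorted(times)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        out[src] = (len(times), round(median(gaps), 1) if gaps else None)
    return out

def peak_per_minute(hits):
    """Most attempts, all sources combined, seen in any single clock minute."""
    minutes = Counter(t.replace(second=0) for ts in hits.values() for t in ts)
    return max(minutes.values(), default=0)

if __name__ == "__main__":
    hits = parse(SAMPLE)
    for src, (n, gap) in sorted(summarize(hits).items(), key=lambda kv: -kv[1][0]):
        print(f"{src:16} attempts={n} median_gap_min={gap}")
    print("peak attempts in one minute:", peak_per_minute(hits))
```

Run over the full syslog file, a peak of a few attempts per minute with per-source gaps of many minutes matches client retry behaviour; a flood would show up as a large peak value.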


