Security Incidents mailing list archives

RE: Firewall logging port 6346

From: Christopher Wagner <chrisw () pacaids com>
Date: Wed, 29 Jan 2003 16:02:03 -0800

If you are using a dynamic ip then the obvious answer is the correct one.
Most likely the person on that IP before you was sitting on the Gnutella
network for some time.  I know of no specific malware that uses this port (I
don't know everything though!!!!)  I would be unconcerned.  It does not mean
the network is broken there in Italy, it just means that the client on that
end is attempting to resume a download they were transferring before from
that client (instead of searching again to find different sources).

- Christopher Wagner
chrisw () pacaids com

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116
 

-----Original Message-----
From: Jos Kirps|EducDesign [mailto:jos.kirps () educdesign lu]
Sent: Wednesday, January 29, 2003 3:22 PM
To: incidents () securityfocus com
Subject: Firewall logging port 6346


My firewall has logged 131.114.2.90 trying to connect to
my port 6346, this has been happening for quite some time
now, about once a minute.

I know that this is the standard port for Gnutella (it also
says gnutella-svc), but I would like to know if this is just
a server trying to connect to the wrong machine (I'm using
a modem to connect to the internet, dynamic IP, maybe
someone was communicating with 131.114.2.90 before
I connected using this IP?), or could this be some malware?

I traced the 131.114.2.90 machine back to ser-fib.unipi.it
(131.114.191.50), but traceroute couldn't get any further.
Could this mean that the network is slow / broken down
there in Italy (I suppose it's Italy).

Best regards,

Jos Kirps

-----------------------------------------------------
EducDesign S.A.
Where Learning and Technology meet

20, rue de l'Ecole, L-3233 Bettembourg
Luxembourg (Europe)
tel. +352 51 66 52
fax. +352 52 26 76
-----------------------------------------------------
http://www.educdesign.lu
info () educdesign lu
-----------------------------------------------------
IT-Services
Intranet-Internet Solutions & Multimedia
Innovation Managment & Project Development
Consulting, Training & Coaching in IT and Education
-----------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


SPAM: ---- Start SpamAssassin results
SPAM: 0 hits, 5 required;
SPAM: 
SPAM: ---- End of SpamAssassin results

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Firewall logging port 6346 Jos Kirps|EducDesign (Jan 29)
- Re: Firewall logging port 6346 Vestal, David (Jan 30)
- <Possible follow-ups>
- RE: Firewall logging port 6346 Christopher Wagner (Jan 30)