Hosting Provided By

RE: Firewall logging port 6346

From: Christopher Wagner <chrisw(at)pacaids.com>
Date: Wed Jan 29 2003 - 19:02:03 EST

If you are using a dynamic ip then the obvious answer is the correct one. Most likely the person on that IP before you was sitting on the Gnutella network for some time. I know of no specific malware that uses this port (I don't know everything though!!!!) I would be unconcerned. It does not mean the network is broken there in Italy, it just means that the client on that end is attempting to resume a download they were transferring before from that client (instead of searching again to find different sources).

Christopher Wagner chrisw@pacaids.com

Packaging Aids Corporation - Information Systems P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116

-----Original Message-----

From: Jos Kirps|EducDesign [mailto:jos.kirps@educdesign.lu] Sent: Wednesday, January 29, 2003 3:22 PM To: incidents@securityfocus.com
Subject: Firewall logging port 6346

My firewall has logged 131.114.2.90 trying to connect to my port 6346, this has been happening for quite some time now, about once a minute.

I know that this is the standard port for Gnutella (it also says gnutella-svc), but I would like to know if this is just a server trying to connect to the wrong machine (I'm using a modem to connect to the internet, dynamic IP, maybe someone was communicating with 131.114.2.90 before I connected using this IP?), or could this be some malware?

I traced the 131.114.2.90 machine back to ser-fib.unipi.it (131.114.191.50), but traceroute couldn't get any further. Could this mean that the network is slow / broken down there in Italy (I suppose it's Italy).

Best regards,

Jos Kirps

EducDesign S.A.
Where Learning and Technology meet

Do you need help?

20, rue de l'Ecole, L-3233 Bettembourg
Luxembourg (Europe)
tel. +352 51 66 52
fax. +352 52 26 76

http://www.educdesign.lu
info@educdesign.lu

IT-Services
Intranet-Internet Solutions & Multimedia Innovation Managment & Project Development Consulting, Training & Coaching in IT and Education

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

SPAM: ---- Start SpamAssassin results
SPAM: 0 hits, 5 required;
SPAM: 
SPAM: ---- End of SpamAssassin results


----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu Jan 30 13:02:22 2003

This message: [ Message body ]
Next message: Vestal, David: "Re: Firewall logging port 6346"
Previous message: Bruce McLeod: "RE: MSDE contained in..."
Maybe in reply to: Jos Kirps|EducDesign: "Firewall logging port 6346"
Reply: Vestal, David: "Re: Firewall logging port 6346"
Reply: David Hickman: "Re: Firewall logging port 6346"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT