Odd router log...

That Guy · 05-20-2002, 11:44 AM

So I logged into my router (which also houses a minimal firewall) to check out the logs of who's been scanning and who's been nice. I came across this line several times:
<font face="courier" size=-1>Saturday May 18, 18:14:03 GMT-0300 (CST) 2002 Unrecognized access from 192.168.2.34:9702 to UDP port 6970</font>
Anyone know why someone would push out an IP like that, and why they were trying to hit my wimpy little router, especially at that port?

russotto · 05-21-2002, 02:44 PM

The IP is an obvious forgery, as it's in the class C private range. I imagine there's some trojan or another operating on port 6970.

MaggieL · 05-21-2002, 04:23 PM

RealAudio and QuickTime 4 uses ports starting at 6970 to send incoming audio streams. But the GateCrasher trojan typically uses 6969 and 6970. See http://www.nsclean.com/psc-gc.html

Prolly somebody is trolling for open Gatecrasher servers.

That Guy · 05-22-2002, 10:12 AM

Quote:

Originally posted by MaggieL
Prolly somebody is trolling for open Gatecrasher servers.

...Must be one of those Windows "features" that I didn't install on Win2k server. Maybe the server toolkit will have it.

Thanks for the info.

jaguar · 05-29-2002, 01:48 AM

On average do you people get scanned much? The theory is becase .au is one fo the first domains names (alphabetical) we cop loads of scans, i seem to average around 20 or so netbios portscans alone, and about 30 others on various common ports as well as some ICMP stuff and the occasional full 0-1024 portscan. Ah, iptables and snort, all is good =)

05-20-2002, 11:44 AM	#1
That Guy He who reads, sometimes writes. Join Date: Sep 2001 Location: at the keyboard Posts: 791	Odd router log... So I logged into my router (which also houses a minimal firewall) to check out the logs of who's been scanning and who's been nice. I came across this line several times: <font face="courier" size=-1>Saturday May 18, 18:14:03 GMT-0300 (CST) 2002 Unrecognized access from 192.168.2.34:9702 to UDP port 6970</font> Anyone know why someone would push out an IP like that, and why they were trying to hit my wimpy little router, especially at that port?

05-21-2002, 02:44 PM	#2
russotto Professor Join Date: Jan 2001 Posts: 1,788	Re: Odd router log... The IP is an obvious forgery, as it's in the class C private range. I imagine there's some trojan or another operating on port 6970.

05-21-2002, 04:23 PM	#3
MaggieL in the Hour of Scampering Join Date: Jan 2001 Location: Jeffersonville PA (15 mi NW of Philadelphia) Posts: 4,060	RealAudio and QuickTime 4 uses ports starting at 6970 to send incoming audio streams. But the GateCrasher trojan typically uses 6969 and 6970. See http://www.nsclean.com/psc-gc.html Prolly somebody is trolling for open Gatecrasher servers. __________________ "Neither can his Mind be thought to be in Tune,whose words do jarre; nor his reason In frame, whose sentence is preposterous..."

05-29-2002, 01:48 AM	#5
jaguar whig Join Date: Apr 2001 Posts: 5,075	On average do you people get scanned much? The theory is becase .au is one fo the first domains names (alphabetical) we cop loads of scans, i seem to average around 20 or so netbios portscans alone, and about 30 others on various common ports as well as some ICMP stuff and the occasional full 0-1024 portscan. Ah, iptables and snort, all is good =) __________________ Good friends, good books and a sleepy conscience: this is the ideal life. - Twain

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)