[LINK] technical question: security alert

Kim Holburn kim at holburn.net
Thu Mar 5 23:22:52 AEDT 2009


On 2009/Mar/05, at 12:17 PM, andrew clarke wrote:

> On Wed 2009-03-04 18:05:31 UTC+0100, Kim Holburn (kim at holburn.net)  
> wrote:
>
>> wikipedia has a list of common port numbers :
>>
>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>
>> and says 6882 is bittorrent.
>
> Just to clarify this...
>
> In the same way as you can set up a http server to listen on another
> port than the standard port 80, BitTorrent can use any TCP port
> number, and during a torrent download it's quite common to see
> connections to ports well outside the range of ports listed on the
> Wikipedia page above.  IIRC, when installing uTorrent (one of the
> popular BitTorrent clients) the installer will choose a quasi-random
> port to listen on.
>
>> If your ISP dynamically allocates you an IP address and it changes
>> every so often then it could be someone trying to reach a bittorrent
>> client that was previously at your IP address.  Alternatively it could
>> be someone scanning for a bittorrent client that has an exploitable
>> vulnerability.
>
> Much more likely to be the former.  But ultimately it's just "noise"
> that can be ignored, assuming there is no software listening on that
> port.

Actually I was thinking about this and went back to Jan's original log:

Fwd: NETGEAR Security Log [6d:c7:35]
> Tue, 2009-03-03 06:53:47 - UDP Packet - Source:209.249.45.47,6882 Destination:121.44.211.10,38696 - [DOS]

The first thing that strikes me looking at that is that the source
port is 6882 and the destination port is what you might call "random"
which is very odd for an initialisation packet.  It looks more like a
reply packet or something trying to look like a reply packet.

Then out of interest I looked up the source IP:

$ whois 209.249.45.47
Abovenet Communications, Inc ABOVENET-4 (NET-209-249-0-0-1)
                                   209.249.0.0 - 209.249.255.255
MediaSentry ABOV-T694-209-249-45-0-24 (NET-209-249-45-0-1)
                                   209.249.45.0 - 209.249.45.255

Wow.  I've definitely heard of them.  They are the PI firm that works
for the RIAA.  So this is a scan or trace of some kind and not really
random noise at all.

Not that I agree entirely about the noise thing.  There's lots of
interesting stuff "out there".

-- 
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
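The port-direction reasoning above (a well-known source port talking to an ephemeral destination port looks like a reply or backscatter, while an ephemeral source talking to a service port looks like a normal initiation) is easy to turn into a check you can run over a router's security log. The following is an added example, not code from the thread or from NETGEAR; the regex is written only for the one log line shape quoted above, the ephemeral-port threshold of 32768 and the set of "service" ports are assumptions, and the second and third sample lines are constructed (the 198.51.100.0/24 range is the RFC 5737 documentation block).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption: one NETGEAR security-log record per line, shaped like the line
# quoted in the thread once the mail wrapping is undone.
LOG_RE = re.compile(
    r"^(?P<day>\w{3}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP|ICMP) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[(?P<tag>[^\]]+)\]$"
)

# Assumption: ports we treat as "service" ports. Anything below 1024 plus the
# BitTorrent range the thread discusses (6881-6889).
SERVICE_PORTS = set(range(6881, 6890))
# Assumption: Linux/BSD style ephemeral range starts at 32768.
EPHEMERAL_START = 32768


@dataclass
class Packet:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tag: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one log record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Packet(
        ts=m["ts"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        tag=m["tag"],
    )


def is_service_port(port: int) -> bool:
    return port < 1024 or port in SERVICE_PORTS


def is_ephemeral(port: int) -> bool:
    return port >= EPHEMERAL_START


def classify(pkt: Packet) -> str:
    """Label a packet by the direction its port pair implies.

    reply-like : service port -> ephemeral port; looks like a response (or
                 something shaped like one) rather than a connection attempt.
    probe-like : ephemeral port -> service port; an ordinary initiation, which
                 is what a genuine peer or scanner would send first.
    """
    if is_service_port(pkt.sport) and is_ephemeral(pkt.dport):
        return "reply-like"
    if is_ephemeral(pkt.sport) and is_service_port(pkt.dport):
        return "probe-like"
    return "unclassified"


def summarize(lines) -> dict:
    """Count verdicts per source IP so repeat senders stand out."""
    counts: Counter = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            counts[("unparsed", "-")] += 1
            continue
        counts[(pkt.src, classify(pkt))] += 1
    return {f"{src} {verdict}": n for (src, verdict), n in counts.items()}


# Sample input: the first line is the one quoted in the thread (joined onto one
# line); the other two are constructed for this example.
SAMPLE_LOG = [
    "Tue, 2009-03-03 06:53:47 - UDP Packet - Source:209.249.45.47,6882 "
    "Destination:121.44.211.10,38696 - [DOS]",
    "Tue, 2009-03-03 06:54:02 - TCP Packet - Source:198.51.100.7,51234 "
    "Destination:121.44.211.10,6882 - [DOS]",
    "garbage line that the router never wrote",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        pkt = parse_line(line)
        print(classify(pkt) if pkt else "unparsed", "<-", line[:60])
    print(summarize(SAMPLE_LOG))
```

The verdict is only a hint about packet shape: a "reply-like" record on its own is consistent with stale-peer traffic after an IP change, with backscatter, and with a deliberately crafted packet, and the log alone cannot tell those apart. What it does give you is a cheap way to separate the records worth a whois lookup from the ones that are just inbound connection attempts to a closed port.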