[Dshield] Roadrunner (Long post, apologies)

Tony Maro tonym at nlisc.com
Tue Oct 30 13:50:12 GMT 2001


I ran Gnutella on my Linux server for about a week to toy with it some time
back.

I never SHARED any files, only browsed.

Six months later I was STILL getting probes for it.  I finally configured my
firewall to silently drop 6346.

This happens because someone who logged in WHILE YOU WERE ON got you in
their list of available servers.  Six months later they log in again and
their client automatically looks for you.

Now, think about what happens with all those poor dial-up saps who log in
every day with a different IP, registering their entire subnet across
Gnutella...

The power of PTP!  LOL  Kinda reminds me of unprotected sex.

-----Original Message-----
From: Jeff Miller [mailto:jrm.wa at verizon.net] 

Weeks, at least.  I'm still getting them.

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Johannes B. Ullrich

> ZALog.txt:FWIN,2001/10/28,20:00:16 +0:00 
> GMT,65.34.72.90:1341,213.105.159.132:6346,TCP (flags:S)

The target port is 6346 for all the lines. This is 'Gnutella', one of the
more aggressive file sharing programs. You can see these hits for days after
someone used Gnutella at this IP address.
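
Added example, not part of the original thread: a small Python parser that tallies inbound TCP SYNs to port 6346 per source and shows how many days each source kept probing. The field layout is assumed from the single FWIN line quoted above, and the sample log lines are constructed using documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout assumed from the one FWIN line quoted in the thread:
# FWIN,<date>,<time> <offset> GMT,<src>:<port>,<dst>:<port>,<proto> (flags:<f>)
FWIN = re.compile(
    r"FWIN,(\d{4}/\d{2}/\d{2}),(\d{2}:\d{2}:\d{2}) \S+ GMT,"
    r"(\d+\.\d+\.\d+\.\d+):(\d+),(\d+\.\d+\.\d+\.\d+):(\d+),"
    r"(\w+)(?: \(flags:(\w+)\))?"
)
GNUTELLA_PORT = 6346

# Constructed sample input (not real traffic).
SAMPLE_LOG = """\
FWIN,2001/10/28,20:00:16 +0:00 GMT,192.0.2.10:1341,203.0.113.5:6346,TCP (flags:S)
FWIN,2001/10/28,20:00:19 +0:00 GMT,192.0.2.10:1341,203.0.113.5:6346,TCP (flags:S)
FWIN,2001/10/29,03:15:00 +0:00 GMT,198.51.100.9:4000,203.0.113.5:80,TCP (flags:S)
FWIN,2001/10/29,04:00:00 +0:00 GMT,198.51.100.9:137,203.0.113.5:137,UDP
FWIN,2001/10/30,09:12:44 +0:00 GMT,198.51.100.7:2210,203.0.113.5:6346,TCP (flags:S)
FWIN,2001/11/02,23:41:03 +0:00 GMT,192.0.2.10:3877,203.0.113.5:6346,TCP (flags:S)
"""

def residual_probes(log_text, port=GNUTELLA_PORT):
    """Per source IP: SYN count to `port`, first/last seen, and span in days."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FWIN.search(line)  # search() tolerates a "ZALog.txt:" grep prefix
        if not m:
            continue  # not an inbound-block record, or malformed
        date, time, src, _sport, _dst, dport, proto, flags = m.groups()
        if proto != "TCP" or flags != "S" or int(dport) != port:
            continue  # only connection attempts to the watched port
        seen[src].append(datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"))
    return {
        src: {"hits": len(ts), "first": min(ts), "last": max(ts),
              "span_days": (max(ts) - min(ts)).days}
        for src, ts in seen.items()
    }

if __name__ == "__main__":
    for src, s in sorted(residual_probes(SAMPLE_LOG).items()):
        print(f"{src:15} hits={s['hits']} first={s['first']} "
              f"last={s['last']} span_days={s['span_days']}")
```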



