[Dshield] Roadrunner (Long post, apologies)
tonym at nlisc.com
Tue Oct 30 13:50:12 GMT 2001
I ran Gnutella on my Linux server for about a week to toy with it some time
I never SHARED any files, only browsed.
Six months later I was STILL getting probes for it. I finally configured my
firewall to silently drop 6346.
This happens because someone who logged in WHILE YOU WERE ON, got you in
their list of available servers. Six months later they log in again and
their client automatically looks for you.
Now, think about what happens with all those poor dial-up saps who log in
every day with a different IP, registering their entire subnet across
The power of PTP! LOL Kinda reminds me of unprotected sex.
From: Jeff Miller [mailto:jrm.wa at verizon.net]
Weeks, at least. I'm still getting them.
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Johannes B. Ullrich
> ZALog.txt:FWIN,2001/10/28,20:00:16 +0:00
> GMT,126.96.36.199:1341,188.8.131.52:6346,TCP (flags:S)
The target port is 6346 for all the lines. This is 'Gnutella', one of the
more agressive file sharing programs. You can see these hits for days after
someone used Gnutella at this IP address.
More information about the list