[Dshield] Getting a lot of port 3651
dan at dbdigitalweb.com
Sat Sep 20 02:02:11 GMT 2003
From: John Sage
To: General DShield Discussion List <list at dshield.org>
Date: Friday, September 19, 2003 5:38 PM
Subject: Re: [Dshield] Getting a lot of port 3651
>On Fri, Sep 19, 2003 at 04:14:06PM -0400, Dan wrote:
>> Hello all,
>> I am getting a lot of hits on port 3651 from a LOT of different sources.
>> Anyone else seeing this?
>You give no context, whatsoever..
Correction, I gave the context that was needed. The current IP has nothing
to do with getting certain hits on a certain port (at least in general, I
was just asking a simple question). And yes the machine in question is on
DSL. However I did not get a new IP address and it has been hitting
steadily all day long.
And yes I realize that when one gets a reassigned IP, sometimes you get a
lot of hits looking for the previous computer that was previously connected
to the systems now bouncing off your firewall. However, I had personally
not seen this port before and since there were quite a few hits I thought
that I would ask on the list if anyone else was seeing this activity. And
if you recall, the last time I asked about such activity it was a result of
the MSBlaster worm, which at the time I asked was only released a few hours
previous was unknown, unclassified, and people were trying to obtain samples
One other interesting thing, it started about 12noon and peaked in the
afternoon about 5pm and has went down a bit since then some 4 hours later.
Generally what you suggested does not increase several hours later after
Anyway since no one else has seen this activity I shall assume it is just me
and disregard it.
>I'm betting you're on DSL.
>By chance did you just get a new IP address?
>Could be what I call "dialup cruft": P2P or filesharing of somesort
>intended for the previous occupant of the IP address you have now.
>One thought, anyway...
More information about the list