[Dshield] Getting a lot of port 3651

John Sage jsage at finchhaven.com
Sat Sep 20 05:00:13 GMT 2003

On Fri, Sep 19, 2003 at 10:02:11PM -0400, Dan wrote:
> -----Original Message-----
> From: John Sage
> To: General DShield Discussion List <list at dshield.org>
> Date: Friday, September 19, 2003 5:38 PM
> Subject: Re: [Dshield] Getting a lot of port 3651
> >Dan:
> >
> >On Fri, Sep 19, 2003 at 04:14:06PM -0400, Dan wrote:
> >> Hello all,
> >> I am getting a lot of hits on port 3651 from a LOT of different sources.
> >> Anyone else seeing this?

This is context? You could hardly ask a question with less
information in it. You give a port; no protocol; and no information
about whether you're at home, a SOHO, or a Fortune 500 company sitting
behind the best defenses money can buy...

And what's "a lot of hits"? 50? 500? 5000? 50000?

And "a LOT of different sources"? Within the same netblock? Uniformly
scattered through IP space? What?

> >>
> >> -Dan
> >
> >You give no context, whatsoever..
> Correction, I gave the context that was needed.  The current IP has nothing
> to do with getting certain hits on a certain port (at least in general, I
> was just asking a simple question).  And yes the machine in question is on
> DSL.  However I did not get a new IP address and it has been hitting
> steadily all day long.

Since you did *not* give any context, one of the first answers for
people who ask your very general sort of question is that what you're
seeing is, in fact, the remnant of a prior P2P conversation.

> And yes I realize that when one gets a reassigned IP, sometimes you get a
> lot of hits looking for the previous computer that was previously connected
> to the systems now bouncing off your firewall.  However, I had personally
> not seen this port before and since there were quite a few hits I thought
> that I would ask on the list if anyone else was seeing this activity.  And
> if you recall, the last time I asked about such activity it was a result of
> the MSBlaster worm, which at the time I asked had only been released a few
> hours previously, was unknown and unclassified, and people were trying to
> obtain samples for analysis.

Well, speaking of packets, *you* didn't give us any packets to work
with. A packet dump would have been really handy. I mean, really, a
port number (and no protocol) tells us just about next to nothing...

> One other interesting thing, it started about 12 noon and peaked in the
> afternoon about 5pm and has gone down a bit since then some 4 hours later.
> Generally what you suggested does not increase several hours later after
> changing IPs.

Bzzztt.. Wrong. The P2P connections that still remain a best-guess
answer for the little information you provided most certainly do
"increase several hours later" because there will be ebbs and flows as
the hosts on the other end of a P2P transaction come back online. They
will seem to appear out of nowhere. Believe me, I've seen it time and
time again.

> Anyway since no one else has seen this activity I shall assume it is just me
> and disregard it.

And remember, I did say:

> >One thought, anyway...
> >
> >
> >
> >- John

Not at all the final answer to your very vague question...

- John
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
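The questions John keeps asking in this thread (how many hits, which protocol, how many sources and whether they cluster in one netblock, and how the traffic rises and falls over the day) are exactly what a quick pass over the firewall log can answer before posting. This is an added example, not code from the list or from either poster; the log format and the addresses in it are constructed for illustration.

```python
# Added example (not from the list thread): summarize hits on one destination port
# from constructed firewall log lines so a report carries the context asked for above.
from collections import Counter
from datetime import datetime

# Constructed sample in a simplified "date time proto src -> dst" format, not real log data.
SAMPLE_LOG = """\
2003-09-19 12:03:11 TCP 198.51.100.7:4520 -> 203.0.113.5:3651
2003-09-19 12:09:45 TCP 198.51.100.9:3122 -> 203.0.113.5:3651
2003-09-19 13:15:02 TCP 192.0.2.44:1185 -> 203.0.113.5:3651
2003-09-19 17:01:30 TCP 198.51.100.7:4521 -> 203.0.113.5:3651
2003-09-19 17:08:12 UDP 192.0.2.200:3651 -> 203.0.113.5:3651
2003-09-19 17:40:59 TCP 192.0.2.44:1186 -> 203.0.113.5:3651
2003-09-19 21:12:00 TCP 198.51.100.9:3123 -> 203.0.113.5:3651
2003-09-19 21:30:44 TCP 10.0.0.3:40000 -> 203.0.113.5:80
"""

def parse_line(line):
    """Parse one constructed log line into (timestamp, proto, src_ip, dst_port)."""
    date, time_, proto, src, _, dst = line.split()
    ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
    src_ip = src.rsplit(":", 1)[0]
    dst_port = int(dst.rsplit(":", 1)[1])
    return ts, proto, src_ip, dst_port

def summarize(log_text, port):
    """Build the numbers a useful list post would include for one destination port."""
    hits = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    hits = [h for h in hits if h[3] == port]
    sources = {ip for _, _, ip, _ in hits}
    # Group sources by /24: one netblock points one way, uniform scatter another.
    netblocks = Counter(ip.rsplit(".", 1)[0] + ".0/24" for ip in sources)
    per_source = Counter(ip for _, _, ip, _ in hits)
    return {
        "total_hits": len(hits),
        "by_protocol": dict(Counter(proto for _, proto, _, _ in hits)),
        "distinct_sources": len(sources),
        "sources_per_netblock": dict(netblocks),
        # Hourly counts show the ebb and flow John describes for leftover P2P peers.
        "hits_per_hour": dict(sorted(Counter(ts.hour for ts, _, _, _ in hits).items())),
        # Sources that return more than once fit peers retrying a stale address.
        "repeat_sources": sorted(ip for ip, n in per_source.items() if n > 1),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, 3651).items():
        print(f"{key}: {value}")
```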
