[Dshield] Port 7730

Chris Wright dshield at yaps4u.net
Fri Feb 17 16:58:47 GMT 2006


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of 
> Valdis.Kletnieks at vt.edu
> Sent: 17 February 2006 16:04
> To: General DShield Discussion List
> Subject: Re: [Dshield] Port 7730
> 
> On Fri, 17 Feb 2006 14:29:19 GMT, Chris Wright said:
> > Does anyone know of any apps that use Port 7730? 
> > I've googled it to death with no luck.
> 
> When trying to shoot one of these, it *always* helps if you 
> specify whether it's a TCP or UDP packet, and can get a 
> packet trace that includes full packet headers and payload, 
> even if it's only the first packet or two (most of these 
> things will give up after a few packets when they don't 
> receive the expected response).  If it retransmits a packet, 
> *that* can be helpful data as well - anybody who can't tell 
> if the source system is likely a Windows or Unix box by the 
> retransmit pattern of a TCP SYN packet needs to take the SANS 
> Intrusion Detection class.. ;) 
> 
> For UDP, just use 'tcpdump' or 'ethereal' or similar tool to 
> catch the first packet.  For TCP, you'll also need to set up 
> a 'netcat' listener so something answers the 3-packet 
> handshake and you see the first data packet.
> 
> UDP:   tcpdump -w /tmp/capture udp port 7730
> 
> TCP:   tcpdump -w /tmp/capture tcp port 7730 & nc -l 7730 > /dev/null
> 
> Hopefully that info helps somebody...
> 


In this case it was Kiwi that I noticed the syslog messages in from my
Netgear DG834GT, so the packets never actually made it onto my network.
The traffic was so high that it bordered on a DOS attack since I couldn't
access the web with any great speed.

Unfortunately, I assumed it was afterglow, because of the lack of reports on
Dshield, but was curious as to what app was causing it.

Usually, I will forward that port to my linux box and capture the traffic,
but this time I didn't think it was malicious enough to do that.
Apologies. I should have made it clearer that I was really after the app
causing the afterglow.

As it appears to be a Kazaa related app, perhaps the recent Brit Pop 2006
Awards has caused a demand for music in the past few days.

Regards

Chris
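As an added example (not code from either poster), the script below does the analysis step that follows a capture like the one Valdis describes: it parses a classic pcap file, keeps the TCP/IPv4 packets, and reports the gaps between repeated SYNs to the port, which is the retransmit pattern he refers to. The sample capture is constructed inline with documentation-range addresses; mapping the intervals to a particular OS stack is left to the reader, the code only measures them.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Parse a classic pcap buffer; return (ts, src, dst, sport, dport, flags, seq, payload) per TCP/IPv4 packet."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off, pkts = 24, []                      # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # Ethernet type: IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 6:                                       # protocol 6 = TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        tcp = ip[ihl:]
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        pkts.append((ts_sec + ts_usec / 1e6, src, dst, sport, dport,
                     off_flags & 0x1FF, seq, tcp[(off_flags >> 12) * 4:]))
    return pkts

def syn_retransmit_intervals(pkts):
    """Gaps (seconds) between repeated pure SYNs with the same 4-tuple and sequence number."""
    SYN, ACK = 0x02, 0x10
    seen = defaultdict(list)
    for ts, src, dst, sport, dport, flags, seq, _ in pkts:
        if flags & SYN and not flags & ACK:
            seen[(src, dst, sport, dport, seq)].append(ts)
    return {k: [round(b - a, 3) for a, b in zip(v, v[1:])] for k, v in seen.items() if len(v) > 1}

def _syn_frame(src, dst, sport, dport, seq):
    """Constructed Ethernet/IPv4/TCP SYN frame (checksums left zero; irrelevant for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 65535, 0, 0)
    return eth + ip + tcp

def _pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # magic, v2.4, linktype 1
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame
    return out

# Constructed sample: one source retrying its SYN to port 7730 at 0 s, 3 s and 9 s.
SAMPLE = _pcap([(t, _syn_frame("203.0.113.9", "198.51.100.2", 40000, 7730, 1000)) for t in (0.0, 3.0, 9.0)])
```

Run `syn_retransmit_intervals(parse_pcap(open("/tmp/capture", "rb").read()))` against a real tcpdump file to get the same dictionary of per-connection retransmit gaps.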