[Dshield] Ports 27015, 55000, 6881, 7008 and 65534

Joel Esler eslerj at gmail.com
Thu Jan 5 17:33:57 GMT 2006


I would probably venture a guess that those people that are reporting  
6881 and 27015 have bittorrent or halflife clients on their network,  
and are just sending in their logs.

happens to me when i use bittorrent (for legal purposes of course!),  
I have a high influx of 6881 in my firewall logs, thusly, submitted.

J


On Jan 5, 2006, at 11:35 AM, Jon R. Kibler wrote:

> Greetings,
>
> A curiosity question... if you are reporting to DShield hits on any  
> of the following ports:
>
> 	halflife        27015
> 	(unknown)       55000
> 	bittorrent      6881
> 	afs3-update     7008
> 	sbininitd       65534
>
> It would be real informative to everyone to know exactly what is  
> going on. For the past couple of days, these ports have been among  
> the top 10 ports (and for months, bittorrent has been in that  
> group). However, unlike most ports where there are a large number  
> of sources and and even larger number of targets, for these ports  
> there are a modest number of sources and a trivial (< 50 most days)  
> number of targets.
>
> So if you are among the couple of dozen sites reporting getting  
> whacked on these ports, can you please answer these questions?
> 	Are these ports under attack -- DDoS?
> 	If not, why are you attracting so much bogus traffic to these ports?
>
> Intuition tells me that this must indicate some sort of attack...  
> and I would like to know if I am right or not.
>
> Thanks for your reply!
>
> Jon Kibler
> -- 
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
>
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your  
> own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http:// 
> www.dshield.org/mailman/listinfo/list



More information about the list mailing list