LinuxQuestions.org
Old 11-16-2003, 08:56 PM   #1
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Rep: Reputation: 31
Snort, FIN Scans, and port 6346 (Gnutella)


Well, I checked into my ACID yesterday, and there were 109 new alerts! Normally, I get about 5-6 a day, usually robots.txt access. All of the new alerts were of the same type: "(spp_stream4) STEALTH ACTIVITY (FIN scan) detection," and, oddly enough, headed for the same port: 6346 (gnutella). So far, there were 114 occurrences from 22 different hosts headed to that port. It seems to have tapered off somewhat.

I was wondering if anyone had any thoughts on this activity? Is the RIAA trying to keep track of me, although I haven't used gnutella in 3 months? Or, is this something else? OR, am I just being paranoid?

Ian

Last edited by green_dragon37; 11-16-2003 at 09:02 PM.
 
Old 11-17-2003, 07:30 AM   #2
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
Nothing major on the Incidents org report.

Mostly home machines? Over the period of minutes or hours?

I'd be surprised if it's a copyright enforcement agency.

Some new gnutella leech tool perhaps.

Someone who had the IP before you bringing their computer out of suspend still thinking it has the old IP and trying to open connections to the machines you got FINs from?

Perhaps some new worm that uses a security hole in a common gnutella client.
 
Old 11-17-2003, 08:52 AM   #3
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Original Poster
Rep: Reputation: 31
Is a home box, the first 100 or so were in 24 hours, the rest came much slower. I've had a static IP for 3-4 months, so it can't be that... Thanks for the suggestions.

Ian
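
An added example, not part of the original thread: one way to triage alerts like those discussed above is to group them by destination port and source host, which separates a single host sweeping many ports from many hosts hitting one port. It assumes Snort "fast" alert lines as input; the `triage` function, the `sweep_ports` threshold and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input format: Snort "fast" alert lines,
#   <time>  [**] [gid:sid:rev] <msg> [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+[\d.]+:(?P<dport>\d+)"
)

FIN_MSG = "(spp_stream4) STEALTH ACTIVITY (FIN scan) detection"  # text from the thread

# Constructed sample (documentation addresses), not data from the thread.
ROWS = [
    ("198.51.100.7", 6346, FIN_MSG), ("198.51.100.7", 6346, FIN_MSG),
    ("198.51.100.8", 6346, FIN_MSG), ("203.0.113.20", 6346, FIN_MSG),
    ("203.0.113.5", 80, "WEB-MISC robots.txt access"),
] + [("203.0.113.99", p, FIN_MSG) for p in (21, 22, 23, 25, 80)]
SAMPLE = "\n".join(
    f"11/16-03:12:{i:02d}.000000  [**] {msg} [**] {{TCP}} {src}:40000 -> 192.0.2.10:{dport}"
    for i, (src, dport, msg) in enumerate(ROWS)
)


def triage(text, needle="FIN scan", sweep_ports=5):
    """Return (per-port summary, per-source label) for alerts containing `needle`."""
    sources_by_port = defaultdict(set)
    alerts_by_port = defaultdict(int)
    ports_by_source = defaultdict(set)
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m or needle not in m["msg"]:
            continue  # unparseable line or a different alert type
        port = int(m["dport"])
        alerts_by_port[port] += 1
        sources_by_port[port].add(m["src"])
        ports_by_source[m["src"]].add(port)
    per_port = {p: (alerts_by_port[p], len(sources_by_port[p])) for p in alerts_by_port}
    # Heuristic (assumption): one source across many ports looks like a sweep;
    # many sources on one port is consistent with peers addressing one service.
    labels = {s: "port-sweep" if len(ps) >= sweep_ports else "single-port"
              for s, ps in ports_by_source.items()}
    return per_port, labels


if __name__ == "__main__":
    per_port, labels = triage(SAMPLE)
    for port, (alerts, sources) in sorted(per_port.items()):
        print(f"dport {port}: {alerts} alerts from {sources} sources")
    for src, label in sorted(labels.items()):
        print(src, label)
```
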
 
  

