Posted by kain on March 22, 2005, 11:12 pm
Hi there,
yesterday I wanted to experiment with iptables, so I set up
my Cisco SOHO 77 to become transparent and route all inbound traffic
to a PC on my LAN, 10.10.10.33.
So I opened aMule and tried to connect to a server, then shut it down
after about two minutes (just to analyze some packets).
aMule was set to 4662 TCP/UDP to have a highid (active connection).
However, it's been about three hours since I shut down the application,
and I see a load of packets dropped, in Linux with iptables and in
Windows.
Here's an extract from the Windows firewall log:
2005-03-23 07:56:30 DROP UDP 81.36.209.69 10.10.10.33 4672 4662 55 - - - - - - - RECEIVE
2005-03-23 07:56:31 DROP UDP 62.117.11.252 10.10.10.33 4672 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:32 DROP TCP 83.165.67.76 10.10.10.33 2614 4662 48 S 2199089281 0 16384 - - - RECEIVE
2005-03-23 07:56:34 DROP UDP 80.236.55.185 10.10.10.33 4672 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:35 DROP UDP 80.14.54.72 10.10.10.33 4672 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:38 DROP TCP 83.165.67.76 10.10.10.33 2614 4662 48 S 2199089281 0 16384 - - - RECEIVE
2005-03-23 07:56:40 DROP UDP 82.225.20.30 10.10.10.33 5672 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:40 DROP UDP 80.130.209.195 10.10.10.33 4672 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:41 DROP UDP 61.144.196.191 10.10.10.33 58958 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:41 DROP UDP 83.135.74.17 10.10.10.33 65293 4662 55 - - - - - - - RECEIVE
2005-03-23 07:56:43 DROP UDP 84.4.124.219 10.10.10.33 4672 4662 55 - - - - - - - RECEIVE
2005-03-23 07:56:44 DROP UDP 81.38.223.77 10.10.10.33 4672 4662 55 - - - - - - - RECEIVE
2005-03-23 07:56:47 DROP UDP 62.179.76.3 10.10.10.33 4672 4662 55 - - - - - - - RECEIVE
2005-03-23 07:56:49 DROP UDP 82.231.32.163 10.10.10.33 4672 4662 55 - - - - - - - RECEIVE
2005-03-23 07:56:52 DROP UDP 218.28.104.9 10.10.10.33 4672 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:52 DROP UDP 82.64.143.82 10.10.10.33 4672 4662 63 - - - - - - - RECEIVE
The funny thing is that *mule uses by default tcp/4662 - udp/4672,
I've changed this value in preferences (tcp-udp/4662 same port), and
as we can see packets arrive on udp 4662, as I chose.
I'm wondering why I still receive those packets; *mule applications
have not been running for hours. Do you have any explanations? There aren't
any machines active on my internal network other than mine.
Thanks
Posted by Jbob on March 23, 2005, 4:05 pm
Just a guess but I assume since you did run it for a few hours there are
still servers looking back at your IP address still expecting it to be
sharing files. After a bit it will die down again.
My son runs a Bittorrent client downloading anime movies. Even with his
computer down for a while my router still logs hits on the appropriate TCP
ports. Guess this is the same thing.
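
An added example, not part of any post in this thread: a small parser for firewall log lines in the layout shown in the first post, summarizing dropped packets to one local port by protocol and distinct source, and counting repeated SYNs that carry the same sequence number (a retry of one connection attempt). The field names and the sample lines are assumptions constructed for the example, using documentation addresses.

```python
from collections import Counter, defaultdict

# Field order of the Windows Firewall log lines shown in the post (names assumed)
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample in the same layout (documentation addresses, not the poster's log)
SAMPLE = """\
2005-03-23 07:56:30 DROP UDP 192.0.2.10 10.10.10.33 4672 4662 55 - - - - - - - RECEIVE
2005-03-23 07:56:31 DROP UDP 198.51.100.7 10.10.10.33 4672 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:32 DROP TCP 203.0.113.5 10.10.10.33 2614 4662 48 S 2199089281 0 16384 - - - RECEIVE
2005-03-23 07:56:35 DROP UDP 198.51.100.9 10.10.10.33 58958 4662 63 - - - - - - - RECEIVE
2005-03-23 07:56:38 DROP TCP 203.0.113.5 10.10.10.33 2614 4662 48 S 2199089281 0 16384 - - - RECEIVE
2005-03-23 07:56:40 DROP UDP 192.0.2.10 10.10.10.33 4672 4662 55 - - - - - - - RECEIVE
"""

def parse(text):
    """Yield one dict per well-formed log entry; skip headers and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def summarize(text, port="4662"):
    """Summarize dropped inbound packets aimed at one local port."""
    sources = defaultdict(Counter)   # protocol -> packets per source IP
    syn_seen = Counter()             # (src, sport, seq) -> times seen
    for e in parse(text):
        if e["action"] != "DROP" or e["dst_port"] != port:
            continue
        sources[e["protocol"]][e["src_ip"]] += 1
        if e["protocol"] == "TCP" and e["tcpflags"] == "S":
            syn_seen[(e["src_ip"], e["src_port"], e["tcpsyn"])] += 1
    return {
        "distinct_sources": {p: len(c) for p, c in sources.items()},
        "packets": {p: sum(c.values()) for p, c in sources.items()},
        # Same source, port and sequence number: a retry of one SYN, not a new attempt
        "syn_retransmits": {k: n - 1 for k, n in syn_seen.items() if n > 1},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Many distinct sources each sending a handful of packets to the one port the client advertised fits the explanation given above; a single source walking many ports would look different in this summary.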
Posted by Jose Maria Lopez Hernandez on March 23, 2005, 8:35 pm
kain wrote:
> The funny thing is that *mule uses per default tcp/4662 - udp/4672,
> I've changed this value in preferences (tcp-udp/4662 same port), and
> as we can see packets arrive on udp 4662, as my choice.
eMule/aMule use all these ports: 4661/tcp 4662/tcp 4672/udp 4665/udp
4711/tcp 4242/tcp
I took it from a page on how to configure a firewall to use eMule,
but my experience trying to do just the opposite, stopping it, is that it
uses even more ports.
Regards.
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"