On Tue, Dec 29, 2009 at 2:41 PM, Greg Freemyer
All,
I am researching an intrusion and I have netflows that show activity that I can relate back to a rogue install of uTorrent.
Many of the netflows show an outside client connecting to the server via the bound service port. (A non-standard one in this case.)
But many of the netflows show uTorrent initiating outbound connections from that same port.
Is that normal? Does it indicate anything unusual?
I'm familiar with FTP having both active and passive opens for the data socket. Is this just the same thing but for torrents?
Thanks Greg
A follow-on to this if anyone knows.

In addition to the main bound port, I seem to have a random port being used. The random port seems to be restricted to 1025-4999. I suspect a true random number generator is being used to pick the port in that range because, looking at a couple of months of netflow data, each port seems to be used about 5 times.

Is that too likely to be associated with uTorrent?

Thanks Greg