[opensuse] TCP port usage question - possibly uTorrent specific
All,
I am researching an intrusion and I have netflows that show activity that I can relate back to a rogue install of uTorrent.
Many of the netflows show an outside client connecting to the server via the bound service port. (A non-standard one in this case.)
But many of the netflows show uTorrent initiating outbound connections from that same port.
Is that normal? Does it indicate anything unusual?
I'm familiar with FTP having both active and passive opens for the data socket. Is this just the same thing but for torrents?
Thanks Greg
On Tue, Dec 29, 2009 at 2:41 PM, Greg Freemyer
All,
I am researching an intrusion and I have netflows that show activity that I can relate back to a rogue install of uTorrent.
Many of the netflows show an outside client connecting to the server via the bound service port. (A non-standard one in this case.)
But many of the netflows show uTorrent initiating outbound connections from that same port.
Is that normal? Does it indicate anything unusual?
I'm familiar with FTP having both active and passive opens for the data socket. Is this just the same thing but for torrents?
Thanks Greg
A follow-on to this if anyone knows.
In addition to the main bound port, I seem to have a random port being used. The random port seems to be restricted to 1025-4999. I suspect a true random number generator is being used to pick the port in that range because looking at a couple months of netflow data, each port seems to be used about 5 times.
Is that too likely to be associated with uTorrent?
Thanks Greg
On 12/29/2009 11:41 AM, Greg Freemyer wrote:
Many of the netflows show an outside client connecting to the server via the bound service port. (A non-standard one in this case.)
But many of the netflows show uTorrent initiating outbound connections from that same port.
Is that normal? Does it indicate anything unusual?
I think it is normal for uTorrent to connect outbound on the port it will subsequently use for incoming connections. Usually these are fleeting, and exist only for a short time before it converts the port to listen mode.
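An added example, not part of any poster's message: one way to tally the flow patterns this thread asks about. It assumes unidirectional flow records with start times, so it pairs the two halves of each conversation and takes the earlier record as the initiator before classifying it against the bound port. The host address, port 40123 and all flow records are constructed sample values.

```python
from collections import Counter

HOST, SERVICE_PORT = "10.0.0.5", 40123   # assumed host and bound port (constructed)

# Constructed unidirectional flow records:
# (start_time, src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    (100.0, "198.51.100.7", 51515, HOST, SERVICE_PORT),  # peer connects in
    (100.1, HOST, SERVICE_PORT, "198.51.100.7", 51515),  # reply half, same connection
    (200.0, HOST, SERVICE_PORT, "203.0.113.9", 6881),    # host opens out from bound port
    (200.2, "203.0.113.9", 6881, HOST, SERVICE_PORT),    # reply half
    (300.0, HOST, 1733, "192.0.2.44", 80),               # host opens out from another port
    (300.1, "192.0.2.44", 80, HOST, 1733),               # reply half
    (400.0, HOST, 4821, "192.0.2.44", 80),
    (500.0, HOST, 1733, "192.0.2.80", 80),               # local port 1733 used again
]

def connections(flows):
    """Merge both directions of a conversation; keep the earliest record (the initiator).
    Limitation: a 4-tuple reused much later is merged into the first occurrence."""
    first = {}
    for rec in sorted(flows):                  # sorts by start_time first
        _, sip, sport, dip, dport = rec
        key = frozenset([(sip, sport), (dip, dport)])
        first.setdefault(key, rec)
    return list(first.values())

def classify(rec, host=HOST, service_port=SERVICE_PORT):
    """Label an initiator record relative to the investigated host and its bound port."""
    _, sip, sport, dip, dport = rec
    if dip == host and dport == service_port:
        return "inbound_to_bound_port"
    if sip == host and sport == service_port:
        return "outbound_from_bound_port"
    if sip == host:
        return "outbound_from_other_port"
    return "unrelated"

def summarize(flows):
    """Return (connection kinds, reuse count per non-bound local source port)."""
    conns = connections(flows)
    kinds = Counter(classify(r) for r in conns)
    ports = Counter(r[2] for r in conns if classify(r) == "outbound_from_other_port")
    return kinds, ports

if __name__ == "__main__":
    kinds, ports = summarize(FLOWS)
    print(dict(kinds))
    print("other local ports:", min(ports), "-", max(ports), "reuse:", dict(ports))
```

Without the pairing step, the reply half of every inbound connection would also be counted as traffic leaving from the bound port.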
participants (2): Greg Freemyer, John Andersen