This question, and also the last one on the same theme (port 199) *could* both be caused by the computer that previously used the same IP address. If the previous user of the IP address had an FTP session (or server) to the named machine, then this may be an attempt to establish a data connection. RPC also dynamically assigns port numbers ...

If there are a large number of IP addresses involved, then it is possible that the last user of the IP address was running a server (back orifice?:) which was used by a large number of machines.

Alternatively, one (or none) of those IP addresses is the machine that is performing a general port scan for something like:

Trinoo_Bcast    27444/udp   # Trinoo distributed attack tool Master -> Bcast Daemon communication
Trinoo_Master   27665/tcp   # Trinoo distributed attack tool Master server control port
Quake3Server    27960/udp   # Quake 3 Arena Server

(How can one get packets going to port 199? ssh will establish an outgoing connection from a privileged port, unless you ask it not to...)

&:-)

also sprach Les Catterall (Today, 14:22): (shamelessly plagiarised)

Hi,
I'm curious about numerous (actually 25 in all) TCP connection attempts recently from unprivileged ports to port 27374. Looking at my firewall logs, I see that numerous source IP addresses have been used (generally 3 or 4 attempts per source address) over the last couple of weeks or so. I have a dial-up connection.
Searching a recent copy of IANA's port numbers file I see that ports in the range 27008-27998 are unassigned.
I'm just curious, my firewall's "deny"-ing the connection attempts. Anyone aware of any reason why port 27374 is being probed?
Cheers - Les Catterall