 krygen
join:2004-06-29 12342
1 edit | Inbound UDP packets (port 67) + Trojan?
I recently began forwarding port 6346 through my linksys router to be able to access the gnutella/edonkey2000 p2p network.
Ever since, NIS2004 has been telling me a remote system has been trying to communicate with my system over port 67. Here's the NIS log entry for the communication:
the user has chosen to "block" communications Inbound UDP packet Local address, service is (255.255.255.255,bootps(67)) Remote address, service is (0.0.0.0,bootpc(68)) Process name is "N/A"
BTW: I don't leave port 6346 forwarded 24/7, but only when I'm running p2p software. Also, why would this be happening on this port, which is unrelated to the one I forwarded? I get an alert about this communication about 7 times a day, even when 6346 is closed. Never happened before.
Is this a trojan or someone attempting to compromise my system? Am I just paranoid?
Edit: I set up a rule in NIS to tell me if it sees any communication on port 67 and it's told me several times that a program (no names mentioned) is attempting to use it.
Anyone's help greatly appreciated! Thanks |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire | see »port 67 requests
Cudni |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
| reply to krygen Ports 67 and 68 are used by DHCP so it is probably nothing to worry about, especially since your firewall is blocking access. Go to 1.1 What are some common incoming TCP/UDP probes against my firewall? and scroll down to ports 67 and 68 for more information. |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| reply to krygen Re: Inbound UDP packets on port 67
Do you have another computer behind the router? Is it set to use DHCP? When a computer uses DHCP to obtain an IP on Boot/Reboot or release-renew it sends a packet to 255.255.255.255 from 0.0.0.0 since it does not have an IP address at that point. The packet could even be your own DHCP request routed back downstream. One way to tell would be by the source MAC address or the client hardware address (MAC) in the DHCP request. -- Dog and Butterfly |
|
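The check TheWiseGuy describes above, as an added example that is not part of the original thread: a Python parser for the UDP payload of a captured port-67 broadcast that extracts the client hardware address (chaddr) and DHCP message type, so the sender can be matched against the MAC addresses of devices on the LAN. The sample packet, including its MAC address, transaction ID and hostname, is constructed for the demonstration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP packet (RFC 2131 fixed layout)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (too short or bad magic cookie)")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    info = {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY" if op == 2 else op,
        "xid": xid,
        # chaddr is a 16-byte field at offset 28; only the first hlen bytes count
        "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + min(hlen, 16)]),
        "msg_type": None,
        "hostname": None,
    }
    i = 240  # options start right after the magic cookie
    while i < len(payload):
        code = payload[i]
        if code == 255:      # end option
            break
        if code == 0:        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break            # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break            # truncated option value
        if code == 53 and length == 1:   # DHCP message type
            info["msg_type"] = MSG_TYPES.get(value[0], value[0])
        elif code == 12:                 # client hostname
            info["hostname"] = value.decode("ascii", "replace")
        i += 2 + length
    return info

def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER from a made-up client (0.0.0.0 -> 255.255.255.255)."""
    mac = bytes.fromhex("001122334455")
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)
    # ciaddr/yiaddr/siaddr/giaddr (all zero), chaddr, then sname + file (192 zero bytes)
    header += bytes(16) + mac.ljust(16, b"\x00") + bytes(192)
    options = b"\x35\x01\x01" + b"\x0c\x06laptop" + b"\xff"
    return header + DHCP_MAGIC + options

if __name__ == "__main__":
    print(parse_dhcp(build_sample_discover()))
```

A chaddr that matches one of your own network adapters means the broadcast is ordinary DHCP traffic from a machine on your LAN.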
 krygen
join:2004-06-29 12342 | reply to krygen Re: Inbound UDP packets (port 67) + Trojan?
Thanks for the help, I guess it's harmless.
The only curious thing is: why would NIS be telling me this now? I've been on the same network with the same version for several months and nothing like this has ever occurred. |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN | reply to krygen If this is the same network discussed in your forum thread Isolating a System on a Home Network, perhaps it is coming from the new subnet (if you have added it)? |
|
 krygen
join:2004-06-29 12342 | reply to krygen Never added the new subnet... |
|