NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Incidents> 2000-03

Subject: Re: Port 27960
From: David Groves (ggrovesF1RACING.CO.UK)
Date: Tue Mar 21 2000 - 07:09:51 CST

Next message: Rick Ballard: "Re: 8 hours of pinging"
Previous message: Jon Burdge: "Re: Generic checksums (MD5 DB)"
In reply to: Stuart Staniford-Chen: "Port 27960"
Next in thread: Sean Birkholz: "Re: Port 27960"
Reply: David Groves: "Re: Port 27960"
Reply: Sean Birkholz: "Re: Port 27960"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Nice and simple, its almost certainly Quake3.

Quake3 is simple to detect, even if being played on non standard
ports, since as part of an anti piracy procedure, it sends
key information to satan.idsoftware.com [192.246.40.37].

By blocking outgoing traffic to that you stop it from being played
on your internet connection, since it can't authenticate anymore.

David Groves
dgrovescs.strath.ac.uk

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTSSECURITYFOCUS.COM]On
Behalf Of Stuart Staniford-Chen
Sent: 17 March 2000 13:19
To: INCIDENTSSECURITYFOCUS.COM
Subject: Port 27960

I'm guessing this is another Internet game port. Anyone know for sure?

Here's a sample piece of a scan detect.

Stuart.

Mar 13 18:50:33 xxx.xxx.xxx.xxx:1510 -> 208.25.112.20:53 UDP
Mar 13 18:50:33 xxx.xxx.xxx.xxx:27960 -> 192.246.40.56:27950 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 24.28.21.205:27960 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 206.191.192.47:27960 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 207.127.210.34:27960 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 212.140.216.69:37963 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 212.140.216.69:37961 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 206.136.149.10:27960 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 207.238.206.13:27965 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 207.105.234.8:27960 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 210.97.228.42:27961 UDP
Mar 13 18:50:35 xxx.xxx.xxx.xxx:27960 -> 210.97.228.42:27963 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 216.202.141.69:27960 UDP
Mar 13 18:50:35 xxx.xxx.xxx.xxx:27960 -> 216.202.141.69:27963 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 195.250.175.164:27960 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 209.30.137.20:27960 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 200.27.132.9:26000 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 212.93.4.18:27962 UDP
Mar 13 18:50:34 xxx.xxx.xxx.xxx:27960 -> 216.46.240.6:27962 UDP

--
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuartsilicondefense.com
(707) 822-4588                     (707) 826-7571 (FAX)

Next message: Rick Ballard: "Re: 8 hours of pinging"
Previous message: Jon Burdge: "Re: Generic checksums (MD5 DB)"
In reply to: Stuart Staniford-Chen: "Port 27960"
Next in thread: Sean Birkholz: "Re: Port 27960"
Reply: David Groves: "Re: Port 27960"
Reply: Sean Birkholz: "Re: Port 27960"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]