OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Port probe on 6666
From: George H. Kyle IV (georgekDERMESSENTIALS.COM)
Date: Thu Jul 27 2000 - 16:13:44 CDT

Port 6666 is a default port for many text based MUDs, perhaps it was
a confused MUD client.

George H. Kyle IV
DermEssentials, Inc.

"Vachon, Scott" wrote:

> I hope this is the right forum for posting this. I had an attempt to connect
> to one of my systems last night and I am interested in opinions/insight from
> the incidents group.
>
> Information captured:
>
> An attempt was made to connect to port 6666 from the below listed IP
> address:
>
> notify-108.iap.bryant.webtv.net 209.240.199.146 on port 6666 UDP port
> 36063.
>
> I contacted the security folks at WebTV (Microsoft) and received the
> following response:
>
> There is a common misunderstanding concerning UDP Port 6666 probes.
>
> When WebTV Clients obtain an IP Address they are registered with that
> IP-Address in our system and stay registered until a timeout threshold is
> reached or are re-registered with a different IP-Address (whichever comes
> first.) If another system (Non-WebTV) obtains this same IP-Address
> previously used by a WebTV Client it may receive packets from our notify
> service attempting to tell the WebTV client it has mail.
>
> ***
> Security Analyst
> Microsoft
>
> Questions:
>
> 1) What is port 6666 (UDP port 36063) used for, if anything ?
> 2) Since the affected host (non WebTV) is not on the WebTV network, why
> would WebTV assume my host had been assigned an IP used formerly by one of
> their hosts ?
> 3) Has anyone else had this same experience from a WebTV host or service ?
>
> Thanks in advance.
>
> Scott Vachon
> Network Implementations Engineer
> Computer Network Services
> Paymentech, Inc.