Subject: RE: [fw-wiz] port 17027
From: Jon (jspeed sympatico.ca)
Date: Wed Apr 12 2000 - 05:57:29 CDT
Per http://www.robertgraham.com/pubs/firewall-seen.html#port17027
"Conducent.
Outbound: This is seen on outbound connections. It is caused by users inside
the corporation who have installed shareware programs using the Conducent
"adbot" wrapper. This wrapper shows advertisements to users of the shareware.
A popular shareware program that uses this is PKware. Bill Royds mentions
that in his experience, you can block this outbound connection with no
problem, but if you block the IP addresses themselves, then the adbots can
overload the link trying to reach the servers by continually connecting many
times per second.
The machines will attempt to resolve the DNS name "ads.conducent.com", which
resolves to the IP addresses:
216.33.210.40
216.33.199.77
216.33.199.80
216.33.199.81
216.33.210.41
These addresses are hosted by Exodus."
> -----Original Message-----
> From: owner-firewall-wizards lists.nfr.net
> [mailto:owner-firewall-wizards lists.nfr.net]On Behalf Of Ken Fox
> Sent: March 30, 2000 1:17 PM
> To: firewall-wizards nfr.net
> Cc: kenfox starlinx.com
> Subject: [fw-wiz] port 17027
>
>
> Has anyone seen heavy activity on port 17027 from boxes
> inside a firewall -- specifically, a number of users' systems
> keep trying to send tcp packets to ip addresses in the
> 216.33.0.0 through 216.35.0.0 range with a destination port of 17027.
>
> That address range is owned by exodus.net, and further the
> individual IP addresses are owned by
>
> %rwhois V-1.5:003fff:00 rwhois.exodus.net (by Network
> Solutions, Inc. V-1.5.3)
> network:Auth-Area:216.33.0.0/16
> network:Class-Name:network
> network:Network-Name:216.33.208.0
> network:IP-Network:216.33.208.0/20
> network:Organization;I:DIALTONE INTERNET
> network:Address-1;I:18331 Pines Blvd
> network:Address-2;I:Pembroke Pines, FL 33029
> network:Admin-Contact;I:DNS DIALTONEINTERNET.NET
> network:Tech-Contact;I:DNS DIALTONEINTERNET.NET
> network:Created:99-MAY-20
> network:Updated-By:dave
>
> This company provides Datacenter capabilities. Co-location ...
>
>
> We have been hypothesizing that this could be some ICQ type
> app or some malicious bug that someone(s) has/have caught by
> surfing in the wrong places.
>
> In the cases where we have contacted the owners of the
> systems sending these packets, they have been clearly
> clueless about the traffic emanating from their computers.
>
> Has anyone else seen this?
>
> Thanks, Ken
>
>
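
An added example, not part of the original messages: a Python check that scans firewall log lines for outbound TCP connections to port 17027 and flags internal hosts retrying several times per second, the behaviour described above when the ad servers cannot be reached. The log lines are constructed in iptables LOG style, the internal addresses are made up, and the `STORM_PER_SEC` threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

ADBOT_PORT = 17027   # destination port discussed in the thread
STORM_PER_SEC = 3    # assumed threshold for "many times per second"

# Constructed sample log (iptables LOG style); internal addresses are made up.
_FMT = ("Apr 12 {t} fw kernel: IN=eth1 OUT=eth0 SRC={s} DST={d} "
        "PROTO=TCP SPT=1034 DPT={p} SYN")
SAMPLE_LOG = "\n".join(_FMT.format(t=t, s=s, d=d, p=p) for t, s, d, p in [
    ("05:57:01", "10.0.0.21", "216.33.210.40", 17027),
    ("05:57:31", "10.0.0.21", "216.33.210.40", 17027),
    ("05:58:10", "10.0.0.37", "216.33.199.77", 17027),
    ("05:58:10", "10.0.0.37", "216.33.199.80", 17027),
    ("05:58:10", "10.0.0.37", "216.33.199.77", 17027),
    ("05:58:10", "10.0.0.37", "216.33.199.80", 17027),
    ("05:58:11", "10.0.0.50", "192.0.2.10", 80),   # unrelated web traffic
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?SRC=(?P<src>\S+)\sDST=(?P<dst>\S+)\s"
    r".*?PROTO=(?P<proto>\S+)\s.*?DPT=(?P<dpt>\d+)")

def summarize(log_text, port=ADBOT_PORT, storm=STORM_PER_SEC):
    """Per internal source: attempts to `port`, peak per-second rate, targets."""
    per_sec = defaultdict(Counter)   # src -> {timestamp (1 s resolution): count}
    dests = defaultdict(set)         # src -> destination addresses seen
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue                 # unparsable line or unrelated traffic
        per_sec[m["src"]][m["ts"]] += 1
        dests[m["src"]].add(m["dst"])
    report = {}
    for src, buckets in per_sec.items():
        peak = max(buckets.values())
        report[src] = {
            "attempts": sum(buckets.values()),
            "peak_per_sec": peak,
            "destinations": sorted(dests[src]),
            "retry_storm": peak >= storm,   # candidate for adbot cleanup
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(src, info)
```

Hosts reported with `retry_storm` set are the ones to clean up at the workstation, since the wrapper keeps reconnecting while the addresses are blocked.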