Security Incidents
mailing list archives
Re: 27015 probe increase??
From: bhc2 () cornell edu
Date: Wed, 11 Jul 2001 17:09:17 -0400 (EDT)
On Tue, 10 Jul 2001, cg wrote:
> I've seen increased activity on port 27015. In the last half hour I've
> gotten the following probes. I'm just a lowly dsl user, not even pingable
> from outside.
> Rule "gather" blocked (xx.xxx.xxx.xx,27015). Details:

Port 27015 is the port used for the game "Half-Life," a First Person
Shooter. I doubt you have much to worry about, from the fact that this
was a two minute log and judging by the number of hits I would have to
guess that your IP (possibly it is assigned using DHCP?) was listed
either online at a webpage or on one of the Half-Life servers as hosting
a game. Thus users would instruct their machines to connect to yours, in
order to play.

The IPs I recognize from the states all appear to be of Cable/DSL origin:

Remote address,service is (24.24.150.52,2756)
we-24-24-150-52.we.mediaone.net
Remote address,service is (24.250.96.93,22952)
ci170011-a.athen1.ga.home.com
Remote address,service is (65.81.53.244,22952)
adsl-81-53-244.asm.bellsouth.net

The gaming community is well known as an early adopter of Broadband in the
pursuit of lower PING times to the server.

If in fact your IP is assigned dynamically (DHCP, etc.) then this sounds
very familiar to the port 6346 DOS reported last week; 6346 is actually
the port used for the Gnutella network; where a user with this IP
previously had started and "announced"/broadcast services which you do
not support. I hope this calms your fears slightly. It is always good to
be diligent about security.

-B
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com
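
Added example, not part of the original post: a small triage script that separates the pattern described in the reply (many remote hosts hitting one local port, as with a stale game-server listing) from a single host walking many ports. The sample log is constructed with documentation addresses, and pairing each "Rule ... blocked" line with the "Remote address" line that follows it, as well as the threshold of 3, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the two line shapes quoted in the post; pairing each
# "Rule ... blocked" line with the "Remote address" line after it is an assumption.
SAMPLE_LOG = """\
Rule "gather" blocked (192.0.2.10,27015). Details:
Remote address,service is (198.51.100.7,2756)
Rule "gather" blocked (192.0.2.10,27015). Details:
Remote address,service is (198.51.100.88,22952
Rule "gather" blocked (192.0.2.10,27015). Details:
Remote address,service is (203.0.113.5,22952)
Rule "gather" blocked (192.0.2.10,21). Details:
Remote address,service is (203.0.113.99,4001)
Rule "gather" blocked (192.0.2.10,23). Details:
Remote address,service is (203.0.113.99,4002)
Rule "gather" blocked (192.0.2.10,80). Details:
Remote address,service is (203.0.113.99,4003)
"""

BLOCKED = re.compile(r'Rule "[^"]*" blocked \(([\d.x]+),(\d+)\)')
# The closing parenthesis is optional so a truncated line still parses.
REMOTE = re.compile(r'Remote address,service is \(([\d.]+),(\d+)\)?')

def parse(log):
    """Yield (local_port, remote_ip) for each blocked/remote line pair."""
    local_port = None
    for line in log.splitlines():
        if m := BLOCKED.search(line):
            local_port = int(m.group(2))
        elif (m := REMOTE.search(line)) and local_port is not None:
            yield local_port, m.group(1)
            local_port = None

def triage(log, threshold=3):
    """Report fan-in (many sources, one port) and fan-out (one source, many ports)."""
    sources_by_port, ports_by_source = defaultdict(set), defaultdict(set)
    for port, ip in parse(log):
        sources_by_port[port].add(ip)
        ports_by_source[ip].add(port)
    return {
        "fan_in_ports": sorted(p for p, s in sources_by_port.items() if len(s) >= threshold),
        "scanning_sources": sorted(ip for ip, p in ports_by_source.items() if len(p) >= threshold),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A port in `fan_in_ports` matches the reply's explanation of clients trying to reach a service once advertised at that address; an address in `scanning_sources` is the pattern that deserves a closer look.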