The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Thursday, April 05, 2007

Not a new botnet after all

Last week I mentioned mysterious network activity which had been seen on ports 1720 and 1863 from both Windows and Linux systems. Analysts were worried that this was a new botnet coming on line, although no actual network traffic had been observed. I noted that port 1720 was associated with video conferencing and perhaps the observed behavior simply represented video conferencing software waiting for incoming connections. (Also, port 1863 is associated with file-sharing software.)

Turns out I wasn't far off. It seems that the network activity came not from the host computers, but from a firewall product which was acknowledging network connections from the outside on the behalf of the hosts on the inside of the firewall. This sort of makes perfect sense since both video conferencing and file sharing are peer-to-peer protocols that require that client software find a way around the firewalls.

Arguably, this is very bad form, but it's not malicious. Nothing to see here; we can all go home now.


Blogger Rockeiro said...

My mail server is being hammered by botnet spammers. After reading copious amounts of web pages leading me nearly nowhere I decided to use a simple port scanner and scan them back. I scanned up to port 2000 and 4 out the 4 I scanned came back with these ports reported. Hmm.. 21 389 1002 1720 21 389 1002 1573 1720 21 389 1002 1720 21 389 1002 1720

I think there's defintely a new bot around.

12:23 AM  

Post a Comment

<< Home