TOPIC: port 56398

port 56398 13 years 1 month ago #1582

  • pndennie
Hi everyone,
Are there any known attacks utilizing port 56398?

Re: port 56398 13 years 1 month ago #1583

  • tfs
Haven't seen one. Symantec doesn't have anything on that port.

What makes you think there might be one?
Thanks,

Tom

Re: port 56398 13 years 1 month ago #1584

  • pndennie
I had about 200 addresses trying to enter my firewall on that port, they were denied and logged......

Re: port 56398 13 years 1 month ago #1598

  • sahirh
Could you be more specific about the attempt: was it TCP or UDP, what was the source port? Were all the IPs in a particular range or netblock (you can check with whois)? Did it happen in one large flood or was it interspersed traffic?

Hmm, after a little basic research I found some software (?) that is used for equity share analysis that uses UDP 56389.. go to erlanger.com.. I'm posting something from their page

Continuum Ping or "Echo"

ContinuumClient sends and receives UDP ping packets to our servers on port 56398 or lower. Every new instance of ContinuumClient (created by other applications connecting to QFeed) will attempt to open port 56398 to send and receive listen for pings. If it can't, it listens on 56397, etc. This prevents ping collisions on that port. If this port is not open, the "echo" statistic reported in the ContinuumClient.ini file will be 65534 - the max reading - indicating it cannot reach that server on a ping.

I don't see why you should get those requests as it says 'to our servers'.. but it's the only worthwhile thing that I can think of.. I personally know of no backdoors or trojans that use it. What machines were they trying to connect to? Scan your internal network to see if any daemons are listening on that port, don't forget to UDP scan too.. you can use Nmap www.insecure.org/nmap

I really can't figure why you'd get so many requests.. I'm watching my firewall logs and haven't seen any of that kind of traffic.
I recommend you go here:
www.dshield.org/
and submit your firewall logs, if they haven't seen that activity then I really don't think you need to worry about it. If the traffic gets annoying and is in the same netblock then just email the abuse address from whois or the technical contact and tell them to sort it out or you'll be pissed off ;)

btw you could post a couple of entries here for analysis, may I suggest you post it as follows:

1. log entries when it starts including the last few entries before it
2. log entries in the middle of the attempts
3. log entries after it stops including some followup traffic.

If the destination IP is public you might want to sanitize the log details before posting -- it may sound paranoid, but would you post your home address here ;)

Frankly, I don't think you need to be bothered about it.

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
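
The triage questions raised in the post above (protocol, source port, netblock, one flood versus interspersed traffic, and masking the destination before posting) applied to a firewall log, as an added example that is not part of the original thread. The log line layout, the sample entries and the function names are constructed assumptions; adapt the pattern to your own firewall's format.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Constructed sample entries (documentation address ranges); the line layout is
# an assumption, so adapt LINE_RE to your firewall's own log format.
SAMPLE_LOG = """\
2024-01-01T10:00:00 DENY SRC=192.0.2.10 DST=203.0.113.5 PROTO=UDP SPT=40001 DPT=56398
2024-01-01T10:00:01 DENY SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=40002 DPT=56398
2024-01-01T10:00:02 DENY SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=40001 DPT=56398
2024-01-01T10:00:03 DENY SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80
2024-01-01T12:00:00 DENY SRC=192.0.2.10 DST=203.0.113.5 PROTO=UDP SPT=40001 DPT=56398
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) DENY SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def summarize(log_text, port=56398, prefix=24):
    """Answer the triage questions for denied traffic to one destination port."""
    hits = [m for m in map(LINE_RE.match, log_text.splitlines())
            if m and int(m["dpt"]) == port]
    times = sorted(datetime.fromisoformat(m["ts"]) for m in hits)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "count": len(hits),
        "protocols": Counter(m["proto"] for m in hits),
        "source_ports": Counter(int(m["spt"]) for m in hits),
        # Group sources by netblock to see whether they share a range.
        "netblocks": Counter(
            str(ip_network(f"{m['src']}/{prefix}", strict=False)) for m in hits),
        "duration_s": (times[-1] - times[0]).total_seconds() if times else 0.0,
        # A large maximum gap means interspersed traffic rather than one flood.
        "max_gap_s": max(gaps, default=0.0),
    }

def sanitize(log_text, placeholder="DST=x.x.x.x"):
    """Mask the destination address before posting entries publicly."""
    return re.sub(r"DST=\S+", placeholder, log_text)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print(sanitize(SAMPLE_LOG).splitlines()[0])
```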

Re: port 56398 13 years 1 month ago #1600

  • sahirh
Oh yeah just as an add-on at www.dshield.org you can type in a few of those IPs, it searches the complete database to see if they've been reported as attacking IPs.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Re: port 56398 13 years 1 month ago #1627

  • pndennie
It is UDP port 56398. Have traced it back to Lycos but still have no idea what is going on. The firewall was active for 2 hours trying to process the requests (denying them).