SANS ISC: Follow the Bouncing EMule SANS ISC InfoSec Forums

Follow the Bouncing EMule
Robert Danford, one of the other ISC Handlers, happened to mention in the Sooper Secret ISC Handler Chat Room that a co-worker was investigating a local spike in traffic to port 1755 TCP.  In looking at the DShield data, we're seeing levels jumping all over the place.  By capturing packets, Robert's co-worker, Dan Frasnelli, was able to pin down what was flying by: eMule traffic.  Doing a little searching (Google is your friend), we found that the kidz (in response to Eeeeevil ISPs throttling P2P traffic) have decided to use 1755 TCP.  Why?  Well, because Windows Media Server lives on that port, and they believe that they'll stand less chance of getting throttled.  We've seen them move ports before: from 4662 -> 6662.

You know... if some of the people putting all of the thought and energy into obfuscating JavaScript, writing malware, getting P2P around ISPs, etc... want to stop by my house, I've got a "honey-do" list about 10 pages long that they could work on.
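The packet-capture check described above can be sketched as follows. This is an added example, not code from the diary or from ISC; it assumes you already have the first client payload of each TCP flow to port 1755, and it relies on the publicly documented eDonkey/eMule frame header and the MMS TCP header signature. The function names, `MAX_FRAME` bound and sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

# eDonkey/eMule TCP frame: 1 protocol byte, 4-byte little-endian length, 1 opcode byte.
EMULE_PROTOCOLS = {0xE3, 0xC5, 0xD4}   # eDonkey, eMule extension, compressed
# MMS (MS-MMSP) TCP header: session id 0xB00BFACE at offset 4, "MMS " seal at offset 12.
MMS_SESSION_ID = bytes.fromhex("cefa0bb0")
MMS_SEAL = b"MMS "
MAX_FRAME = 2_000_000   # assumed sanity bound on the eMule length field


def classify_1755_payload(payload: bytes) -> str:
    """Label the first client payload of a TCP flow to port 1755."""
    if len(payload) >= 16 and payload[4:8] == MMS_SESSION_ID and payload[12:16] == MMS_SEAL:
        return "mms"
    if len(payload) >= 6 and payload[0] in EMULE_PROTOCOLS:
        (length,) = struct.unpack_from("<I", payload, 1)
        if 1 <= length <= MAX_FRAME:   # length counts the opcode plus the body
            return "emule"
    return "unknown"   # anything else: truncated, encrypted, other protocols


def summarize(flows):
    """Count labels per source address for (src_ip, first_payload) pairs."""
    summary = {}
    for src, payload in flows:
        summary.setdefault(src, Counter())[classify_1755_payload(payload)] += 1
    return summary


# Constructed sample payloads (not captured traffic); addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("192.0.2.10", b"\xe3" + struct.pack("<I", 5) + b"\x01" + b"\x10abc"),
    ("192.0.2.10", b"\xc5" + struct.pack("<I", 3) + b"\x01" + b"\x00\x00"),
    ("192.0.2.20", b"\x01\x00\x00\x00" + MMS_SESSION_ID + struct.pack("<I", 32) + MMS_SEAL + bytes(16)),
    ("192.0.2.30", b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for src, counts in sorted(summarize(SAMPLE_FLOWS).items()):
        print(src, dict(counts))
```

A source that talks to port 1755 but never produces an `mms` label is the kind of host worth a closer look in the capture.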

Dec 7th 2006
