Skip to main content

port 56398

More
21 years 3 weeks ago #1582 by pndennie
port 56398 was created by pndennie
Hi everyone,
Are there any known attacks utilizing port 56398?
More
21 years 3 weeks ago #1583 by tfs
Replied by tfs on topic Re: port 56398
Haven't seen one. Symantec doesn't have anything on that port.

What makes you think there might be one?

Thanks,

Tom
More
21 years 3 weeks ago #1584 by pndennie
Replied by pndennie on topic Re: port 56398
I had about 200 addresses trying to enter my firewall on that port, they were denied and logged......
More
21 years 3 weeks ago #1598 by sahirh
Replied by sahirh on topic Re: port 56398
Could you be more specific about the attempt, was it TCP or UDP, what was the source port ? Were all the IP's in a particular range or netblock (you can check with whois). Did it happen in one large flood or was it interspersed traffic

Hmm after a little basic research I found some software (?) that is used for equity share analysis that uses UDP 56389.. go to erlanger.com.. im posting something from their page

Continuum Ping or "Echo"

ContinuumClient sends and receives UDP ping packets to our servers on port 56398 or lower. Every new instance of ContinuumClient (created by other applications connecting to QFeed) will attempt to open port 56398 to send and receive listen for pings. If it can't, it listens on 56397, etc. This prevents ping collisions on that port. If this port is not open, the "echo" statistic reported in the ContinuumClient.ini file will be 65534 - the max reading - indicating it cannot reach that server on a ping.

I don't see why you should get those requests as it says 'to our servers'.. but its the only worthwhile thing that I can think of.. I personally know of know backdoors or trojans that use it. What machines were they trying to connect to ? Scan your internal network to see if any daemons are listening on that port, don't forget to UDP scan too.. you can use Nmap www.insecure.org/nmap

I really can't figure why you'd get so many requests.. I'm watching my firewall logs and haven't seen any of that kind of traffic.
I recommend you go here :
www.dshield.org/
and submit your firewall logs, if they haven't seen that activity then I really don't think you need to worry about it. If the traffic gets annoying and is in the same netblock then just email the abuse address from whois or the technical contact and tell them to sort it out or you'll be pissed off ;)

btw you could post a couple of entries here for analysis, may I suggest you post it as follows :

1. log entries when it starts including the last few entries before it
2. log entries in the middle of the attempts
3. log entries after it stops including some followup traffic.

If the destination IP is public you might want to sanitize the log details before posting -- it may sound paranoid, but would you post your home address here ;)

Frankly, I don't think you need to be bothered about it.

Cheers,



Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
More
21 years 3 weeks ago #1600 by sahirh
Replied by sahirh on topic Re: port 56398
Oh yeah just as an add-on at www.dshield.org you can type in a few of those IPs, it searches the complete database to see if they've been reported as attacking IPs.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
More
21 years 2 weeks ago #1627 by pndennie
Replied by pndennie on topic Re: port 56398
it is UDP port 56398. Have traced it back to lycos but still have no idea what is going on. The firewall was active for 2 hours trying to process the requests (denying them)
Time to create page: 0.131 seconds