port 56398

20 years 10 months ago #1582 by pndennie
port 56398 was created by pndennie
Hi everyone,
Are there any known attacks utilizing port 56398?
20 years 10 months ago #1583 by tfs
Replied by tfs on topic Re: port 56398
Haven't seen one. Symantec doesn't have anything on that port.

What makes you think there might be one?

Thanks,

Tom
20 years 10 months ago #1584 by pndennie
Replied by pndennie on topic Re: port 56398
I had about 200 addresses trying to enter my firewall on that port; they were denied and logged...
20 years 10 months ago #1598 by sahirh
Replied by sahirh on topic Re: port 56398
Could you be more specific about the attempt? Was it TCP or UDP, and what was the source port? Were all the IPs in a particular range or netblock (you can check with whois)? Did it happen in one large flood, or was it interspersed traffic?

Hmm, after a little basic research I found some software (?) that is used for equity share analysis that uses UDP 56389. Go to erlanger.com. I'm posting something from their page:

Continuum Ping or "Echo"

ContinuumClient sends and receives UDP ping packets to our servers on port 56398 or lower. Every new instance of ContinuumClient (created by other applications connecting to QFeed) will attempt to open port 56398 to send and receive listen for pings. If it can't, it listens on 56397, etc. This prevents ping collisions on that port. If this port is not open, the "echo" statistic reported in the ContinuumClient.ini file will be 65534 - the max reading - indicating it cannot reach that server on a ping.

I don't see why you should get those requests, as it says 'to our servers', but it's the only worthwhile thing that I can think of. I personally know of no backdoors or trojans that use it. What machines were they trying to connect to? Scan your internal network to see if any daemons are listening on that port, and don't forget to UDP scan too. You can use Nmap: www.insecure.org/nmap

I really can't figure out why you'd get so many requests. I'm watching my firewall logs and haven't seen any of that kind of traffic.
I recommend you go here:
www.dshield.org/
and submit your firewall logs. If they haven't seen that activity then I really don't think you need to worry about it. If the traffic gets annoying and is in the same netblock then just email the abuse address from whois or the technical contact and tell them to sort it out or you'll be pissed off ;)

BTW, you could post a couple of entries here for analysis. May I suggest you post them as follows:

1. log entries when it starts including the last few entries before it
2. log entries in the middle of the attempts
3. log entries after it stops including some followup traffic.

If the destination IP is public you might want to sanitize the log details before posting -- it may sound paranoid, but would you post your home address here ;)

Frankly, I don't think you need to be bothered about it.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
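
The triage asked for in the post above (protocol, source port, netblock, one flood versus interspersed traffic) together with the sanitizing step, as an added example that is not part of the original thread. The log layout, the sample entries, and the names `triage`, `sanitize` and `burst_gap` are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Constructed sample in a made-up "time action proto src:port -> dst:port" layout.
SAMPLE_LOG = """\
2004-03-01T10:00:01 DENY UDP 198.51.100.7:4021 -> 203.0.113.10:56398
2004-03-01T10:00:01 DENY UDP 198.51.100.9:4021 -> 203.0.113.10:56398
2004-03-01T10:00:02 DENY UDP 198.51.100.44:4021 -> 203.0.113.10:56398
2004-03-01T10:00:03 DENY UDP 192.0.2.15:53211 -> 203.0.113.10:56398
2004-03-01T10:00:05 DENY TCP 192.0.2.80:3312 -> 203.0.113.10:80
2004-03-01T11:42:10 DENY UDP 198.51.100.7:4021 -> 203.0.113.10:56398
"""

LINE = re.compile(
    r"(?P<ts>\S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def triage(log_text, port=56398, burst_gap=60):
    """Summarise denied hits on `port`: protocol, source ports, /24s, bursts."""
    hits = [m for m in map(LINE.match, log_text.splitlines())
            if m and int(m["dport"]) == port]
    times = sorted(datetime.fromisoformat(m["ts"]) for m in hits)
    # A new burst starts when the gap to the previous hit exceeds burst_gap seconds.
    bursts = 1 if times else 0
    for prev, cur in zip(times, times[1:]):
        if (cur - prev).total_seconds() > burst_gap:
            bursts += 1
    return {
        "hits": len(hits),
        "protocols": Counter(m["proto"] for m in hits),
        "source_ports": Counter(int(m["sport"]) for m in hits),
        "netblocks": Counter(str(ip_network(m["src"] + "/24", strict=False)) for m in hits),
        "unique_sources": len({m["src"] for m in hits}),
        "bursts": bursts,
    }

def sanitize(log_text, placeholder="x.x.x.x"):
    """Mask the destination (your own) address before posting entries publicly."""
    return re.sub(r"(-> )[\d.]+(:\d+)", rf"\g<1>{placeholder}\g<2>", log_text)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
    print(sanitize(SAMPLE_LOG))
```

A single fixed source port across many addresses in one netblock points toward one application or one operator; a single burst versus several separated bursts answers the flood-or-interspersed question.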
20 years 10 months ago #1600 by sahirh
Replied by sahirh on topic Re: port 56398
Oh yeah, just as an add-on: at www.dshield.org you can type in a few of those IPs, and it searches the complete database to see if they've been reported as attacking IPs.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 10 months ago #1627 by pndennie
Replied by pndennie on topic Re: port 56398
It is UDP port 56398. Have traced it back to Lycos but still have no idea what is going on. The firewall was active for 2 hours trying to process the requests (denying them).