Port 6229 scanned like crazy
Read Icculus
01-31-2003, 04:24 AM
I just installed Mandrake 9.0 on an extra computer at home. First thing I usually do is set up the firewall and get everything as secure as I can. I dialed my ISP and went to pcflank.com to check my firewall. All of my ports are stealthed, and I started checking the syslog and fwlogwatch just to see how things were going, and I noticed that in addition to the 400 some packets from pcflank which I dropped, there were 160 SYN packets dropped that were targeting port 6229. I've gotten multiple scans before, but the 160 scans were from over 30 different IPs. Now my computer has only been connected to the net for about an hour and a half, and the scans keep pouring in, all from many different IP addys. My question is what the heck is going on? I haven't been able to figure out what port 6229 does, Google hasn't been any help, and I haven't seen a single port that gets this many scans other than 1443 last weekend, or the big ones like 137 and 80. I've attached an HTML report of my firewall log over the last hour and a half.
195.131.4.164 is pcflank.com so there are about 400 packets from them. Thanks for any help.
Read Icculus
02-01-2003, 04:41 AM
After some more searches I still haven't been able to find out what port 6229 does. If anyone has any idea I'd appreciate it. I'd like to find out what was going on... just for future reference... and as a side note this is the third question I've asked in a month with 0 replies. Should I be posting under a different category or what?
Luis Q. R.
02-01-2003, 05:02 AM
If we don't reply, it is because we don't have a clue, not because we are unwilling.
I'm going to ask some friends, stay tuned.
Luis Q. R.
02-01-2003, 05:20 AM
Now I remember... Have you been using some kind of sharing program like Kazaa, iMesh, etc.? You know, I use eDonkey2000 in my Windows partition regularly. That's a program that uses the 4661 and 4662 ports, and after I exit the program the other users still try to connect to my PC on port 4662, so the firewall log shows hundreds of attempts to connect to that port. If that's not the problem, please tell.
Read Icculus
02-03-2003, 12:29 AM
Thanks for the reply. I don't use file-sharing programs, as the connection I was using is a 56k modem. However, since I have a dynamic IP, I imagine that someone else at my ISP could have been on Kazaa or some file-sharing program that uses port 6229. So I guess they got disconnected, and then when I dialed up my ISP, their old IP was my IP. The packets were from all over the world and were all just about exactly the same: 3 or so SYN packets at a time with a TTL somewhere around 114. It was organized in some manner, so I imagine that something like eMule could be the culprit.
I just have never experienced that kind of flood of blocked packets that all seemed to be so much alike and from so many different places, so I felt it was best to see if anyone had any bright ideas about what it could be. Thanks again for the help.
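The pattern described in this post (many sources, a few near-identical SYNs each, similar TTLs) can be pulled out of a firewall log with a short summary script. This is an added example, not part of the original thread; the log lines are constructed in an abbreviated netfilter LOG layout with documentation-range addresses, and the `looks_like_stale_peers` thresholds are an assumed heuristic.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"(\w+)=(\S*)")

def sample_line(src, dpt, ttl):
    # Constructed log line, abbreviated from the netfilter LOG layout.
    return (f"Jan 31 03:10:01 host kernel: DROP IN=ppp0 OUT= SRC={src} "
            f"DST=203.0.113.5 LEN=48 TTL={ttl} PROTO=TCP SPT=3301 DPT={dpt} "
            "WINDOW=16384 SYN URGP=0")

# Constructed sample: five sources retrying port 6229, one source hammering port 80.
SAMPLE_LOG = "\n".join(
    [sample_line(f"192.0.2.{i}", 6229, 112 + i % 4) for i in range(1, 6) for _ in range(3)]
    + [sample_line("198.51.100.77", 80, 50) for _ in range(9)]
)

def parse(line):
    """Return (src, dport, ttl) for a logged TCP SYN (no ACK), else None."""
    kv = dict(FIELD.findall(line))
    flags = line.split()
    if kv.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None
    try:
        return kv["SRC"], int(kv["DPT"]), int(kv["TTL"])
    except (KeyError, ValueError):
        return None  # truncated or malformed line

def summarize(log_text):
    """Per destination port: packets, distinct sources, busiest source, TTL range."""
    per_port = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            src, dport, ttl = rec
            per_port[dport][src].append(ttl)
    out = {}
    for dport, srcs in per_port.items():
        ttls = [t for seen in srcs.values() for t in seen]
        out[dport] = {"packets": len(ttls), "sources": len(srcs),
                      "max_per_source": max(len(v) for v in srcs.values()),
                      "ttl_range": (min(ttls), max(ttls))}
    return out

def looks_like_stale_peers(stats, min_sources=3, max_per_source=4):
    """Assumed heuristic: many sources, each sending only a few SYN retries."""
    return (stats["sources"] >= min_sources
            and stats["max_per_source"] <= max_per_source)
```

Calling `summarize()` on the real syslog text gives one row per destination port; a port with many sources and only a handful of SYNs from each fits the inherited-dynamic-IP explanation better than a single host sweeping ports.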
hlrguy
02-03-2003, 12:48 AM
I went through all the Guarddog entries that I have and didn't find any ports with that number. When I see something suspicious, I just
ping -f <IP>
That usually shuts them up, as the people know I am on to them and/or their automatic firewall blocks my ports.
hlrguy
hlrguy
02-03-2003, 12:53 AM
Just went and checked your posts. As mentioned, if no one has a clue, then normally people won't post. Your nvidia only for KDE is a real poser. I only use KDE, but have nvidia, so can't help.
hlrguy
hlrguy
02-03-2003, 01:38 AM
Speaking of ports, I was retesting my firewall after playing with Guarddog this weekend, and when I press test security at
http://www.auditmypc.com/freescan/prefcan.asp?S=XYFFG2
it wants to connect to auditmypc:85
Guarddog does not have that outgoing port enabled, so it fails. I can't find out what port 85 is. Google has zero info. Anyone know what it is?
hlrguy
I am not concerned, because tests at these sites can't detect anything except Mozilla 5.0 and my IP address.
http://scan.sygate.com/
https://www.grc.com/x/ne.dll?bh0bkyd2