Have I been hacked? Strange service entries being used on the firewall.

Posted on 2007-10-04
Last Modified: 2013-11-29
Hi All,

I have recently been getting a load of messages regarding port scans on my network and also now malformed IP packets being dropped, protocol 17.

I have just looked at my firewall and run a report based on "bandwidth usage by service" and have seen something I never usually see.

At the top there is internet, email, DNS etc., all the usual stuff, but listed below all of them are a load of TCP and UDP ports as follows:
5 UDP Port 63570 (17,63570) 0.003
6 UDP Port 27545 (17,27545) 0.003
7 UDP Port 13661 (17,13661) 0.003
8 UDP Port 34103 (17,34103) 0.002
9 UDP Port 42183 (17,42183) 0.002
10 UDP Port 2632 (17,2632) 0.002
11 UDP Port 41829 (17,41829) 0.002
12 UDP Port 42188 (17,42188) 0.002
13 UDP Port 61130 (17,61130) 0.002
14 UDP Port 40384 (17,40384) 0.002
15 UDP Port 24668 (17,24668) 0.001
16 UDP Port 4484 (17,4484) 0.001
17 UDP Port 3853 (17,3853) 0.001
18 UDP Port 44023 (17,44023) 0.001

Have I been hacked? What are all these?

Please help

Question by:MisterMoleyMole
    LVL 19

    Expert Comment

    Most probably these are the result of you using some P2P application such as LimeWire or uTorrent; those could also be the result of Skype or some other VoIP application.

    Are you using those?
    LVL 27

    Expert Comment

    Port 17 could also be used in a fraggle attack:

    A similar attack to the "smurf" attack is called the "fraggle" attack, which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf". Fraggle uses User Datagram Protocol (UDP) echo packets directed at the Unix UDP services echo (port 7), chargen (port 19), daytime (port 13) and qotd (port 17).

    For both the SMURF attack and the Fraggle attack, there are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim). In other words, you can be affected in one of several ways:

        * As a victim or target of the attack
        * As a network which is abused to amplify the attack
        * As a party harboring the instigator of the attack

    Author Comment

    Thanks for the reply.

    I am using Skype on our network, so is this what's causing this? How can I double check and make sure I am not being hacked and attacked? If I am being hacked, what should I do about this? This is my first attack, so I am unaware of procedures to stop this.

    Many Thanks
    LVL 19

    Expert Comment

    "5 UDP Port 63570 (17,63570) 0.003": judging from the "0.003" it does not seem to be a hacking attempt. What is the brand of your firewall? Apparently it seems you can stop this if you block all traffic that has the source port 17.

    Author Comment

    It's a SonicWall firewall - we are heavily using Skype at the minute, so is it not that?

    LVL 19

    Accepted Solution

    Well, the thing is that Skype clients do act as STUN/TURN servers, i.e. they act as transition programs for other Skype clients, especially those behind NAT. It could be either that or something else, but I would not worry about that traffic that much: it is UDP traffic and at very low percentages. Try to monitor it over times when all the computers with Skype clients are turned off, or monitor it over a few days and check if the percentages change. But Skype definitely generates a lot of UDP traffic over random ports.

    Author Comment

    Many Thanks shakoush2001

    I will do that
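
The comparison suggested in the accepted solution, together with a check for the UDP services named in the fraggle description, can be scripted; this is an added example and not part of the original thread. It assumes the parenthesised pair in each report row is (IP protocol number, port), where 17 is the IANA protocol number for UDP, and that the last column is the share of bandwidth; the function names and the second snapshot are constructed for illustration.

```python
import re

# Rows quoted from the question (report taken while Skype was in heavy use).
# Assumption: "(17,63570)" means (IP protocol number, port) and the last
# column is that service's share of total bandwidth.
BEFORE = """\
5 UDP Port 63570 (17,63570) 0.003
6 UDP Port 27545 (17,27545) 0.003
10 UDP Port 2632 (17,2632) 0.002
17 UDP Port 3853 (17,3853) 0.001
"""
# Constructed rows standing in for a later report with Skype clients off.
AFTER = """\
1 UDP Port 19 (17,19) 0.004
2 UDP Port 27545 (17,27545) 0.001
"""

ROW = re.compile(r"^\s*\d+\s+(TCP|UDP) Port (\d+) \((\d+),(\d+)\)\s+([\d.]+)\s*$")
PROTO = {6: "TCP", 17: "UDP"}  # IANA IP protocol numbers
# UDP services the thread lists as fraggle targets
FRAGGLE_PORTS = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}

def parse_report(text):
    """Return (protocol name, port, share) tuples; reject inconsistent rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip headers and named services such as "DNS"
        name, port, proto, port2, share = m.groups()
        if PROTO.get(int(proto)) != name or port != port2:
            raise ValueError(f"inconsistent row: {line!r}")
        rows.append((name, int(port), float(share)))
    return rows

def summarize(rows):
    hits = sorted(FRAGGLE_PORTS[p] for n, p, _ in rows if n == "UDP" and p in FRAGGLE_PORTS)
    total = round(sum(s for _, _, s in rows), 4)
    return {"share": total, "ports": len(rows), "fraggle_services": hits}

def compare(before_text, after_text):
    """Summarize both snapshots and list ports still active in the second."""
    before, after = parse_report(before_text), parse_report(after_text)
    seen = {(n, p) for n, p, _ in before}
    persisting = sorted(p for n, p, _ in after if (n, p) in seen)
    return {"before": summarize(before), "after": summarize(after), "persisting_ports": persisting}

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```

Ports that persist, or a share that does not fall, once the Skype machines are off are the rows worth tracing back to an internal host in the firewall's connection log.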

