port 666 UDP activity - from my own IP!

This is an extract from my snort log:

17:54:32 eth1 - UDP 80.110.170.109 666 81.110.170.109 1026

It occurs daily, quite a few times, irregular intervals. TDS doesn't find anything!

I'm supposed to be totally stealthed ?!?

Does anyone recognise the problem or issue or solution

Even after changing IP (dynamically) it still re-occurs!

TIA

 

Hi LurkaLot,

Welcome to Wilders!!!

We may decide to move this to a more appropriate forum but first of all a couple of questions.
Be sure you are using the latest radius file with TDS when you are scanning. If you are trialling TDS, you have to manually download the radius files. You can find the latest radius file and instructions HERE.
Also, is this traffic to to port 666 incoming or outgoing. If it is outgoing, we can probably trace it to a process on your system.

HTH....

 

Port 666 can be Doom (Id Software), RAT: Peur de Rien FTP, Attack FTP, Back Construction, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, F-BackDoor, Worm.Grifin Remote Control, Uprising, Dimbus, TiVedo, MAD, Storm, Ulysses, Beast, Plateau, MaLPaYo, Dracula, Cyn, Dark Sill, InetWatch, DXM SMTP
or something innocent.

Since you run Snort, did you also have a look with Port Explorer (free trial at www.diamondcs.com.au ) ?
This will show you in a blink of the eye to which service / application is involved.
And you can block or kill the socket/process immediately.

While scanning please make sure you close all other scanners and their resident protection completely to give TDS full access to every file.
And the TDS settings, please checkmark every scan option and the wormslider on highest.

A next thing to do is at the same DiamondCS location in the products page to get the AutoStartViewer and with all options checked there create a startup log to see if there is anything suspicious.
You can send the log to support@diamondcs.com.au or post it here.

Please let us know your results.