# Computer Being Attacked Via Port 6346



## StormFlare (Jan 13, 2007)

I recently have been attacked by port 6346 earlier today and have already raked up about 35,000 intrusion attempts over the course of the day here is a sample of my firewall logs.

FWIN,2007/01/12,20:46:16 -5:00 GMT,201.208.101.18:5247,68.82.x.x:6346,UDP
FWIN,2007/01/12,20:46:16 -5:00 GMT,74.106.154.243:12800,68.82.x.x:6346,UDP
FWIN,2007/01/12,20:46:16 -5:00 GMT,71.130.87.24:2241,68.82.x.x:6346,UDP
FWIN,2007/01/12,20:46:16 -5:00 GMT,24.147.163.29:48169,68.82.x.x:6346,UDP
FWIN,2007/01/12,20:46:16 -5:00 GMT,70.16.242.197:50478,68.82.x.x:6346,UDP
FWIN,2007/01/12,20:46:16 -5:00 GMT,209.88.71.1:21755,68.82.x.x:6346,UDP
GMT,74.36.24.239:1062,68.82.x.x:6346,TCP (flags:S)
FWIN,2007/01/12,20:46:18 -5:00 

It is literally like watching a gasoline counter go up at the staggering amount of times I'm being attacked sometimes it seems like it is upwards of 1,000 hits a minute all on port 6346 by TCP or UDP protocols. I was using limewire (which I know uses this port) and I have turned it off and uninstalled it, yet the issue remains. I made the mistake of leaving it on overnight so I'm not sure if that has something to do with it. Although I set all outgoing connections to 0 so I wouldn't be uploading files to anyone when I used it. Steps I have taken so far have been.

1. Ran a complete scan with Norton Antivirus virus definitions up to date.
2. Ran HijackThis and found nothing alarming in my registry.
3. Used Adaware, Spybot, and Zonealarm Pro antispyware software (all up to date) only to find a bunch of harmless tracking cookies.
4. Used Zonealarm to block incoming and outgoing TCP and UDP connections on port 6346.

I'm really stumped at what exactly is going on here I'm thinking maybe a syn flood, but that's just my educated guess. It is just bogging down my pc terribly from all these connections and giving me a latency upwards of 4000. And yes I know using p2p programs is very bad and I guess I had to learn this the hard way unfortunately as this is probably how I got to this point in the first place . Anyhow I'd really appreciate any insight anyone could give me to rectify the problem here. Thanks in advance.


----------



## Cellus (Aug 31, 2006)

Since it's coming from Port 6346, and how you mentioned P2P, it probably has to do with using Gnutella/Limewire. Now just to be clear, we can not assist with issues regarding P2P programs.

What I can tell you to try is to, well, stop using it so it does not trigger a bot or some user to flood you. One thing to always keep in mind is that, legality aside, using P2P programs can be a security risk. This flooding is one of them. Your best bet is to unplug yourself from the Internet (if you have a router, unplug that from the Internet) and wait a good while. This way any packets being sent (whichever port they may use for this, since sometimes they tend to not use the port they're flooding with) to see if you're still alive won't reply back, and the bot/user will eventually give up.

That's about as far as I'll go with that. Lesson learned, yes?


----------



## johnwill (Sep 26, 2002)

I think we'll close this one now. :smile:


----------

