I've just started running Snort on a machine here to try and get more info about this, but I was hoping someone else might have spotted this on their systems. I've got 1 NT4 Workstation here that once a day connects to 62.49.150.165 on a high port (last time on 26957) for 3-5 minutes and passing 652 bytes (according to my PIX log), and once a day to 62.49.198.207 again on a high port (on 13826 last time) again for 3-5 minutes passing 652 bytes. I've tried connecting the second address on a couple of ports to see what would happen and I get a UDP query back on port 137 (dropped at my PIX), which seems very odd to me. Both of these addresses are assigned to Demon Internet and from a traceroute appear to be allocated for ADSL use. The connection to the first IP is always around 8:50 am, just about the time the PC is turned on, although rebooting during the day doesn't trigger it (will try cold starting later when it's free). The second connection varies (Friday was 14:44, today was 11:12) so I'm not sure what it's based on. Dan --- D.C. Crichton email: [EMAIL PROTECTED] Senior Systems Analyst tel: +44 (0)121 706 6000 Computer Manuals Ltd. fax: +44 (0)121 606 0477 Computer book info on the web: http://computer-manuals.co.uk/ Want to earn money? Join our affiliate network! http://computer-manuals.co.uk/affiliate/ - [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
