Odd router log...
 

So I logged into my router (which also houses a minimal firewall) to check out the logs of who's been scanning and who's been nice. I came across this line several times:
<font face="courier" size=-1>Saturday May 18, 18:14:03 GMT-0300 (CST) 2002 Unrecognized access from 192.168.2.34:9702 to UDP port 6970</font>
Anyone know why someone would push out an IP like that, and why they were trying to hit my wimpy little router, especially at that port?

Re: Odd router log...
 

The IP is an obvious forgery, as it's in the class C private range. I imagine there's some trojan or another operating on port 6970.

RealAudio and QuickTime 4 uses ports starting at 6970 to send incoming audio streams. But the GateCrasher trojan typically uses 6969 and 6970. See http://www.nsclean.com/psc-gc.html

Prolly somebody is trolling for open Gatecrasher servers.

...Must be one of those Windows "features" that I didn't install on Win2k server. Maybe the server toolkit will have it. :D
Thanks for the info.

On average do you people get scanned much? The theory is becase .au is one fo the first domains names (alphabetical) we cop loads of scans, i seem to average around 20 or so netbios portscans alone, and about 30 others on various common ports as well as some ICMP stuff and the occasional full 0-1024 portscan. Ah, iptables and snort, all is good =)