Odd router log...

blowmeetheclown • May 20, 2002 12:44 pm
So I logged into my router (which also houses a minimal firewall) to check out the logs of who's been scanning and who's been nice. I came across this line several times:
Saturday May 18, 18:14:03 GMT-0300 (CST) 2002 Unrecognized access from 192.168.2.34:9702 to UDP port 6970
Anyone know why someone would push out an IP like that, and why they were trying to hit my wimpy little router, especially at that port?
russotto • May 21, 2002 3:44 pm
The IP is an obvious forgery, as it's in the class C private range. I imagine there's some trojan or another operating on port 6970.
MaggieL • May 21, 2002 5:23 pm
RealAudio and QuickTime 4 use ports starting at 6970 to send incoming audio streams. But the GateCrasher trojan typically uses 6969 and 6970. See http://www.nsclean.com/psc-gc.html

Prolly somebody is trolling for open Gatecrasher servers.
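A triage sketch for the log format quoted in the first post, added here as an example and not written by anyone in the thread: it parses "Unrecognized access" lines, flags RFC 1918 source addresses, attaches the port notes given in the replies above, and counts repeats. The function names and all sample lines except the first are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges: never routed on the public Internet, so a WAN-side packet
# carrying one is either forged or comes from a directly attached private net.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Port notes limited to what the thread states.
PORT_NOTES = {
    6969: "GateCrasher trojan",
    6970: "RealAudio/QuickTime 4 streams; GateCrasher trojan",
}

LINE_RE = re.compile(
    r"Unrecognized access from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
    r" to (?P<proto>UDP|TCP) port (?P<dport>\d+)")

def parse_line(line):
    """Return a dict for one 'Unrecognized access' entry, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:  # e.g. an octet above 255 in a corrupted line
        return None
    dport = int(m["dport"])
    return {"src": str(src), "proto": m["proto"], "dport": dport,
            "private_src": any(src in net for net in RFC1918),
            "note": PORT_NOTES.get(dport, "")}

def summarize(lines):
    """Count hits per (source, protocol, destination port)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[(rec["src"], rec["proto"], rec["dport"])] += 1
    return hits

# First line is from the original post; the rest are constructed samples.
SAMPLE_LOG = [
    "Saturday May 18, 18:14:03 GMT-0300 (CST) 2002 Unrecognized access from 192.168.2.34:9702 to UDP port 6970",
    "Saturday May 18, 18:14:09 GMT-0300 (CST) 2002 Unrecognized access from 192.168.2.34:9702 to UDP port 6970",
    "Saturday May 18, 19:02:51 GMT-0300 (CST) 2002 Unrecognized access from 203.0.113.7:4021 to TCP port 6969",
    "Saturday May 18, 19:03:10 GMT-0300 (CST) 2002 Unrecognized access from 999.1.1.1:80 to TCP port 6970",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, key)
```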
blowmeetheclown • May 22, 2002 11:12 am
Originally posted by MaggieL
Prolly somebody is trolling for open Gatecrasher servers.
...Must be one of those Windows "features" that I didn't install on Win2k server. Maybe the server toolkit will have it. :D
Thanks for the info.
jaguar • May 29, 2002 2:48 am
On average do you people get scanned much? The theory is because .au is one of the first domain names (alphabetical) we cop loads of scans, I seem to average around 20 or so netbios portscans alone, and about 30 others on various common ports as well as some ICMP stuff and the occasional full 0-1024 portscan. Ah, iptables and snort, all is good =)