|
|
#1
01-03-2015, 07:39 AM
|
|||
|
Weird UDP Spam from Rogeans IP
so i am getting really weird Firewall Spam on port 6000 from the IP 108.61.129.178
http://i.imgur.com/KWrB4Yr.png IP Adress seems to be connected to Rogean: http://myip.ms/view/ip_addresses/181...108.61.129.191 I am currently NOT running P99 and this spam has been going on for a while now trying to connect. This is kind of worrying me reading about rootkit accusations of the .dll in the past. | ||
|
|||
|
#2
01-03-2015, 07:50 AM
|
|||
|
Check if there is an instance of eqgame.exe running in your process list. I'm not at home so I can't compare that udp request to packet captures with Wireshark while playing, but that is something else you could do in your investigating.
| ||
|
|
|||
|
#3
01-03-2015, 07:54 AM
|
|||
|
no eqgame.exe running, i re-connected the DSL and got a new IP adress, Spam has now stopped. I did play on PEQ this morning and payed a visit to the new Alkabor.
I had now logged to char select in p99 to see if port 6000 is getting spammed again, so far not. | ||
|
|
|||
|
#4
01-03-2015, 08:07 AM
|
|||
|
When playing the game there is a constant stream of UDP packets coming and going, they start the second you attempt to connect from login screen. Download the program wireshark (it's free, find it on google) and you can see the packets in real time. Establish a baseline when playing, then you can determine if what you saw was suspicious. It could just be that the server didn't realize you were disconnected and was still trying to send you information, hard to know without specific knowledge of the situation.
| ||
|
|
|||
|
#6
01-03-2015, 08:17 AM
|
|||
|
Do not assume that's what is happening here. First establish a baseline of normal behavior. Then see if you can replicate the issue you had here. Waiting for alerts on your firewall is not the same as monitoring network activity and it is more likely an issue of a false positive on the firewall than an actual security concern.
| ||
|
|
|||
|
#7
01-03-2015, 08:41 AM
|
|||
|
no i do not, i just looked through my logs again and this is what my Firewall Summary looks like JUST for today (the most! i did today was logging onto p99 char selection after i saw all those drops)
181307 dropped Packets just today. i really tend to favor this is a bug on the eqemu server side [You must be logged in to view images. Log in or Register.] | ||
|
|
|||
|
#9
01-03-2015, 11:23 PM
|
|||
|
178 is an IP Address controlled by Akkadius. That server specifically handles traffic for the Alkabor / EQMac server.
179 is an IP Address controlled by PEQ, and specifically handles their game traffic.
__________________
| ||
|
Last edited by Rogean; 01-03-2015 at 11:28 PM..
|
|
||
|
#10
01-04-2015, 12:48 AM
|
|||
|
I just investigated and those are keepalive packets it is sending from the loginserver. Basically connections are not being cleaned up properly and being held indefinitely.
I'm going through the EQMac emu code and will try and fix this up tonight. Apologies if it's bothering you! Do you see any dropped packets from 9000, 7000-7999 as well?
__________________
Engineer of Things and Stuff, Wearer of Many Hats
“Knowing yourself is the beginning of all wisdom.” — Aristotle | ||
|
Last edited by Secrets; 01-04-2015 at 12:51 AM..
|
|
||
 |
|
|
Linear Mode
