false portscan alarm

I regularly receive notifications from my personal firewall about port scanning done by

formatting link
This is the information from my log

2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734, 1733, 1168, 1165)
2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056, 2052, 2058, 2050)

Does it mean that Microsoft is trying to hack me? :-) What is the reason for that traffic?

regards M

Reply to
mikahan

No, just that your "personal firewall" displays nonsense. Which is, well, exactly what it's supposed to do, so why don't you expect it to actually do so?

Is your PFW screwing up your network badly? Is it your PFW's pure imagination? Dunno; those messages are utterly useless, and you don't have any useful tool to even produce real-world data.

Reply to
Sebastian Gottschalk

No, microsoft.com is 207.46.130.108/207.46.250.119.

207.46.18.30 is wwwbaytest5.microsoft.com

Looking up those ports at

formatting link
(example)

would seem to indicate wwwbaytest5.microsoft.com has some malware hunting for more exploitable systems.

Reply to
Bit Twister

Bit wrote on Tue, 17 Oct 2006 09:58:38 -0500:

Which is just one of a large cluster of servers running

formatting link

Or those packets are simply responses to connections initiated from the user end and closed prematurely. For instance, the user opened a browser to

formatting link
and it took a while for the MS server to respond, and the browser and/or the "personal firewall" had decided to close those ports prematurely. Each of those "port scans" could be a response to a request for various files used by a web page - images, scripts, etc - which each have a local source port above 1024 opened outgoing to port 80 on the web server, so the response data will come back to those source ports.

This is just the usual sort of completely harmless and normal activity that these so called "personal firewalls" like to warn people about when there is absolutely no reason to. It breeds fear in the computer illiterate, encouraging them to spend money on more "personal security" products, which is probably one of the reasons that these "personal firewalls" spew this rubbish.

Dan

Reply to
Spack
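Dan's explanation above amounts to a test a practitioner can actually run: if every "scanned" port is in the host's own dynamic source-port range and the host had just opened connections from exactly those ports to the "scanner", the alert is a late reply, not a probe. The block below is an added example and not code from the original thread; it parses alert lines in the format of the original post plus a constructed netstat-style record of outbound connections, and it assumes a Windows XP-era dynamic port range of 1025-5000 and a five-minute correlation window. The third alert and the outbound records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall alerts in the format of the post; the first two
# reproduce the posted entries, the third is a made-up probe of service ports.
FIREWALL_ALERTS = """\
2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734, 1733, 1168, 1165)
2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056, 2052, 2058, 2050)
2006-09-12 09:25 port scan from 10.9.8.7 TCP (21, 22, 23, 25, 80, 135)
"""

# Constructed record of the host's own outbound connections (netstat-style),
# assumed to have been logged a minute before the alerts. The last line is a
# decoy: same local port as an alert, but to a different remote host.
OUTBOUND = """\
2006-09-12 09:19 TCP 192.168.1.10:1700 -> 207.46.18.30:80
2006-09-12 09:19 TCP 192.168.1.10:1730 -> 207.46.18.30:80
2006-09-12 09:19 TCP 192.168.1.10:1734 -> 207.46.18.30:80
2006-09-12 09:19 TCP 192.168.1.10:1733 -> 207.46.18.30:80
2006-09-12 09:19 TCP 192.168.1.10:1168 -> 207.46.18.30:80
2006-09-12 09:19 TCP 192.168.1.10:1165 -> 207.46.18.30:80
2006-09-12 09:19 TCP 192.168.1.10:2054 -> 10.1.1.1:80
"""

ALERT_RE = re.compile(r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) port scan from "
                      r"(?P<src>[\d.]+) (?P<proto>TCP|UDP) \((?P<ports>[\d, ]+)\)")
CONN_RE = re.compile(r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) TCP [\d.]+:(?P<lport>\d+) "
                     r"-> (?P<rip>[\d.]+):(?P<rport>\d+)")

# Assumed dynamic (ephemeral) source-port range of a Windows XP-era host.
EPHEMERAL = range(1025, 5001)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_alerts(text):
    """Return one dict per 'port scan' alert line: time, claimed scanner, ports hit."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append({"ts": _ts(m["ts"]), "src": m["src"],
                        "ports": [int(p) for p in m["ports"].split(",")]})
    return out


def parse_connections(text):
    """Return one dict per outbound TCP connection: time, local port, remote ip/port."""
    out = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            out.append({"ts": _ts(m["ts"]), "lport": int(m["lport"]),
                        "rip": m["rip"], "rport": int(m["rport"])})
    return out


def classify(alert, conns, window=timedelta(minutes=5)):
    """Decide whether an alert looks like a real probe or like late replies to our own traffic."""
    # A scan touching service ports (below the dynamic range) is a genuine probe.
    if any(p not in EPHEMERAL for p in alert["ports"]):
        return "probe"
    # Otherwise look for our own recent connections to the "scanner" from exactly those ports.
    matched = {c["lport"] for c in conns
               if c["rip"] == alert["src"] and c["lport"] in alert["ports"]
               and timedelta(0) <= alert["ts"] - c["ts"] <= window}
    if matched == set(alert["ports"]):
        return "stale-response"        # every port was one we opened to that host: harmless
    if matched:
        return "partly-explained"      # some ports explained; look at the rest
    return "unexplained-ephemeral"     # dynamic ports only, no matching connection: capture it


def triage(alert_text, conn_text):
    conns = parse_connections(conn_text)
    return [(a["src"], a["ports"], classify(a, conns)) for a in parse_alerts(alert_text)]


if __name__ == "__main__":
    for src, ports, verdict in triage(FIREWALL_ALERTS, OUTBOUND):
        print(f"{src:15} {verdict:22} {ports}")
```

The "unexplained-ephemeral" verdict is deliberately not "attack": a personal firewall log that records only the ports gives no way to distinguish a stray reply from a probe of the dynamic range, which is why the later posts in this thread ask for packet traces before drawing conclusions.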

Spack wrote:

OK, thanks.

Reply to
mikahan

I would disagree with your explanation since I have no firewall, and don't connect to MS, and yesterday I was receiving UDP packets from the same range of addresses ( 207.46.18.xx). Today I have received UDP packets from 204.16.208.74.

Either the explanation that 'wwwbaytest5.microsoft.com has some malware hunting for more exploitable systems' is correct, or they have managed to spoof the IP address.

Geo

Reply to
"GEO" Me

GEO wrote on Wed, 18 Oct 2006 13:47:10 GMT:

You have nothing connecting to MS at all? No windows machine with automatic updates enabled? No MSN messenger? Windows Messenger? Looks like some recent UDP packets from that IP have been MSN/Windows messenger spam (which is possible as normal chat messages are sent via the MS Messenger proxy servers, which this IP could also be a member of), but without more information (like packet traces for instance) everything is just speculation.

Dan

Reply to
Spack

GEO wrote on Wed, 18 Oct 2006 13:47:10 GMT:

I've had a dig through my own PIX logs, and while there is nothing for today or yesterday, I am seeing UDP packets from IPs in the same range in earlier logs. Something strange is going on here, as at least one of those IPs belongs to a Windows NT4 server, so it definitely doesn't have anything installed that would talk to MS, and one is to an IP that has all outbound access denied except to one IP in the PIX DMZ, so it could never initiate a connection to anywhere on the internet.

I need to go and rebuild my honeypot/sniffer machine and get it back outside my firewall so I can capture a few of these packets.

Dan

Reply to
Spack

Destination port?

The usual problem is windoze messenger spam sent to ports 1025-1035, and usually consists of a single packet of 400 to 1200 octets, with a bogus message claiming to come from your system and reporting registry corruption or similar. It has a URL to some idiot's web site unrelated to microsoft, though the name may include the character strings 'window' and/or 'registry'. There's an article cross-posted to comp.security.misc and alt.computer.security yesterday that is complaining about this very problem. Invariably, the source IP address is faked (a real address isn't needed for this service, as one-way delivery of the spam is all that is desired). If you look at the actual packet headers, there are several obvious clues that the packet source is faked, especially if you compare other similar packets received in the same general timeframe. Such things as TTL, sequence numbers, and source port numbers often give it away, as do source IP addresses that haven't even been delegated by IANA, and therefore can't exist.

Spoofing UDP is _very_ common.

Old guy

Reply to
Moe Trin
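Moe Trin's checklist above (Messenger ports 1025-1035, a single 400-1200 octet packet, a registry/window lure URL, and header clues such as inconsistent TTLs, reused source ports and undelegated source addresses) can be turned into a small triage script for the UDP packets Dan and Geo were seeing. The block below is an added example, not code from the thread: the packet summaries, the lure text and its URL are constructed, and "not delegated by IANA" is approximated by the `ipaddress` module's notion of a non-global address, which is an assumption that catches reserved, private and documentation ranges rather than consulting current IANA allocations. Only the TTL and source-port header clues are implemented, since those are the ones that can be checked on UDP summaries.

```python
import ipaddress
from collections import defaultdict

# Destination ports the Windows Messenger service listened on (per the post).
MESSENGER_PORTS = range(1025, 1036)

# Constructed lure text, padded to the 400-1200 octet size the post describes.
# The URL is a placeholder, not a real site.
SPAM_BODY = (b"SYSTEM ALERT: Windows registry corruption detected on your system. "
             b"Download the repair tool at http://fix-registry.example/ now.").ljust(520, b" ")

# Constructed UDP packet summaries (what a sniffer outside the firewall would record).
# The first two claim the Microsoft address from the thread with incompatible TTLs;
# the third claims a source in reserved space 240.0.0.0/4; the fourth is an ordinary DNS reply.
PACKETS = [
    {"src": "207.46.18.30", "sport": 6347, "dport": 1026, "ttl": 49,  "payload": SPAM_BODY},
    {"src": "207.46.18.30", "sport": 6347, "dport": 1027, "ttl": 117, "payload": SPAM_BODY},
    {"src": "240.1.2.3",    "sport": 6347, "dport": 1026, "ttl": 49,  "payload": SPAM_BODY},
    {"src": "8.8.8.8",      "sport": 53,   "dport": 3001, "ttl": 55,  "payload": b"\x00" * 80},
]


def packet_indicators(pkt):
    """Per-packet clues: Messenger port, spam-sized payload, registry lure, bogon source."""
    reasons = []
    if pkt["dport"] in MESSENGER_PORTS:
        reasons.append("messenger-port")
    if 400 <= len(pkt["payload"]) <= 1200:
        reasons.append("spam-sized")
    body = pkt["payload"].lower()
    if b"http://" in body and (b"registry" in body or b"window" in body):
        reasons.append("registry-lure")
    # Assumed approximation of "not delegated by IANA": anything the ipaddress module
    # does not consider globally routable (reserved, private, documentation ranges, ...).
    if not ipaddress.ip_address(pkt["src"]).is_global:
        reasons.append("bogon-source")
    return reasons


def cross_packet_indicators(packets, max_ttl_spread=8):
    """Clues that need comparison across packets: TTL jumps for one claimed source, and one
    source port reused by several claimed sources (one sender forging many addresses)."""
    ttls, sources_by_sport = defaultdict(set), defaultdict(set)
    for p in packets:
        ttls[p["src"]].add(p["ttl"])
        sources_by_sport[p["sport"]].add(p["src"])
    out = []
    for p in packets:
        r = []
        if max(ttls[p["src"]]) - min(ttls[p["src"]]) > max_ttl_spread:
            r.append("ttl-mismatch")
        if len(sources_by_sport[p["sport"]]) > 1:
            r.append("shared-source-port")
        out.append(r)
    return out


def analyze(packets):
    """Combine per-packet and cross-packet clues, one reason list per input packet."""
    return [packet_indicators(p) + c for p, c in zip(packets, cross_packet_indicators(packets))]


def likely_spoofed_spam(reasons):
    # Messenger port plus at least two more clues: treat the source address as forged,
    # i.e. not as evidence against the claimed owner of the IP.
    return "messenger-port" in reasons and len(reasons) >= 3


if __name__ == "__main__":
    for p, r in zip(PACKETS, analyze(PACKETS)):
        print(f"{p['src']:14} -> udp/{p['dport']:<5} spoofed-spam={likely_spoofed_spam(r)!s:5} {r}")
```

The TTL check is the one worth remembering: two packets that genuinely left the same host and took the same route arrive with the same TTL, so a spread of dozens of hops under a single claimed source address means at least one of them did not come from there.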

Right. See Ibuprofin's explanation.

I use Windows 3.1, it does not even know what is this Messenger thing. Updates? What's that?

Geo

Reply to
"GEO" Me

I should have re-posted the explanation you gave me a few weeks (months?) ago. :)

1026, 1027, the usual.

Geo

Reply to
"GEO" Me

Sweet Mother Of... well, at least it was the most network secure version of windoze out of the box. What _are_ you using instead, Trumpet Winsock?

You have a point there. If I recall correctly, the only updates were incorporated quietly into the releases. I don't off hand even remember back-ports or updates to existing installations. But then, how would you even obtain them? Dial in with Windoze Terminal to your favorite BBS?

Old guy

Reply to
Moe Trin

Trumpet Winsock version 2.0 revision B. It looked as if version 3 might stop working after 30 days, so I kept version 2.0. Under 'Trace' it has some options that give me an idea of what is involved in the communication. Peter Tattam wrote a nice little program.

Since Windows 3.1 did not try so hard to be everything to everybody it did not include so many programs, and I guess it was designed with a single, isolated, user in mind.

Terminal? There is a very nice program called Procomm Plus version 2.1 for Windows 3.1. I know there is a version for Windows 95, and I believe it even had a DOS version.

Geo

Reply to
"GEO" Me

Oh, my! How old is _that_ stuff?

It certainly was single user, and as I recall, it was also single tasking. You could have several applications open (I think) but I'm pretty sure only one was actually running at a time. I vaguely remember that it was only six or seven high density floppies - call it 8 Megs max.

PRCM243.ARC 03-17-89 PROCOMM VER 2.4.3, ADDS YMODEM G PROTOCOL 142848

That's off a BBS directory listing. Version 2.4.2 was being used in the fall of 1987, but wasn't available when this listing was made. I'm sure that _somewhere_ in the garage, there is a box with a manual and the single floppy it came on. Procomm was one of the standards of the era.

Old guy

Reply to
Moe Trin

Apologies for the delay in replying.

'Copyright 1993,1994 by Peter R. Tattam'

Old? May be a little. :) Does 'aged' sound better?

I am still impressed by the good design of the version I am using. I have also used it to send and receive faxes. But I was left with the impression that faxes went faster when sent using a DOS program.

Geo

Reply to
"GEO" Me

I never got a chance to play with it, as I'd dumped windoze entirely by that time. I had very limited exposure to a package called Chameleon, mainly because a neighbor worked for them.

That's entirely possible. The "image" of an 8 x 11 page is something like 2 megapixels, and this is normally compressed by software before being sent over the wire (remember, few fax machines did better than 14.4 BPS which is why the original fax transmission speed was measured in minutes). The compression algorithms seem to be quite efficient (I see figures as high as 20:1 compression), but that's going to take CPU cycles. If your CPU is already busy drawing pictures on the screen, something has to be slow.

Old guy

Reply to
Moe Trin
