UDP to port 1027

Hello.

I asked a related question in comp.security.misc. Now I see that the UDP packet I keep on receiving is going to ports 1026 or 1027. It does include an address to a page

formatting link
that offers to download a patch for some versions of Windows from a different page, not a MS page. What is port 1027 used for? I don't find any mention of it being used for anything in particular.

Please set follow-up to the most appropiate group.

Thanks Geo

PS: The ping from 204.23.212.191 might have come from a compromised computer not related to this packet.

Reply to
"GEO" Me

For anything you're implementing. There is no close relationship between port number and usage.

There only are _recommendations_ which ports to use for what.

Port UDP/1027 sometimes is used for ICQ. And usually client side processes are using ports beyond 1024.

Yours, VB.

Reply to
Volker Birk

On Windows machines the ports shortly above 1024 are usually used for certain RPC-implemented services like Task Scheduler and Netsend Messaging. However, this only applies to TCP, so I guess those fools have some misconception.

Eh, shouldn't you do that? But well, fup2csf

Reply to
Sebastian Gottschalk

They must be targeting something running in one of the systems for which they offer the 'patch':

This Security Fix is compatible with the following Microsoft® Windows® Systems:

Microsoft Windows XP, Microsoft Windows NT Workstation, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows Server 2003

Thanks Geo

Reply to
"GEO" Me

Those UDP packets seem to try to link to some service like ICQ and display a message warning of a 'system alert-virus infection' and provide a link to a site that will provide a patch for *only* $19.95. I thought that there might be a newer standard that included port 1027.

I'll have to learn how to read the headers to see if I can figure out what it is trying to access.

Thank you.

Geo

PS: Hexadecimal converted to ASCII by hand using the table found in . There must be an easier way to do it.

Reply to
"GEO" Me

This is just Messenger spam. It's extremely common and has been going on for ages. They are trying to get packets thru that pop up little ads on your desktop via the Messenger service running on your machine. Just let your firewall block the incoming UDP packets and don't worry about it. It's pure noise..

Reply to
Kerodo

Which rock have you been hiding under for the past eight years? That is ordinary windoze messenger spam, because you haven't blocked it (we port shift _outgoing_ UDP, which is generally DNS queries, such that the source port is not in the 1025 to ~1075 range, allowing our upstream to silently discard incoming to that range). You should also disable this "feature" in your windoze setup - I have no idea how, as I got rid of that crap in 1992. Do a google search for 'messenger spam' and you'll find instructions from microsoft on how to disable it, as well as Eleventy-Zillion programs you can purchase for only $20 or so that claim to block it.

Don't bother trying to reject (ICMP Error) the packets. The last time I bothered to look at these packets, it was QUITE OBVIOUS that the source address was forged (TTLs wrong, and in about 4% of the cases, the claimed source address had not been released by IANA, never mind assigned to some entity by a Regional Internet Registry like ARIN, RIPE, or APNIC). The forged source addresses seem to be generated by a poorly written random number generator script.

The web pages were generally at newly registered domains, but actually hosted by well-known spam service centers in the Portland (OR.us) to Vancouver (BC.ca), Chicago, or New York City metropolitan areas.

Following the others - set to c.s.f

Not enough information. Oh, wait - that's the posting where you are "using Trumpet on Windows 3.1". I guess that explains why you haven't noticed messenger spam before, but it really is a "feature" that microsoft adopted more than fifteen years after the UNIX version, and as usual without bothering to look at the preceding experience and thus know that it's a massive abuse problem waiting to happen. Oh, and 'ping' is not UDP, but rather a function in ICMP. Real pings have not been an exploit since the "Ping of Death" that targeted the incompetently written network stack in the first three versions of windoze-9x.

I suspect your use of the word "ping" here is incorrect, and you are actually referring to the UDP messenger spam. That being the case, the address is almost certainly forged.

Old guy

Reply to
Moe Trin

Thank you. As I don't have Messenger on my Windows 3.1, I'll just ignore them.

This Messenger stuff reminds me of the idea of letting the fridge call the store when I run out of milk.

Geo

Reply to
"GEO" Me

Rock? Actually a shell. On a dial-up connection that connected to a Unix shell (at least that's how I understood it). Now we have to use PAP for authentication, so I had to start using Trumpet.

Messenger ... 'a "feature" that microsoft adopted more than fifteen years after the UNIX version, and as usual without bothering to look at the preceding experience'. Interesting, I didn't know it had a history.

I said ping because on the trace log of Trumpet I see a record such as:

1 IP 203.156.76.77 ->My address len 908 prot 17
0 IP My address ->203.156.76.77 len 56 prot 1

and since I had not connected to this address I assumed that it must be a computer trying to do something to mine. Is it not a ping?

"Ping of Death"? I better do some more reading before I move to Win 95 - probably after the next version of Windows comes out :))

Thank you very much for an interesting reply.

Geo

Reply to
"GEO" Me

Actually, if we are going to talk about ICMP at all, I have seen folks recommend 'dropping' instead of 'rejecting' ICMP Error packets (except types 3 4 5 and 11) for several reasons:

  1. to prevent source quench (TCP has its own methods for dealing with congestion knowing that TCP/IP allows for 1:1 'ICMP reply' to 'normal packet' ratio anyway)
  2. to prevent redirection or performance degradation (fragmentation, DF bit set...)
  3. to prevent return info being sent back to host in the event of a scan (which has been fairly proven this is not, but bears mentioning)

Modern BSD's and Linuxes and the like are prepared to deal with most of this, but... not sure if Windows is... in this case, specifically... ummm Trumpet 3.1. -yikes-

But I would like to look at these packets too, like you guys have!

Setting up a new box over the weekend, I was curious to see how my homebrew tunneled SSL HA syslog server was hanging in there, and noticed these same ports in the logfile... figured if it was being taken care of now, no big deal, I can always check them out later. Very interested to see for myself the same things you have, Moe.

jcj

Reply to
Jay C. James

Now this is pretty wrong. Not only that ECN creates certain problems with incompatible network hardware (e.g. firewalls not properly ignoring ECN), even in combination with TCP congestion avoidance it's no suitable replacement, but rather an addition to source quench signaling.

Hm... dropping ICMP Redirects is pretty good, but which applications have performance issues? Even good'ol Windows 2000 has pretty few CPU issues with dealing a full 100 MBit/s stream of both small MTU (68 bytes ) and sparse fragments (90%), about 40% on a 1.4 GHz Athlon. WinXP performs even better, and the common Unices don't have any problems as well.

Reply to
Sebastian Gottschalk

I was not referring to ECN at all there, but that is an interesting thing you bring up. Not everyone uses ECN. I was referring to ICMP in general.

I should have specified TCP connection performance degradation and not application performance degradation! Sorry.

In reference to TCP performance degradation, there is potential to reset a TCP connection using 65536 ICMP packets. How's that for degradation :) and that's just to start, without even covering spoofed ICMP 3 and 4 messages and how they could mess with an existing connection.

Reply to
Jay C. James

Sorry, but it seems like you're serious about TCP congestion behaviour only. Well, it works, but it adapts only slowly and not pretty efficient, whereas the other mechanisms including source quench permit an immediate signaling.

I wonder where you've been the last years... such issues have already been addressed in most implementations.

Reply to
Sebastian Gottschalk

[compton ~]$ whatis talk talkd
talk (1)             - talk to another user
talkd (8)            - remote user communication server
[compton ~]$ grep talk /etc/services
talk            517/udp         # BSD talkd(8)
ntalk           518/udp         # SunOS talkd(8)
[compton ~]$ grep -wE '(1|17)' /etc/protocols
icmp    1       ICMP            # internet control message protocol
udp     17      UDP             # user datagram protocol
[compton ~]$

You probably don't have that file - go to

formatting link
and discover that there are about 140 different protocols that can be in an IP packet.

So, the log claims that some dial-up host on Jasmine Internet in Bangkok Thailand sent a packet of 908 octets with a protocol of 17. Your host then sent a packet to that host of protocol 1, which is ICMP - probably an ICMP Type 3 Code 3 (Port Unreachable) because nothing is listening on the port that the original packet was sent to.

Protocol 17 is UDP. Lessee, a len of 908... Probably a Security Bulletin directing you to go to some spammers website where FOR ONLY US$29.95 plus shipping and handling, you can get some software that installs spyware for you.

Or was it the shorter message (with padding) that claims "STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION" and the next line says "Windows has found $RANDOM_NUMBER Critical System Errors." (where $RANDOM_NUMBER is some value between 50 and 125).

I don't know if they ever fixed the problem in 95. Yeah, the l33t d00dZ found it great fun to send an oversized ping to a windoze box on the net and watch it curl up and die. That was a major reason that people began blocking first ping, then all forms of ICMP.

Old guy

Reply to
Moe Trin

Thank you for the reference. I was wondering if those numbers after 'prot' meant 'protocol', now I also know where to look them up.

Correct!! I thought it looked suspicious that the same site also offered to sell a 'Pop-Up creator for your web site'.

I guess I'll step carefully when I upgrade. Some of the other messages which I was referring to, but did not have a copy of at hand, were like this:

1 IP 4.79.142.202 ->My address len 602 prot 6
0 IP My address ->4.79.142.202 len 40 prot 6

Would that be a ping?

These other short ones seem to be targeting something else (?):

1 IP 4.79.142.201 ->My address len 78 prot 17
Undelivered UDP UDP 8902->137
50 96 9D 00 10 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01
0 IP My address ->4.79.142.201 len 56 prot 1

Thanks again. Geo

Reply to
"GEO" Me

People seem to forget that there really isn't this benevolent entity out on the net that looks after your computer, and informs you when something is wrong. Microsoft does not send security bulletins to every windoze user in the world, any more than any other company. The only ones doing it are the spammers, who can also get you a deal on these blue pills for your computer.

Just curious - why are you using this old stuff? Especially in the windoze world, there are more exploits out there than trees in Canada.

[compton ~]$ grep 6 /etc/protocols
tcp     6       TCP             # transmission control protocol
[compton ~]$

Not enough information - both TCP and UDP use port numbers - think of it as room numbers in a commercial building. Room 80 has web services, room 25 has inter-server mail, 109, 110, and/or 143 have local mail delivery, and so on. Thing is, just because someone tried to connect to port X only means that they expected to find some specific service there. If you were looking to send mail to some remote system, you'd try to connect to port 25 there, because that is where the "well-known" service should reside. On the other hand, there is no law that requires that service to be on port 25, just as there is no law that says that port 25 _MUST_ be used for that purpose only. See
formatting link
the official list.

While this is lacking information, all that can be said it that the first packet is from

formatting link
- the website of Gibson Research (a company that some claim to be run by a charlatan - others think he knows something). The packet is _probably_ part of a conversation - there were packets opening the conversation before this, and there should be more following. That's a guess based on the size of the packet. The second packet is probably an ACK (yes, I received this). See RFC1180

1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991. (Format: TXT=65494 bytes) (Status: INFORMATIONAL)

Some undefined host also at Gibson Research (client.grc.com) asking if you want to share. UDP 137 is Netbios Nameservice. Were you running a test at "Shields Up" or merely connecting to the website?

Old guy

Reply to
Moe Trin
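One way to do by machine what Geo did by hand earlier (hex-to-ASCII with a table) and what Moe walks through in the last two replies (reading the 'prot' numbers, the 56-octet ICMP reply, and the UDP 137 dump): an added Python example, not code from the thread or from Trumpet. It assumes Trumpet's trace format is exactly as quoted above (the "My address" placeholder included) and that the first number after the port pair on the 'Undelivered UDP' line is a decimal byte count; the sample records are reconstructed copies of the ones Geo posted. The NetBIOS name decoding follows the first-level encoding of RFC 1001/1002, which is why the "CKAAAA..." string in the dump comes out as the wildcard name "*".

```python
"""Decode the Trumpet trace lines quoted in this thread.

Added example, not code from the thread or from Trumpet. Sample records are
reconstructed copies of the ones Geo posted; "My address" is his placeholder.
"""
import re

# Excerpt of /etc/protocols (the file Moe grep'd); others are reported by number.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

LINE_RE = re.compile(
    r"^(?P<flag>[01]) IP (?P<src>My address|\S+) ->(?P<dst>My address|\S+) "
    r"len (?P<length>\d+) prot (?P<proto>\d+)"
)

# An ICMP error such as type 3 code 3 (port unreachable), sent without IP
# options, is 20 (IP) + 8 (ICMP) + 20 (quoted IP header) + 8 (first octets of
# the offending datagram) = 56 octets, the 'len 56' seen in the thread.
ICMP_ERROR_LEN = 20 + 8 + 20 + 8
TCP_BARE_LEN = 20 + 20  # IP header + option-less TCP header, e.g. a lone ACK


def parse_trace_line(line):
    """Return direction, addresses, length and protocol name for one record."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a trace record: {line!r}")
    proto = int(m["proto"])
    return {
        # Direction is inferred from the addresses, not from the leading digit.
        "direction": "in" if m["dst"] == "My address" else "out",
        "src": m["src"], "dst": m["dst"],
        "length": int(m["length"]),
        "proto": PROTOCOLS.get(proto, f"proto {proto}"),
    }


def classify_pair(inbound, outbound):
    """Describe an unsolicited packet and the reply this host sent back."""
    if (inbound["direction"], outbound["direction"]) != ("in", "out"):
        return "not an inbound/outbound pair"
    if (inbound["proto"] == "UDP" and outbound["proto"] == "ICMP"
            and outbound["length"] == ICMP_ERROR_LEN):
        return "UDP to a closed port; reply is ICMP error sized (most likely port unreachable)"
    if (inbound["proto"] == "TCP" and outbound["proto"] == "TCP"
            and outbound["length"] == TCP_BARE_LEN):
        return "TCP segment answered with a header-only segment (ACK or RST)"
    return "unclassified"


def udp_payload_from_dump(trace_line):
    """Extract (sport, dport, payload) from an 'Undelivered UDP' record."""
    _, _, rest = trace_line.partition("Undelivered UDP ")
    tokens = rest.split()            # ['UDP', '8902->137', '50', '96', ...]
    sport, dport = (int(p) for p in tokens[1].split("->"))
    hex_tokens = tokens[2:]
    # Assumption about Trumpet's format: a leading decimal token equal to the
    # number of hex octets that follow is a byte count, not data.
    if hex_tokens and hex_tokens[0].isdigit() and int(hex_tokens[0]) == len(hex_tokens) - 1:
        hex_tokens = hex_tokens[1:]
    return sport, dport, bytes.fromhex(" ".join(hex_tokens))


def decode_nbns_name(encoded):
    """Undo RFC 1001 first-level encoding: each octet travels as two letters,
    'A' + high nibble and 'A' + low nibble, so 16 octets become 32 letters."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15]             # the 16th octet is the NetBIOS suffix


NBNS_QTYPES = {0x20: "NB (name query)", 0x21: "NBSTAT (node status request)"}


def parse_nbns_query(payload):
    """Parse a single-label NetBIOS name-service question (no scope ID)."""
    txid, flags, qdcount = (int.from_bytes(payload[i:i + 2], "big") for i in (0, 2, 4))
    name_len = payload[12]
    encoded = payload[13:13 + name_len].decode("ascii")
    pos = 13 + name_len
    if payload[pos] != 0:
        raise ValueError("scoped NetBIOS names are not handled here")
    qtype, qclass = (int.from_bytes(payload[pos + 1 + i:pos + 3 + i], "big") for i in (0, 2))
    name, suffix = decode_nbns_name(encoded)
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "broadcast": bool(flags & 0x0010), "qdcount": qdcount,
            "name": name, "suffix": suffix,
            "qtype": NBNS_QTYPES.get(qtype, hex(qtype)), "qclass": qclass}


# Constructed copies of the records quoted in the thread.
UDP_PAIR = ("1 IP 203.156.76.77 ->My address len 908 prot 17",
            "0 IP My address ->203.156.76.77 len 56 prot 1")
TCP_PAIR = ("1 IP 4.79.142.202 ->My address len 602 prot 6",
            "0 IP My address ->4.79.142.202 len 40 prot 6")
NBNS_DUMP = ("1 IP 4.79.142.201 ->My address len 78 prot 17 Undelivered UDP "
             "UDP 8902->137 50 96 9D 00 10 00 01 00 00 00 00 00 00 20 43 4B "
             + " ".join(["41"] * 30) + " 00 00 21 00 01")


def analyse_dump(trace_line=NBNS_DUMP):
    """Tie the pieces together for the UDP 137 record."""
    rec = parse_trace_line(trace_line)
    sport, dport, payload = udp_payload_from_dump(trace_line)
    # IP header (20) + UDP header (8) + payload must equal the 'len' field.
    if rec["length"] != 28 + len(payload):
        raise ValueError("dump length disagrees with the len field")
    q = parse_nbns_query(payload)
    q.update(sport=sport, dport=dport, proto=rec["proto"])
    return q


if __name__ == "__main__":
    for pair in (UDP_PAIR, TCP_PAIR):
        a, b = (parse_trace_line(rec) for rec in pair)
        print(a["proto"], "->", b["proto"], ":", classify_pair(a, b))
    print(analyse_dump())
```

Run as a script it classifies the two packet pairs and prints the parsed UDP 137 question: source port 8902, wildcard name "*", suffix 0, type NBSTAT, class 1, broadcast flag set. That is a node status request, the same thing Moe describes as "asking if you want to share"; the length check inside analyse_dump is the cross-check that the 50 hex octets really are the whole payload of a 78-octet datagram.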

My impression on this point is that the heavy marketing, mixed within certain aspects of the culture, has been a cause of this problem. How many people still want to believe that certain figures of authority only have their best interests at heart, from politicians to priests. Some people find it emotionally hard to distrust those that are supposed to be trusted.

I had already got used to MS-DOS before moving to Win 3.1, and I did not have access to anything else for a while. By the time I got Win 95 I found it a bit complicated in comparison and the more I looked at it the less I liked the idea of creating an OS that assumed that users should not have as much control and that the company will do it for them - they know better what it is that you wanted to do. If I had had access at that time to Linux, I probably would have moved to it, and still I might do that instead of moving to the newer versions of Windows. But I don't like that the newer versions of Linux seem to be trying to copy the newer versions of Windows. I prefer the idea of having one program for each task, not one program that is supposed to do everything.

As you say, it seems that Win 95/98 have had plenty of exploits, which might make moving to Linux easier than trying to keep track of all the existing problems with Win 95/98 and its applications.

Right, I forgot that I went from a link in (mentioned by Sebastian Gottschalk a few days ago) to

formatting link
You are good at using limited information. :)

Thank you. Geo

Reply to
"GEO" Me

Start saving your money. Microsoft suggests getting lots of horsepower and memory for the new Vista. Then you get to buy all the third-party software you need.

Linux is still that way. It is just they have the gui frontends to help the people which do not want to run the command line apps via a keyboard.

Reply to
Bit Twister

Even in the later versions of windoze, you don't have to do everything by clicking on some icon, or moving a slider. People simply don't want to spend the time learning how to use anything. "It should be obvious." That's why the manufacturers of VCRs and such are adding a mechanism to extract time from TV signals, and set the clock automatically. Gone are the days of the VCR blinking "--:--" for months because the user can't be bothered to read how to set the time.

You had to know where to look. The O/S and most tools have been freely available for download since late 1992. The first version I used was downloaded onto 30-ish 5.25 inch floppies, and you installed from that.

The average new user is used to windoze. The various distributions are merely doing good marketing technique, and giving the customer what they want.

One program for each task hasn't been the case since the early 1980s.

[compton ~]$ whatis dig dnsquery host nslookup
dig (1)              - send domain name query packets to name servers
dnsquery (1)         - query domain name servers using resolver
host (1)             - look up host names using domain server
nslookup (8)         - query Internet name servers interactively
[compton ~]$

Four different programs to query DNS. Been that way for years. They all do the same job (differently), and produce the same information. Use the one that you like. For that matter:

[compton ~]$ whatis whatis
whatis (1)           - search the whatis database for complete words
[compton ~]$ man -f whatis
whatis (1)           - search the whatis database for complete words
[compton ~]$ grep ^whatis /usr/share/man/whatis
whatis (1)           - search the whatis database for complete words
[compton ~]$

There are three ways to query a database to find manual entries about specific commands. Thing is, _all_ of the commands are available, even if you are using the most bloated click and drool eye-candy type of interface. This system is running Linux, and while I am running X (a portable, network-transparent window system) to give me 19 different terminals ("A mouse is a device used to point at the xterm you want to type in"), there isn't an icon, or pull-down menu, or tool bar anywhere. Everything I do is command line - typing in those cryptic commands and getting work done.

Linux isn't your only possibility. In addition to the 350+ different Linux distributions, there are also several variants of BSD (FreeBSD, NetBSD, OpenBSD) and at least one "branded" UNIX (Solaris x86) that will run on Intel type hardware. But don't think that just because you are running a *nix you are immune from malware. While they are much less common, exploits exist for these O/S as well. They tend to be a lot less destructive because of philosophic differences (we don't run these things as the super user that has the authority to do anything to the system - the windoze "administrator" account). Someone recently posted "Uncrackable computers are already available. It's uncrackable users that are in short supply."

Old guy

Reply to
Moe Trin

Actually I think the point is so that all such devices will show the same time. It won't bother me a bit. It's better than the cable box showing 6:15, the VCR showing 6:13, and DVD player showing 6:19, etc.

Reply to
Spender

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.