Posted by David H. Lipman on December 29, 2006, 3:40 pm
| I'll lock down the ports you recommend 1024-1030, and 137.
| How do I find the app that is sending it out? I have an XP sp2 machine that
| is sending it.
| As I said, I have norton's running and ad aware and spybot. All came up clean.
| One other thing to note. When I log into the machine, it takes a while for
| the task bar to become clickable. Longer than the other machines, if that
| helps at all.
| Tif
NO !
Do NOT block 1024-1030.
As stated before, on the Router, Block TCP and UDP ports 135 ~ 139 and 445.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Posted by Moe Trin on December 30, 2006, 3:21 pm
On Fri, 29 Dec 2006, in the Usenet newsgroup alt.computer.security, in article
[Did the O/P notice the responses to his earlier posting of this question
in the newsgroup comp.os.linux.networking?]
>| I'll lock down the ports you recommend 1024-1030, and 137.
>NO !
>
>Do NOT block 1024-1030.
Depending on the capabilities of your firewall (recognizing incoming
packets in those ranges as being replies to something your systems sent
out - versus unsolicited packets inbound) blocking those ports is quite
reasonable. On my home firewall, I've been dropping incoming unrelated
UDP to those ports for several years now. It's just ordinary messenger
spam such as:
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
Windows has found 55 Critical System Errors.
To fix the errors please do the following:
1. Download Registry Update from: www.some.spammers.website
2. Install Registry Update
3. Run Registry Update
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!
That one was captured on the firewall a couple of weeks ago when I was
running a packet sniffer. Source address was bogus. Oh, and I know it's
not real because I don't have any microsoft boxes, and the spammers'
web site isn't microsoft.com - not that they give a hoot if your systems
are 0wn3d.
At work, we port shift any outgoing packets out of the 1025-1050 range
(nearly all are DNS queries outbound) and drop any inbound to that range
as they can't be valid replies to anything we've sent out. Last I bothered
to measure, it was averaging a half Megabyte per day per IP address, so
for a /16 network, that saves about a Gigabyte of bandwidth every _month_.
Using a packet sniffer to capture this crap, it's usually pretty obvious
based on IP and UDP headers that the source is fake, and this most often
seems to be coming from zombie windoze boxes on your ISP's local range.
You _could_ bitch to your ISP about it, but the O/P is posting from
Comcast which probably isn't going to know how to spell 'IP' much less
know about port numbers and protocols.
Old guy
Posted by David H. Lipman on December 30, 2006, 3:23 pm
|
| Depending on the capabilities of your firewall (recognizing incoming
| packets in those ranges as being replies to something your systems sent
| out - versus unsolicited packets inbound) blocking those ports is quite
| reasonable. On my home firewall, I've been dropping incoming unrelated
| UDP to those ports for several years now. It's just ordinary messenger
| spam such as:
|
| STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
|
| Windows has found 55 Critical System Errors.
|
| To fix the errors please do the following:
|
| 1. Download Registry Update from: www.some.spammers.website
| 2. Install Registry Update
| 3. Run Registry Update
| 4. Reboot your computer
|
| FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!
|
| That one was captured on the firewall a couple of weeks ago when I was
| running a packet sniffer. Source address was bogus. Oh, and I know it's
| not real because I don't have any microsoft boxes, and the spammers'
| web site isn't microsoft.com - not that they give a hoot if your systems
| are 0wn3d.
|
| At work, we port shift any outgoing packets out of the 1025-1050 range
| (nearly all are DNS queries outbound) and drop any inbound to that range
| as they can't be valid replies to anything we've sent out. Last I bothered
| to measure, it was averaging a half Megabyte per day per IP address, so
| for a /16 network, that saves about a Gigabyte of bandwidth every _month_.
|
| Using a packet sniffer to capture this crap, it's usually pretty obvious
| based on IP and UDP headers that the source is fake, and this most often
| seems to be coming from zombie windoze boxes on your ISP's local range.
| You _could_ bitch to your ISP about it, but the O/P is posting from
| Comcast which probably isn't going to know how to spell 'IP' much less
| know about port numbers and protocols.
|
| Old guy
Thanx Moe Trin and Happy New Year.
Hopefully this "Old guy" will grace us with his presence more often in 2007. :-)
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Posted by Robert on December 29, 2006, 6:19 pm
On Fri, 29 Dec 2006 13:40:22 -0600, tiffini wrote:
> I'll lock down the ports you recommend 1024-1030, and 137.
You should really lock down everything outbound that you don't need.
> How do I find the app that is sending it out? I have an XP sp2 machine
> that is sending it.
XP is the app that is doing this. This is how Windows talks with other
Windows machines on the network.
> As I said, I have norton's running and ad aware and spybot. all came up
> clean.
As they will. This is not an adware thing but a windows thing.
> One other thing to note. When I log into the machine. It takes a while
> for the task bar to become clickable. Longer than the other machines,
> if that helps at all.
This could be caused by many things. Mainly what is loaded when you log
in and what it's trying to do while you are logging in.
--
Regards
Robert
Smile... it increases your face value!
Posted by David H. Lipman on December 29, 2006, 3:39 pm
| Hi,
| I have noticed some interesting traffic coming from one of my pc's and then to
| one of my pc's.
| First a little background.
| I have a befsr41 router with snmp :-) So I can log traffic going into my
| little network using wallwatcher and opmanager.
| I have one XP machine I leave on a lot. I notice that it is sending UDP
| outbound from L-port 137 to R-port 137. Then in a relatively short amount of
| time I see an inbound request from a different IP to ports 1026, 1027, and
| 1028 from a different IP than the 137 was sent from. I have norton's running,
| and ad aware and spybot don't show anything.
| The addresses seem to come from anywhere: China, Hong Kong, even the US and
| Canada.
| Any ideas of what this is:
As always, I suggest specifically blocking both UDP and TCP ports 135 ~ 139 and
445 on *any* SOHO Router.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
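As an added example (not code from anyone in this thread), the Python script below applies both checks discussed here to a constructed, simplified router log: it flags outbound NetBIOS/SMB traffic on TCP/UDP 135-139 and 445, which Dave recommends blocking at the router, and, following Moe Trin's rule, marks inbound UDP to the 1025-1050 range as unsolicited unless it answers a recent outbound packet. The log tuple format, the addresses and the 20-second reply window are assumptions.

```python
# Added example: stateful classification of constructed router log records;
# real WallWatcher/BEFSR41 logs differ. Addresses are RFC 5737 documentation ranges.
NETBIOS_SMB_PORTS = set(range(135, 140)) | {445}   # 135-139 and 445: block at the router
EPHEMERAL_SPAM_RANGE = range(1025, 1051)           # the range Moe Trin drops inbound
REPLY_WINDOW_S = 20                                # assumed max delay for a genuine reply

# (time_s, direction, src_ip, src_port, dst_ip, dst_port, proto) -- constructed sample
SAMPLE_LOG = [
    (0,  "out", "192.168.1.10", 137,  "203.0.113.7",  137,  "UDP"),  # NetBIOS name query leaving the LAN
    (1,  "out", "192.168.1.10", 1026, "192.0.2.53",   53,   "UDP"),  # DNS query from an ephemeral port
    (2,  "in",  "192.0.2.53",   53,   "192.168.1.10", 1026, "UDP"),  # matching DNS reply
    (30, "in",  "198.51.100.9", 1026, "192.168.1.10", 1026, "UDP"),  # Messenger spam: nothing was sent
    (31, "in",  "198.51.100.9", 1027, "192.168.1.10", 1027, "UDP"),
    (32, "in",  "198.51.100.9", 1028, "192.168.1.10", 1028, "UDP"),
    (40, "out", "192.168.1.10", 3000, "203.0.113.7",  445,  "TCP"),  # SMB leaving the LAN
]

def classify(log, reply_window=REPLY_WINDOW_S):
    """Return (verdict, record) pairs: 'netbios-leak' (outbound on 135-139/445),
    'reply' (inbound answering a recent outbound packet), 'unsolicited' (inbound
    to 1025-1050 with no matching outbound packet) or 'other'."""
    outstanding = {}   # (local_ip, local_port, remote_ip, remote_port, proto) -> time sent
    verdicts = []
    for rec in log:
        t, direction, sip, sport, dip, dport, proto = rec
        if direction == "out":
            outstanding[(sip, sport, dip, dport, proto)] = t
            leak = sport in NETBIOS_SMB_PORTS or dport in NETBIOS_SMB_PORTS
            verdicts.append(("netbios-leak" if leak else "other", rec))
            continue
        # Inbound: a genuine reply mirrors the addresses and ports of a recent outbound packet.
        sent = outstanding.get((dip, dport, sip, sport, proto))
        if sent is not None and t - sent <= reply_window:
            verdicts.append(("reply", rec))
        elif dport in EPHEMERAL_SPAM_RANGE:
            verdicts.append(("unsolicited", rec))
        else:
            verdicts.append(("other", rec))
    return verdicts

def summarize(log):
    """Count verdicts over the log, e.g. how many inbound packets had no outbound cause."""
    counts = {}
    for verdict, _ in classify(log):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```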