port=1026&reason=ICMPsent

Posted by ed on November 14, 2005, 4:36 pm
My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
various IPs. Looking at TCPView, the only process open on all IPs (about 9
of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
the UDP, so this may be a wrong assumption.

Packet flag is 0x0, so this may be nothing more than a ping, not sure.

Virus and anti-spyware scans are negative. Any thoughts?




Posted by winged on November 15, 2005, 12:57 am
ed wrote:
> My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
> various IPs. Looking at TCPView, the only process open on all IPs (about 9
> of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
> the UDP, so this may be a wrong assumption.
>
> Packet flag is 0x0, so this may be nothing more than a ping, not sure.
>
> Virus and anti-spyware scans are negative. Any thoughts?

Local Security Authentication Server - lsass.exe

Are you logging in at these locations? Someone logging onto you?

Is there a pattern as to what type host those IPs belong to?

Winged


Posted by Donnie on November 15, 2005, 12:59 am
> My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
> various IPs. Looking at TCPView, the only process open on all IPs (about 9
> of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
> the UDP, so this may be a wrong assumption.
>
> Packet flag is 0x0, so this may be nothing more than a ping, not sure.
>
> Virus and anti-spyware scans are negative. Any thoughts?
>
###################################
Check the netstat -an output.
donnie




Posted by ed on November 15, 2005, 11:01 pm
Shows the same ports as previous.

>> My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
>> various IPs. Looking at TCPView, the only process open on all IPs (about 9
>> of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
>> the UDP, so this may be a wrong assumption.
>>
>> Packet flag is 0x0, so this may be nothing more than a ping, not sure.
>>
>> Virus and anti-spyware scans are negative. Any thoughts?
>
> ###################################
> Check the netstat -an output.
> donnie




Posted by Moe Trin on November 15, 2005, 1:58 pm
In the Usenet newsgroup alt.computer.security, in article

>My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
>various IPs.

That sentence makes no sense. ICMP is one IP protocol, UDP another.
Search for RFC0768 (UDP), RFC0791 (IP) and RFC0792 (ICMP) if interested.

>I have not actually witnessed the UDP, so this may be a wrong assumption.

UDP 1026 (and 1027) are primary targets of messenger spam - pop-up ads
targeting clueless windoze users. Late last month, I turned on logging
on the perimeter firewall at home (I normally ignore dropped packets)
for a week, and noted about 1000 messages a day, or about 450K of wasted
bandwidth per day. The few packets I investigated were all fake windoze
error messages, directing users to some spammer's website for a "repair".
I'm in North America, so most of the packets were originating in China,
although the spamvertised web sites were all hosted at well known spammer
support domains in the US states of Washington, Texas, or Florida.

Old guy
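
Added example, not part of any post in this thread: a small IPv4 parser that reads the protocol field (1 = ICMP, 17 = UDP) and, for an ICMP error message, extracts the UDP ports from the datagram that RFC 792 says is quoted inside it, which is one way a log line can mention both ICMP and a UDP port. The two sample packets are constructed (documentation addresses, made-up source port and payload) and are not the poster's traffic.

```python
import struct

PROTO = {1: "ICMP", 17: "UDP"}        # IPv4 protocol numbers
ICMP_ERRORS = {3, 4, 5, 11, 12}       # RFC 792 types that quote the offending datagram

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left 0) plus payload, for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def classify(packet):
    """Describe an IPv4 packet: UDP ports, or ICMP type/code plus any quoted datagram."""
    if len(packet) < 20:
        return {"proto": "truncated"}
    ihl = (packet[0] & 0x0F) * 4
    body = packet[ihl:]
    info = {"proto": PROTO.get(packet[9], str(packet[9]))}
    if packet[9] == 17 and len(body) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif packet[9] == 1 and len(body) >= 8:
        info["type"], info["code"] = body[0], body[1]
        if info["type"] in ICMP_ERRORS:
            # After the 8-byte ICMP header comes the original IP header + 8 data bytes.
            info["quoted"] = classify(body[8:])
    return info

# Constructed samples (documentation addresses, made-up source port and payload).
OUTSIDE, SERVER = (203, 0, 113, 5), (192, 0, 2, 10)
UDP_IN = ipv4(17, OUTSIDE, SERVER, struct.pack("!HHHH", 4000, 1026, 8 + 4, 0) + b"test")
# ICMP destination unreachable (type 3), port unreachable (code 3), quoting UDP_IN.
ICMP_OUT = ipv4(1, SERVER, OUTSIDE, struct.pack("!BBHI", 3, 3, 0, 0) + UDP_IN[:28])

if __name__ == "__main__":
    print(classify(UDP_IN))
    print(classify(ICMP_OUT))
```

The ICMP packet itself has no ports; the 1026 only appears in the quoted copy of the UDP datagram it reports on.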


