On Sun, Dec 25, 2005 at 11:10:15PM -0600, Dale wrote

> > Source: 215.146.157.191 (215.146.157.191)
> > Destination: 205.208.159.31 (205.208.159.31)
> >User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
> > Source port: 44356 (44356)
> > Destination port: 1026 (1026)

[...deletia...]

> What is this? Is this some spam and it pops up a window if I were using
> windoze? I went to the site and it looks like they want to sell
> something, which I ain't buying by the way. ;-) How can I tell them
> to stop this? Oh, only my main rig does this. My three servers which
> have no GUI stuff or browsers installed do not get this, that I can see
> anyway.

A few notes...

1) It's UDP (User Datagram Protocol).

2) UDP is a connectionless protocol, i.e. no 3-way handshake like TCP. That means that the sending software can put any garbage they want in the source-port and source IP address. *DO NOT* complain to the ISP responsible for 215.146.157.191. UDP forgery is trivial.

3) This garbage is spewed out by zombie bots to port 1026 to pop up messages on your screen if you're running the Windows Messenger Service. It'll probably show up if you have Samba configured right/wrong (Ain't Windows emulation wonderful?).

Everybody gets hit with it, just like port 135 and 1433 and 1434 scans. Here's an hour's worth from my router's log. The router is set to reject unsolicited traffic...

Dec 26 18:04:26 221.1.204.251:33054 to UDP port 1026
Dec 26 18:05:46 66.52.125.177:23460 to UDP port 1026
Dec 26 18:06:55 66.188.58.207:4099 to UDP port 1026
Dec 26 18:11:16 221.203.145.54:32939 to UDP port 1026
Dec 26 18:15:55 66.170.205.192:23797 to UDP port 1026
Dec 26 18:17:04 211.172.244.182:9285 to UDP port 1026
Dec 26 18:20:59 218.27.103.206:36380 to UDP port 1026
Dec 26 18:27:02 202.96.87.41:34462 to UDP port 1026
Dec 26 18:27:46 221.1.204.251:33054 to UDP port 1026
Dec 26 18:38:14 202.111.173.85:39549 to UDP port 1026
Dec 26 18:38:17 202.111.173.83:55698 to UDP port 1026
Dec 26 18:38:34 203.39.211.73:7731 to UDP port 1026
Dec 26 18:40:14 218.27.103.206:45829 to UDP port 1026
Dec 26 18:41:07 66.223.176.136:24121 to UDP port 1026
Dec 26 18:42:48 66.138.198.3:7578 to UDP port 1026
Dec 26 18:42:58 66.178.233.47:11540 to UDP port 1026
Dec 26 18:50:08 202.111.173.83:59789 to UDP port 1026
Dec 26 18:55:10 66.35.104.238:27387 to UDP port 1026
Dec 26 18:56:30 202.111.173.85:45304 to UDP port 1026
Dec 26 18:59:42 218.27.103.206:55370 to UDP port 1026

-- 
Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
-- 
gentoo-user@gentoo.org mailing list
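
Added example, not part of the original message: a small Python tally of rejected packets in the router-log line format quoted above, grouped by claimed source address. The function name `summarize` and the sample lines are assumptions constructed for illustration (documentation address ranges); because UDP source fields can be forged, the counts describe what the packets claimed, not who sent them.

```python
import re
from collections import Counter

# Line format taken from the router log quoted in the message above.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5}) "
    r"to (?P<proto>UDP|TCP) port (?P<dport>\d{1,5})$"
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Dec 26 18:04:26 192.0.2.10:33054 to UDP port 1026
Dec 26 18:05:46 198.51.100.7:23460 to UDP port 1026
Dec 26 18:27:46 192.0.2.10:33054 to UDP port 1026
Dec 26 18:31:02 203.0.113.5:4099 to UDP port 1434
Dec 26 18:40:14 198.51.100.7:45829 to UDP port 1026
garbled line that does not match
"""

def summarize(log_text, proto="UDP", dport=1026):
    """Count rejected packets to proto/dport, grouped by claimed source."""
    claimed_sources = Counter()   # per claimed source IP (unverified for UDP)
    same_tuple = Counter()        # identical claimed ip:port seen again
    skipped = 0                   # lines that do not fit the log format
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        if m["proto"] != proto or int(m["dport"]) != dport:
            continue              # other unsolicited traffic, not tallied here
        claimed_sources[m["src"]] += 1
        same_tuple[(m["src"], int(m["sport"]))] += 1
    repeats = {k: n for k, n in same_tuple.items() if n > 1}
    return {
        "hits": sum(claimed_sources.values()),
        "claimed_sources": dict(claimed_sources),
        "repeated_src_port": repeats,
        "unparsed": skipped,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```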