Port 1574 - Firewalls

Thread: Port 1574

  1. Port 1574

    Hi.
    Can anyone tell me what the UDP port 1574 is for?

    Thanks.

  2. Re: Port 1574

    Michele wrote:

    > Hi.
    > Can anyone tell me what the UDP port 1574 is for?


    For connection-less communication. *SCNR*

    If you're asking what it's typically supposed to be for, then,
    Well, why don't you take a look into your /etc/services?

    | # grep "1574/udp" < /etc/services
    | mvel-lm 1574/udp # mvel-lm

    Seems like a non-typical use.

  3. Re: Port 1574

    On Sat, 03 Feb 2007 10:54:34 +0100, Michele wrote:
    > Hi.
    > Can anyone tell me what the UDP port 1574 is for?


    Normally or malware?

    Both, http://isc.sans.org/port.html?port=1574

  4. Re: Port 1574

    Thanks for the answers.
    My firewall always logs and blocks hundreds of accesses made through
    that port. I think that port is involved with my emule p2p software but
    I'd like to know why there are so many attempts to access my computer
    through udp 1574 port while I correctly configured communication in my
    firewall-router to make my emule run ok.

    Thanks again.

    Bit Twister ha scritto:
    > On Sat, 03 Feb 2007 10:54:34 +0100, Michele wrote:
    >> Hi.
    >> Can anyone tell me what the UDP port 1574 is for?

    >
    > Normally or malware?
    >
    > Both, http://isc.sans.org/port.html?port=1574


  5. Re: Port 1574

    On Sat, 03 Feb 2007 18:56:17 +0100, Michele wrote:

    > My firewall always logs and blocks hundreds of accesses made through
    > that port.


    My firewall just drops the attempts and does not bother to log the
    normal internet noise ports (80, 143, 8080, 21-25, etc.)

    That allows me to see the ones trying to hide in all the noise.
    I have one site which makes 2 new port checks once a week on Sunday
    afternoon.

    If I get lots of scans I'll block the ip range. I only see one or two
    hits a day with my current blacklist.

    85.255.112.0-85.255.127.0 # known malware address range of INHoster in Ukraine
    76.166.0.0-76.190.255.255 # Road Runner HoldCo LLC
    218.249.29.0-218.249.29.255 # BEI-JING-JIAO-TONG-DA-XUE CN
    211.100.32.0-211.100.95.255 # NET263 group in Beijing P.R.China
    220.166.64.0-220.166.65.255 # MAINT-CHINANET-SC China
    220.178.0.0-220.180.255.255 # CHINANET anhui province networ
    221.6.0.0-221.6.255.255 # China Network Communications Group Corp
    221.208.0.0/14 # CNCGROUP Heilongjiang Province Network


    0.0.0.0/0 udp 1024:1035
    0.0.0.0/0 tcp 1023
    0.0.0.0/0 tcp 1025 # network blackjack dasher.a
    0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
    0.0.0.0/0 tcp 8080 # Brown Orifice , RemoConChubo, RingZero
    0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
    0.0.0.0/0 tcp 4899 # Remote Administrator port
    0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
    0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
    0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
    0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
    0.0.0.0/0 tcp 3306 # MySQL
    0.0.0.0/0 tcp 3372 # TIP 2, satvid-datalnk - Satellite Video Data Link
    0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
    0.0.0.0/0 udp 6346 # Gnutella-svc
    0.0.0.0/0 tcp 6348 # Gnutella works on this port too
    0.0.0.0/0 udp 6348 # Gnutella works on this port too
    0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
    0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
    0.0.0.0/0 udp 33435:33440


    > I think that port is involved with my emule p2p software but
    > I'd like to know why there are so many attempts to access my computer
    > through udp 1574 port while I correctly configured communication in my
    > firewall-router to make my emule run ok.


    Script kiddies/crackers are always hitting ports looking for the
    latest known exploit and unknown exploits. Want to see the last 24 hours
    compared to the last 30 day trend?

    http://www.dshield.org/trends.html

  6. Re: Port 1574

    First I'd rather know if those dropped ip's are attacks!
    I know I could tell my firewall not to bore me with those logs but the
    question is: do you know what kind of data passes through UDP 1574 port?
    Do you use p2p software?
    Then ip ranges are always different and that makes me think it may not
    be a sort of attack.

    I posted this question in many forums but no clear answer has come out yet.

    Thanks.

    Bit Twister ha scritto:
    > On Sat, 03 Feb 2007 18:56:17 +0100, Michele wrote:
    >
    >> My firewall always logs and blocks hundreds of accesses made through
    >> that port.

    >
    > My firewall just drops the attempts and does not bother to log the
    > normal internet noise ports (80, 143, 8080, 21-25, etc.)
    >
    > That allows me to see the ones trying to hide in all the noise.
    > I have one site which makes 2 new port checks once a week on Sunday
    > afternoon.
    >
    > If I get lots of scans I'll block the ip range. I only see one or two
    > hits a day with my current blacklist.
    >
    > 85.255.112.0-85.255.127.0 # known malware address range of INHoster in Ukraine
    > 76.166.0.0-76.190.255.255 # Road Runner HoldCo LLC
    > 218.249.29.0-218.249.29.255 # BEI-JING-JIAO-TONG-DA-XUE CN
    > 211.100.32.0-211.100.95.255 # NET263 group in Beijing P.R.China
    > 220.166.64.0-220.166.65.255 # MAINT-CHINANET-SC China
    > 220.178.0.0-220.180.255.255 # CHINANET anhui province networ
    > 221.6.0.0-221.6.255.255 # China Network Communications Group Corp
    > 221.208.0.0/14 # CNCGROUP Heilongjiang Province Network
    >
    >
    > 0.0.0.0/0 udp 1024:1035
    > 0.0.0.0/0 tcp 1023
    > 0.0.0.0/0 tcp 1025 # network blackjack dasher.a
    > 0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
    > 0.0.0.0/0 tcp 8080 # Brown Orifice , RemoConChubo, RingZero
    > 0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
    > 0.0.0.0/0 tcp 4899 # Remote Administrator port
    > 0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
    > 0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
    > 0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
    > 0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
    > 0.0.0.0/0 tcp 3306 # MySQL
    > 0.0.0.0/0 tcp 3372 # TIP 2, satvid-datalnk - Satellite Video Data Link
    > 0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
    > 0.0.0.0/0 udp 6346 # Gnutella-svc
    > 0.0.0.0/0 tcp 6348 # Gnutella works on this port too
    > 0.0.0.0/0 udp 6348 # Gnutella works on this port too
    > 0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
    > 0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
    > 0.0.0.0/0 udp 33435:33440
    >
    >
    >> I think that port is involved with my emule p2p software but
    >> I'd like to know why there are so many attempts to access my computer
    >> through udp 1574 port while I correctly configured communication in my
    >> firewall-router to make my emule run ok.

    >
    > Script kiddies/crackers are always hitting ports looking for the
    > latest known exploit and unknown exploits. Want to see the last 24 hours
    > compared to the last 30 day trend?
    >
    > http://www.dshield.org/trends.html


  7. Re: Port 1574

    On Sat, 03 Feb 2007 20:18:55 +0100, Michele wrote:
    > First I'd rather know if those dropped ip's are attacks!


    When they attempt unsolicited port connections to my system they are
    attempting unauthorized entry. What would you call it?


    > I know I could tell my firewall not to bore me with those logs but the
    > question is: do you know what kind of data passes through UDP 1574 port?
    > Do you use p2p software?


    No, to the above.

    > Then ip ranges are always different and that makes me think it may not
    > be a sort of attack.


    When you are part of a Peer 2 Peer network you will be getting
    attempts from all over that network. You would not be able to tell if
    they are valid p2p connects for sharing or crack attempts unless you
    analyze the connect data attempts.

  8. Re: Port 1574

    Bit Twister wrote:

    > If I get lots of scans I'll block the ip range. I only see one or two
    > hits a day with my current blacklist.
    >
    > 85.255.112.0-85.255.127.0 # known malware address range of INHoster in Ukraine
    > 76.166.0.0-76.190.255.255 # Road Runner HoldCo LLC
    > 218.249.29.0-218.249.29.255 # BEI-JING-JIAO-TONG-DA-XUE CN
    > 211.100.32.0-211.100.95.255 # NET263 group in Beijing P.R.China
    > 220.166.64.0-220.166.65.255 # MAINT-CHINANET-SC China
    > 220.178.0.0-220.180.255.255 # CHINANET anhui province networ
    > 221.6.0.0-221.6.255.255 # China Network Communications Group Corp
    > 221.208.0.0/14 # CNCGROUP Heilongjiang Province Network
    >
    >
    > 0.0.0.0/0 udp 1024:1035
    > 0.0.0.0/0 tcp 1023
    > 0.0.0.0/0 tcp 1025 # network blackjack dasher.a
    > 0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
    > 0.0.0.0/0 tcp 8080 # Brown Orifice , RemoConChubo, RingZero
    > 0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
    > 0.0.0.0/0 tcp 4899 # Remote Administrator port
    > 0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
    > 0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
    > 0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
    > 0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
    > 0.0.0.0/0 tcp 3306 # MySQL
    > 0.0.0.0/0 tcp 3372 # TIP 2, satvid-datalnk - Satellite Video Data Link
    > 0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
    > 0.0.0.0/0 udp 6346 # Gnutella-svc
    > 0.0.0.0/0 tcp 6348 # Gnutella works on this port too
    > 0.0.0.0/0 udp 6348 # Gnutella works on this port too
    > 0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
    > 0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
    > 0.0.0.0/0 udp 33435:33440
    >


    Interesting blacklist entries. Have you developed it from your own
    observations, or imported it from some other source? Just interested!

    Jim Ford

  9. Re: Port 1574

    The very strange thing is the fact that attacks, if you prefer calling
    them so, always pass through UDP 1574 port: the port is always the same,
    the protocol always the same. I've been logging them for months and
    nothing has changed. It's a bit strange to me, don't you think so?

    Anyway thanks for the answers.

    Bye.

    Bit Twister ha scritto:
    > On Sat, 03 Feb 2007 20:18:55 +0100, Michele wrote:
    >> First I'd rather know if those dropped ip's are attacks!

    >
    > When they attempt unsolicited port connections to my system they are
    > attempting unauthorized entry. What would you call it?
    >
    >
    >> I know I could tell my firewall not to bore me with those logs but the
    >> question is: do you know what kind of data passes through UDP 1574 port?
    >> Do you use p2p software?

    >
    > No, to the above.
    >
    >> Then ip ranges are always different and that makes me think it may not
    >> be a sort of attack.

    >
    > When you are part of a Peer 2 Peer network you will be getting
    > attempts from all over that network. You would not be able to tell if
    > they are valid p2p connects for sharing or crack attempts unless you
    > analyze the connect data attempts.


  10. Re: Port 1574

    On Sat, 03 Feb 2007 19:40:16 GMT, Jim Ford wrote:
    > Interesting blacklist entries. Have you developed it from your own
    > observations, or imported it from some other source? Just interested!


    Just from log entries that make it through the blacklist.

    When a new port shows up, I check
    http://www.dshield.org/port_report.html?port=
    http://isc.sans.org/port.html?port=
    http://lists.thedatalist.com/portlist/lookup.php?port=
    to see if there is a malware description for my comment section.

    Every couple of months, I'll check the blacklist hit counter to see if I want to
    remove any entry.

    Firewall frontend is Shorewall on Mandriva linux.

  11. Re: Port 1574

    Bit Twister wrote:
    > On Sat, 03 Feb 2007 19:40:16 GMT, Jim Ford wrote:
    >> Interesting blacklist entries. Have you developed it from your own
    >> observations, or imported it from some other source? Just interested!

    >
    > Just from log entries that make it through the blacklist.
    >
    > When a new port shows up, I check
    > http://www.dshield.org/port_report.html?port=
    > http://isc.sans.org/port.html?port=
    > http://lists.thedatalist.com/portlist/lookup.php?port=
    > to see if there is a malware description for my comment section.
    >
    > Every couple of months, I'll check the blacklist hit counter to see if I want to
    > remove any entry.
    >
    > Firewall frontend is Shorewall on Mandriva linux.


    Thanks - I'm using Shorewall on a Leaf router/firewall.

    Jim

  12. Re: Port 1574

    On Sat, 03 Feb 2007 23:24:44 GMT, Jim Ford wrote:
    >
    > Thanks - I'm using Shorewall on a Leaf router/firewall.


    Your selection of blacklisted ips can be different than mine.

    I run a
    xconsole -geom 1032x50+400+00 -file /var/log/messages &
    on my firewall and $DISPLAY points to my lan box.

    To use the blacklist, you have to have blacklist as one of your net
    options in /etc/shorewall/interfaces

    I use /etc/shorewall/params for variables.


    # cd /etc/shorewall

    # tail -3 interfaces | head -2
    net $NET_NIC $NET_BCAST $NET_OPTIONS
    loc $LOC_NIC $LOC_BCAST

    # grep NET_ params
    NET_BCAST=192.168.2.255
    NET_NIC=eth1
    NET_OPTIONS=dhcp,routefilter,blacklist,tcpflags,logmartians

  13. Re: Port 1574

    Bit Twister wrote:
    > On Sat, 03 Feb 2007 23:24:44 GMT, Jim Ford wrote:
    >> Thanks - I'm using Shorewall on a Leaf router/firewall.

    >
    > Your selection of blacklisted ips can be different than mine.
    >
    > I run a
    > xconsole -geom 1032x50+400+00 -file /var/log/messages &
    > on my firewall and $DISPLAY points to my lan box.
    >
    > To use the blacklist, you have to have blacklist as one of your net
    > options in /etc/shorewall/interfaces
    >
    > I use /etc/shorewall/params for variables.
    >
    >
    > # cd /etc/shorewall
    >
    > # tail -3 interfaces | head -2
    > net $NET_NIC $NET_BCAST $NET_OPTIONS
    > loc $LOC_NIC $LOC_BCAST
    >
    > # grep NET_ params
    > NET_BCAST=192.168.2.255
    > NET_NIC=eth1
    > NET_OPTIONS=dhcp,routefilter,blacklist,tcpflags,logmartians


    I've got a blacklist, but I've really not bothered to pore over the log
    files and enter the 'bad' ip addresses and ports that I see regularly
    dropped. I just have a quick scan through them to see if anything 'leaps
    out', and then dump the log. I've occasionally been tempted to set up a
    Tarpit/Teergrube in an attempt to take a more pro-active approach, but
    as I understand it, it can create problems with conntracking; not looked very
    deeply. Another problem is that it won't necessarily hit the bad guys,
    but as often as not their unwitting zombies.

    Comments, anyone? (Come on Seb - you know you can't resist! ;^) )

    Jim Ford

  14. Re: Port 1574

    On Sun, 04 Feb 2007 14:14:21 GMT, Jim Ford wrote:
    >
    > I've got a blacklist, but I've really not bothered to pore over the log


    I do not pore over my logs. I do have a terminal open doing a
    tail -f /var/log/messages
    and pinned the
    xconsole -geom 1032x50+400+00 -file /var/log/messages &
    to the top of my desktop. That is about a 4 line view of the log and
    the only thing seen is the hourly msec log runs and any ntp time sync
    messages.

    > files and enter the 'bad' ip addresses and ports that I see regularly
    > dropped.


    When I see a port or several ip drops, I'll put it in the black list.
    For port range I'll use whois ip_here

    > I just have a quick scan through them to see if anything 'leaps
    > out', and then dump the log.


    That is the advantage of the blacklist. Whatever is there is something
    to look at and all the noise is damped out by the blacklist.

    Matter of fact just saw 3 different ips hitting the same port.
    Tells me they have a new exploit, or gone back to a very old one. New
    blacklist entry is
    0.0.0.0/0 tcp 3389 # MS WBT Server


    > I've occasionally been tempted to set up a
    > Tarpit/Teergrube in an attempt to take a more pro-active approach, but
    > as I understand it, it can create problems with conntracking; not looked very
    > deeply. Another problem is that it won't necessarily hit the bad guys,
    > but as often as not their unwitting zombies.


    Yes, and odds would be the unwitting zombies.

    Reading http://www.theregister.co.uk/2007/02...er_conviction/
    should provide you with a caution.
    You do not want to be in court trying to defend what your computer did
    to someone.

    I have seen a few laws where just a ping is an unlawful "access" attempt
    and can land you in the barbed wire hotel.

    Law makers were tired of seeing the bad guy walk away because the prosecutors
    could not prove unlawful /access/ attempt. Look at what the Texas
    lawmakers passed while thinking of your tarpit. Just read the first 2
    definitions of this Texas Statute CHAPTER 33. COMPUTER CRIMES

    http://tlo2.tlc.state.tx.us/statutes....000033.00.doc
    or in pdf format
    http://tlo2.tlc.state.tx.us/statutes...0.000033.00.pd
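
    As an added illustration (not code from this thread or from the Shorewall project), the Python below does what Bit Twister describes in posts 5, 10 and 14: rules in the thread's own blacklist shape damp the known noise, the residue is what gets a look, a port hit by several distinct sources is flagged, and zero-hit rules are listed as candidates for removal. The log lines and blacklist are constructed samples, and the "Shorewall:<chain>:DROP:" log prefix is an assumption based on Shorewall's default log prefix.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed Shorewall DROP lines as they appear in /var/log/messages (prefix form assumed).
SAMPLE_LOG = """\
Feb  4 10:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=85.255.115.7 DST=192.168.2.3 PROTO=UDP SPT=1574 DPT=1574 LEN=40
Feb  4 10:03:44 fw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=198.51.100.4 DST=192.168.2.3 PROTO=TCP SPT=1234 DPT=3389
Feb  4 10:04:01 fw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=198.51.100.77 DST=192.168.2.3 PROTO=TCP SPT=2222 DPT=3389
Feb  4 10:05:13 fw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=203.0.113.200 DST=192.168.2.3 PROTO=TCP SPT=4000 DPT=3389
Feb  4 10:06:30 fw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=221.209.5.5 DST=192.168.2.3 PROTO=UDP SPT=1030 DPT=1030 LEN=30
"""

# Constructed blacklist in the thread's shape: address range or CIDR, or 0.0.0.0/0 proto port[:port]; '#' = comment.
BLACKLIST = """\
85.255.112.0-85.255.127.0   # known malware address range
221.208.0.0/14              # CNCGROUP Heilongjiang Province Network
0.0.0.0/0 udp 1024:1035
"""

LOG_RE = re.compile(r"Shorewall:\S+?:DROP:.*?SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")

def parse_blacklist(text):
    """Each rule becomes (lo, hi, proto, pfrom, pto, rule); None means 'any'."""
    entries = []
    for parts in filter(None, (line.split("#", 1)[0].split() for line in text.splitlines())):
        if "-" in parts[0]:                        # dotted range a-b
            lo, hi = (int(ipaddress.ip_address(a)) for a in parts[0].split("-", 1))
        else:                                      # CIDR; 0.0.0.0/0 means anywhere
            net = ipaddress.ip_network(parts[0], strict=False)
            lo, hi = int(net[0]), int(net[-1])
        proto = pfrom = pto = None
        if len(parts) == 3:                        # "proto port" or "proto from:to"
            proto, ports = parts[1].lower(), parts[2].split(":")
            pfrom, pto = int(ports[0]), int(ports[-1])
        entries.append((lo, hi, proto, pfrom, pto, " ".join(parts)))
    return entries

def matches(entry, src, proto, dport):
    lo, hi, eproto, pfrom, pto, _ = entry
    return lo <= int(ipaddress.ip_address(src)) <= hi and (
        eproto is None or (eproto == proto and pfrom <= dport <= pto))

def triage(log_text, blacklist):
    """Count drops per rule (the damped noise); return the unexplained residue."""
    hits, residue = Counter(), []
    for m in filter(None, map(LOG_RE.search, log_text.splitlines())):
        src, proto, dport = m.group(1), m.group(2).lower(), int(m.group(3))
        rule = next((e for e in blacklist if matches(e, src, proto, dport)), None)
        if rule:
            hits[rule[5]] += 1
        else:
            residue.append((src, proto, dport))
    return hits, residue

def ports_hit_by_many(residue, min_sources=3):
    """Residue ports probed by >= min_sources distinct sources: the 'new exploit' signal from post 14."""
    seen = defaultdict(set)
    for src, proto, dport in residue:
        seen[(proto, dport)].add(src)
    return sorted(k for k, v in seen.items() if len(v) >= min_sources)

def stale_rules(hits, blacklist):  # zero-hit rules, candidates for removal at the next review (post 10)
    return [e[5] for e in blacklist if hits[e[5]] == 0]
```

    With the sample data, the range and CIDR rules absorb one drop each, the three tcp/3389 drops form the residue and trip the distinct-source check, and the udp 1024:1035 rule shows up as having no hits.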

  15. Re: Port 1574

    Bit Twister wrote:
    > On Sun, 04 Feb 2007 14:14:21 GMT, Jim Ford wrote:
    >> I've got a blacklist, but I've really not bothered to pore over the log

    >
    > I do not pore over my logs. I do have a terminal open doing a
    > tail -f /var/log/messages
    > and pinned the
    > xconsole -geom 1032x50+400+00 -file /var/log/messages &
    > to the top of my desktop. That is about a 4 line view of the log and
    > the only thing seen is the hourly msec log runs and any ntp time sync
    > messages.
    >
    >> files and enter the 'bad' ip addresses and ports that I see regularly
    >> dropped.

    >
    > When I see a port or several ip drops, I'll put it in the black list.
    > For port range I'll use whois ip_here
    >
    >> I just have a quick scan through them to see if anything 'leaps
    >> out', and then dump the log.

    >
    > That is the advantage of the blacklist. Whatever is there is something
    > to look at and all the noise is damped out by the blacklist.
    >
    > Matter of fact just saw 3 different ips hitting the same port.
    > Tells me they have a new exploit, or gone back to a very old one. New
    > blacklist entry is
    > 0.0.0.0/0 tcp 3389 # MS WBT Server


    I'm not sure what the purpose of monitoring the Shorewall hits is. So
    what do you do with the 'residue' of hits - the ones you don't
    blacklist? Of what interest are they? Why not do as I do and just shrug
    your shoulders and dump the Shorewall hit log from time to time without
    any more than a cursory inspection?

    I'm not being critical - it's just that I feel that perhaps I'm missing
    something here!

    Jim Ford

  16. Re: Port 1574

    On Sun, 04 Feb 2007 17:14:30 GMT, Jim Ford wrote:
    >
    > I'm not sure what the purpose of monitoring the Shorewall hits is.


    Well, blacklist hits show me which lines to remove when there are very
    low/no hits.

    > So what do you do with the 'residue' of hits - the ones you don't
    > blacklist? Of what interest are they? Why not do as I do and just
    > shrug your shoulders and dump the Shorewall hit log from time to
    > time without any more than a cursory inspection?


    When I see a drop entry on the screen, I'll look to see who it is.

    Since I am running linux with 8 desktops, it is no problem to click
    the log desktop, quick cut/paste ip into whois
    and decide what to do with a log entry.

    I have been surprised at some and have sent them an abuse report.
    It was nice to see them clean up their problem.


    > I'm not being critical -


    I would not care if you were.

    > it's just that I feel that perhaps I'm missing something here!


    Well, if you are going to "shrug your shoulders and dump the log" you
    ought to set Shorewall to just drop/nolog.

    As you can see from the links I gave you, trying to retaliate could
    get you into deep doo-doo with the law at worst, at best lose your
    internet connection.

    Not much I can do with China and known Russian malware ip ranges, so those I'll
    blacklist. If I can recognize a known business or someone I think will
    look into it, I'll tell them.

    Seeing a new port which is not a part of port scan, tells me something
    new has been found.

    If you want to help with the problem you could get with
    http://www.dshield.org and see what it would take for you to submit
    your logs. It might be as simple as a batch/cron job to email them to
    dshield before logs are rotated out of sight.
    Dshield parses them for port/ip and merges that with their data to
    detect new events, identify computers spewing crap and try to get
    their ISP to tell the owner to clean it up.

    I have no idea where the good work is going on, but in the last two
    years I have seen a marked drop in number of hits on my firewall.
    Maybe it is just Comcast using filters on their internet connect points.
    I was switched to RoadRunner about 5 months ago and I only added a few
    IP address lines to my blacklist.

    There are 31 ranges commented out of my blacklist where the count was zero.
    Another month and I'll remove those.
