Rogue Packets on Port 1027 - Firewalls

This is a discussion on Rogue Packets on Port 1027 - Firewalls ; I monitored my network traffic using wireshark (a fantastic tool, by the way) and found that I'm getting rogue packets that wireshark is identifying as follows: No Time Source Destination Protocol Info -- ---- ------ ----------- -------- ---- 36 30.879265 ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Rogue Packets on Port 1027

  1. Rogue Packets on Port 1027

    I monitored my network traffic using wireshark (a fantastic tool,
    by the way) and found that I'm getting rogue packets that wireshark
    is identifying as follows:

    No Time Source Destination Protocol Info
    -- ---- ------ ----------- -------- ----
    36 30.879265 218.27.148.78 192.168.1.104 Messenger NetrSendMessage request

    The message part of the packet is reported by wireshark as follows:

    00b0 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5..... ..5...ST
    00c0 4f 50 21 20 57 49 4e 44 4f 57 53 20 52 45 51 55 OP! WIND OWS REQU
    00d0 49 52 45 53 20 49 4d 4d 45 44 49 41 54 45 20 41 IRES IMM EDIATE A
    00e0 54 54 45 4e 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f TTENTION ...Windo
    00f0 77 73 20 68 61 73 20 66 6f 75 6e 64 20 35 35 20 ws has f ound 55
    0100 43 72 69 74 69 63 61 6c 20 53 79 73 74 65 6d 20 Critical System
    0110 45 72 72 6f 72 73 2e 0a 0a 54 6f 20 66 69 78 20 Errors.. .To fix
    0120 74 68 65 20 65 72 72 6f 72 73 20 70 6c 65 61 73 the erro rs pleas
    0130 65 20 64 6f 20 74 68 65 20 66 6f 6c 6c 6f 77 69 e do the followi
    0140 6e 67 3a 0a 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 ng:..1. Download
    0150 20 52 65 67 69 73 74 72 79 20 55 70 64 61 74 65 Registr y Update
    0160 20 66 72 6f 6d 3a 20 77 77 77 2e 72 65 67 66 69 from: w ww.regfi
    0170 78 69 74 2e 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 xit.com. 2. Insta
    0180 6c 6c 20 52 65 67 69 73 74 72 79 20 55 70 64 61 ll Regis try Upda
    0190 74 65 0a 33 2e 20 52 75 6e 20 52 65 67 69 73 74 te.3. Ru n Regist
    01a0 72 79 20 55 70 64 61 74 65 0a 34 2e 20 52 65 62 ry Updat e.4. Reb
    01b0 6f 6f 74 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 oot your compute
    01c0 72 0a 0a 46 41 49 4c 55 52 45 20 54 4f 20 41 43 r..FAILU RE TO AC
    01d0 54 20 4e 4f 57 20 4d 41 59 20 4c 45 41 44 20 54 T NOW MA Y LEAD T
    01e0 4f 20 53 59 53 54 45 4d 20 46 41 49 4c 55 52 45 O SYSTEM FAILURE
    01f0 21 0a 00 !..

    My system is responding with

    No Time Source Destination Protocol Info
    -- ---- ------ ----------- -------- ----
    37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)

    There is an outgoing message that appears to be similar to the incoming one:

    0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0 ...._... [CDj..E.
    0010 02 01 a3 53 00 00 40 01 a4 6e c0 a8 01 68 da 1b ...S..@. .n...h..
    0020 94 4e 03 03 2f 5a 00 00 00 00 45 00 01 e5 00 00 .N../Z.. ..E.....
    0030 40 00 27 11 21 8e da 1b 94 4e c0 a8 01 68 bb 92 @.'.!... .N...h..
    0040 04 03 01 d1 a4 8d 04 00 28 00 10 00 00 00 00 00 ........ (.......
    0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 ........ ........
    0060 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc ca 23 {Z...... ..O....#
    0070 2a 88 87 c5 7d 05 ae e7 bd 9b 51 d1 6b ce 00 00 *...}... ..Q.k...
    0080 00 00 01 00 00 00 00 00 00 00 00 00 ff ff ff ff ........ ........
    0090 79 01 00 00 00 00 10 00 00 00 00 00 00 00 10 00 y....... ........
    00a0 00 00 46 52 4f 4d 00 00 00 00 00 00 00 00 00 00 ..FROM.. ........
    00b0 00 00 10 00 00 00 00 00 00 00 10 00 00 00 54 4f ........ ......TO
    00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 01 ........ ......5.
    00d0 00 00 00 00 00 00 35 01 00 00 53 54 4f 50 21 20 ......5. ..STOP!
    00e0 57 49 4e 44 4f 57 53 20 52 45 51 55 49 52 45 53 WINDOWS REQUIRES
    00f0 20 49 4d 4d 45 44 49 41 54 45 20 41 54 54 45 4e IMMEDIA TE ATTEN
    0100 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f 77 73 20 68 TION...W indows h
    0110 61 73 20 66 6f 75 6e 64 20 35 35 20 43 72 69 74 as found 55 Crit
    0120 69 63 61 6c 20 53 79 73 74 65 6d 20 45 72 72 6f ical Sys tem Erro
    0130 72 73 2e 0a 0a 54 6f 20 66 69 78 20 74 68 65 20 rs...To fix the
    0140 65 72 72 6f 72 73 20 70 6c 65 61 73 65 20 64 6f errors p lease do
    0150 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 3a 0a the fol lowing:.
    0160 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 20 52 65 67 .1. Down load Reg
    0170 69 73 74 72 79 20 55 70 64 61 74 65 20 66 72 6f istry Up date fro
    0180 6d 3a 20 77 77 77 2e 72 65 67 66 69 78 69 74 2e m: www.r egfixit.
    0190 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 6c 6c 20 52 com.2. I nstall R
    01a0 65 67 69 73 74 72 79 20 55 70 64 61 74 65 0a 33 egistry Update.3
    01b0 2e 20 52 75 6e 20 52 65 67 69 73 74 72 79 20 55 . Run Re gistry U
    01c0 70 64 61 74 65 0a 34 2e 20 52 65 62 6f 6f 74 20 pdate.4. Reboot
    01d0 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 0a 0a 46 your com puter..F
    01e0 41 49 4c 55 52 45 20 54 4f 20 41 43 54 20 4e 4f AILURE T O ACT NO
    01f0 57 20 4d 41 59 20 4c 45 41 44 20 54 4f 20 53 59 W MAY LE AD TO SY
    0200 53 54 45 4d 20 46 41 49 4c 55 52 45 21 0a 00 STEM FAI LURE!..

    The packets are coming perhaps once every 2 to 5 minutes.

    I don't understand why these packets are getting through my router
    since I do not have port 1027 enabled.

    Can anyone identify these packets or give advice?

    Also, is there a way to find out what processes are receiving/sending
    a specific packet? For example, how do I determine what process/service
    is generating the ICMP response above?
    --
    % Randy Yates % "Bird, on the wing,
    %% Fuquay-Varina, NC % goes floating by
    %%% 919-577-9882 % but there's a teardrop in his eye..."
    %%%% % 'One Summer Dream', *Face The Music*, ELO
    http://home.earthlink.net/~yatescr

  2. Re: Rogue Packets on Port 1027


    See response in teh other 2 ng's you posted to separately. :-)

    --
    Todd H.
    http://www.toddh.net/

+ Reply to Thread