Rogue Packets on Port 1027? - SSH


Thread: Rogue Packets on Port 1027?

  1. Rogue Packets on Port 1027?

    I monitored my network traffic using wireshark (a fantastic tool,
    by the way) and found that I'm getting rogue packets that wireshark
    is identifying as follows:

    No Time Source Destination Protocol Info
    -- ---- ------ ----------- -------- ----
    36 30.879265 218.27.148.78 192.168.1.104 Messenger NetrSendMessage request

    The message part of the packet is reported by wireshark as follows:

    00b0 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5..... ..5...ST
    00c0 4f 50 21 20 57 49 4e 44 4f 57 53 20 52 45 51 55 OP! WIND OWS REQU
    00d0 49 52 45 53 20 49 4d 4d 45 44 49 41 54 45 20 41 IRES IMM EDIATE A
    00e0 54 54 45 4e 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f TTENTION ...Windo
    00f0 77 73 20 68 61 73 20 66 6f 75 6e 64 20 35 35 20 ws has f ound 55
    0100 43 72 69 74 69 63 61 6c 20 53 79 73 74 65 6d 20 Critical System
    0110 45 72 72 6f 72 73 2e 0a 0a 54 6f 20 66 69 78 20 Errors.. .To fix
    0120 74 68 65 20 65 72 72 6f 72 73 20 70 6c 65 61 73 the erro rs pleas
    0130 65 20 64 6f 20 74 68 65 20 66 6f 6c 6c 6f 77 69 e do the followi
    0140 6e 67 3a 0a 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 ng:..1. Download
    0150 20 52 65 67 69 73 74 72 79 20 55 70 64 61 74 65 Registr y Update
    0160 20 66 72 6f 6d 3a 20 77 77 77 2e 72 65 67 66 69 from: w ww.regfi
    0170 78 69 74 2e 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 xit.com. 2. Insta
    0180 6c 6c 20 52 65 67 69 73 74 72 79 20 55 70 64 61 ll Regis try Upda
    0190 74 65 0a 33 2e 20 52 75 6e 20 52 65 67 69 73 74 te.3. Ru n Regist
    01a0 72 79 20 55 70 64 61 74 65 0a 34 2e 20 52 65 62 ry Updat e.4. Reb
    01b0 6f 6f 74 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 oot your compute
    01c0 72 0a 0a 46 41 49 4c 55 52 45 20 54 4f 20 41 43 r..FAILU RE TO AC
    01d0 54 20 4e 4f 57 20 4d 41 59 20 4c 45 41 44 20 54 T NOW MA Y LEAD T
    01e0 4f 20 53 59 53 54 45 4d 20 46 41 49 4c 55 52 45 O SYSTEM FAILURE
    01f0 21 0a 00 !..

    My system is responding with

    No Time Source Destination Protocol Info
    -- ---- ------ ----------- -------- ----
    37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)

    There is an outgoing message that appears to be similar to the incoming one:

    0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0 ...._... [CDj..E.
    0010 02 01 a3 53 00 00 40 01 a4 6e c0 a8 01 68 da 1b ...S..@. .n...h..
    0020 94 4e 03 03 2f 5a 00 00 00 00 45 00 01 e5 00 00 .N../Z.. ..E.....
    0030 40 00 27 11 21 8e da 1b 94 4e c0 a8 01 68 bb 92 @.'.!... .N...h..
    0040 04 03 01 d1 a4 8d 04 00 28 00 10 00 00 00 00 00 ........ (.......
    0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 ........ ........
    0060 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc ca 23 {Z...... ..O....#
    0070 2a 88 87 c5 7d 05 ae e7 bd 9b 51 d1 6b ce 00 00 *...}... ..Q.k...
    0080 00 00 01 00 00 00 00 00 00 00 00 00 ff ff ff ff ........ ........
    0090 79 01 00 00 00 00 10 00 00 00 00 00 00 00 10 00 y....... ........
    00a0 00 00 46 52 4f 4d 00 00 00 00 00 00 00 00 00 00 ..FROM.. ........
    00b0 00 00 10 00 00 00 00 00 00 00 10 00 00 00 54 4f ........ ......TO
    00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 01 ........ ......5.
    00d0 00 00 00 00 00 00 35 01 00 00 53 54 4f 50 21 20 ......5. ..STOP!
    00e0 57 49 4e 44 4f 57 53 20 52 45 51 55 49 52 45 53 WINDOWS REQUIRES
    00f0 20 49 4d 4d 45 44 49 41 54 45 20 41 54 54 45 4e IMMEDIA TE ATTEN
    0100 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f 77 73 20 68 TION...W indows h
    0110 61 73 20 66 6f 75 6e 64 20 35 35 20 43 72 69 74 as found 55 Crit
    0120 69 63 61 6c 20 53 79 73 74 65 6d 20 45 72 72 6f ical Sys tem Erro
    0130 72 73 2e 0a 0a 54 6f 20 66 69 78 20 74 68 65 20 rs...To fix the
    0140 65 72 72 6f 72 73 20 70 6c 65 61 73 65 20 64 6f errors p lease do
    0150 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 3a 0a the fol lowing:.
    0160 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 20 52 65 67 .1. Down load Reg
    0170 69 73 74 72 79 20 55 70 64 61 74 65 20 66 72 6f istry Up date fro
    0180 6d 3a 20 77 77 77 2e 72 65 67 66 69 78 69 74 2e m: www.r egfixit.
    0190 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 6c 6c 20 52 com.2. I nstall R
    01a0 65 67 69 73 74 72 79 20 55 70 64 61 74 65 0a 33 egistry Update.3
    01b0 2e 20 52 75 6e 20 52 65 67 69 73 74 72 79 20 55 . Run Re gistry U
    01c0 70 64 61 74 65 0a 34 2e 20 52 65 62 6f 6f 74 20 pdate.4. Reboot
    01d0 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 0a 0a 46 your com puter..F
    01e0 41 49 4c 55 52 45 20 54 4f 20 41 43 54 20 4e 4f AILURE T O ACT NO
    01f0 57 20 4d 41 59 20 4c 45 41 44 20 54 4f 20 53 59 W MAY LE AD TO SY
    0200 53 54 45 4d 20 46 41 49 4c 55 52 45 21 0a 00 STEM FAI LURE!..

    The packets are coming perhaps once every 2 to 5 minutes.

    I don't understand why these packets are getting through my router
    since I do not have port 1027 enabled.

    Can anyone identify these packets or give advice?

    Also, is there a way to find out what processes are receiving/sending
    a specific packet? For example, how do I determine what process/service
    is generating the ICMP response above?
    --
    % Randy Yates % "Remember the good old 1980's, when
    %% Fuquay-Varina, NC % things were so uncomplicated?"
    %%% 919-577-9882 % 'Ticket To The Moon'
    %%%% % *Time*, Electric Light Orchestra
    http://home.earthlink.net/~yatescr
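As an added worked example (not code from anyone in this thread), the following Python decodes frame 37 exactly as pasted above. It rebuilds the bytes from Wireshark's hex dump, walks the Ethernet header, the outer IPv4 header, the ICMP header, the quoted original IPv4/UDP datagram and the DCE/RPC connectionless header, and then reads the three NDR strings of the NetrSendMessage call. That is why the outgoing frame "appears to be similar" to the incoming one: an ICMP type 3, code 3 reply (destination unreachable, port unreachable) carries a copy of the datagram it rejects. Field offsets follow the DCE/RPC datagram header layout and the NetrSendMessage stub as they appear in these bytes; the function names are my own.

```python
import re
import struct
import uuid
from ipaddress import IPv4Address

# Frame 37 exactly as pasted in the first post (Wireshark packet-bytes view of the
# outgoing ICMP reply): offset column, 16 hex bytes, ASCII column.
OUTGOING_FRAME_DUMP = """\
0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0 ...._... [CDj..E.
0010 02 01 a3 53 00 00 40 01 a4 6e c0 a8 01 68 da 1b ...S..@. .n...h..
0020 94 4e 03 03 2f 5a 00 00 00 00 45 00 01 e5 00 00 .N../Z.. ..E.....
0030 40 00 27 11 21 8e da 1b 94 4e c0 a8 01 68 bb 92 @.'.!... .N...h..
0040 04 03 01 d1 a4 8d 04 00 28 00 10 00 00 00 00 00 ........ (.......
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 ........ ........
0060 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc ca 23 {Z...... ..O....#
0070 2a 88 87 c5 7d 05 ae e7 bd 9b 51 d1 6b ce 00 00 *...}... ..Q.k...
0080 00 00 01 00 00 00 00 00 00 00 00 00 ff ff ff ff ........ ........
0090 79 01 00 00 00 00 10 00 00 00 00 00 00 00 10 00 y....... ........
00a0 00 00 46 52 4f 4d 00 00 00 00 00 00 00 00 00 00 ..FROM.. ........
00b0 00 00 10 00 00 00 00 00 00 00 10 00 00 00 54 4f ........ ......TO
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 01 ........ ......5.
00d0 00 00 00 00 00 00 35 01 00 00 53 54 4f 50 21 20 ......5. ..STOP!
00e0 57 49 4e 44 4f 57 53 20 52 45 51 55 49 52 45 53 WINDOWS REQUIRES
00f0 20 49 4d 4d 45 44 49 41 54 45 20 41 54 54 45 4e IMMEDIA TE ATTEN
0100 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f 77 73 20 68 TION...W indows h
0110 61 73 20 66 6f 75 6e 64 20 35 35 20 43 72 69 74 as found 55 Crit
0120 69 63 61 6c 20 53 79 73 74 65 6d 20 45 72 72 6f ical Sys tem Erro
0130 72 73 2e 0a 0a 54 6f 20 66 69 78 20 74 68 65 20 rs...To fix the
0140 65 72 72 6f 72 73 20 70 6c 65 61 73 65 20 64 6f errors p lease do
0150 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 3a 0a the fol lowing:.
0160 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 20 52 65 67 .1. Down load Reg
0170 69 73 74 72 79 20 55 70 64 61 74 65 20 66 72 6f istry Up date fro
0180 6d 3a 20 77 77 77 2e 72 65 67 66 69 78 69 74 2e m: www.r egfixit.
0190 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 6c 6c 20 52 com.2. I nstall R
01a0 65 67 69 73 74 72 79 20 55 70 64 61 74 65 0a 33 egistry Update.3
01b0 2e 20 52 75 6e 20 52 65 67 69 73 74 72 79 20 55 . Run Re gistry U
01c0 70 64 61 74 65 0a 34 2e 20 52 65 62 6f 6f 74 20 pdate.4. Reboot
01d0 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 0a 0a 46 your com puter..F
01e0 41 49 4c 55 52 45 20 54 4f 20 41 43 54 20 4e 4f AILURE T O ACT NO
01f0 57 20 4d 41 59 20 4c 45 41 44 20 54 4f 20 53 59 W MAY LE AD TO SY
0200 53 54 45 4d 20 46 41 49 4c 55 52 45 21 0a 00 STEM FAI LURE!..
"""

def parse_hexdump(text):
    """Rebuild raw bytes; offsets are cross-checked so a dropped line is caught."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and int(tokens[0], 16) != len(out):
            raise ValueError(f"dump line {tokens[0]} out of sequence")
        for tok in tokens[1:17]:  # at most 16 bytes; ASCII-column text like "55" is never data
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def ipv4_header(buf, off):
    """Return (header_len, protocol, src, dst, total_len) of the IPv4 header at off."""
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    src, dst = IPv4Address(buf[off + 12:off + 16]), IPv4Address(buf[off + 16:off + 20])
    return (ver_ihl & 0x0F) * 4, buf[off + 9], str(src), str(dst), total_len

def ndr_string(stub, off):
    """Read one little-endian NDR char array: max_count, offset, actual_count, chars."""
    _max_count, _offset, actual = struct.unpack_from("<III", stub, off)
    start = off + 12
    text = stub[start:start + actual].split(b"\0", 1)[0].decode("latin-1")
    end = start + actual
    return text, end + (-end) % 4  # the next field is 4-byte aligned within the stub

def decode_icmp_reject(frame):
    hlen, proto, src, dst, _ = ipv4_header(frame, 14)  # 14-byte Ethernet header first
    if proto != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = 14 + hlen
    # RFC 792: destination-unreachable quotes the offending datagram after its own 8-byte header
    inner = icmp + 8
    in_hlen, in_proto, in_src, in_dst, in_len = ipv4_header(frame, inner)
    if in_proto != 17:
        raise ValueError("quoted datagram is not UDP")
    udp = inner + in_hlen
    sport, dport, udp_len, _csum = struct.unpack_from("!HHHH", frame, udp)
    payload = frame[udp + 8:udp + udp_len]
    # DCE/RPC connectionless header: version 4, 80 bytes; drep byte 0x10 = little-endian
    if payload[0] != 4 or not payload[4] & 0x10:
        raise ValueError("not a little-endian DCE/RPC datagram")
    iface = uuid.UUID(bytes_le=payload[24:40])  # interface UUID sits at offset 24
    opnum, body_len = struct.unpack_from("<H", payload, 68)[0], struct.unpack_from("<H", payload, 74)[0]
    stub = payload[80:80 + body_len]
    sender, off = ndr_string(stub, 0)  # NetrSendMessage stub: sender, recipient, text
    recipient, off = ndr_string(stub, off)
    message, _ = ndr_string(stub, off)
    return {"outer_src": src, "outer_dst": dst, "icmp_type": frame[icmp], "icmp_code": frame[icmp + 1],
            "inner_src": in_src, "inner_dst": in_dst, "quoted_complete": len(frame) - inner >= in_len,
            "udp_sport": sport, "udp_dport": dport, "interface": str(iface), "opnum": opnum,
            "sender": sender, "recipient": recipient, "message": message}
```

Calling decode_icmp_reject(parse_hexdump(OUTGOING_FRAME_DUMP)) shows 192.168.1.104 answering 218.27.148.78 with ICMP type 3 code 3, the quoted datagram being UDP from port 48018 to port 1027, the Messenger interface UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc with opnum 0 (NetrSendMessage), and the three strings FROM, TO and the "STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION." text. The quoted datagram is complete, so the whole spam message rides inside the ICMP error; that, not a second spam packet leaving the LAN, is the "outgoing message that appears similar to the incoming one".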

  2. Re: Rogue Packets on Port 1027?

    On Jul 20, 10:59 am, Randy Yates wrote:
    > I monitored my network traffic using wireshark (a fantastic tool,
    > by the way) and found that I'm getting rogue packets that wireshark
    > is identifying as follows:
    >
    > No Time Source Destination Protocol Info
    > -- ---- ------ ----------- -------- ----
    > 36 30.879265 218.27.148.78 192.168.1.104 Messenger NetrSendMessage request
    >
    > The message part of the packet is reported by wireshark as follows:
    >
    > 00b0 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5..... ..5...ST
    > 00c0 4f 50 21 20 57 49 4e 44 4f 57 53 20 52 45 51 55 OP! WIND OWS REQU

    [snip]

    OK, your router received a packet (obviously meant for an MSWindows
    system)


    > My system is responding with
    >
    > No Time Source Destination Protocol Info
    > -- ---- ------ ----------- -------- ----
    > 37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)
    >
    > There is an outgoing message that appears to be similar to the incoming one:
    >
    > 0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0 ...._... [CDj..E.

    [snip]

    and your router responded with an ICMP reject message.

    >
    > The packets are coming perhaps once every 2 to 5 minutes.
    >
    > I don't understand why these packets are getting through my router
    > since I do not have port 1027 enabled.


    The packets aren't "getting through your router". They are being
    stopped by your router and rejected with the appropriate ICMP reject
    message.

    > Can anyone identify these packets or give advice?


    Typical MSWindows "Windows Messaging Service" spam attack, answered by
    your router as "please go away, there's no one at that address".

    > Also, is there a way to find out what processes are receiving/sending
    > a specific packet?


    Sending the original packet? No, that's outside of your environment.
    Receiving the original packet? Why, your router is receiving the
    packet and disposing of it nicely.
    Sending the reply ICMP message? That's your router, telling the other
    guy to go away.
    Receiving the reply ICMP message? No, that's outside of your
    environment.

    > For example, how do I determine what process/service
    > is generating the ICMP response above?


    That's no process. That's your router.




  3. Re: Rogue Packets on Port 1027?

    Lew Pitcher writes:
    > [...]
    > The packets aren't "getting through your router". They are being
    > stopped by your router


    Then why would software that runs on my computer detect it? Note
    that my "router" has two physical interfaces, one out to the "internet"
    and one to my "computer."
    --
    % Randy Yates % "...the answer lies within your soul
    %% Fuquay-Varina, NC % 'cause no one knows which side
    %%% 919-577-9882 % the coin will fall."
    %%%% % 'Big Wheels', *Out of the Blue*, ELO
    http://home.earthlink.net/~yatescr

  4. Re: Rogue Packets on Port 1027?

    Randy Yates writes:

    > I monitored my network traffic using wireshark (a fantastic tool,
    > by the way) and found that I'm getting rogue packets that wireshark
    > is identifying as follows:
    >
    > No Time Source Destination Protocol Info
    > -- ---- ------ ----------- -------- ----
    > 36 30.879265 218.27.148.78 192.168.1.104 Messenger
    > NetrSendMessage request


    Safe to assume 192.168.1.104 is the IP address of your LAN connected
    computer running wireshark?

    1027, is this a udp port number? I'm assuming udp since that's what
    windows messenger listened on -- dynamic port > 1024.

    If so, it is a bit disconcerting. What make/model/hardware
    rev/software level of the router? Have you verified that your
    computer hasn't somehow been put in the dmz of the router? There are
    some web-based sploits out there for some popular home router
    appliances that do this just by visiting a web page.

    Or, it could be that your router isn't blocking inbound udp (but is
    likely blocking inbound tcp).

    > My system is responding with
    >
    > No Time Source Destination Protocol Info
    > -- ---- ------ ----------- -------- ----
    > 37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)


    > I don't understand why these packets are getting through my router
    > since I do not have port 1027 enabled.


    Nor do I.

    > Can anyone identify these packets or give advice?


    They're windows messenger messages - the ones that aim to pop up an
    announcement window on your machine if they were to ever reach it and
    the messenger service process it.

    > Also, is there a way to find out what processes are receiving/sending
    > a specific packet? For example, how do I determine what process/service
    > is generating the ICMP response above?


    If I had to guess, the process sending the ICMP would be windows
    firewall, a third party firewall if any, or the tcp/ip stack of the
    machine itself.

    netstat -an | grep 1027 on your local machine should tell you if 1027
    is listening from the localhost perspective. If it is, then a
    software firewall is probably doing the ICMP reply. If not, then it's
    possible either the firewall or the tcp/ip stack itself is saying no
    one's home.

    I'm not an expert in this, so I invite others to clarify/correct, but
    I share your concern as to why this inbound traffic isn't being
    filtered by your border device.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  5. Re: Rogue Packets on Port 1027?

    Hi Todd,

    Thanks for responding.

    comphelp@toddh.net (Todd H.) writes:

    > Randy Yates writes:
    >
    >> I monitored my network traffic using wireshark (a fantastic tool,
    >> by the way) and found that I'm getting rogue packets that wireshark
    >> is identifying as follows:
    >>
    >> No Time Source Destination Protocol Info
    >> -- ---- ------ ----------- -------- ----
    >> 36 30.879265 218.27.148.78 192.168.1.104 Messenger
    >> NetrSendMessage request

    >
    > Safe to assume 192.168.1.104 is the IP address of your LAN connected
    > computer running wireshark?


    Correct.

    > 1027 is this a udp port number? I'm assuming udp since that's what
    > windows messenger listened on -- dynamic port > 1024.


    Since wireshark lists the entry

    User Datagram Protocol, Src Port: 32924 (32924), Dst Port: cap (1026)

    for the packet, I guess that means it's a UDP packet? Oh, by the way,
    it seems to shuffle the ports a bit - the one above was captured just
    a minute ago and uses port 1026.

    > If so, it is a bit disconcerting. What make/model/hardware
    > rev/software level of the router?


    Linksys WRT54G, Firmware Version: v3.03.9.

    > Have you verified that your computer hasn't somehow been put in the
    > dmz of the router?


    I have now - that option is disabled (and had been disabled).

    > There are some web-based sploits out there for some popular home
    > router appliances that do this just by visiting a web page.


    Even through a linux system? By the way, I'm running

    Linux localhost.localdomain 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:18:54 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

    > Or, it could be that your router isn't blocking inbound udp (but is
    > likely blocking inbound tcp).


    It looks to me like it blocks both unless either is explicitly enabled in the
    "Applications and Gaming" tab of the configuration page.

    >> My system is responding with
    >>
    >> No Time Source Destination Protocol Info
    >> -- ---- ------ ----------- -------- ----
    >> 37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)

    >
    >> I don't understand why these packets are getting through my router
    >> since I do not have port 1027 enabled.

    >
    > Nor do I.
    >
    >> Can anyone identify these packets or give advice?

    >
    > They're windows messenger messages - the ones that aim to pop up an
    > announcement window on your machine if they were to ever reach it and
    > the messenger service process it.


    But that doesn't work on linux, right?

    >> Also, is there a way to find out what processes are receiving/sending
    >> a specific packet? For example, how do I determine what process/service
    >> is generating the ICMP response above?

    >
    > If I had to guess, the process sending the ICMP would be windows
    > firewall, a third party firewall if any, or the tcp/ip stack of the
    > machine itself.


    Since this is linux, probably the latter, no?

    > netstat -an | grep 1027 on your local machine should tell you if 1027
    > is listening from the localhost perspective.


    I get no matches.

    > If it is, then a
    > software firewall is probably doing the ICMP reply. If not, then it's
    > possible either the firewall or the tcp/ip stack itself is saying no
    > one's home.
    >
    > I'm not an expert in this, so I invite others to clarify/correct, but
    > I share your concern as to why this inbound traffic isn't being
    > filtered by your border device.


    Thanks for your input, Todd. Every little bit helps.
    --
    % Randy Yates % "Watching all the days go by...
    %% Fuquay-Varina, NC % Who are you and who am I?"
    %%% 919-577-9882 % 'Mission (A World Record)',
    %%%% % *A New World Record*, ELO
    http://home.earthlink.net/~yatescr

  6. Re: Rogue Packets on Port 1027?

    In message <84y7ha6ct6.fsf@ripco.com>, Todd H. wrote:
    >
    > Safe to assume 192.168.1.104 is the IP address of your LAN connected
    > computer running wireshark?
    >
    > 1027 is this a udp port number? I'm assuming udp since that's what
    > windows messenger listened on -- dynamic port > 1024.
    >
    > If so, it is a bit disconcerting. What make/model/hardware
    > rev/software level of the router? Have you verified that your
    > computer hasn't somehow been put in the dmz of the router? There are
    > some web-based sploits out there for some popular home router
    > appliances that do this just by visiting a web page.
    >
    > Or, it could be that your router isn't blocking inbound udp (but is
    > likely blocking inbound tcp).
    >

    How about having a DMZ set up to point to that machine? That way it gets
    everything by default.

    --
    Dave
    mail da ve@llondel.org (without the space)
    http://www.llondel.org
    So many gadgets, so little time

  7. Re: Rogue Packets on Port 1027?

    Randy Yates writes:

    > Hi Todd,
    >
    > Thanks for responding.
    >
    > comphelp@toddh.net (Todd H.) writes:
    >
    > > Randy Yates writes:
    > >
    > >> I monitored my network traffic using wireshark (a fantastic tool,
    > >> by the way) and found that I'm getting rogue packets that wireshark
    > >> is identifying as follows:
    > >>
    > >> No Time Source Destination Protocol Info
    > >> -- ---- ------ ----------- -------- ----
    > >> 36 30.879265 218.27.148.78 192.168.1.104 Messenger
    > >> NetrSendMessage request

    > >
    > > Safe to assume 192.168.1.104 is the IP address of your LAN connected
    > > computer running wireshark?

    >
    > Correct.
    >
    > > 1027 is this a udp port number? I'm assuming udp since that's what
    > > windows messenger listened on -- dynamic port > 1024.

    >
    > Since wireshark lists the entry
    >
    > User Datagram Protocol, Src Port: 32924 (32924), Dst Port: cap (1026)
    >
    > for the packet, I guess that means it's a UDP packet? Oh, by the way,
    > it seems to shuffle the ports a bit - the one above was captured just
    > a minute ago and uses port 1026.


    Yeah UDP is user datagram protocol.

    Okay, and the messenger spim is using random ports trying to look for
    a running messenger process.

    > > If so, it is a bit disconcerting. What make/model/hardware
    > > rev/software level of the router?

    >
    > Linksys WRT54G, Firmware Version: v3.03.9.


    Which hardware version? It's on the sticker on the bottom.

    > > There are some web-based sploits out there for some popular home
    > > router appliances that do this just by visiting a web page.

    >
    > Even through a linux system? By the way, I'm running


    Yeah. Even Mozilla with javascript enabled can be triggered to send
    an HTTP POST request from the browser, but looks like you may be fine
    all the same. Verify remote management is turned off on the router
    and consider the latest firmware.


    Despite the title of this one, the wrt54g is affected in certain hw
    revisions:
    http://www.securityfocus.com/bid/19347

    and
    http://www.securityfocus.com/bid/14822/info

    and there are others.


    > Linux localhost.localdomain 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:18:54 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
    >
    > > Or, it could be that your router isn't blocking inbound udp (but
    > > is likely blocking inbound tcp).

    >
    > It looks to me like it blocks both unless either is explicitly enabled in the
    > "Applications and Gaming" tab of the configuration page.


    Tried any online port scanner thingees to see what seems to get
    through?

    http://www.broadbandreports.com/tools
    portscan (down at the moment it seems)

    or, more annoyingly:

    https://www.grc.com/x/ne.dll?bh0bkyd2


    and you can even spim yourself:
    https://www.grc.com/x/ne.dll?rh1dkyd2



    > > They're windows messenger messages - the ones that aim to pop up an
    > > announcement window on your machine if they were to ever reach it and
    > > the messenger service process it.

    >
    > But that doesn't work on linux, right?


    Correct. It won't find a listening messenger service. Depending on
    whether you have the linux firewall up and configured will probably
    determine which process or the kernel is actually sending the ICMP
    message in response.

    These messenger SPIMs (spam, via instant messages) being sent all
    over are nearly always using spoofed source addresses anyway so the
    ICMP network unreachable is probably going back to a host that either
    doesn't exist or didn't send it in the first place.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  8. Re: Rogue Packets on Port 1027?

    "Dave {Reply Address in.Sig}" writes:

    > How about having a DMZ set up to point to that machine? that way it gets
    > everything by default.


    I don't get you - can you please explain more? I don't think I really
    understand what a DMZ is.
    --
    % Randy Yates % "My Shangri-la has gone away, fading like
    %% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
    %%% 919-577-9882 %
    %%%% % 'Shangri-La', *A New World Record*, ELO
    http://home.earthlink.net/~yatescr

  9. Re: Rogue Packets on Port 1027?

    comphelp@toddh.net (Todd H.) writes:

    > Randy Yates writes:
    >> Linksys WRT54G, Firmware Version: v3.03.9.

    >
    > Which hardware version? It's on the sticker on the bottom.


    V.3

    Thanks for the links - I'm checking them out now.
    --
    % Randy Yates % "My Shangri-la has gone away, fading like
    %% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
    %%% 919-577-9882 %
    %%%% % 'Shangri-La', *A New World Record*, ELO
    http://home.earthlink.net/~yatescr

  10. Re: Rogue Packets on Port 1027?

    Randy Yates writes:

    > "Dave {Reply Address in.Sig}" writes:
    >
    > > How about having a DMZ set up to point to that machine? that way it gets
    > > everything by default.

    >
    > I don't get you - can you please explain more? I don't think I really
    > understand what a DMZ is.


    I think Dave may have been suggesting that perhaps your linux machine
    was configured to be in the DMZ of the router (in which case it
    wouldn't see any filtering from the router). I mentioned this as well
    and you had checked and verified in the config that it wasn't the
    case.

    If, on the other hand, Dave was suggesting you add the host to the DMZ,
    nah, I don't understand that either, or Dave may have misunderstood
    the question you were asking.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  11. Re: Rogue Packets on Port 1027?

    Todd,

    I've since upgraded to firmware version 4.21.1, verified remote
    access is off, disabled wireless web access, and disabled UPnP,
    but I'm still getting the exact same packets.

    --Stumped

    --
    % Randy Yates % "My Shangri-la has gone away, fading like
    %% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
    %%% 919-577-9882 %
    %%%% % 'Shangri-La', *A New World Record*, ELO
    http://home.earthlink.net/~yatescr

  12. Re: Rogue Packets on Port 1027?

    Should I click on the "Filter Internet NAT Redirection" box? Should
    I disable IPSec, PPTP, and L2TP passthroughs?

    --Randy

    --
    % Randy Yates % "Midnight, on the water...
    %% Fuquay-Varina, NC % I saw... the ocean's daughter."
    %%% 919-577-9882 % 'Can't Get It Out Of My Head'
    %%%% % *El Dorado*, Electric Light Orchestra
    http://home.earthlink.net/~yatescr

  13. Re: Rogue Packets on Port 1027?

    In message <84wswud9bd.fsf@ripco.com>, Todd H. wrote:

    >
    > I think Dave may have been suggesting that perhaps your linux machine
    > was configured to be in the DMZ of the router (in which case it
    > wouldn't see any filtering from the router). I mentioned this as well
    > and you had checked and verified in the config that it wasn't the
    > case.
    >
    > If, on the other hand Dave was suggesting you add the host to the DMZ,
    > nah, I don't understand that either, or Dave may have misunderstood
    > the question you were asking.
    >

    No, I was suggesting that perhaps it might already be in the DMZ. In the UK
    we use some words different to the US :-)
    --
    Dave
    mail da ve@llondel.org (without the space)
    http://www.llondel.org
    So many gadgets, so little time

  14. Re: Rogue Packets on Port 1027?

    In message , Randy Yates wrote:

    > "Dave {Reply Address in.Sig}" writes:
    >
    >> How about having a DMZ set up to point to that machine? that way it gets
    >> everything by default.

    >
    > I don't get you - can you please explain more? I don't think I really
    > understand what a DMZ is.
    >

    It stands for Demilitarized Zone, basically allowing you to have a computer
    outside the firewall/NAT protection, such that it receives anything not
    specifically targeted at another local IP address. Often used by gamers
    because they need to use various obscure ports that otherwise wouldn't be
    routed without much tweaking by them. There are obvious security
    implications for having such a setup...
    --
    Dave
    mail da ve@llondel.org (without the space)
    http://www.llondel.org
    So many gadgets, so little time

  15. Re: Rogue Packets on Port 1027?

    Here's another, related question.

    The router is itself a computer, no? I
    think they use some type of embedded linux
    system.

    Isn't it possible that the router has been
    owned, and that various attacks/spoofs/whatever
    are being executed by the router?

    After my upgrade yesterday, I realized that if
    you owned the router, you could even fake firmware
    upgrades by parsing the binary and extracting and
    reporting the new firmware revision number without
    actually upgrading anything.

    --Randy


    comphelp@toddh.net (Todd H.) writes:

    > Randy Yates writes:
    >
    >> "Dave {Reply Address in.Sig}" writes:
    >>
    >> > How about having a DMZ set up to point to that machine? that way it gets
    >> > everything by default.

    >>
    >> I don't get you - can you please explain more? I don't think I really
    >> understand what a DMZ is.

    >
    > I think Dave may have been suggesting that perhaps your linux machine
    > was configured to be in the DMZ of the router (in which case it
    > wouldn't see any filtering from the router). I mentioned this as well
    > and you had checked and verified in the config that it wasn't the
    > case.
    >
    > If, on the other hand Dave was suggesting you add the host to the DMZ,
    > nah, I don't understand that either, or Dave may have misunderstood
    > the question you were asking.
    >
    > Best Regards,
    > --
    > Todd H.
    > http://www.toddh.net/


    --
    % Randy Yates % "Bird, on the wing,
    %% Fuquay-Varina, NC % goes floating by
    %%% 919-577-9882 % but there's a teardrop in his eye..."
    %%%% % 'One Summer Dream', *Face The Music*, ELO
    http://home.earthlink.net/~yatescr

  16. Re: Rogue Packets on Port 1027? PROBLEM SOLVED!

    OK, are you ready for this?????? ....

    I had mistakenly (a long time ago) configured my router
    (via the applications and gaming tab) to forward ALL ports
    in the range 80 to 8080 to one of my local computers instead
    of just port 80.

    SHEESH!!!!!

    Thanks for all the help, especially to you, Todd.

    --Randy


    Randy Yates writes:

    > I monitored my network traffic using wireshark (a fantastic tool,
    > by the way) and found that I'm getting rogue packets that wireshark
    > is identifying as follows:
    >
    > No Time Source Destination Protocol Info
    > -- ---- ------ ----------- -------- ----
    > 36 30.879265 218.27.148.78 192.168.1.104 Messenger NetrSendMessage request
    >
    > The message part of the packet is reported by wireshark as follows:
    >
    > 00b0 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5..... ..5...ST
    > 00c0 4f 50 21 20 57 49 4e 44 4f 57 53 20 52 45 51 55 OP! WIND OWS REQU
    > 00d0 49 52 45 53 20 49 4d 4d 45 44 49 41 54 45 20 41 IRES IMM EDIATE A
    > 00e0 54 54 45 4e 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f TTENTION ...Windo
    > 00f0 77 73 20 68 61 73 20 66 6f 75 6e 64 20 35 35 20 ws has f ound 55
    > 0100 43 72 69 74 69 63 61 6c 20 53 79 73 74 65 6d 20 Critical System
    > 0110 45 72 72 6f 72 73 2e 0a 0a 54 6f 20 66 69 78 20 Errors.. .To fix
    > 0120 74 68 65 20 65 72 72 6f 72 73 20 70 6c 65 61 73 the erro rs pleas
    > 0130 65 20 64 6f 20 74 68 65 20 66 6f 6c 6c 6f 77 69 e do the followi
    > 0140 6e 67 3a 0a 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 ng:..1. Download
    > 0150 20 52 65 67 69 73 74 72 79 20 55 70 64 61 74 65 Registr y Update
    > 0160 20 66 72 6f 6d 3a 20 77 77 77 2e 72 65 67 66 69 from: w ww.regfi
    > 0170 78 69 74 2e 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 xit.com. 2. Insta
    > 0180 6c 6c 20 52 65 67 69 73 74 72 79 20 55 70 64 61 ll Regis try Upda
    > 0190 74 65 0a 33 2e 20 52 75 6e 20 52 65 67 69 73 74 te.3. Ru n Regist
    > 01a0 72 79 20 55 70 64 61 74 65 0a 34 2e 20 52 65 62 ry Updat e.4. Reb
    > 01b0 6f 6f 74 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 oot your compute
    > 01c0 72 0a 0a 46 41 49 4c 55 52 45 20 54 4f 20 41 43 r..FAILU RE TO AC
    > 01d0 54 20 4e 4f 57 20 4d 41 59 20 4c 45 41 44 20 54 T NOW MA Y LEAD T
    > 01e0 4f 20 53 59 53 54 45 4d 20 46 41 49 4c 55 52 45 O SYSTEM FAILURE
    > 01f0 21 0a 00 !..
    >
    > My system is responding with
    >
    > No Time Source Destination Protocol Info
    > -- ---- ------ ----------- -------- ----
    > 37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)
    >
    > There is an outgoing message that appears to be similar to the incoming one:
    >
    > 0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0 ...._... [CDj..E.
    > 0010 02 01 a3 53 00 00 40 01 a4 6e c0 a8 01 68 da 1b ...S..@. .n...h..
    > 0020 94 4e 03 03 2f 5a 00 00 00 00 45 00 01 e5 00 00 .N../Z.. ..E.....
    > 0030 40 00 27 11 21 8e da 1b 94 4e c0 a8 01 68 bb 92 @.'.!... .N...h..
    > 0040 04 03 01 d1 a4 8d 04 00 28 00 10 00 00 00 00 00 ........ (.......
    > 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 ........ ........
    > 0060 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc ca 23 {Z...... ..O....#
    > 0070 2a 88 87 c5 7d 05 ae e7 bd 9b 51 d1 6b ce 00 00 *...}... ..Q.k...
    > 0080 00 00 01 00 00 00 00 00 00 00 00 00 ff ff ff ff ........ ........
    > 0090 79 01 00 00 00 00 10 00 00 00 00 00 00 00 10 00 y....... ........
    > 00a0 00 00 46 52 4f 4d 00 00 00 00 00 00 00 00 00 00 ..FROM.. ........
    > 00b0 00 00 10 00 00 00 00 00 00 00 10 00 00 00 54 4f ........ ......TO
    > 00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 01 ........ ......5.
    > 00d0 00 00 00 00 00 00 35 01 00 00 53 54 4f 50 21 20 ......5. ..STOP!
    > 00e0 57 49 4e 44 4f 57 53 20 52 45 51 55 49 52 45 53 WINDOWS REQUIRES
    > 00f0 20 49 4d 4d 45 44 49 41 54 45 20 41 54 54 45 4e IMMEDIA TE ATTEN
    > 0100 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f 77 73 20 68 TION...W indows h
    > 0110 61 73 20 66 6f 75 6e 64 20 35 35 20 43 72 69 74 as found 55 Crit
    > 0120 69 63 61 6c 20 53 79 73 74 65 6d 20 45 72 72 6f ical Sys tem Erro
    > 0130 72 73 2e 0a 0a 54 6f 20 66 69 78 20 74 68 65 20 rs...To fix the
    > 0140 65 72 72 6f 72 73 20 70 6c 65 61 73 65 20 64 6f errors p lease do
    > 0150 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 3a 0a the fol lowing:.
    > 0160 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 20 52 65 67 .1. Down load Reg
    > 0170 69 73 74 72 79 20 55 70 64 61 74 65 20 66 72 6f istry Up date fro
    > 0180 6d 3a 20 77 77 77 2e 72 65 67 66 69 78 69 74 2e m: www.r egfixit.
    > 0190 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 6c 6c 20 52 com.2. I nstall R
    > 01a0 65 67 69 73 74 72 79 20 55 70 64 61 74 65 0a 33 egistry Update.3
    > 01b0 2e 20 52 75 6e 20 52 65 67 69 73 74 72 79 20 55 . Run Re gistry U
    > 01c0 70 64 61 74 65 0a 34 2e 20 52 65 62 6f 6f 74 20 pdate.4. Reboot
    > 01d0 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 0a 0a 46 your com puter..F
    > 01e0 41 49 4c 55 52 45 20 54 4f 20 41 43 54 20 4e 4f AILURE T O ACT NO
    > 01f0 57 20 4d 41 59 20 4c 45 41 44 20 54 4f 20 53 59 W MAY LE AD TO SY
    > 0200 53 54 45 4d 20 46 41 49 4c 55 52 45 21 0a 00 STEM FAI LURE!..
    >
    > The packets are coming perhaps once every 2 to 5 minutes.
    >
    > I don't understand why these packets are getting through my router
    > since I do not have port 1027 enabled.
    >
    > Can anyone identify these packets or give advice?
    >
    > Also, is there a way to find out what processes are receiving/sending
    > a specific packet? For example, how do I determine what process/service
    > is generating the ICMP response above?
    > --
    > % Randy Yates % "Remember the good old 1980's, when
    > %% Fuquay-Varina, NC % things were so uncomplicated?"
    > %%% 919-577-9882 % 'Ticket To The Moon'
    > %%%% % *Time*, Electric Light Orchestra
    > http://home.earthlink.net/~yatescr


    --
    % Randy Yates % "Rollin' and riding and slippin' and
    %% Fuquay-Varina, NC % sliding, it's magic."
    %%% 919-577-9882 %
    %%%% % 'Living' Thing', *A New World Record*, ELO
    http://home.earthlink.net/~yatescr
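    The outgoing packet quoted above (frame 37, the ICMP Destination
    Unreachable) looks like a copy of the incoming spam because RFC 792
    requires an ICMP error to carry the IP header and the leading bytes of
    the datagram that triggered it. The following is an added example, not
    code from the thread: it decodes the first seven hexdump lines of that
    frame (Ethernet, outer IP, ICMP, the quoted IP and UDP headers and the
    start of the connectionless DCE/RPC header), verifies both IP header
    checksums, and confirms that the quoted datagram was addressed to the
    host that sent the error. Function names and the interface table are
    my own; the only input is the hexdump from the post.

```python
import re
import struct
import uuid

# First 112 bytes (seven hexdump lines) of the outgoing frame quoted in the
# post above.  The rest of the frame is the spam text and is not needed here.
HEXDUMP = """\
0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0 ...._... [CDj..E.
0010 02 01 a3 53 00 00 40 01 a4 6e c0 a8 01 68 da 1b ...S..@. .n...h..
0020 94 4e 03 03 2f 5a 00 00 00 00 45 00 01 e5 00 00 .N../Z.. ..E.....
0030 40 00 27 11 21 8e da 1b 94 4e c0 a8 01 68 bb 92 @.'.!... .N...h..
0040 04 03 01 d1 a4 8d 04 00 28 00 10 00 00 00 00 00 ........ (.......
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 ........ ........
0060 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc ca 23 {Z...... ..O....#
"""

ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      2: "protocol unreachable", 3: "port unreachable"}
# Interface UUID that Wireshark's Messenger dissector keys on (msgsvc).
KNOWN_RPC_INTERFACES = {
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": "Messenger service (msgsvc)"}


def hexdump_to_bytes(dump):
    """Turn a Wireshark-style hexdump (offset, up to 16 hex pairs, ASCII
    column) back into bytes.  Stops at the ASCII column of each line."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:          # drop the offset column
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break                           # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def ip_checksum_ok(header):
    """RFC 791: the one's-complement sum over the whole header, checksum
    field included, must come out as 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4(buf):
    """Decode the IPv4 header fields we care about and verify its checksum."""
    ihl = (buf[0] & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": struct.unpack("!H", buf[2:4])[0],
        "ttl": buf[8],
        "proto": buf[9],
        "src": ".".join(str(b) for b in buf[12:16]),
        "dst": ".".join(str(b) for b in buf[16:20]),
        "checksum_ok": ip_checksum_ok(buf[:ihl]),
    }


def parse_icmp_unreachable(frame):
    """Decode Ethernet/IPv4/ICMP and, for an ICMP type 3 error, the original
    datagram that RFC 792 makes the sender quote after the 8-byte ICMP header."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    outer = parse_ipv4(frame[14:])
    icmp = frame[14 + outer["ihl"]:]
    result = {"outer": outer, "icmp_type": icmp[0], "icmp_code": icmp[1]}
    if outer["proto"] != 1 or icmp[0] != 3:
        return result
    result["code_name"] = ICMP_UNREACH_CODES.get(icmp[1], "code %d" % icmp[1])
    quoted = icmp[8:]
    inner = parse_ipv4(quoted)
    result["inner"] = inner
    # A genuine error quotes a datagram that was addressed to the host now
    # reporting it; anything else is worth a second look.
    result["quoted_was_addressed_to_sender"] = inner["dst"] == outer["src"]
    if inner["proto"] == 17:                    # UDP
        sport, dport, ulen = struct.unpack(
            "!HHH", quoted[inner["ihl"]:inner["ihl"] + 6])
        result["udp"] = {"sport": sport, "dport": dport, "length": ulen}
        payload = quoted[inner["ihl"] + 8:]
        # Connectionless DCE/RPC header: version 4, packet type 0 = request,
        # object UUID at offset 8, interface UUID at offset 24 (little-endian
        # UUID fields, per the 0x10 data representation byte).
        if len(payload) >= 40 and payload[0] == 4:
            if_uuid = str(uuid.UUID(bytes_le=bytes(payload[24:40])))
            result["dcerpc"] = {
                "ptype": payload[1], "if_uuid": if_uuid,
                "interface": KNOWN_RPC_INTERFACES.get(if_uuid, "unknown")}
    return result


if __name__ == "__main__":
    r = parse_icmp_unreachable(hexdump_to_bytes(HEXDUMP))
    print("%s -> %s: ICMP type %d (%s)" % (r["outer"]["src"], r["outer"]["dst"],
                                           r["icmp_type"], r["code_name"]))
    print("quoted: %s:%d -> %s:%d, %s" % (r["inner"]["src"], r["udp"]["sport"],
                                         r["inner"]["dst"], r["udp"]["dport"],
                                         r["dcerpc"]["interface"]))
```

    The decode also shows why Todd's earlier point about spoofed sources
    matters to the defender: the ICMP reply is addressed to whatever
    source the spammer put in the UDP datagram, so the host answers a
    third party it never talked to. The fix in this thread was the port
    forward on the router; on a host you would rate-limit or drop the
    ICMP reply with iptables, as the later post suggests.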

  17. Re: Rogue Packets on Port 1027?

    On Jul 21, 7:30 am, Randy Yates wrote:
    > Here's another, related question.
    >
    > The router is itself a computer, no? I
    > think they use some type of embedded linux
    > system.
    >
    > Isn't it possible that the router has been
    > owned, and that various attacks/spoofs/whatever
    > are being executed by the router?


    Possible, but fairly unlikely in my experience. Most real exploits
    out there are targeted at MS and I've never heard of anyone having a
    hacked WRT54G, but that's not to say it's not possible (a quick google
    yielded this http://searchsecurity.techtarget.com...124857,00.html)

    If you're a Linux user though, I would definitely recommend installing
    a third-party firmware for this device. I run DD-WRT on my 54G and
    I'm fairly happy with it, but there are several other options as well;
    I've heard good things about both OpenWRT and tomato. One of these
    will allow you to see exactly what the firmware is doing by inspecting
    the firewall rules and connection status directly. They'll also have
    the fringe benefit of being immune to any exploits that are found in
    the stock Linksys firmware. :-)

    Back to solving the issue of these packets getting through your NAT,
    though. If you don't have any port forwarding rules or DMZ set up I
    would definitely agree that this is a problem. Can you put a hub on
    the outside of the router and watch packets as they come in to verify
    that they are in fact being NATed by your Linksys and not being
    generated internally somehow?


  18. Re: Rogue Packets on Port 1027?

    On Jul 20, 7:59 am, Randy Yates wrote:
    >
    > Also, is there a way to find out what processes are receiving/sending
    > a specific packet? For example, how do I determine what process/service
    > is generating the ICMP response above?


    In Linux "netstat -tanp" will show all active/established/listening
    TCP connections numerically and their associated processes (you will
    need to be root to see all processes). You can make this "netstat -uanp"
    for UDP or "netstat -tuanp" for both TCP and UDP (try "man netstat").

    This is assuming that the resulting ICMP responses are coming from a
    process however, and in this case it's more likely they're coming
    directly from the kernel because there probably is no service
    listening on this port (you can verify that by using the above
    commands and ensuring there is nothing in state LISTEN on the ports in
    question). You will need to install a firewall or other filter device
    if you want to block these ICMP response packets because they are
    default behavior when UDP packets reach a port where nothing is
    listening (TCP instead generates RSTs). You can look into iptables,
    but I would recommend trying to figure out why the Linksys is doing
    NAT it shouldn't.
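    As an added example (not from the thread), here is the check the post
    above describes, run over a constructed sample of "netstat -tuanp"
    output rather than a live host: parse the socket lines, ask which
    process owns a given protocol/port, and report what the kernel will do
    when nothing is bound. One caveat the post glosses over: UDP sockets
    have no LISTEN state at all, netstat simply leaves the State column
    empty for them, so the check keys on protocol and local port instead of
    grepping for LISTEN. The sample lines, PIDs and program names are made
    up for the example.

```python
# Constructed sample of `netstat -tuanp` output (not from the thread): a web
# server on TCP 80, sshd with one established session, an NTP daemon on
# UDP 123, a DHCP client socket on UDP 68 and nothing at all on UDP 1027.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 192.168.1.104:22        192.168.1.10:51822      ESTABLISHED 1421/sshd: user
udp        0      0 0.0.0.0:123             0.0.0.0:*                           654/ntpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""


def parse_netstat(text):
    """Parse the socket lines of `netstat -tuanp` into dicts.

    TCP lines carry a State column (LISTEN, ESTABLISHED, ...); UDP lines
    have no State column at all, so the field count differs per protocol.
    The PID/Program column may contain spaces ("1421/sshd: user"), which is
    why the split is bounded rather than a plain split()."""
    sockets = []
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue                        # banner and header lines
        proto = line.split()[0]
        if proto.startswith("tcp"):
            fields = line.split(None, 6)    # ..., local, foreign, state, program
            state = fields[5]
            program = fields[6] if len(fields) > 6 else "-"
        else:
            fields = line.split(None, 5)    # ..., local, foreign, program
            state = ""
            program = fields[5] if len(fields) > 5 else "-"
        addr, _, port = fields[3].rpartition(":")   # handles IPv6 ":::80" too
        sockets.append({
            "proto": proto[:3],             # tcp6/udp6 fold into tcp/udp
            "addr": addr,
            "port": int(port) if port != "*" else None,
            "state": state,
            "program": program,             # "-" when not root or kernel-owned
        })
    return sockets


def who_owns(sockets, proto, port):
    """Sockets that would receive a datagram/SYN for (proto, port).

    For TCP only a LISTEN socket counts (an ESTABLISHED one on the same
    port does not accept new connections); for UDP any bound socket does."""
    return [s for s in sockets
            if s["proto"] == proto and s["port"] == port
            and (proto == "udp" or s["state"] == "LISTEN")]


def explain(sockets, proto, port):
    """One-line verdict: who answers, or why the kernel answers instead."""
    owners = who_owns(sockets, proto, port)
    if owners:
        return "%s/%d is bound by %s" % (
            proto, port, ", ".join(o["program"] for o in owners))
    if proto == "udp":
        return ("udp/%d: no socket bound; the kernel answers with "
                "ICMP port unreachable" % port)
    return "tcp/%d: no listener; the kernel answers with RST" % port


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for proto, port in (("udp", 1027), ("tcp", 80), ("udp", 123), ("tcp", 1027)):
        print(explain(socks, proto, port))
```

    On a current distribution "ss -tuanp" prints the same information in a
    slightly different layout; the logic is identical, only the column
    parsing changes. A "-" in the program column means either that you are
    not root or that the socket is kernel-owned, so run the command with
    enough privilege before concluding nothing is there.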


  19. Re: Rogue Packets on Port 1027? PROBLEM SOLVED!

    On Jul 21, 12:02 pm, Randy Yates wrote:
    > OK, are you ready for this?????? ....
    >
    > I had mistakenly (a long time ago) configured my router
    > (via the applications and gaming tab) to forward ALL ports
    > in the range 80 to 8080 to one of my local computers instead
    > of just port 80.


    Hehe, oops, glad to hear you figured it out!


  20. Re: Rogue Packets on Port 1027?

    Hi,

    THANKS much for the education/information. Perhaps the post
    hadn't migrated to your usenet server yet, but I found the
    problem - a misconfigured port forwarding page.

    Thanks so much for your help and ideas. I may check into the
    openWRT firmware you wrote about, and it's nice to know the
    netstat command information.

    --Randy


    saucily writes:

    > On Jul 20, 7:59 am, Randy Yates wrote:
    >>
    >> Also, is there a way to find out what processes are receiving/sending
    >> a specific packet? For example, how do I determine what process/service
    >> is generating the ICMP response above?

    >
    > In Linux "netstat -tanp" will show all active/established/listening
    > TCP connections numerically and their associated processes (you will
    > need to be root to see all processes). You can make this "netstat -uanp"
    > for UDP or "netstat -tuanp" for both TCP and UDP (try "man netstat").
    >
    > This is assuming that the resulting ICMP responses are coming from a
    > process however, and in this case it's more likely they're coming
    > directly from the kernel because there probably is no service
    > listening on this port (you can verify that by using the above
    > commands and ensuring there is nothing in state LISTEN on the ports in
    > question). You will need to install a firewall or other filter device
    > if you want to block these ICMP response packets because they are
    > default behavior when UDP packets reach a port where nothing is
    > listening (TCP instead generates RSTs). You can look into iptables,
    > but I would recommend trying to figure out why the Linksys is doing
    > NAT it shouldn't.
    >


    --
    % Randy Yates % "Though you ride on the wheels of tomorrow,
    %% Fuquay-Varina, NC % you still wander the fields of your
    %%% 919-577-9882 % sorrow."
    %%%% % '21st Century Man', *Time*, ELO
    http://home.earthlink.net/~yatescr
