Velocity Reviews - Computer Hardware Reviews

port=1026&reason=ICMPsent

 
 
ed
      11-29-2005
Thanks,

That is what I am guessing; I have located some form of QoS running as
aspnet.exe.



"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 28 Nov 2005, in the Usenet newsgroup alt.computer.security, in
> article
> <36Gif.144735$(E-Mail Removed)>, ed wrote:
>
>>Here is what my firewall log is giving me (my address is xx.xxx.xx.151):
>>
>>Issue Name:UDP_Probe_Other
>>Source IP: xx.xxx.xx.151
>>Victim IP: xx.xxx.xx.85
>>Parameters: port=1026&reason=ICMPsent
>
> So what that may be trying to say is that you received a UDP packet from
> xx.xxx.xx.85 to your port 1026 (undoubtedly, windoze messenger spam), and
> your system rejected it with an ICMP "FOAD" packet. But the stuff below
> says otherwise.
>
>>Not sure now about the UDP, here is the .enc file decode for one of the
>>packets:
>
> Boy, they love to baffle 'em with bullshit, don't they. Well, lets cut
> through all the useless crap...
>
>>Time to live: 140
>
> Strange value - these normally start with a nice round figure, like 32, 64,
> 128, and occasionally 255, and get decremented by every router between
> source and destination. In most cases, nothing is more than 30 or 40 hops,
> yet if this started with 255, it's 115 hops away - highly unlikely.
>
>>Protocol: ICMP (0x01)
>
>>Source: xx.xxx.xx.85 (xx.xxx.xx.85)
>>Destination: xx.xxx.xx.151 (xx.xxx.xx.151)
>>Internet Control Message Protocol
>>Type: 3 (Destination unreachable)
>>Code: 3 (Port unreachable)
>
> OK - xx.xxx.xx.85 is sending an error message to xx.xxx.xx.151 that
> says "the number you have dialed is unreachable". The contents of the
> packet that caused this are:
>
>>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
>>xx.xxx.xx.85 (xx.xxx.xx.85)
>
>>Total Length: 773
>
>>Time to live: 116
>
> (That's more reasonable - 12 hops away)
>
>>Protocol: UDP (0x11)
>
>>Source: xx.xxx.xx.151 (xx.xxx.xx.151)
>>Destination: xx.xxx.xx.85 (xx.xxx.xx.85)
>>User Datagram Protocol, Src Port: 26698 (26698), Dst Port: 1026 (1026)
>
> xx.xxx.xx.151 appears to be trying to send messenger spam to xx.xxx.xx.85
>
> Now above, you said "my address is xx.xxx.xx.151" - and if that's the
> case, your box got 0wn3d and was sending spam. I'd be looking at WTF is
> going on with this box. Yes, that looks like you are the one with the
> problem, not the remote.
>
> Old guy

Mark
      11-29-2005
Moe Trin wrote:
>
>
>>>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
>>>xx.xxx.xx.85 (xx.xxx.xx.85)
>>
>>>Total Length: 773
>>
>>>Time to live: 116
>>
>> (That's more reasonable - 12 hops away)
>
>
> If you can ping or traceroute to xx.xxx.xx.85, it might be nice comparing
> the number of hops you get to this figure of 12 hops
>
>
>
>
>>Now above, you said "my address is xx.xxx.xx.151" - and if that's the
>>case, your box got 0wn3d and was sending spam.
>
>
> I should not have said this, as this could be the result of a spammer
> choosing your address at random to use as the source IP for his trash.
> That way, if someone complains, it's not the spammer who gets blamed.
>


Agreed, it looks like backscatter to me.
Nothing to worry about, and frankly, nothing you can do about it.

Unless you actually see your machine making connection attempts to UDP
102X in the output of a netstat, I wouldn't worry about it.

Moe's suggestion of tracerouting to the .85 address is a good one.
Might give some more clues if you're still interested.

--
Mark
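The decode Moe Trin walks through in the first post, and Mark's point that only what the machine is actually doing (netstat) and the traceroute hop comparison can separate backscatter from a compromised box, as an added example that is not from the original thread: a Python script that parses an ICMP port-unreachable, pulls the quoted UDP header out of it, estimates hop counts from the TTLs the way Moe does (smallest common initial TTL minus the observed value), and applies his traceroute comparison. The packet bytes are constructed here; RFC 5737 documentation addresses stand in for the masked xx.xxx.xx.151 and xx.xxx.xx.85, the ports, lengths and TTLs are the ones in the posted decode, and the `traceroute_hops` argument is a hypothetical measurement you would take yourself.

```python
"""Decode an ICMP type 3 / code 3 (port unreachable) and judge whether the UDP
datagram it quotes could plausibly have left our host.

Constructed example for the thread above, not the poster's capture: RFC 5737
documentation addresses stand in for the masked xx.xxx.xx.151 / .85.
"""
import ipaddress
import struct

MY_ADDR = "192.0.2.151"    # stands in for xx.xxx.xx.151 (the poster)
PEER = "198.51.100.85"     # stands in for xx.xxx.xx.85 (sender of the ICMP)

# Initial TTLs that common IP stacks start from, as listed in the post.
INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(ttl):
    """Hop-count guess: distance below the smallest common initial TTL >= ttl."""
    for start in INITIAL_TTLS:
        if ttl <= start:
            return start - ttl
    raise ValueError("TTL must be 0..255")

def ipv4_checksum(header):
    """RFC 791 one's-complement sum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, total_len, ttl):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(buf):
    """Return the header fields we need plus whatever follows the header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!HHHBBH4s4s", buf[2:20])
    return {"total_len": total_len, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": buf[ihl:]}

def decode_port_unreachable(packet):
    """Pull the quoted UDP datagram out of an ICMP destination-unreachable."""
    outer = parse_ipv4(packet)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = outer["payload"]
    if icmp[0] != 3:
        raise ValueError("not an ICMP destination-unreachable")
    # RFC 792: the 8-byte ICMP header is followed by the offending IP header
    # plus the first 8 bytes of its payload, i.e. the whole UDP header.
    inner = parse_ipv4(icmp[8:])
    if inner["proto"] != 17:
        raise ValueError("quoted datagram is not UDP")
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    return {"reporter": outer["src"], "reported_to": outer["dst"],
            "reporter_ttl": outer["ttl"], "icmp_code": icmp[1],
            "quoted_src": inner["src"], "quoted_dst": inner["dst"],
            "quoted_ttl": inner["ttl"], "quoted_total_len": inner["total_len"],
            "quoted_sport": sport, "quoted_dport": dport}

def judge(decoded, my_addr, traceroute_hops, tolerance=3):
    """Moe's check: does the hop count implied by the quoted packet's TTL match
    the hops we actually measure (hypothetical input) to the reporting host?"""
    if decoded["quoted_src"] != my_addr:
        return "not_ours"          # the error is about someone else's datagram
    implied = estimate_hops(decoded["quoted_ttl"])
    if abs(implied - traceroute_hops) <= tolerance:
        return "consistent"        # could be us: check netstat / process list
    return "backscatter"           # we are not that far away: spoofed source

def sample_packet():
    """Constructed equivalent of the .enc decode in the thread: .85 reports that
    a 773-byte UDP datagram from .151:26698 to .85:1026 hit a closed port."""
    udp_hdr = struct.pack("!HHHH", 26698, 1026, 773 - 20, 0)
    quoted = build_ipv4(MY_ADDR, PEER, 17, 773, 116) + udp_hdr
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted   # ICMP checksum left zero
    return build_ipv4(PEER, MY_ADDR, 1, 20 + len(icmp), 140) + icmp

if __name__ == "__main__":
    d = decode_port_unreachable(sample_packet())
    print("reporter TTL %d -> ~%d hops" % (d["reporter_ttl"], estimate_hops(d["reporter_ttl"])))
    print("quoted TTL %d -> ~%d hops" % (d["quoted_ttl"], estimate_hops(d["quoted_ttl"])))
    print(judge(d, MY_ADDR, traceroute_hops=25))
```

A hop count that agrees within a few hops only says the story is possible; netstat and the process list then settle whether the box is really talking to UDP 1026. A large mismatch (the quoted TTL of 116 implies roughly 12 hops; if your own traceroute to the .85 host shows 25, the datagram did not come from you) means the source address was spoofed, which is the backscatter Mark describes. The outer TTL of 140 decodes to Moe's 115 hops under the same rule, which is why he flags it as odd.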
 