Velocity Reviews - Computer Hardware Reviews

port=1026&reason=ICMPsent

 
 
ed
11-14-2005
My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
various IPs. Looking at TCPView, the only process open on all IPs (about 9
of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
the UDP, so this may be a wrong assumption.

Packet flag is 0x0, so this may be nothing more than a ping, not sure.

Virus and anti-spyware scans are negative. Any thoughts?


 
Donnie
11-15-2005

"ed" <(E-Mail Removed)> wrote in message
news:q23ef.96767$(E-Mail Removed)...
> My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
> various IPs. Looking at TCPView, the only process open on all IPs (about 9
> of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
> the UDP, so this may be a wrong assumption.
>
> Packet flag is 0x0, so this may be nothing more than a ping, not sure.
>
> Virus and anti-spyware scans are negative. Any thoughts?
>

###################################
Check the netstat -an output.
donnie


 
winged
11-15-2005
ed wrote:
> My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
> various IPs. Looking at TCPView, the only process open on all IPs (about 9
> of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
> the UDP, so this may be a wrong assumption.
>
> Packet flag is 0x0, so this may be nothing more than a ping, not sure.
>
> Virus and anti-spyware scans are negative. Any thoughts?
>
>

Local Security Authentication Server - lsass.exe

Are you logging in at these locations? Someone logging onto you?

Is there a pattern as to what type host those IPs belong to?

Winged
 
Moe Trin
11-15-2005
In the Usenet newsgroup alt.computer.security, in article
<q23ef.96767$(E-Mail Removed)>, ed wrote:

>My win 2002 SP2 server is periodically sending a ICMP on UDP port 1026 to
>various IPS.


That sentence makes no sense. ICMP is one IP protocol, UDP another.
Search for RFC0768 (UDP), RFC0791 (IP) and RFC0792 (ICMP) if interested.

>I have not actually witnessed the UDP, so this may be a wrong assumption.


UDP 1026 (and 1027) are primary targets of messenger spam - pop-up ads
targeting clueless windoze users. Late last month, I turned on logging
on the perimeter firewall at home (I normally ignore dropped packets)
for a week, and noted about 1000 messages a day, or about 450K of wasted
bandwidth per day. The few packets I investigated were all fake windoze
error messages, directing users to some spammers website for a "repair".
I'm in North America, so most of the packets were originating in China,
although the spamvertised web sites were all hosted at well known spammer
support domains in the US states of Washington, Texas, or Florida.

Old guy
 
ed
11-15-2005
Actually, ICMP is a layered protocol; the UDP protocol in question is a
transmission protocol.

I am aware of the misuse of port 1026 and 1027, but since the routers do not
allow pinging from outside of the network, I am curious why a 0x0 reply is
sent (typical response to a ping).

There is no pattern to the machines it is responding/sending to.
Additionally, these machine IP's do not show up in my firewall as probing.



The 0x0 is normally a reply to a ping, but pinging is disallowed from
outside the local network.
"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In the Usenet newsgroup alt.computer.security, in article
> <q23ef.96767$(E-Mail Removed)>, ed wrote:
>
>>My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
>>various IPs.
>
> That sentence makes no sense. ICMP is one IP protocol, UDP another.
> Search for RFC0768 (UDP), RFC0791 (IP) and RFC0792 (ICMP) if interested.
>
>>I have not actually witnessed the UDP, so this may be a wrong assumption.
>
> UDP 1026 (and 1027) are primary targets of messenger spam - pop-up ads
> targeting clueless windoze users. Late last month, I turned on logging
> on the perimeter firewall at home (I normally ignore dropped packets)
> for a week, and noted about 1000 messages a day, or about 450K of wasted
> bandwidth per day. The few packets I investigated were all fake windoze
> error messages, directing users to some spammers website for a "repair".
> I'm in North America, so most of the packets were originating in China,
> although the spamvertised web sites were all hosted at well known spammer
> support domains in the US states of Washington Texas, or Florida.
>
> Old guy



 
ed
11-15-2005
Shows the same ports as previous.
"Donnie" <(E-Mail Removed)> wrote in message
news:zpaef.55892$(E-Mail Removed)...
>
> "ed" <(E-Mail Removed)> wrote in message
> news:q23ef.96767$(E-Mail Removed)...
>> My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
>> various IPs. Looking at TCPView, the only process open on all IPs (about 9
>> of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
>> the UDP, so this may be a wrong assumption.
>>
>> Packet flag is 0x0, so this may be nothing more than a ping, not sure.
>>
>> Virus and anti-spyware scans are negative. Any thoughts?
>>

> ###################################
> Check the netstat -an output.
> donnie
>
>



 
Mark
11-20-2005
Reply in line.

ed wrote:
> Actually, ICMP is a layered protocol; the UDP protocol in question is a
> transmission protocol.


I have to agree with Moe, I think we are having a failure to
communicate. ICMPs are in the network layer of the OSI model. UDP and
TCP would be in the transport layer. But, in the payload of an ICMP
they can give information about the upper layer protocols they are
replying to.

>
> I am aware of the misuse of port 1026 and 1027, but since the routers do not
> allow pinging from outside of the network, I am curious why a 0x0 reply is
> sent (typical response to a ping).


Are you saying that your machine in question is sending an echo reply
with a payload indicating it was in response to a UDP packet? If so, do
you have a packet capture of the payload? It would make sense to send a
host unreachable/network unreachable etc, but not an echo reply. If
that is the case, it almost sounds like some malware is trying to
communicate using a covert channel.

>
> There is no pattern to the machines it is responding/sending to.
> Additionally, these machine IP's do not show up in my firewall as probing.


Since they don't show up as probing, I'm guessing that machine is not
responding, just sending. Again, some malware trying to phone home?

>
> The 0x0 is normally a reply to a ping, but pinging is disallowed from
> outside the local network.


Agreed, that is normally an echo reply, but why do you say it has
something to do with a UDP packet?

Mark

> "Moe Trin" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>In the Usenet newsgroup alt.computer.security, in article
>><q23ef.96767$(E-Mail Removed)>, ed wrote:
>>
>>
>>>My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
>>>various IPs.
>>
>>That sentence makes no sense. ICMP is one IP protocol, UDP another.
>>Search for RFC0768 (UDP), RFC0791 (IP) and RFC0792 (ICMP) if interested.
>>
>>
>>>I have not actually witnessed the UDP, so this may be a wrong assumption.
>>
>>UDP 1026 (and 1027) are primary targets of messenger spam - pop-up ads
>>targeting clueless windoze users. Late last month, I turned on logging
>>on the perimeter firewall at home (I normally ignore dropped packets)
>>for a week, and noted about 1000 messages a day, or about 450K of wasted
>>bandwidth per day. The few packets I investigated were all fake windoze
>>error messages, directing users to some spammers website for a "repair".
>>I'm in North America, so most of the packets were originating in China,
>>although the spamvertised web sites were all hosted at well known spammer
>>support domains in the US states of Washington Texas, or Florida.
>>
>> Old guy

ed
11-28-2005
Here is what my firewall log is giving me (my address is xx.xxx.xx.151):

Issue Name: UDP_Probe_Other
Source IP: xx.xxx.xx.151
Victim IP: xx.xxx.xx.85
Parameters: port=1026&reason=ICMPsent

Not sure now about the UDP, here is the .enc file decode for one of the
packets:

Frame 6458 (70 bytes on wire, 70 bytes captured)
    Arrival Time: Nov 28, 2005 08:47:36.022680000
    Time delta from previous packet: 0.190274000 seconds
    Time relative to first packet: 475.063108000 seconds
    Frame Number: 6458
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II, Src: 00:02:b0:bc:69:47, Dst: 00:11:11:26:08:40
    Destination: 00:11:11:26:08:40 (00:11:11:26:08:40)
    Source: 00:02:b0:bc:69:47 (Hokubu_bc:69:47)
    Type: IP (0x0800)
Internet Protocol, Src Addr: xx.xxx.xx.85 (xx.xxx.xx.85), Dst Addr: xx.xxx.xx.151 (xx.xxx.xx.151)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        ..... ..0. = ECN-Capable Transport (ECT): 0
        ..... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0xa638
    Flags: 0x00
        ..0.. = Don't fragment: Not set
        ...0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 140
    Protocol: ICMP (0x01)
    Header checksum: 0x9522 (correct)
    Source: xx.xxx.xx.85 (xx.xxx.xx.85)
    Destination: xx.xxx.xx.151 (xx.xxx.xx.151)
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0x8dbf (correct)
    Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr: xx.xxx.xx.85 (xx.xxx.xx.85)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            ..... ..0. = ECN-Capable Transport (ECT): 0
            ..... ...0 = ECN-CE: 0
        Total Length: 773
        Identification: 0xa638
        Flags: 0x00
            ..0.. = Don't fragment: Not set
            ...0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 116
        Protocol: UDP (0x11)
        Header checksum: 0xaa45 (correct)
        Source: xx.xxx.xx.151 (xx.xxx.xx.151)
        Destination: xx.xxx.xx.85 (xx.xxx.xx.85)
    User Datagram Protocol, Src Port: 26698 (26698), Dst Port: 1026 (1026)
        Source port: 26698 (26698)
        Destination port: 1026 (1026)
        Length: 753
        Checksum: 0x0000 (none)



> ed wrote:
> > Actually, ICMP is a layered protocol; the UDP protocol in question is a
> > transmission protocol.
>
> I have to agree with Moe, I think we are having a failure to communicate.
> ICMPs are in the network layer of the OSI model. UDP and TCP would be in
> the transport layer. But, in the payload of an ICMP they can give
> information about the upper layer protocols they are replying to.
>
> > I am aware of the misuse of port 1026 and 1027, but since the routers do
> > not allow pinging from outside of the network, I am curious why a 0x0
> > reply is sent (typical response to a ping).
>
> Are you saying that your machine in question is sending an echo reply with
> a payload indicating it was in response to a UDP packet? If so, do you
> have a packet capture of the payload? It would make sense to send a host
> unreachable/network unreachable etc, but not an echo reply. If that is
> the case, it almost sounds like some malware is trying to communicate
> using a covert channel.
>
> > There is no pattern to the machines it is responding/sending to.
> > Additionally, these machine IP's do not show up in my firewall as
> > probing.
>
> Since they don't show up as probing, I'm guessing that machine is not
> responding, just sending. Again, some malware trying to phone home?
>
> > The 0x0 is normally a reply to a ping, but pinging is disallowed from
> > outside the local network.
>
> Agreed, that is normally an echo reply, but why do you say it has
> something to do with a UDP packet?

 
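The decode above is exactly the structure Mark described earlier in the thread: an ICMP message whose payload quotes the upper-layer datagram it is replying to. The following Python is an added example, not code from the thread or from any poster, that rebuilds frame 6458 from the fields in the decode and parses it back the way a firewall would before emitting a line like port=1026&reason=ICMPsent. The addresses in the post were masked, so the documentation ranges 192.0.2.151 (the poster's host) and 203.0.113.85 (the remote) are assumed in their place; the Ethernet header is left out and every other value follows the decode.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit
    words. Run over a header that already contains its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, ttl: int, total_len: int, ident: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def build_sample_capture() -> bytes:
    """Constructed reproduction of frame 6458 from the thread, IP layer and up.
    Assumed addresses: 192.0.2.151 is the poster's host, 203.0.113.85 the remote.
    TTLs, IP IDs, lengths and ports are the values in the decode."""
    us, them = "192.0.2.151", "203.0.113.85"
    udp = struct.pack("!HHHH", 26698, 1026, 753, 0)            # quoted UDP header, checksum 0 (none)
    quoted_ip = ipv4_header(us, them, 17, 116, 773, 0xA638)    # quoted IP header, TTL 116, UDP
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted_ip + udp  # type 3 code 3, 4 unused bytes
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    return ipv4_header(them, us, 1, 140, 20 + len(icmp), 0xA638) + icmp


def parse_icmp_unreachable(packet: bytes) -> dict:
    """Decode an IPv4/ICMP packet. For a Destination Unreachable (type 3) the
    ICMP body carries the IP header plus the first 8 bytes of the datagram that
    provoked it (RFC 792); for UDP or TCP those 8 bytes start with the port pair."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP (protocol %d)" % packet[9])
    icmp = packet[ihl:]
    info = {
        "outer_src": socket.inet_ntoa(packet[12:16]),   # the host that sent the rejection
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "outer_ttl": packet[8],
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "icmp_checksum_ok": ones_complement_sum(icmp) == 0,
    }
    if icmp[0] != 3:
        return info                                      # echo reply etc.: nothing quoted
    quoted = icmp[8:]
    if len(quoted) < 20:
        info["truncated"] = True
        return info
    q_ihl = (quoted[0] & 0x0F) * 4
    info.update({
        "quoted_src": socket.inet_ntoa(quoted[12:16]),   # claimed sender of the original datagram
        "quoted_dst": socket.inet_ntoa(quoted[16:20]),
        "quoted_ttl": quoted[8],
        "quoted_proto": quoted[9],
        "quoted_total_len": struct.unpack("!H", quoted[2:4])[0],
        "quoted_header_checksum_ok": ones_complement_sum(quoted[:q_ihl]) == 0,
    })
    l4 = quoted[q_ihl:q_ihl + 8]
    if quoted[9] in (6, 17) and len(l4) >= 4:
        info["quoted_sport"], info["quoted_dport"] = struct.unpack("!HH", l4[:4])
    return info


def describe(info: dict) -> str:
    """One-line reading of who rejected what, ending in the same key=value pair
    the poster's firewall logged."""
    if info["icmp_type"] != 3 or "quoted_dport" not in info:
        return "ICMP type %d code %d from %s" % (info["icmp_type"], info["icmp_code"], info["outer_src"])
    proto = {6: "TCP", 17: "UDP"}[info["quoted_proto"]]
    return "%s rejected %s %s:%d -> %s:%d (unreachable code %d); port=%d&reason=ICMPsent" % (
        info["outer_src"], proto, info["quoted_src"], info["quoted_sport"],
        info["quoted_dst"], info["quoted_dport"], info["icmp_code"], info["quoted_dport"])


if __name__ == "__main__":
    print(describe(parse_icmp_unreachable(build_sample_capture())))
```

Two things the parser makes explicit that the firewall's one-line summary did not: the outer source (.85) is the host that sent the rejection, while the quoted source (.151) is only a claim made by whoever put the original UDP datagram on the wire. Both checksums coming back as correct matches the decode; it does not vouch for the quoted source address.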
 
Moe Trin
11-28-2005
On Mon, 28 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<36Gif.144735$(E-Mail Removed)>, ed wrote:

>Here is what my firewall log is giving me (my address is xx.xxx.xx.151):
>
>Issue Name:UDP_Probe_Other
>Source IPx.xxx.xx.151
>Victim IPx.xxx.xx.85
>Parameters: port=1026&reason=ICMPsent


So what that may be trying to say is that you received a UDP packet from
xx.xxx.xx.85 to your port 1026 (undoubtedly, windoze messenger spam), and
your system rejected it with an ICMP "FOAD" packet. But the stuff below
says otherwise.

>Not sure now about the UDP, here is the .enc file decode for one of the
>packets:


Boy, they love to baffle 'em with bullshit, don't they. Well, lets cut
through all the useless crap...

>Time to live: 140


Strange value - these normally start with a nice round figure, like 32, 64,
128, and occasionally 255, and gets decremented by every router between
source and destination. In most cases, nothing is more than 30 or 40 hops,
yet if this started with 255, it's 115 hops away - highly unlikely.

>Protocol: ICMP (0x01)


>Source: xx.xxx.xx.85 (xx.xxx.xx.85)
>Destination: xx.xxx.xx.151 (xx.xxx.xx.151)
>Internet Control Message Protocol
>Type: 3 (Destination unreachable)
>Code: 3 (Port unreachable)


OK - xx.xxx.xx.85 is sending an error message to xx.xxx.xx.151 that
says "the number you have dialed is unreachable". The contents of the
packet that caused this is:

>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
>xx.xxx.xx.85 (xx.xxx.xx.85)


>Total Length: 773


>Time to live: 116


(That's more reasonable - 12 hops away)

>Protocol: UDP (0x11)


>Source: xx.xxx.xx.151 (xx.xxx.xx.151)
>Destination: xx.xxx.xx.85 (xx.xxx.xx.85)
>User Datagram Protocol, Src Port: 26698 (26698), Dst Port: 1026 (1026)


xx.xxx.xx.151 appears to be trying to send messenger spam to xx.xxx.xx.85

Now above, you said "my address is xx.xxx.xx.151" - and if that's the
case, your box got 0wn3d and was sending spam. I'd be looking at WTF is
going on with this box. Yes, that looks like you are the one with the
problem, not the remote.

Old guy
 
Moe Trin
11-29-2005
On Mon, 28 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<(E-Mail Removed)>, Moe Trin wrote:

>OK - xx.xxx.xx.85 is sending an error message to xx.xxx.xx.151 that
>says "the number you have dialed is unreachable" The contents of the
>packet that caused this is:


I should have mentioned, an ICMP Type 3 is supposed to carry the IP
header and first eight bytes of the packet that caused the error. Here,
it is:

>>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
>>xx.xxx.xx.85 (xx.xxx.xx.85)

>
>>Total Length: 773

>
>>Time to live: 116

>
> (That's more reasonable - 12 hops away)


If you can ping or traceroute to xx.xxx.xx.85, it might be nice comparing
the number of hops you get to this figure of 12 hops.

>>Protocol: UDP (0x11)


Now it dawns on me a bit later, you may be the "victim" of back-scatter.
UDP is connectionless. The spammer sends the packet to the target, and if
his port 102x is open (running windoze with messenger enabled) he gets
the spam in a pop-up window. IF THE PORT IS NOT OPEN, it will send the
ICMP error we saw above. Thing is - there is no handshaking to establish
the connection, so the spammer can AND OFTEN DOES fake the "source"
address. I ran a test earlier this month, logging all UDP that was not
DNS received by my firewall and was seeing an average of 1000 a day. I
normally block such traffic, but doing stats on where the packets claimed
to be sourced, I noticed about 3 percent were demonstrably false, with
addresses that IANA hasn't even released to the Regional Internet Registries
never mind let out to ISPs.

>Now above, you said "my address is xx.xxx.xx.151" - and if that's the
>case, your box got 0wn3d and was sending spam.


I should not have said this, as this could be the result of a spammer
choosing your address at random to use as the source IP for his trash.
That way, if someone complains, it's not the spammer who gets blamed.

Sorry.

Old guy
 
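Moe Trin's two observations, the odd outer TTL of 140 against the quoted TTL of 116 (11-28) and the possibility that the quoted source address was forged by a spammer (11-29), can be turned into a check a host runs on every ICMP unreachable it receives. The Python below is an added example, not from the thread, that applies the initial-TTL heuristic and then asks whether the quoted datagram appears in the host's own record of what it sent (the netstat/TCPView/egress-log view Donnie asked for). Assumed, and not from the post: the documentation addresses 192.0.2.151 and 203.0.113.85, the constructed sent-log containing a single DNS query, and the thresholds of 40 plausible hops and 10 hops of path asymmetry.

```python
from dataclasses import dataclass

# Initial TTLs that common IP stacks start from ("nice round figures").
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(observed_ttl: int) -> tuple:
    """Guess the sender's initial TTL as the smallest common default that is
    >= the observed value and return (initial_ttl, hops_travelled).
    Heuristic only: a stack with an unusual default will be misjudged."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must be 0..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 always matches")


@dataclass(frozen=True)
class Datagram:
    """A UDP datagram as a 4-tuple; used both for what we really sent and for
    what an ICMP unreachable claims we sent."""
    src: str
    sport: int
    dst: str
    dport: int


def classify_unreachable(our_addr: str, outer_src: str, outer_ttl: int,
                         quoted: Datagram, quoted_ttl: int,
                         sent_log: set, max_plausible_hops: int = 40) -> tuple:
    """Decide whether an ICMP unreachable that quotes 'our' datagram concerns
    traffic we actually emitted, or is backscatter from a spoofed source.
    sent_log: the set of Datagrams our host is known to have sent (assumed to
    come from the host's own connection or egress logging).
    Returns (verdict, notes)."""
    notes = []
    if quoted.src != our_addr:
        return "unrelated", ["quoted source %s is not us" % quoted.src]
    if outer_src != quoted.dst:
        notes.append("reply comes from %s, but the quoted datagram was addressed to %s"
                     % (outer_src, quoted.dst))
    initial, hops = estimate_hops(outer_ttl)
    if hops > max_plausible_hops:
        notes.append("outer TTL %d implies %d hops from an initial %d: implausible path"
                     % (outer_ttl, hops, initial))
    _, quoted_hops = estimate_hops(quoted_ttl)   # TTL our datagram had on arrival there
    if abs(quoted_hops - hops) > 10:
        notes.append("our datagram took %d hops there but the reply %d hops back"
                     % (quoted_hops, hops))
    if quoted.dport in (1026, 1027):
        notes.append("destination port %d is a Messenger-service spam target" % quoted.dport)
    verdict = "our_traffic" if quoted in sent_log else "backscatter"
    if verdict == "backscatter":
        notes.append("no record of sending this datagram; the spammer probably forged our address")
    return verdict, notes


# Constructed sample: one DNS query the host really sent, plus the datagram
# quoted in frame 6458 and a quoted copy of the DNS query. Addresses are the
# documentation ranges standing in for the masked ones in the thread.
US = "192.0.2.151"
SENT = {Datagram(US, 53000, "203.0.113.85", 53)}
THREAD_PACKET = Datagram(US, 26698, "203.0.113.85", 1026)   # as quoted in frame 6458
REAL_REPLY = Datagram(US, 53000, "203.0.113.85", 53)


def sample_results() -> dict:
    """Classify both sample unreachables; outer/quoted TTLs for frame 6458 are
    the decode's 140 and 116, the DNS case assumes a symmetric 12-hop path."""
    return {
        "frame_6458": classify_unreachable(US, "203.0.113.85", 140, THREAD_PACKET, 116, SENT),
        "dns_query": classify_unreachable(US, "203.0.113.85", 116, REAL_REPLY, 116, SENT),
    }


if __name__ == "__main__":
    for name, (verdict, notes) in sample_results().items():
        print(name, verdict)
        for n in notes:
            print("   -", n)
```

The hop estimate is only a guess at the sender's default TTL, so treat the implausible-path note as a prompt to traceroute (as suggested above), not as proof. The decisive signal is the sent-log miss: if the host never emitted the quoted datagram, the unreachable is backscatter, and the remote is the one being spammed with your address on the packets.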
 
 
 