port=1026&reason=ICMPsent

Discussion in 'Computer Security' started by ed, Nov 14, 2005.

  1. ed

    ed Guest

    My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
    various IPs. Looking at TCPView, the only process open on all IPs (about 9
    of them) is LSASS.EXE, specifically isakmp. I have not actually witnessed
    the UDP, so this may be a wrong assumption.

    Packet flag is 0x0, so this may be nothing more than a ping, not sure.

    Virus and anti-spyware scans are negative. Any thoughts?
    ed, Nov 14, 2005
    #1

  2. Donnie

    Donnie Guest

    "ed" <> wrote in message
    news:q23ef.96767$...
    > My win 2002 SP2 server is periodically sending a ICMP on UDP port 1026 to
    > various IPS. Looking at TCP
    > view, the only process open on all IPS (about 9 of them) is LSASS.EXE,
    > specifically isakmp. I have not actually witnessed the UDP, so this may be
    > a wrong assumption.
    >
    > Packet flag is 0x0, so this may be nothing more than a ping, not sure.
    >
    > Virus and anti-spyware scans are negative. Any thoughts?
    >

    ###################################
    Check the netstat -an output.
    donnie
    Donnie, Nov 15, 2005
    #2

  3. winged

    winged Guest

    ed wrote:
    > My win 2002 SP2 server is periodically sending a ICMP on UDP port 1026 to
    > various IPS. Looking at TCP
    > view, the only process open on all IPS (about 9 of them) is LSASS.EXE,
    > specifically isakmp. I have not actually witnessed the UDP, so this may be
    > a wrong assumption.
    >
    > Packet flag is 0x0, so this may be nothing more than a ping, not sure.
    >
    > Virus and anti-spyware scans are negative. Any thoughts?
    >
    >

    Local Security Authentication Server - lsass.exe

    Are you logging in at these locations? Someone logging onto you?

    Is there a pattern as to what type host those IPs belong to?

    Winged
    winged, Nov 15, 2005
    #3
  4. Moe Trin

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <q23ef.96767$>, ed wrote:

    >My win 2002 SP2 server is periodically sending a ICMP on UDP port 1026 to
    >various IPS.


    That sentence makes no sense. ICMP is one IP protocol, UDP another.
    Search for RFC0768 (UDP), RFC0791 (IP) and RFC0792 (ICMP) if interested.

    >I have not actually witnessed the UDP, so this may be a wrong assumption.


    UDP 1026 (and 1027) are primary targets of messenger spam - pop-up ads
    targeting clueless windoze users. Late last month, I turned on logging
    on the perimeter firewall at home (I normally ignore dropped packets)
    for a week, and noted about 1000 messages a day, or about 450K of wasted
    bandwidth per day. The few packets I investigated were all fake windoze
    error messages, directing users to some spammers website for a "repair".
    I'm in North America, so most of the packets were originating in China,
    although the spamvertised web sites were all hosted at well known spammer
    support domains in the US states of Washington, Texas, or Florida.

    Old guy
    Moe Trin, Nov 15, 2005
    #4
  5. ed

    ed Guest

    Actually, ICMP is a layered protocol; the UDP protocol in question is a
    transmission protocol.

    I am aware of the misuse of port 1026 and 1027, but since the routers do not
    allow pinging from outside of the network, I am curious why a 0x0 reply is
    sent (typical response to a ping).

    There is no pattern to the machines it is responding/sending to.
    Additionally, these machine IPs do not show up in my firewall as probing.



    The 0x0 is normally a reply to a ping, but pinging is disallowed from
    outside the local network.
    "Moe Trin" <> wrote in message
    news:...
    > In the Usenet newsgroup alt.computer.security, in article
    > <q23ef.96767$>, ed wrote:
    >
    >>My win 2002 SP2 server is periodically sending a ICMP on UDP port 1026 to
    >>various IPS.

    >
    > That sentence makes no sense. ICMP is one IP protocol, UDP another.
    > Search for RFC0768 (UDP), RFC0791 (IP) and RFC0792 (ICMP) if interested.
    >
    >>I have not actually witnessed the UDP, so this may be a wrong assumption.

    >
    > UDP 1026 (and 1027) are primary targets of messenger spam - pop-up ads
    > targeting clueless windoze users. Late last month, I turned on logging
    > on the perimeter firewall at home (I normally ignore dropped packets)
    > for a week, and noted about 1000 messages a day, or about 450K of wasted
    > bandwidth per day. The few packets I investigated were all fake windoze
    > error messages, directing users to some spammers website for a "repair".
    > I'm in North America, so most of the packets were originating in China,
    > although the spamvertised web sites were all hosted at well known spammer
    > support domains in the US states of Washington Texas, or Florida.
    >
    > Old guy
    ed, Nov 15, 2005
    #5
  6. ed

    ed Guest

    Shows the same ports as previous.
    "Donnie" <> wrote in message
    news:zpaef.55892$...
    >
    > "ed" <> wrote in message
    > news:q23ef.96767$...
    >> My win 2002 SP2 server is periodically sending a ICMP on UDP port 1026 to
    >> various IPS. Looking at TCP
    >> view, the only process open on all IPS (about 9 of them) is LSASS.EXE,
    >> specifically isakmp. I have not actually witnessed the UDP, so this may be
    >> a wrong assumption.
    >>
    >> Packet flag is 0x0, so this may be nothing more than a ping, not sure.
    >>
    >> Virus and anti-spyware scans are negative. Any thoughts?
    >>

    > ###################################
    > Check the netstat -an output.
    > donnie
    >
    >
    ed, Nov 15, 2005
    #6
  7. Mark

    Mark Guest

    Reply in line.

    ed wrote:
    > Actually ICMP is a layered protocol the UDP protocol in question is a
    > transmission protocol.


    I have to agree with Moe, I think we are having a failure to
    communicate. ICMPs are in the network layer of the OSI model. UDP and
    TCP would be in the transport layer. But, in the payload of an ICMP
    they can give information about the upper layer protocols they are
    replying to.

    >
    > I am aware of the misuse of port 1026 and 1027, but since the routers do not
    > allow pinging from outside of the network, I am curious why a 0x0 reply is
    > sent (typical response to a ping).


    Are you saying that your machine in question is sending an echo reply
    with a payload indicating it was in response to a UDP packet? If so, do
    you have a packet capture of the payload? It would make sense to send a
    host unreachable/network unreachable etc, but not an echo reply. If
    that is the case, it almost sounds like some malware is trying to
    communicate using a covert channel.

    >
    > There is no pattern to the machines it is responding/sending to.
    > Additionally, these machine IP's do not show up in my firewall as probing.


    Since they don't show up as probing, I'm guessing that machine is not
    responding, just sending. Again, some malware trying to phone home?

    >
    > The 0x0 is normally a reply to a ping, but pinging is disallowed from
    > outside the local network.


    Agreed, that is normally an echo reply, but why do you say it has
    something to do with a UDP packet?

    Mark

    > "Moe Trin" <> wrote in message
    > news:...
    >
    >>In the Usenet newsgroup alt.computer.security, in article
    >><q23ef.96767$>, ed wrote:
    >>
    >>
    >>>My win 2002 SP2 server is periodically sending a ICMP on UDP port 1026 to
    >>>various IPS.

    >>
    >>That sentence makes no sense. ICMP is one IP protocol, UDP another.
    >>Search for RFC0768 (UDP), RFC0791 (IP) and RFC0792 (ICMP) if interested.
    >>
    >>
    >>>I have not actually witnessed the UDP, so this may be a wrong assumption.

    >>
    >>UDP 1026 (and 1027) are primary targets of messenger spam - pop-up ads
    >>targeting clueless windoze users. Late last month, I turned on logging
    >>on the perimeter firewall at home (I normally ignore dropped packets)
    >>for a week, and noted about 1000 messages a day, or about 450K of wasted
    >>bandwidth per day. The few packets I investigated were all fake windoze
    >>error messages, directing users to some spammers website for a "repair".
    >>I'm in North America, so most of the packets were originating in China,
    >>although the spamvertised web sites were all hosted at well known spammer
    >>support domains in the US states of Washington Texas, or Florida.
    >>
    >> Old guy

    >
    >
    >
    Mark, Nov 20, 2005
    #7
  8. ed

    ed Guest

    Here is what my firewall log is giving me (my address is xx.xxx.xx.151):

    Issue Name:UDP_Probe_Other
    Source IP:xx.xxx.xx.151
    Victim IP:xx.xxx.xx.85
    Parameters: port=1026&reason=ICMPsent

    Not sure now about the UDP, here is the .enc file decode for one of the
    packets:

    Frame 6458 (70 bytes on wire, 70 bytes captured)
        Arrival Time: Nov 28, 2005 08:47:36.022680000
        Time delta from previous packet: 0.190274000 seconds
        Time relative to first packet: 475.063108000 seconds
        Frame Number: 6458
        Packet Length: 70 bytes
        Capture Length: 70 bytes
    Ethernet II, Src: 00:02:b0:bc:69:47, Dst: 00:11:11:26:08:40
        Destination: 00:11:11:26:08:40 (00:11:11:26:08:40)
        Source: 00:02:b0:bc:69:47 (Hokubu_bc:69:47)
        Type: IP (0x0800)
    Internet Protocol, Src Addr: xx.xxx.xx.85 (xx.xxx.xx.85), Dst Addr: xx.xxx.xx.151 (xx.xxx.xx.151)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 56
        Identification: 0xa638
        Flags: 0x00
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 140
        Protocol: ICMP (0x01)
        Header checksum: 0x9522 (correct)
        Source: xx.xxx.xx.85 (xx.xxx.xx.85)
        Destination: xx.xxx.xx.151 (xx.xxx.xx.151)
    Internet Control Message Protocol
        Type: 3 (Destination unreachable)
        Code: 3 (Port unreachable)
        Checksum: 0x8dbf (correct)
        Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr: xx.xxx.xx.85 (xx.xxx.xx.85)
            Version: 4
            Header length: 20 bytes
            Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                0000 00.. = Differentiated Services Codepoint: Default (0x00)
                .... ..0. = ECN-Capable Transport (ECT): 0
                .... ...0 = ECN-CE: 0
            Total Length: 773
            Identification: 0xa638
            Flags: 0x00
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
            Fragment offset: 0
            Time to live: 116
            Protocol: UDP (0x11)
            Header checksum: 0xaa45 (correct)
            Source: xx.xxx.xx.151 (xx.xxx.xx.151)
            Destination: xx.xxx.xx.85 (xx.xxx.xx.85)
        User Datagram Protocol, Src Port: 26698 (26698), Dst Port: 1026 (1026)
            Source port: 26698 (26698)
            Destination port: 1026 (1026)
            Length: 753
            Checksum: 0x0000 (none)



    > ed wrote:
    > > Actually ICMP is a layered protocol the UDP protocol in question is a
    > > transmission protocol.



    > I have to agree with Moe, I think we are having a failure to communicate.
    > ICMPs are in the network layer of the OSI model. UDP and TCP would be in
    > the transport layer. But, in the payload of an ICMP they can give
    > information about the upper layer protocols they are replying to.



    > > I am aware of the misuse of port 1026 and 1027, but since the routers do
    > > not allow pinging from outside of the network, I am curious why a 0x0
    > > reply is sent (typical response to a ping).




    > Are you saying that your machine in question is sending an echo reply with
    > a payload indicating it was in response to a UDP packet? If so, do you
    > have a packet capture of the payload? It would make sense to send a host
    > unreachable/network unreachable etc, but not an echo reply. If that is
    > the case, it almost sounds like some malware is trying to communicate
    > using a covert channel.



    > > There is no pattern to the machines it is responding/sending to.

    > > Additionally, these machine IP's do not show up in my firewall as probing.



    > Since they don't show up as probing, I'm guessing that machine is not
    > responding, just sending. Again, some malware trying to phone home?



    >> The 0x0 is normally a reply to a ping, but pinging is disallowed from
    >> outside the local network.




    > Agreed, that is normally an echo reply, but why do you say it has
    > something to do with a UDP packet?
    ed, Nov 28, 2005
    #8
  9. Moe Trin

    Moe Trin Guest

    On Mon, 28 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <36Gif.144735$>, ed wrote:

    >Here is what my firewall log is giving me (my address is xx.xxx.xx.151):
    >
    >Issue Name:UDP_Probe_Other
    >Source IP:xx.xxx.xx.151
    >Victim IP:xx.xxx.xx.85
    >Parameters: port=1026&reason=ICMPsent


    So what that may be trying to say is that you received a UDP packet from
    xx.xxx.xx.85 to your port 1026 (undoubtedly, windoze messenger spam), and
    your system rejected it with an ICMP "FOAD" packet. But the stuff below
    says otherwise.

    >Not sure now about the UDP, here is the .enc file decode for one of the
    >packets:


    Boy, they love to baffle 'em with bullshit, don't they. Well, let's cut
    through all the useless crap...

    >Time to live: 140


    Strange value - these normally start with a nice round figure, like 32, 64,
    128, and occasionally 255, and get decremented by every router between
    source and destination. In most cases, nothing is more than 30 or 40 hops,
    yet if this started with 255, it's 115 hops away - highly unlikely.

    >Protocol: ICMP (0x01)


    >Source: xx.xxx.xx.85 (xx.xxx.xx.85)
    >Destination: xx.xxx.xx.151 (xx.xxx.xx.151)
    >Internet Control Message Protocol
    >Type: 3 (Destination unreachable)
    >Code: 3 (Port unreachable)


    OK - xx.xxx.xx.85 is sending an error message to xx.xxx.xx.151 that
    says "the number you have dialed is unreachable" The contents of the
    packet that caused this is:

    >Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
    >xx.xxx.xx.85 (xx.xxx.xx.85)


    >Total Length: 773


    >Time to live: 116


    (That's more reasonable - 12 hops away)

    >Protocol: UDP (0x11)


    >Source: xx.xxx.xx.151 (xx.xxx.xx.151)
    >Destination: xx.xxx.xx.85 (xx.xxx.xx.85)
    >User Datagram Protocol, Src Port: 26698 (26698), Dst Port: 1026 (1026)


    xx.xxx.xx.151 appears to be trying to send messenger spam to xx.xxx.xx.85

    Now above, you said "my address is xx.xxx.xx.151" - and if that's the
    case, your box got 0wn3d and was sending spam. I'd be looking at WTF is
    going on with this box. Yes, that looks like you are the one with the
    problem, not the remote.

    Old guy
    Moe Trin, Nov 28, 2005
    #9
  10. Moe Trin

    Moe Trin Guest

    Re: port=1026&reason=ICMPsent <CORRECTION>

    On Mon, 28 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <>, Moe Trin wrote:

    >OK - xx.xxx.xx.85 is sending an error message to xx.xxx.xx.151 that
    >says "the number you have dialed is unreachable" The contents of the
    >packet that caused this is:


    I should have mentioned, an ICMP Type 3 is supposed to carry the IP
    header and first eight bytes of the packet that caused the error. Here,
    it is:

    >>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
    >>xx.xxx.xx.85 (xx.xxx.xx.85)

    >
    >>Total Length: 773

    >
    >>Time to live: 116

    >
    > (That's more reasonable - 12 hops away)


    If you can ping or traceroute to xx.xxx.xx.85, it might be nice comparing
    the number of hops you get to this figure of 12 hops.

    >>Protocol: UDP (0x11)


    Now it dawns on me a bit later, you may be the "victim" of back-scatter.
    UDP is connectionless. The spammer sends the packet to the target, and if
    his port 102x is open (running windoze with messenger enabled) he gets
    the spam in a pop-up window. IF THE PORT IS NOT OPEN, it will send the
    ICMP error we saw above. Thing is - there is no handshaking to establish
    the connection, so the spammer can AND OFTEN DOES fake the "source"
    address. I ran a test earlier this month, logging all UDP that was not
    DNS received by my firewall and was seeing an average of 1000 a day. I
    normally block such traffic, but doing stats on where the packets claimed
    to be sourced, I noticed about 3 percent were demonstrably false, with
    addresses that IANA hasn't even released to the Regional Internet Registries
    never mind let out to ISPs.

    >Now above, you said "my address is xx.xxx.xx.151" - and if that's the
    >case, your box got 0wn3d and was sending spam.


    I should not have said this, as this could be the result of a spammer
    choosing your address at random to use as the source IP for his trash.
    That way, if someone complains, it's not the spammer who gets blamed.

    Sorry.

    Old guy
    Moe Trin, Nov 29, 2005
    #10
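    The decoding Moe Trin does by hand above (read the ICMP Type 3 header, then the quoted IP header and first eight bytes of the offending datagram, then reason about the TTL) can be written down as a small parser. The following is an added example written for this page, not code posted by anyone in the thread. It constructs a byte string that mirrors the posted Ethereal decode (an ICMP Type 3 Code 3 from .85 quoting a UDP datagram from .151, source port 26698, destination port 1026, outer TTL 140, inner TTL 116), decodes it the way RFC 792 lays it out, verifies both checksums, estimates hop counts from the TTLs, and labels the message as backscatter when the quoted datagram claims the local address but there is no local record of having sent it. The 198.51.100.x / 203.0.113.x addresses are constructed documentation addresses standing in for the redacted xx.xxx.xx.151 and xx.xxx.xx.85, and `sent_udp_to` is an assumed stand-in for whatever record of outbound UDP (netstat, firewall log) the analyst actually has.

```python
"""Decode an ICMP Destination Unreachable message and inspect the quoted datagram.

Added example for this thread, not code from any poster. Sample bytes are
constructed here to mirror the capture in the thread.
"""
import socket
import struct

OUR_ADDR = "198.51.100.151"   # constructed; stands in for the redacted xx.xxx.xx.151
REMOTE_ADDR = "203.0.113.85"  # constructed; stands in for the redacted xx.xxx.xx.85
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl, ident):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_sample_packet() -> bytes:
    """Constructed ICMP Type 3 Code 3 mirroring the thread's decode (outer IP + ICMP)."""
    # Quoted datagram: RFC 792 only carries the IP header plus the first 8 bytes,
    # which for UDP is exactly the UDP header (ports, length 753, no checksum).
    udp_hdr = struct.pack("!HHHH", 26698, 1026, 753, 0)
    inner_ip = build_ipv4_header(OUR_ADDR, REMOTE_ADDR, 17, 753, ttl=116, ident=0xA638)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + udp_hdr
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    outer_ip = build_ipv4_header(REMOTE_ADDR, OUR_ADDR, 1, len(icmp), ttl=140, ident=0xA638)
    return outer_ip + icmp


def parse_ipv4(data: bytes) -> dict:
    """Parse the fixed IPv4 header fields and validate the header checksum."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": inet_checksum(data[:ihl]) == 0}


def parse_icmp_unreachable(packet: bytes) -> dict:
    """Decode outer IP, the ICMP Type 3 header, and the quoted IP/UDP headers."""
    outer = parse_ipv4(packet)
    if outer["proto"] != 1:
        raise ValueError("outer protocol is not ICMP")
    icmp = packet[outer["ihl"]:outer["total_len"]]
    itype, code = icmp[0], icmp[1]
    if itype != 3:
        raise ValueError("not an ICMP Destination Unreachable message")
    inner = parse_ipv4(icmp[8:])
    quoted = icmp[8 + inner["ihl"]:8 + inner["ihl"] + 8]
    result = {"outer": outer, "type": itype, "code": code, "inner": inner,
              "icmp_checksum_ok": inet_checksum(icmp) == 0}
    if inner["proto"] == 17 and len(quoted) == 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", quoted)
        result["udp"] = {"sport": sport, "dport": dport, "length": ulen}
    return result


def estimate_hops(ttl: int):
    """Assume the smallest common initial TTL not below the observed one; return (initial, hops)."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


def classify(result: dict, our_addr: str, sent_udp_to: set) -> str:
    """Port-unreachable quoting our address with no matching outbound record = backscatter."""
    inner = result["inner"]
    if result["type"] == 3 and result["code"] == 3 and inner["src"] == our_addr:
        dport = result.get("udp", {}).get("dport")
        if (inner["dst"], dport) in sent_udp_to:
            return "reply to our own traffic"
        return "backscatter: spoofed source, remote port unreachable"
    return "unrelated ICMP"


if __name__ == "__main__":
    r = parse_icmp_unreachable(build_sample_packet())
    print("outer TTL", r["outer"]["ttl"], "->", estimate_hops(r["outer"]["ttl"]))
    print("inner TTL", r["inner"]["ttl"], "->", estimate_hops(r["inner"]["ttl"]))
    print(r["udp"], classify(r, OUR_ADDR, sent_udp_to=set()))
```

    Run against a real capture, `sent_udp_to` would be populated from the netstat or firewall records Donnie and Mark ask about; with it empty, the quoted datagram from the local address and the absent outbound record produce the backscatter verdict Moe Trin arrives at in his correction.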
  11. ed

    ed Guest

    Thanks,

    That is what I am guessing, have located some form of QoS running as
    aspnet.exe.



    "Moe Trin" <> wrote in message
    news:...
    > On Mon, 28 Nov 2005, in the Usenet newsgroup alt.computer.security, in
    > article
    > <36Gif.144735$>, ed wrote:
    >
    >>Here is what my firewall log is giving me (my address is xx.xxx.xx.151):
    >>
    >>Issue Name:UDP_Probe_Other
    >>Source IP:xx.xxx.xx.151
    >>Victim IP:xx.xxx.xx.85
    >>Parameters: port=1026&reason=ICMPsent

    >
    > So what that may be trying to say is that you received a UDP packet from
    > xx.xxx.xx.85 to your port 1026 (undoubtedly, windoze messenger spam), and
    > your system rejected it with an ICMP "FOAD" packet. But the stuff below
    > says otherwise.
    >
    >>Not sure now about the UDP, here is the .enc file decode for one of the
    >>packets:

    >
    > Boy, they love to baffle 'em with bullshit, don't they. Well, lets cut
    > through all the useless crap...
    >
    >>Time to live: 140

    >
    > Strange value - these normally start with a nice round figure, like 32,
    > 64,
    > 128, and occasionally 255, and gets decremented by every router between
    > source and destination. In most cases, nothing is more than 30 or 40 hops,
    > yet if this started with 255, it's 115 hops away - highly unlikely.
    >
    >>Protocol: ICMP (0x01)

    >
    >>Source: xx.xxx.xx.85 (xx.xxx.xx.85)
    >>Destination: xx.xxx.xx.151 (xx.xxx.xx.151)
    >>Internet Control Message Protocol
    >>Type: 3 (Destination unreachable)
    >>Code: 3 (Port unreachable)

    >
    > OK - xx.xxx.xx.85 is sending an error message to xx.xxx.xx.151 that
    > says "the number you have dialed is unreachable" The contents of the
    > packet that caused this is:
    >
    >>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
    >>xx.xxx.xx.85 (xx.xxx.xx.85)

    >
    >>Total Length: 773

    >
    >>Time to live: 116

    >
    > (That's more reasonable - 12 hops away)
    >
    >>Protocol: UDP (0x11)

    >
    >>Source: xx.xxx.xx.151 (xx.xxx.xx.151)
    >>Destination: xx.xxx.xx.85 (xx.xxx.xx.85)
    >>User Datagram Protocol, Src Port: 26698 (26698), Dst Port: 1026 (1026)

    >
    > xx.xxx.xx.151 appears to be trying to send messenger spam to xx.xxx.xx.85
    >
    > Now above, you said "my address is xx.xxx.xx.151" - and if that's the
    > case, your box got 0wn3d and was sending spam. I'd be looking at WTF is
    > going on with this box. Yes, that looks like you are the one with the
    > problem, not the remote.
    >
    > Old guy
    ed, Nov 29, 2005
    #11
  12. Mark

    Mark Guest

    Re: port=1026&reason=ICMPsent <CORRECTION>

    Moe Trin wrote:
    >
    >
    >>>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
    >>>xx.xxx.xx.85 (xx.xxx.xx.85)

    >>
    >>>Total Length: 773

    >>
    >>>Time to live: 116

    >>
    >> (That's more reasonable - 12 hops away)

    >
    >
    > If you can ping or traceroute to xx.xxx.xx.85, it might be nice comparing
    > the number of hops you get to this figure of 12 hops
    >
    >
    >
    >
    >>Now above, you said "my address is xx.xxx.xx.151" - and if that's the
    >>case, your box got 0wn3d and was sending spam.

    >
    >
    > I should not have said this, as this could be the result of a spammer
    > choosing your address at random to use as the source IP for his trash.
    > That way, if someone complains, it's not the spammer who gets blamed.
    >


    Agreed, it looks like backscatter to me.
    Nothing to worry about, and frankly, nothing you can do about it.

    Unless you actually see your machine making connection attempts to UDP
    102X in the output of a netstat, I wouldn't worry about it.

    Moe's suggestion of tracerouting to the .85 address is a good one.
    Might give some more clues if you're still interested.

    --
    Mark
    Mark, Nov 29, 2005
    #12