#1
Who are 24.64.9.177 & 24.64.8.158, etc.?
Kerio Firewall has begun a series of messages such as these, coming once
a minute or so, every so often...!...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.

Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer

The port is owned by...
c:\windows\system\rpcss.exe

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
#2
Who are 24.64.9.177 & 24.64.8.158, etc.?
PCR wrote:

| Kerio Firewall has begun a series of messages such as these, coming
| once a minute or so, every so often...!...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| 1027 owned by 'Distributed COM Services' on your computer.
|
| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| The port is owned by...
| c:\windows\system\rpcss.exe

OK, I see, by the word of...
http://www.networksolutions.com/whois/index.jsp

..........Quote..................................
24.64.9.177
Record Type: IP Address

OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

NetRange: 24.64.0.0 - 24.71.255.255
CIDR: 24.64.0.0/13
NetName: SHAW-COMM
NetHandle: NET-24-64-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS7.NO.CG.SHAWCABLE.NET
NameServer: NS8.SO.CG.SHAWCABLE.NET
Comment:
RegDate: 1996-06-03
Updated: 2006-02-08

OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName: SHAW ABUSE
OrgAbusePhone: +1-403-750-7420
OrgAbuseEmail:

OrgTechHandle: ZS178-ARIN
OrgTechName: Shaw High-Speed Internet
OrgTechPhone: +1-403-750-7428
OrgTechEmail:
..........EOQ......................

I see every one of those in SHAW-COMM's NET range. I've been denying the access & will continue to do so. But what are they trying to do?
#3
Who are 24.64.9.177 & 24.64.8.158, etc.?
PCR wrote:

| Kerio Firewall has begun a series of messages such as these

Why don't you have a NAT router?

| Someone from 24.64.9.177

All those IPs belong to Shaw Cable internet, Calgary Alberta.

| port 3222 wants to send UDP datagram

No malware (as far as I can tell) is known to use port 3222. Recent port usage:
http://isc.sans.org/port.html?port=3222

| to port 1027 owned by 'Distributed COM Services' on your computer.

I don't think that DCOM is normally installed on windows-98 systems. The Shaw Cable computer is either trying to exploit a DCOM vulnerability on your computer, or is attempting to connect to a trojan that it thinks might be running on your computer and listening on port 1027.

| The port is owned by...
| c:\windows\system\rpcss.exe

Unless I'm mistaken, your computer is running win-2k or XP, not win-98.

A home computer located somewhere in Alberta is performing a port-scan on your computer, attempting to either install some malware on your system via a DCOM exploit, or is attempting to contact a trojan running on your computer and give it instructions to do something (to obtain some new software, to send spam to someone, etc).

The fact that they are coming from different addresses every few minutes is strange - it would indicate that it's coming from different machines - as in some sort of coordinated scan directly on to machine. Not sure what would be the reason for that.
#4
Who are 24.64.9.177 & 24.64.8.158, etc.?
Ok, what's going on is this:

Your modem recently obtained a new IP address (maybe it does this once a day, once an hour, once a month, I don't know). In any case, the IP address you have now once belonged to someone that was part of a P2P network. They were part of a file-sharing network. Their IP address is known to the network (for the time being). Other computers are trying to access some file that they think is located on your computer.

So either those attempts will fade away with time, or you can re-boot your modem and obtain a new IP address.

Looks like there are lots of downloaders in Alberta...
#5
Who are 24.64.9.177 & 24.64.8.158, etc.?
It is most likely a Windows Messenger spam attempt:

http://www.linklogger.com/messenger_spam.htm
http://www.linklogger.com/UDP1026.htm
http://isc.sans.org/port.html?port=1027

--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/
http://dts-l.org/goodpost.htm

"PCR" wrote in message ...
PCR wrote:
| Kerio Firewall has begun a series of messages such as these, coming
| once a minute or so, every so often...!...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| 1027 owned by 'Distributed COM Services' on your computer.
|
| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| The port is owned by...
| c:\windows\system\rpcss.exe

OK, I see, by the word of...
http://www.networksolutions.com/whois/index.jsp

.........Quote..................................
24.64.9.177
Record Type: IP Address

OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

NetRange: 24.64.0.0 - 24.71.255.255
CIDR: 24.64.0.0/13
NetName: SHAW-COMM
NetHandle: NET-24-64-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS7.NO.CG.SHAWCABLE.NET
NameServer: NS8.SO.CG.SHAWCABLE.NET
Comment:
RegDate: 1996-06-03
Updated: 2006-02-08

OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName: SHAW ABUSE
OrgAbusePhone: +1-403-750-7420
OrgAbuseEmail:

OrgTechHandle: ZS178-ARIN
OrgTechName: Shaw High-Speed Internet
OrgTechPhone: +1-403-750-7428
OrgTechEmail:
.........EOQ......................

I see every one of those in SHAW-COMM's NET range. I've been denying the access & will continue to do so. But what are they trying to do?
#6
Who are 24.64.9.177 & 24.64.8.158, etc.?
On Wed, 18 Jul 2007 20:20:29 -0400, "PCR" put
finger to keyboard and composed:

| Kerio Firewall has begun a series of messages such as these, coming once
| a minute or so, every so often...!...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| 1027 owned by 'Distributed COM Services' on your computer.

snip

| The port is owned by...
| c:\windows\system\rpcss.exe

What is RPCSS.EXE?
http://cexx.org/rpc.htm

===================================================================
In any event, what rpcss.exe does is to handle a number of API calls that relate to RPC. In general (and this is somewhat of a simplification to prevent techie talk overload), a program can register certain entry points (the "procedures" in remote procedure call) that can be accessed by external applications. This is known as the "portmapper" function. Once registered, anyone contacting the RPC port and asking, in the appropriate format, for a particular function provided by a particular program will be allowed to execute the function. Any security checks are up to the contacted program, as all the portmapper does is to make the necessary procedure call on behalf of the client.

"WAIT JUST A MINUTE," you scream as your face turns red. "You mean ANY program can ask ANY OTHER program on MY MACHINE to do something for it WITHOUT MY KNOWLEDGE?" The sad truth is that, yes, this is true, and yes, this has been a constant source of security flaws in UNIX systems as such-and-such RPC service has this unchecked buffer or that improper security check which allows any remote user with the proper script to gain full control of the machine. Since no such flaws have been found in the rpcss.exe portmapper proper -- probably because no one's really looked -- the real threat comes from the programs that utilize the portmapper.

Unlike UNIX, however, very few Windows programs use RPC; hell, most Windows 9x programmers aren't even aware that RPC exists, and RPC as a direct communications method is being replaced by DCOM and COM+ (which can, but do not necessarily, use RPC) in Windows 2000. Therefore, the likelihood of you even having a portmapped program on Windows 9x is extremely low, and thus the risk that RPC presents is also quite low.
===================================================================

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.
#7
Who are 24.64.9.177 & 24.64.8.158, etc.?
"PCR" wrote in message ...
| PCR wrote:
| | Kerio Firewall has begun a series of messages such as these, coming
| | once a minute or so, every so often...!...
| |
| | Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| | 1027 owned by 'Distributed COM Services' on your computer.
| |
| | Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
| | port 1027 owned by 'Distributed COM Services' on your computer
| |
| | Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
| | port 1027 owned by 'Distributed COM Services' on your computer
| |
| | Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
| | port 1027 owned by 'Distributed COM Services' on your computer
| |
| | Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
| | port 1027 owned by 'Distributed COM Services' on your computer
| |
| | The port is owned by...
| | c:\windows\system\rpcss.exe
|
| OK, I see, by the word of...
| http://www.networksolutions.com/whois/index.jsp
|
| .........Quote..................................
| 24.64.9.177
| Record Type: IP Address
|
| OrgName: Shaw Communications Inc.
| OrgID: SHAWC
| Address: Suite 800
| Address: 630 - 3rd Ave. SW
| City: Calgary
| StateProv: AB
| PostalCode: T2P-4L4
| Country: CA
|
| ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
|
| NetRange: 24.64.0.0 - 24.71.255.255
| CIDR: 24.64.0.0/13
| NetName: SHAW-COMM
| NetHandle: NET-24-64-0-0-1
| Parent: NET-24-0-0-0-0
| NetType: Direct Allocation
| NameServer: NS7.NO.CG.SHAWCABLE.NET
| NameServer: NS8.SO.CG.SHAWCABLE.NET
| Comment:
| RegDate: 1996-06-03
| Updated: 2006-02-08
|
| OrgAbuseHandle: SHAWA-ARIN
| OrgAbuseName: SHAW ABUSE
| OrgAbusePhone: +1-403-750-7420
| OrgAbuseEmail:
|
| OrgTechHandle: ZS178-ARIN
| OrgTechName: Shaw High-Speed Internet
| OrgTechPhone: +1-403-750-7428
| OrgTechEmail:
| .........EOQ......................
|
| I see every one of those in SHAW-COMM's NET range. I've been denying
| the access & will continue to do so. But what are they trying to do?
|

Just a HEADS UP, I also had that same Shaw attack a while ago, all those addresses {which are slightly different than yours - though 24.64.*.* and Shaw} are BLOCKED/DENIED in my PFW firewall.
#8
Who are 24.64.9.177 & 24.64.8.158, etc.?
Here, I just turned on logging and popup alerts and am connected to this
group...

19/Jul/2007 03:09:54 Shaw Comm block blocked; In UDP; S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]-localhost:1026; Owner: no owner
19/Jul/2007 03:11:20 Shaw Comm block blocked; In UDP; S01060020ed1d11bc.lb.shawcable.net [24.64.180.89:20542]-localhost:1026; Owner: no owner
19/Jul/2007 03:14:50 Shaw Comm block blocked; In UDP; S0106000ae694e9c1.cn.shawcable.net [24.64.50.56:20710]-localhost:1026; Owner: no owner
19/Jul/2007 03:21:32 Shaw Comm block blocked; In UDP; 24.64.230.110:24538-localhost:1026; Owner: no owner
19/Jul/2007 03:21:58 Shaw Comm block blocked; In UDP; S0106001346b90d71.lb.shawcable.net [24.64.160.64:7051]-localhost:1026; Owner: no owner
19/Jul/2007 03:30:58 Shaw Comm block blocked; In UDP; S01060004ac8b9494.lb.shawcable.net [24.64.191.235:9685]-localhost:1026; Owner: no owner

Comes via UDP as you noted, apparently when using IE or OE... so a router WOULDN'T stop it... another lurker busted ....

"MEB" meb@not wrote in message ...
|
| "PCR" wrote in message
| ...
| | PCR wrote:
| | | Kerio Firewall has begun a series of messages such as these, coming
| | | once a minute or so, every so often...!...
| | |
| | | Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| | | 1027 owned by 'Distributed COM Services' on your computer.
| | |
| | | Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
| | | port 1027 owned by 'Distributed COM Services' on your computer
| | |
| | | Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
| | | port 1027 owned by 'Distributed COM Services' on your computer
| | |
| | | Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
| | | port 1027 owned by 'Distributed COM Services' on your computer
| | |
| | | Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
| | | port 1027 owned by 'Distributed COM Services' on your computer
| | |
| | | The port is owned by...
| | | c:\windows\system\rpcss.exe
| |
| | OK, I see, by the word of...
| | http://www.networksolutions.com/whois/index.jsp
| |
| | .........Quote..................................
| | 24.64.9.177
| | Record Type: IP Address
| |
| | OrgName: Shaw Communications Inc.
| | OrgID: SHAWC
| | Address: Suite 800
| | Address: 630 - 3rd Ave. SW
| | City: Calgary
| | StateProv: AB
| | PostalCode: T2P-4L4
| | Country: CA
| |
| | ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
| |
| | NetRange: 24.64.0.0 - 24.71.255.255
| |
| |
|
| Just a HEADS UP, I also had that same Shaw attack a while ago, all those
| addresses {which are slightly different than yours - though 24.64.*.* and
| Shaw} are BLOCKED/DENIED in my PFW firewall.
|
|
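The thread reaches two conclusions that can be mechanised: the whois record in post #2 shows every source falls inside Shaw's 24.64.0.0/13 allocation, and Glen Ventura's diagnosis in post #5 is that many unrelated sources sending UDP to 1026/1027 is Windows Messenger-service spam rather than a targeted attack. The script below is an added example, not code from any poster in this thread: it parses both alert formats seen here (the Kerio popup text and the "block blocked; In UDP" log line), attributes each source to the quoted NetRange with `ipaddress`, and applies the thread's own reasoning as a triage rule. The sample lines are constructed from the formats above, `KNOWN_RANGES` comes from the quoted whois record, and the threshold of three distinct sources is an assumption chosen for illustration.

```python
"""Triage personal-firewall alerts: parse, attribute to a netblock, classify."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample input in the two formats seen in the thread: the Kerio
# popup text and the "block blocked; In UDP" log line.
SAMPLE_ALERTS = """\
Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.
Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
19/Jul/2007 03:09:54 Shaw Comm block blocked; In UDP; S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]-localhost:1026; Owner: no owner
19/Jul/2007 03:21:32 Shaw Comm block blocked; In UDP; 24.64.230.110:24538-localhost:1026; Owner: no owner
19/Jul/2007 03:30:58 Shaw Comm block blocked; In UDP; S01060004ac8b9494.lb.shawcable.net [24.64.191.235:9685]-localhost:1026; Owner: no owner
"""

# NetName and CIDR taken from the whois record quoted in the thread.
KNOWN_RANGES = {"SHAW-COMM": ipaddress.ip_network("24.64.0.0/13")}

# UDP 1026/1027 are the ports the Messenger-service spam of that era targeted.
MESSENGER_PORTS = {1026, 1027}
# Assumed threshold: this many distinct sources to one port looks like
# untargeted background spam rather than one host probing this machine.
DISTINCT_SOURCE_THRESHOLD = 3

POPUP_RE = re.compile(
    r"Someone from (?P<src>\d+\.\d+\.\d+\.\d+), port (?P<sport>\d+) wants to send "
    r"(?P<proto>UDP|TCP) \w+ to port (?P<dport>\d+)"
)
# Hostname and brackets are optional: Kerio logs "host [ip:port]-..." when
# reverse DNS succeeds and "ip:port-..." when it does not.
LOG_RE = re.compile(
    r"In (?P<proto>UDP|TCP); (?:\S+ \[)?(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\]?"
    r"-\S+:(?P<dport>\d+)"
)


def parse_alert(line):
    """Return (proto, src_ip, sport, dport) for either format, else None."""
    m = POPUP_RE.search(line) or LOG_RE.search(line)
    if not m:
        return None
    return (m["proto"], m["src"], int(m["sport"]), int(m["dport"]))


def attribute(ip):
    """Name the known allocation containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in KNOWN_RANGES.items():
        if addr in net:
            return name
    return "unknown"


def triage(text):
    """Summarise alert lines: count, origin netblocks, and spam-pattern findings."""
    events = [e for e in (parse_alert(l) for l in text.splitlines()) if e]
    sources_by_port = defaultdict(set)
    origins = Counter()
    for proto, src, _sport, dport in events:
        sources_by_port[(proto, dport)].add(src)
        origins[attribute(src)] += 1
    findings = []
    for (proto, dport), sources in sorted(sources_by_port.items()):
        if proto == "UDP" and dport in MESSENGER_PORTS \
                and len(sources) >= DISTINCT_SOURCE_THRESHOLD:
            findings.append(
                f"UDP/{dport}: {len(sources)} distinct sources; matches the "
                "Messenger-service spam pattern, not a single-host probe"
            )
    return {"events": len(events), "origins": dict(origins), "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

Run it against a real Kerio log export instead of `SAMPLE_ALERTS` and the `origins` counter will show whether the noise really is confined to one allocation (the basis for a per-netblock deny rule like the "Shaw Comm block" in post #8), while `findings` separates broad spam noise from the far more interesting case of one source repeatedly hitting many ports.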
#9
Who are 24.64.9.177 & 24.64.8.158, etc.?
You goof,

Those are the lottery numbers you've been expecting, that Augie promised to get to you somehow. Firewall intrusions..haaruumphh!

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"PCR" wrote in message ...
| PCR wrote:
|| Kerio Firewall has begun a series of messages such as these, coming
|| once a minute or so, every so often...!...
||
|| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
|| 1027 owned by 'Distributed COM Services' on your computer.
||
|| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
|| port 1027 owned by 'Distributed COM Services' on your computer
||
|| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
|| port 1027 owned by 'Distributed COM Services' on your computer
||
|| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
|| port 1027 owned by 'Distributed COM Services' on your computer
||
|| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
|| port 1027 owned by 'Distributed COM Services' on your computer
||
|| The port is owned by...
|| c:\windows\system\rpcss.exe
|
| OK, I see, by the word of...
| http://www.networksolutions.com/whois/index.jsp
|
| .........Quote..................................
| 24.64.9.177
| Record Type: IP Address
|
| OrgName: Shaw Communications Inc.
| OrgID: SHAWC
| Address: Suite 800
| Address: 630 - 3rd Ave. SW
| City: Calgary
| StateProv: AB
| PostalCode: T2P-4L4
| Country: CA
|
| ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
|
| NetRange: 24.64.0.0 - 24.71.255.255
| CIDR: 24.64.0.0/13
| NetName: SHAW-COMM
| NetHandle: NET-24-64-0-0-1
| Parent: NET-24-0-0-0-0
| NetType: Direct Allocation
| NameServer: NS7.NO.CG.SHAWCABLE.NET
| NameServer: NS8.SO.CG.SHAWCABLE.NET
| Comment:
| RegDate: 1996-06-03
| Updated: 2006-02-08
|
| OrgAbuseHandle: SHAWA-ARIN
| OrgAbuseName: SHAW ABUSE
| OrgAbusePhone: +1-403-750-7420
| OrgAbuseEmail:
|
| OrgTechHandle: ZS178-ARIN
| OrgTechName: Shaw High-Speed Internet
| OrgTechPhone: +1-403-750-7428
| OrgTechEmail:
| .........EOQ......................
|
| I see every one of those in SHAW-COMM's NET range. I've been denying
| the access & will continue to do so. But what are they trying to do?
|
|
#10
Who are 24.64.9.177 & 24.64.8.158, etc.?
"Curt Christianson" wrote in message ...
| You goof,
|
| Those are the lottery numbers you've been expecting, that Augie promised to
| get to you somehow. Firewall intrusions..haaruumphh!
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm

SO Curt, are you claiming these as yours? Or was this a little hahaha,, not very funny when we ARE discussing systems intrusions or other attempts at monitoring activities ... I never consider any of these types of activities as laughable or ignorable...

Sorry Curt, but with the present activities the people are being subjected to, without their knowledge or consent, I do take issue ....

--
MEB
http://peoplescounsel.orgfree.com
________

|
| "PCR" wrote in message
| ...
| | PCR wrote:
| || Kerio Firewall has begun a series of messages such as these, coming
| || once a minute or so, every so often...!...
| ||
| || Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| || 1027 owned by 'Distributed COM Services' on your computer.
| ||
| || Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
| || port 1027 owned by 'Distributed COM Services' on your computer
| ||
| || Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
| || port 1027 owned by 'Distributed COM Services' on your computer
| ||
| || Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
| || port 1027 owned by 'Distributed COM Services' on your computer
| ||
| || Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
| || port 1027 owned by 'Distributed COM Services' on your computer
| ||
| || The port is owned by...
| || c:\windows\system\rpcss.exe
| |
| | OK, I see, by the word of...
| | http://www.networksolutions.com/whois/index.jsp
| |
| | .........Quote..................................
| | 24.64.9.177
| | Record Type: IP Address
| |
| | OrgName: Shaw Communications Inc.
| | OrgID: SHAWC
| | Address: Suite 800
| | Address: 630 - 3rd Ave. SW
| | City: Calgary
| | StateProv: AB
| | PostalCode: T2P-4L4
| | Country: CA
| |
| | ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
| |
| | NetRange: 24.64.0.0 - 24.71.255.255
| | CIDR: 24.64.0.0/13
| | NetName: SHAW-COMM
| | NetHandle: NET-24-64-0-0-1
| | Parent: NET-24-0-0-0-0
| | NetType: Direct Allocation
| | NameServer: NS7.NO.CG.SHAWCABLE.NET
| | NameServer: NS8.SO.CG.SHAWCABLE.NET
| | Comment:
| | RegDate: 1996-06-03
| | Updated: 2006-02-08
| |
| | OrgAbuseHandle: SHAWA-ARIN
| | OrgAbuseName: SHAW ABUSE
| | OrgAbusePhone: +1-403-750-7420
| | OrgAbuseEmail:
| |
| | OrgTechHandle: ZS178-ARIN
| | OrgTechName: Shaw High-Speed Internet
| | OrgTechPhone: +1-403-750-7428
| | OrgTechEmail:
| | .........EOQ......................
| |
| | I see every one of those in SHAW-COMM's NET range. I've been denying
| | the access & will continue to do so. But what are they trying to do?
| |
| |
|