A Windows 98 & ME forum. Win98banter


Who are 24.64.9.177 & 24.64.8.158, etc.?



 
 
#1  PCR, July 19th 07, 01:20 AM, posted to microsoft.public.win98.gen_discussion

Kerio Firewall has begun a series of messages such as these, coming once
a minute or so, every so often...!...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer.

Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer

The port is owned by...
c:\windows\system\rpcss.exe


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR



#2  PCR, July 19th 07, 01:47 AM, posted to microsoft.public.win98.gen_discussion

PCR wrote:
| Kerio Firewall has begun a series of messages such as these, coming
| once a minute or so, every so often...!...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| 1027 owned by 'Distributed COM Services' on your computer.
|
| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| The port is owned by...
| c:\windows\system\rpcss.exe

OK, I see, by the word of...
http://www.networksolutions.com/whois/index.jsp

..........Quote..................................
24.64.9.177
Record Type: IP Address

OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

NetRange: 24.64.0.0 - 24.71.255.255
CIDR: 24.64.0.0/13
NetName: SHAW-COMM
NetHandle: NET-24-64-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS7.NO.CG.SHAWCABLE.NET
NameServer: NS8.SO.CG.SHAWCABLE.NET
Comment:
RegDate: 1996-06-03
Updated: 2006-02-08

OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName: SHAW ABUSE
OrgAbusePhone: +1-403-750-7420
OrgAbuseEmail:

OrgTechHandle: ZS178-ARIN
OrgTechName: Shaw High-Speed Internet
OrgTechPhone: +1-403-750-7428
OrgTechEmail:

..........EOQ......................

I see every one of those in SHAW-COMM's NET range. I've been denying
the access & will continue to do so. But what are they trying to do?


#3  98 Guy, July 19th 07, 02:10 AM, posted to microsoft.public.win98.gen_discussion

PCR wrote:

| Kerio Firewall has begun a series of messages such as these

Why don't you have a NAT router?

| Someone from 24.64.9.177

All those IP's belong to Shaw Cable internet, Calgary Alberta.

| port 3222 wants to send UDP datagram

No malware (as far as I can tell) is known to use port 3222. Recent
port usage:

http://isc.sans.org/port.html?port=3222

| to port 1027 owned by 'Distributed COM Services' on your computer.

I don't think that DCOM is normally installed on windows-98 systems.
The Shaw Cable computer is either trying to exploit a DCOM
vulnerability on your computer, or is attempting to connect to a
trojan that it thinks might be running on your computer and listening
on port 1027.

| The port is owned by...
| c:\windows\system\rpcss.exe


Unless I'm mistaken, your computer is running win-2k or XP, not
win-98.

A home computer located somewhere in Alberta is performing a port-scan
on your computer, attempting to either install some malware on your
system via a DCOM exploit, or is attempting to contact a trojan
running on your computer and give it instructions to do something (to
obtain some new software, to send spam to someone, etc).

The fact that they are coming from different addresses every few
minutes is strange - it would indicate that it's coming from different
machines - as in some sort of coordinated scan directly on to
machine. Not sure what would be the reason for that.

#4  98 Guy, July 19th 07, 02:17 AM, posted to microsoft.public.win98.gen_discussion

Ok, what's going on is this:

Your modem recently obtained a new IP address (maybe it does this once
a day, once an hour, once a month, I don't know).

In any case, the IP address you have now once belonged to someone that
was part of a P2P network. They were part of a file-sharing network.
Their IP address is known to the network (for the time being).

Other computers are trying to access some file that they think is
located on your computer.

So either those attempts will fade away with time, or you can re-boot
your modem and obtain a new IP address.

Looks like there are lots of downloaders in Alberta...

#5  glee, July 19th 07, 03:30 AM, posted to microsoft.public.win98.gen_discussion

It is most likely a Windows Messenger spam attempt:
http://www.linklogger.com/messenger_spam.htm
http://www.linklogger.com/UDP1026.htm
http://isc.sans.org/port.html?port=1027
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/
http://dts-l.org/goodpost.htm

#6  Franc Zabkar, July 19th 07, 07:08 AM, posted to microsoft.public.win98.gen_discussion

On Wed, 18 Jul 2007 20:20:29 -0400, "PCR" put
finger to keyboard and composed:

| Kerio Firewall has begun a series of messages such as these, coming once
| a minute or so, every so often...!...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| 1027 owned by 'Distributed COM Services' on your computer.

<snip>

| The port is owned by...
| c:\windows\system\rpcss.exe

What is RPCSS.EXE?
http://cexx.org/rpc.htm

===================================================================
In any event, what rpcss.exe does is to handle a number of API calls
that relate to RPC. In general (and this is somewhat of a
simplification to prevent techie talk overload), a program can
register certain entry points (the "procedures" in remote procedure
call) that can be accessed by external applications. This is known as
the "portmapper" function. Once registered, anyone contacting the RPC
port and asking, in the appropriate format, for a particular function
provided by a particular program will be allowed to execute the
function. Any security checks are up to the contacted program, as all
the portmapper does is to make the necessary procedure call on behalf
of the client.

"WAIT JUST A MINUTE," you scream as your face turns red. "You mean ANY
program can ask ANY OTHER program on MY MACHINE to do something for it
WITHOUT MY KNOWLEDGE?" The sad truth is that, yes, this is true, and
yes, this has been a constant source of security flaws in UNIX systems
as such-and-such RPC service has this unchecked buffer or that
improper security check which allows any remote user with the proper
script to gain full control of the machine. Since no such flaws have
been found in the rpcss.exe portmapper proper -- probably because no
one's really looked -- the real threat comes from the programs that
utilize the portmapper. Unlike UNIX, however, very few Windows
programs use RPC; hell, most Windows 9x programmers aren't even aware
that RPC exists, and RPC as a direct communications method is being
replaced by DCOM and COM+ (which can, but do not necessarily, use RPC)
in Windows 2000. Therefore, the likelihood of you even having a
portmapped program on Windows 9x is extremely low, and thus the risk
that RPC presents is also quite low.
===================================================================

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

#7  MEB[_2_], July 19th 07, 07:42 AM, posted to microsoft.public.win98.gen_discussion

Just a HEADS UP, I also had that same Shaw attack a while ago, all those
addresses {which are slightly different than yours - though 24.64.*.* and
Shaw} are BLOCKED/DENIED in my PFW firewall.


#8  MEB[_2_], July 19th 07, 08:32 AM, posted to microsoft.public.win98.gen_discussion

Here, I just turned on logging and popup alerts and am connected to this
group...

19/Jul/2007 03:09:54 Shaw Comm block blocked; In UDP; S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]-localhost:1026; Owner: no owner
19/Jul/2007 03:11:20 Shaw Comm block blocked; In UDP; S01060020ed1d11bc.lb.shawcable.net [24.64.180.89:20542]-localhost:1026; Owner: no owner
19/Jul/2007 03:14:50 Shaw Comm block blocked; In UDP; S0106000ae694e9c1.cn.shawcable.net [24.64.50.56:20710]-localhost:1026; Owner: no owner
19/Jul/2007 03:21:32 Shaw Comm block blocked; In UDP; 24.64.230.110:24538-localhost:1026; Owner: no owner
19/Jul/2007 03:21:58 Shaw Comm block blocked; In UDP; S0106001346b90d71.lb.shawcable.net [24.64.160.64:7051]-localhost:1026; Owner: no owner
19/Jul/2007 03:30:58 Shaw Comm block blocked; In UDP; S01060004ac8b9494.lb.shawcable.net [24.64.191.235:9685]-localhost:1026; Owner: no owner

Comes via UDP as you noted, apparently when using IE or OE... so a router
WOULDN'T stop it... another lurker busted ....

#9  Curt Christianson[_2_], July 19th 07, 12:04 PM, posted to microsoft.public.win98.gen_discussion

You goof,

Those are the lottery numbers you've been expecting, that Augie promised to
get to you somehow. Firewall intrusions..haaruumphh!

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

#10  MEB[_2_], July 19th 07, 03:28 PM, posted to microsoft.public.win98.gen_discussion


"Curt Christianson" wrote in message
...
| You goof,
|
| Those are the lottery numbers you've been expecting,that Augie promised to
| get to you somehow. Firewall intrusions..haaruumphh!
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm


SO Curt, are you claiming these as yours? Or was this a little hahaha,, not
very funny when we ARE discussing systems intrusions or other attempts at
monitoring activities ...
I never consider any of these types of activities as laughable or
ignorable... Sorry Curt, but with the present activities the people are
being subjected to, without their knowledge or consent, I do take issue ....

--
MEB
http://peoplescounsel.orgfree.com
________
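
The comparison made by hand in this thread (each alert's source against the whois range from post #2, grouped by the destination port seen in posts #1 and #8) can be scripted. This is an added example, not code from any poster or from either firewall product; the function names are hypothetical, and the sample lines are copied from posts #1 and #8 except the 203.0.113.7 entry, which is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Allocation from the ARIN record quoted in post #2 (NetName SHAW-COMM).
SHAW_NET = ipaddress.ip_network("24.64.0.0/13")

# Kerio prompt format as pasted in post #1.
KERIO_RE = re.compile(
    r"Someone from (?P<src>\d+(?:\.\d+){3}), port (?P<sport>\d+) "
    r"wants to send UDP datagram to port (?P<dport>\d+)")
# Log format as pasted in post #8; reverse-DNS name and brackets are optional.
PFW_RE = re.compile(
    r"In UDP; [^;]*?\[?(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\]?"
    r"-localhost:(?P<dport>\d+)")

# Lines copied from posts #1 and #8, wrapped as posted. The last entry
# (203.0.113.7, documentation range) is constructed to show an outlier.
SAMPLE = """\
Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer.
Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer
19/Jul/2007 03:09:54 Shaw Comm block blocked; In UDP;
S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]-localhost:1026;
Owner: no owner
19/Jul/2007 03:21:32 Shaw Comm block blocked; In UDP;
24.64.230.110:24538-localhost:1026; Owner: no owner
Someone from 203.0.113.7, port 40000 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer
"""

def parse_events(text):
    """Return (src_ip, src_port, dst_port) for every alert found in pasted text."""
    flat = " ".join(text.split())      # undo the line wrapping of pasted posts
    events = []
    for rx in (KERIO_RE, PFW_RE):
        for m in rx.finditer(flat):
            try:
                src = ipaddress.ip_address(m["src"])
            except ValueError:         # e.g. an octet above 255
                continue
            events.append((src, int(m["sport"]), int(m["dport"])))
    return events

def covering_prefix(addrs):
    """Smallest single IPv4 prefix that contains every address in addrs."""
    ints = [int(a) for a in addrs]
    host_bits = (min(ints) ^ max(ints)).bit_length()
    base = (min(ints) >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))

def triage(text, network=SHAW_NET):
    """Distinct sources per destination port, split by membership in network."""
    by_port = defaultdict(lambda: {"in_range": set(), "other": set()})
    for src, _sport, dport in parse_events(text):
        by_port[dport]["in_range" if src in network else "other"].add(src)
    inside = {s for b in by_port.values() for s in b["in_range"]}
    return dict(by_port), (covering_prefix(inside) if inside else None)

if __name__ == "__main__":
    ports, prefix = triage(SAMPLE)
    for port in sorted(ports):
        b = ports[port]
        print(f"udp/{port}: {len(b['in_range'])} in {SHAW_NET}, {len(b['other'])} other")
    print("covering prefix of in-range sources:", prefix)
```

On the sample, the in-range sources collapse to 24.64.0.0/16, which matches the 24.64.*.* block described in post #7, and every event targets UDP 1026 or 1027.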




 




All times are GMT +1.