Re: port=1026&reason=ICMPsent
From: Mark (kilroy_at_removethis.beer.com)
Date: 11/20/05
- Next message: David H. Lipman: "Re: Too bad about this newsgroup"
- Previous message: George Orwell: "Re: Too bad about this newsgroup"
- In reply to: ed: "Re: port=1026&reason=ICMPsent"
- Next in thread: ed: "Re: port=1026&reason=ICMPsent"
Date: Sun, 20 Nov 2005 14:54:24 GMT
Reply in line.
ed wrote:
> Actually, ICMP is a layered protocol; the UDP protocol in question is a
> transmission protocol.
I have to agree with Moe, I think we are having a failure to
communicate. ICMPs are in the network layer of the OSI model. UDP and
TCP would be in the transport layer. But, in the payload of an ICMP
they can give information about the upper layer protocols they are
replying to.
>
> I am aware of the misuse of port 1026 and 1027, but since the routers do not
> allow pinging from outside of the network, I am curious why a 0x0 reply is
> sent (typical response to a ping).
Are you saying that your machine in question is sending an echo reply
with a payload indicating it was in response to a UDP packet? If so, do
you have a packet capture of the payload? It would make sense to send a
host unreachable/network unreachable etc, but not an echo reply. If
that is the case, it almost sounds like some malware is trying to
communicate using a covert channel.
>
> There is no pattern to the machines it is responding/sending to.
> Additionally, these machine IPs do not show up in my firewall as probing.
Since they don't show up as probing, I'm guessing that machine is not
responding, just sending. Again, some malware trying to phone home?
>
> The 0x0 is normally a reply to a ping, but pinging is disallowed from
> outside the local network.
Agreed, that is normally an echo reply, but why do you say it has
something to do with a UDP packet?
Mark
> "Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
> news:slrndnkfei.k4d.ibuprofin@compton.phx.az.us...
>
>>In the Usenet newsgroup alt.computer.security, in article
>><q23ef.96767$Hs.9720@tornado.ohiordc.rr.com>, ed wrote:
>>
>>
>>>My win 2002 SP2 server is periodically sending an ICMP on UDP port 1026 to
>>>various IPs.
>>
>>That sentence makes no sense. ICMP is one IP protocol, UDP another.
>>Search for RFC0768 (UDP), RFC0791 (IP) and RFC0792 (ICMP) if interested.
>>
>>
>>>I have not actually witnessed the UDP, so this may be a wrong assumption.
>>
>>UDP 1026 (and 1027) are primary targets of messenger spam - pop-up ads
>>targeting clueless windoze users. Late last month, I turned on logging
>>on the perimeter firewall at home (I normally ignore dropped packets)
>>for a week, and noted about 1000 messages a day, or about 450K of wasted
>>bandwidth per day. The few packets I investigated were all fake windoze
>>error messages, directing users to some spammers website for a "repair".
>>I'm in North America, so most of the packets were originating in China,
>>although the spamvertised web sites were all hosted at well known spammer
>>support domains in the US states of Washington, Texas, or Florida.
>>
>> Old guy
>
>
>
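Mark's point that an ICMP message can describe the upper-layer packet it answers, and that an echo reply ("0x0") would not, can be checked against the bytes. This is an added example, not code from any poster: a Python decoder that treats a Destination Unreachable message the way RFC 792 lays it out (the quoted IP header plus the first 8 bytes of the triggering datagram, which is where a UDP destination port such as 1026 comes from) and an Echo Reply as carrying no such quote. The packets are constructed, with addresses from the RFC 5737 documentation ranges.

```python
import ipaddress
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}
IPPROTO_UDP = 17


def describe_icmp(pkt: bytes) -> dict:
    """Decode an ICMP message (outer IP header already stripped).

    A type 3 message quotes the offending datagram's IP header and the
    first 8 bytes of its transport header, so the UDP ports are recoverable
    and a firewall can log something like "port=1026". An echo reply has no
    such quote, so no port can be attributed to it.
    """
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = pkt[0], pkt[1]
    info = {"type": icmp_type, "code": code, "quoted_port": None}
    if icmp_type == ICMP_ECHO_REPLY:
        info["kind"] = "echo reply"
        return info
    if icmp_type == ICMP_DEST_UNREACH:
        info["kind"] = UNREACH_CODES.get(code, "unreachable (code %d)" % code)
        inner = pkt[8:]                      # quoted datagram starts after 8-byte ICMP header
        if len(inner) < 20:
            raise ValueError("type 3 message without a quoted IP header")
        ihl = (inner[0] & 0x0F) * 4          # inner IP header length in bytes
        info["quoted_src"] = str(ipaddress.IPv4Address(inner[12:16]))
        info["quoted_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
        if inner[9] == IPPROTO_UDP and len(inner) >= ihl + 8:
            sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
            info["quoted_port"] = dport      # the UDP port the probe was aimed at
        return info
    info["kind"] = "other (type %d)" % icmp_type
    return info


def _ipv4(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left zero because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


# Constructed sample 1: port-unreachable sent back for a Messenger-spam probe to UDP/1026.
INNER = _ipv4("203.0.113.7", "192.0.2.10", IPPROTO_UDP, 36) + struct.pack("!HHHH", 1026, 1026, 16, 0)
PORT_UNREACH = struct.pack("!BBHI", 3, 3, 0, 0) + INNER
# Constructed sample 2: a plain echo reply (type 0, code 0) with an 8-byte data payload.
ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1) + b"abcdefgh"
```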