Re: false portscan alarm

---

• From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
• Date: Wed, 18 Oct 2006 14:49:35 -0500

---

On Wed, 18 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
<45362674.693109285@xxxxxxxxxxxxxx>, "GEO" Me@xxxxxxxxx wrote:

I would disagree with your explanation since I have no firewall, and
don't connect to MS, and yesterday I was receiving UDP packets from
the same range of addresses ( 207.46.18.xx). Today I have received UDP
packets from 204.16.208.74.

Destination port?

The usual problem is windoze messenger spam sent to port 1025-1035, and
usually consists of a single packet of 400 to 1200 octets, with a bogus
message claiming to come from your system and reporting registry
corruption or similar. It has a URL to some idiot's web site unrelated
to microsoft, though the name may include the character strings 'window'
and/or 'registry'. There's an article cross-posted to comp.security.misc
and alt.computer.security yesterday that is complaining about this very
problem. Invariably, the source IP address is faked (a real address
isn't needed for this service, as one-way delivery of the spam is all
that is desired). If you look at the actual packet headers, there
are several obvious clues that the packet source is faked, especially if
you compare other similar packets received in the same general timeframe.
Such things as TTL, sequence numbers, and source port numbers often give
it away, as does source IP addresses that haven't even been delegated by
IANA, and therefore can't exist.

Either the explanation that ' wwwbaytest5.microsoft.com has some
malware hunting for more exploitable systems' is correct, or they have
managed to spoof the IP address.

Spoofing UDP is _very_ common.

Old guy
.

---

• Follow-Ups:
  • Re: false portscan alarm
    • From: GEO

• References:
  • false portscan alarm
    • From: mikahan
  • Re: false portscan alarm
    • From: Bit Twister
  • Re: false portscan alarm
    • From: Spack
  • Re: false portscan alarm
    • From: GEO

• Prev by Date: Filter Internet NAT Redirection
• Next by Date: Re: Skype
• Previous by thread: Re: false portscan alarm
• Next by thread: Re: false portscan alarm
• Index(es):
  • Date
  • Thread

---

Relevant Pages Need help receiving UDP packets -- 10% not good enough ... I need some help with receiving UDP packets on a Pocket PC. ... the java code that generates the packets. ... (microsoft.public.pocketpc.developer.networking) Need help with UDP packets -- 10% success not good enough ... I need some help with receiving UDP packets on a Pocket PC. ... the java code that generates the packets. ... (microsoft.public.pocketpc.developer) Re: What is going on with my Dialup? ... also forward it to an unused port, and have that port provide the ... verses the RST or ICMP 3,3. ... The lack of response causes the remote computer to make ... Others think that by not responding to unwanted packets, ... (comp.os.linux.networking) Re: OT .. Road Warrior communications question ... The data on the Internet is sent in little packets. ... The packets addressed to port 80 ... Likewise, at the mail server receiving the packets, it knows the return ... Why would e-mail work on the web but not from your e-mail software? ... (alt.guitar.bass) Re: Logs: Many hits with source port of 80 ... The hits from source port 80 to dest port 37852 are IMHO almost ... you should probably see a couple other packets - perhaps ... packets if either you send the load balancer a packet, ... >>I have seen similar hits for the past three months. ... (Incidents)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)