UDP to port 1027

on 17.06.2006 20:43:18 by "GEO" Me

Hello.

I asked a related question in comp.security.misc. Now I see that the
UDP packet I keep on receiving is going to ports 1026 or 1027. It does
include an address to a page (www.patchupdate.info) that offers to
download a patch for some versions of Windows from a different page,
not a MS page.
What is port 1027 used for? I don't find any mention of it being
used for anything in particular.

Please set follow-up to the most appropriate group.

Thanks
Geo

PS: The ping from 204.23.212.191 might have come from a compromised
computer not related to this packet.

Re: UDP to port 1027

on 17.06.2006 21:00:35 by Volker Birk

In comp.security.misc "GEO" wrote:
> What is port 1027 used for?

For anything you're implementing. There is no close relationship between
port number and usage.

There only are _recommendations_ which ports to use for what.

Port UDP/1027 sometimes is used for ICQ. And usually client side
processes are using ports beyond 1024.

Yours,
VB.
--
"If you want to play with a piece of windows software that makes you
click all over the place, there's always minesweeper."

Kyle Stedman about "Personal Firewalls" in c.s.f

Re: UDP to port 1027

on 17.06.2006 21:02:17 by Sebastian Gottschalk

"GEO" Me@home.here wrote:

> I asked a related question in comp.security.misc. Now I see that the
> UDP packet I keep on receiving is going to ports 1026 or 1027. It does
> include an address to a page (www.patchupdate.info) that offers to
> download a patch for some versions of Windows from a different page,
> not a MS page.
> What is port 1027 used for? I don't find any mention of it being
> used for anything in particular.

On Windows machines, the ports shortly above 1024 are usually used for
certain RPC-implemented services like Task Scheduler and Netsend
Messaging. However, this only applies to TCP, so I guess those fools
have some misconception.

> Please set follow-up to the most appropriate group.

Eh, shouldn't you do that? But well, fup2csf

Re: UDP to port 1027

on 18.06.2006 16:45:24 by "GEO" Me

On Sat, 17 Jun 2006 21:02:17 +0200, Sebastian Gottschalk
wrote:

>"GEO" Me@home.here wrote:
>> What is port 1027 used for? I don't find any mention of it being
>> used for anything in particular.

>On Windows machines The ports short above 1024 are usually used for
>certain RPC implemented services like Task Scheduler and Netsend
>Messaging. However, this only applies to TCP, so I guess those fools
>have some misconception.

They must be targeting something running in one of the systems for
which they offer the 'patch':


This Security Fix is compatible with the following Microsoft® Windows®
Systems:

Microsoft Windows XP
Microsoft Windows NT Workstation
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows Server 2003



Thanks
Geo

Re: UDP to port 1027

on 18.06.2006 16:45:57 by "GEO" Me

On 17 Jun 2006 21:00:35 +0200, Volker Birk wrote:

>In comp.security.misc "GEO" wrote:
>> What is port 1027 used for?

>For anything you're implementing. There is no close relationship between
>port number and usage.
>There only are _recommendations_ which ports to use for what.

>Port UDP/1027 sometimes is used for ICQ. And usually client side
>processes are using ports beyond 1024.



Those UDP packets seem to try to link to some service like ICQ and
display a message warning of a 'system alert-virus infection' and
provide a link to a site that will provide a patch for *only* $19.95.
I thought that there might be a newer standard that included port
1027.

I'll have to learn how to read the headers to see if I can figure
out what is trying to access.

Thank you.

Geo

PS: Hexadecimal converted to ASCII by hand using the table found in
. There must be an easier way
to do it.

Re: UDP to port 1027

on 18.06.2006 19:34:46 by Kerodo

In article <44940161.15954888@news.telus.net>, "GEO" Me@home.here
says...
> Hello.
>
> I asked a related question in comp.security.misc. Now I see that the
> UDP packet I keep on receiving is going to ports 1026 or 1027. It does
> include an address to a page (www.patchupdate.info) that offers to
> download a patch for some versions of Windows from a different page,
> not a MS page.
> What is port 1027 used for? I don't find any mention of it being
> used for anything in particular.
>
> Please set follow-up to the most appropriate group.
>
> Thanks
> Geo
>
> PS: The ping from 204.23.212.191 might have come from a compromised
> computer not related to this packet.
>
>
>
>

This is just Messenger spam. It's extremely common and has been going
on for ages. They are trying to get packets thru that pop up little ads
on your desktop via the Messenger service running on your machine. Just
let your firewall block the incoming UDP packets and don't worry about
it. It's pure noise..

--
Kerodo

Re: UDP to port 1027

on 18.06.2006 19:44:17 by ibuprofin

On Sat, 17 Jun 2006, in the Usenet newsgroup comp.security.firewalls, in article
<44940161.15954888@news.telus.net>, "GEO" Me@home.here wrote:

> I asked a related question in comp.security.misc. Now I see that the
>UDP packet I keep on receiving is going to ports 1026 or 1027. It does
>include an address to a page (www.patchupdate.info) that offers to
>download a patch for some versions of Windows from a different page,
>not a MS page.
> What is port 1027 used for? I don't find any mention of it being
>used for anything in particular.

Which rock have you been hiding under for the past eight years? That is
ordinary windoze messenger spam, because you haven't blocked it (we port
shift _outgoing_ UDP which is generally DNS queries, such that the source
port is not in the 1025 to ~1075 range, allowing our upstream to silently
discard incoming to that range). You should also disable this "feature"
in your windoze setup - I have no idea how, as I got rid of that crap in
1992. Do a google search for 'messenger spam' and you'll find instructions
from microsoft on how to disable it, as well as Eleventy-Zillion programs
you can purchase for only $20 or so that claim to block it.

Don't bother trying to reject (ICMP Error) the packets. The last time I
bothered to look at these packets, it was QUITE OBVIOUS that the source
address was forged (TTLs wrong, and in about 4% of the cases, the claimed
source address had not been released by IANA, never mind assigned to some
entity by a Regional Internet Registry like ARIN, RIPE, or APNIC). The
forged source addresses seem to be generated by a poorly written random
number generator script.

The web pages were generally at newly registered domains, but actually
hosted by well-known spam service centers in the Portland (OR.us) to
Vancouver (BC.ca), Chicago, or New York City metropolitan areas.

>Please set follow-up to the most appropriate group.

Following the others - set to c.s.f

>PS: The ping from 204.23.212.191 might have come from a compromised
>computer not related to this packet.

Not enough information. Oh, wait - that's the posting where you are
"using Trumpet on Windows 3.1". I guess that explains why you haven't
noticed messenger spam before, but it really is a "feature" that
microsoft adopted more than fifteen years after the UNIX version, and as
usual without bothering to look at the preceding experience and thus know
that it's a massive abuse problem waiting to happen. Oh, and 'ping' is
not UDP, but rather a function in ICMP. Real pings have not been an exploit
since the "Ping of Death" that targeted the incompetently written network
stack in the first three versions of windoze-9x.

I suspect your use of the word "ping" here is incorrect, and you are
actually referring to the UDP messenger spam. That being the case, the
address is almost certainly forged.

Old guy
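The two sanity checks Moe describes on the claimed source address (a TTL that does not fit any plausible path, and an address that was never allocated) can be automated. The block below is an added example, not code from this thread or from any of its posters. It tests a claimed source against a static, hand-picked list of special-purpose blocks (a real check would load current IANA and RIR allocation data instead), and it infers a hop count from the observed TTL by assuming the sender started from the smallest common initial TTL that is not below it. The sample (address, TTL) pairs are constructed, the 30-hop limit is an assumption, and the two public addresses are only the ones quoted elsewhere in the thread.

```python
"""Sanity checks on the claimed source address of an unsolicited datagram.

Added example, not part of the original thread. NEVER_ROUTED is a static
hand-picked subset of special-purpose address space; a real deployment
would use current IANA / RIR allocation data. MAX_PLAUSIBLE_HOPS is an
assumption.
"""
import ipaddress

# Blocks that cannot legitimately be the source of a packet arriving from the
# public Internet: "this" network, RFC 1918 private space, loopback,
# link-local, the documentation nets, multicast and class E.
NEVER_ROUTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # defaults of common IP stacks
MAX_PLAUSIBLE_HOPS = 30                    # assumption: more than this is implausible


def is_bogon(src: str) -> bool:
    """True if src lies in a block that should never reach us from outside."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in NEVER_ROUTED)


def estimate_hops(ttl: int) -> int:
    """Guess the path length: pick the smallest common initial TTL that is
    >= the observed TTL and take the difference."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range")


def forgery_indicators(src: str, ttl: int) -> list:
    """Reasons (possibly none) to suspect the claimed source is forged."""
    reasons = []
    if is_bogon(src):
        reasons.append("source in never-routed block")
    if estimate_hops(ttl) > MAX_PLAUSIBLE_HOPS:
        reasons.append("TTL implies implausible hop count")
    return reasons


# Constructed sample: (claimed source, observed TTL). Not captured data.
SAMPLE_PACKETS = [
    ("203.156.76.77", 107),   # plausible: 128 - 107 = 21 hops
    ("10.44.1.9", 110),       # RFC 1918 source cannot arrive from the Internet
    ("240.7.7.7", 200),       # class E source, and 255 - 200 = 55 hops
    ("4.79.142.201", 49),     # plausible: 64 - 49 = 15 hops
]


def scan(packets=SAMPLE_PACKETS) -> dict:
    """Map each claimed source to its list of forgery indicators."""
    return {src: forgery_indicators(src, ttl) for src, ttl in packets}


if __name__ == "__main__":
    for src, reasons in scan().items():
        print(f"{src:16} {'; '.join(reasons) or 'no indicators'}")
```

The hop estimate is deliberately loose: a single packet gives no way to know the sender's real initial TTL, so only a very large inferred hop count is treated as evidence. That is also why Moe's advice stands: when these indicators fire there is nobody at the claimed address to receive an ICMP error, so dropping the datagram silently is the right response.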

Re: UDP to port 1027

on 19.06.2006 17:15:08 by "GEO" Me

On Sun, 18 Jun 2006 10:34:46 -0700, Kerodo
wrote:


>> What is port 1027 used for? I don't find any mention of it being
>> used for anything in particular.

>This is just Messenger spam. It's extremely common and has been going
>on for ages. They are trying to get packets thru that pop up little ads
>on your desktop via the Messenger service running on your machine. Just
>let your firewall block the incoming UDP packets and don't worry about
>it. It's pure noise..

Thank you. As I don't have Messenger on my Windows 3.1, I'll just
ignore them.

This Messenger stuff reminds me of the idea of letting the fridge
call the store when I run out milk.

Geo

Re: UDP to port 1027

on 19.06.2006 21:11:53 by "GEO" Me

On Sun, 18 Jun 2006 12:44:17 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>"GEO" Me@home.here wrote:
>> What is port 1027 used for? I don't find any mention of it being
>>used for anything in particular.

>Which rock have you been hiding under for the past eight years?

Rock? Actually a shell. On a dial-up connection that connected to a
Unix shell (at least that's how I understood it). Now we have to use
PAP for authentication, so I had to start using Trumpet.

>That is ordinary windoze messenger spam, because you haven't blocked it (we port
>shift _outgoing_ UDP which is generally DNS queries, such that the source
>port is not in the 1025 to ~1075 range, allowing our upstream to silently
>discard incoming to that range). You should also disable this "feature"
>in your windoze setup - I have no idea how, as I got rid of that crap in
>1992. Do a google search for 'messenger spam' and you'll find instructions
>from microsoft on how to disable it, as well as Eleventy-Zillion programs
>you can purchase for only $20 or so that claim to block it.


>>PS: The ping from 204.23.212.191 might have come from a compromised
>>computer not related to this packet.

>Not enough information. Oh, wait - that's the posting where you are
>"using Trumpet on Windows 3.1". I guess that explains why you haven't
>noticed messenger spam before, but it really is a "feature" that
>microsoft adopted more than fifteen years after the UNIX version, and as
>usual without bothering to look at the preceding experience and thus know
>that it's a massive abuse problem waiting to happen. Oh, and 'ping' is
>not UDP, but rather a function in ICMP. Real pings have not been an exploit
>since the "Ping of Death" that targeted the incompetently written network
>stack in the first three versions of windoze-9x.
>I suspect your use of the word "ping" here is incorrect, and you are
>actually referring to the UDP messenger spam. That being the case, the
>address is almost certainly forged.

Messenger ...'a "feature" that microsoft adopted more than fifteen
years after the UNIX version, and as usual without bothering to look
at the preceding experience'. Interesting, I didn't know it had a
history.

I said ping because on the trace log of Trumpet I see a record such
as:

1 IP 203.156.76.77 ->My address len 908 prot 17
0 IP My address ->203.156.76.77 len 56 prot 1

and since I had not connected to this address I assumed that it must
be a computer trying to do something to mine. Is it not a ping?

"Ping of Death"? I better do some more reading before I move to Win
95 -probably after the next version of Windows comes out :))

Thank you very much for an interesting reply.

Geo

Re: UDP to port 1027

on 20.06.2006 00:05:37 by x0040973

"Moe Trin" wrote in message
news:slrne9b47g.7pp.ibuprofin@compton.phx.az.us...
> On Sat, 17 Jun 2006, in the Usenet newsgroup comp.security.firewalls, in article
> Don't bother trying to reject (ICMP Error) the packets. The last time I
> bothered to look at these packets, it was QUITE OBVIOUS that the source
> address was forged (TTLs wrong, and in about 4% of the cases, the claimed
> source address had not been released by IANA, never mind assigned to some
> entity by a Regional Internet Registry like ARIN, RIPE, or APNIC). The
> forged source addresses seem to be generated by a poorly written random
> number generator script.
>
> The web pages were generally at newly registered domains, but actually
> hosted by well-known spam service centers in the Portland (OR.us) to
> Vancouver (BC.ca), Chicago, or New York City metropolitan areas.



Actually, if we are going to talk about ICMP at all, I have seen folks
recommend 'dropping' instead of 'rejecting' ICMP Error packets
(except types 3 4 5 and 11) for several reasons:

1. to prevent source quench
(TCP has its own methods for dealing with congestion knowing that
TCP/IP allows for 1:1 'ICMP reply' to 'normal packet' ratio anyway)

2. to prevent redirection or performance degradation
(fragmentation, DF bit set...)

3. to prevent return info being sent back to host in the event of a scan
(which has been fairly proven this is not, but bears mentioning)


Modern BSD's and Linuxes and the like are prepared to deal with most
of this, but... not sure if Windows is... in this case, specifically...
ummm
Trumpet 3.1. -yikes-



But I would like to look at these packets too, like you guys have!

Setting up a new box over the weekend, I was curious to see how my
homebrew tunneled SSL HA syslog server was hanging in there, and
noticed these same ports in the logfile... figured if it was being taken
care of now, no big deal, I can always check them out later. Very
interested to see for myself the same things you have, Moe.




jcj

Re: UDP to port 1027

on 20.06.2006 00:21:53 by Sebastian Gottschalk

Jay C. James wrote:

> 1. to prevent source quench
> (TCP has its own methods for dealing with congestion knowing that
> TCP/IP allows for 1:1 'ICMP reply' to 'normal packet' ratio anyway)

Now this is pretty wrong. Not only that ECN creates certain problems
with incompatible network hardware (e.g. firewalls not properly ignoring
ECN), even in combination with TCP congestion avoidance it's no suitable
replacement, but rather an addition to source quench signaling.

> 2. to prevent redirection or performance degradation
> (fragmentation, DF bit set...)

Hm... dropping ICMP Redirects is pretty good, but which applications
have performance issues? Even good'ol Windows 2000 has pretty few CPU
issues dealing with a full 100 MBit/s stream of both small MTU (68 bytes)
and sparse fragments (90%), about 40% on a 1.4 GHz Athlon. WinXP
performs even better, and the common Unices don't have any problems as well.

Re: UDP to port 1027

on 20.06.2006 23:00:30 by x0040973

"Sebastian Gottschalk" wrote in message
news:4fomcsF1iqdq0U1@news.dfncis.de...
> Jay C. James wrote:
>
> > 1. to prevent source quench
> > (TCP has its own methods for dealing with congestion knowing that
> > TCP/IP allows for 1:1 'ICMP reply' to 'normal packet' ratio anyway)
>
> Now this is pretty wrong. Not only that ECN creates certain problems
> with incompatible network hardware (e.g. firewalls not properly ignoring
> ECN), even in combination with TCP congestion avoidance it's no suitable
> replacement, but rather an addition to source quench signaling.
>

I was not referring to ECN at all there, but that is an interesting thing
you bring up.
Not everyone uses ECN. I was referring to ICMP in general.


> > 2. to prevent redirection or performance degradation
> > (fragmentation, DF bit set...)
>
> Hm... dropping ICMP Redirects is pretty good, but which applications
> have performance issues? Even good'ol Windows 2000 has pretty few CPU
> issues dealing with a full 100 MBit/s stream of both small MTU (68 bytes)
> and sparse fragments (90%), about 40% on a 1.4 GHz Athlon. WinXP
> performs even better, and the common Unices don't have any problems as well.

I should have specified TCP connection performance degradation and not
application performance degradation! Sorry.

In reference to TCP performance degradation, there is potential to reset a
TCP connection using 65536 ICMP packets. How's that for degradation :) and that's
just to start, without even covering spoofed ICMP 3 and 4 messages and how
they could mess with an existing connection.

Re: UDP to port 1027

on 20.06.2006 23:44:22 by Sebastian Gottschalk

Jay C. James wrote:
> I was not referring to ECN at all there, but that is an interesting
> thing you bring up. Not everyone uses ECN. I was referring to ICMP in
> general.

Sorry, but it seems like you're serious about TCP congestion behaviour
only. Well, it works, but it adapts only slowly and not very
efficiently, whereas the other mechanisms including source quench permit
immediate signaling.

> In reference to TCP performance degradation, there is potential to
> reset a TCP connection using 65536 ICMP packets. Hows that for
> degradation :) and thats just to start, without even covering spoofed
> ICMP 3 and 4 messages and how they could mess with an existing
> connection.

I wonder where you've been the last years... such issues have already
been addressed in most implementations.

Re: UDP to port 1027

on 21.06.2006 04:03:59 by ibuprofin

On Mon, 19 Jun 2006, in the Usenet newsgroup comp.security.firewalls, in
article <44968e0e.9607371@news.telus.net>, "GEO" Me@home.here wrote:

> Messenger ...'a "feature" that microsoft adopted more than fifteen
>years after the UNIX version, and as usual without bothering to look
>at the preceeding experience' Interesting, I didn't know it had a
>history.

[compton ~]$ whatis talk talkd
talk (1) - talk to another user
talkd (8) - remote user communication server
[compton ~]$ grep talk /etc/services
talk 517/udp # BSD talkd(8)
ntalk 518/udp # SunOS talkd(8)
[compton ~]$

>I said ping because on the trace log of Trumpet I see a record such as:
>
>1 IP 203.156.76.77 ->My address len 908 prot 17
>0 IP My address ->203.156.76.77 len 56 prot 1
>
>and since I had not connected to this address I assumed that it must
>be a computer trying to do something to mine. Is it not a ping?

[compton ~]$ grep -wE '(1|17)' /etc/protocols
icmp 1 ICMP # internet control message protocol
udp 17 UDP # user datagram protocol
[compton ~]$

You probably don't have that file - go to
http://www.iana.org/assignments/protocol-numbers and discover that there
are about 140 different protocols that can be in an IP packet.

So, the log claims that some dial-up host on Jasmine Internet in Bangkok
Thailand sent a packet of 908 octets with a protocol of 17. Your host then
sent a packet to that host of protocol 1, which is ICMP - probably an ICMP
Type 3 Code 3 (Port Unreachable) because nothing is listening on the port
that the original packet was sent to.

Protocol 17 is UDP. Lessee, a len of 908... Probably a Security Bulletin
directing you to go to some spammers website where FOR ONLY US$29.95 plus
shipping and handling, you can get some software that installs spyware
for you.

Or was it the shorter message (with padding) that claims "STOP! WINDOWS
REQUIRES IMMEDIATE ATTENTION" and the next line says "Windows has found
$RANDOM_NUMBER Critical System Errors." (where $RANDOM_NUMBER is some value
between 50 and 125).

> "Ping of Death"? I better do some more reading before I move to Win
>95 -probably after the next version of Windows comes out :))

I don't know if they ever fixed the problem in 95. Yeah, the l33t d00dZ
found it great fun to send an oversized ping to a windoze box on the net
and watch it curl up and die. That was a major reason that people began
blocking first ping, then all forms of ICMP.

Old guy

Re: UDP to port 1027

on 24.06.2006 04:55:01 by "GEO" Me

On Tue, 20 Jun 2006 21:03:59 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>[compton ~]$ grep -wE '(1|17)' /etc/protocols
>icmp 1 ICMP # internet control message protocol
>udp 17 UDP # user datagram protocol
>[compton ~]$
>
>You probably don't have that file - go to
>http://www.iana.org/assignments/protocol-numbers and discover that there
>are about 140 different protocols that can be in an IP packet.

Thank you for the reference. I was wondering if those numbers after
'prot' meant 'protocol', now I also know where to look them up.


>Protocol 17 is UDP. Lessee, a len of 908... Probably a Security Bulletin
>directing you to go to some spammers website where FOR ONLY US$29.95 plus
>shipping and handling, you can get some software that installs spyware
>for you.

Correct!! I thought it looked suspicious that the same site also
offered to sell a 'Pop-Up creator for your web site'.

>> "Ping of Death"? I better do some more reading before I move to Win
>>95 -probably after the next version of Windows comes out :))
>
>I don't know if they ever fixed the problem in 95. Yeah, the l33t d00dZ
>found it great fun to send an oversized ping to a windoze box on the net
>and watch it curl up and die. That was a major reason that people began
>blocking first ping, then all forms of ICMP.

I guess I'll step carefully when I upgrade. Some of the other
messages which I was referring to, but I did not have a copy at hand,
were like this:

1 IP 4.79.142.202 ->My address len 602 prot 6
0 IP My address ->4.79.142.202 len 40 prot 6

Would that be a ping?


These other short ones seem to be targeting something else (?):

1 IP 4.79.142.201 ->My address len 78 prot 17
Undelivered UDP
UDP 8902->137 50
96 9D 00 10 00 01 00 00 00 00 00 00 20 43 4B 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21
00 01
0 IP My address ->4.79.142.201 len 56 prot 1


Thanks again.
Geo

Re: UDP to port 1027

on 24.06.2006 21:23:52 by ibuprofin

On Sat, 24 Jun 2006, in the Usenet newsgroup comp.security.firewalls, in article
<449c641f.3128692@news.telus.net>, "GEO" Me@home.here wrote:

>(Moe Trin) wrote:

>>Protocol 17 is UDP. Lessee, a len of 908... Probably a Security Bulletin
>>directing you to go to some spammers website where FOR ONLY US$29.95 plus
>>shipping and handling, you can get some software that installs spyware
>>for you.
>
> Correct!! I thought it looked suspicious that the same site also
>offered to sell a 'Pop-Up creator for your web site'.

People seem to forget that there really isn't this benevolent entity
out on the net that looks after your computer, and informs you when
something is wrong. Microsoft does not send security bulletins to
every windoze user in the world, any more than any other company. The
only ones doing it are the spammers, who can also get you a deal on
these blue pills for your computer.

> I guess I'll step carefully when I upgrade.

Just curious - why are you using this old stuff? Especially in the windoze
world, there are more exploits out there than trees in Canada.

>Some of the other messages which I was referring to, but I did not have a
>copy at hand were like this:
>
>1 IP 4.79.142.202 ->My address len 602 prot 6
>0 IP My address ->4.79.142.202 len 40 prot 6
>
> Would that be a ping?

[compton ~]$ grep 6 /etc/protocols
tcp 6 TCP # transmission control protocol
[compton ~]$

Not enough information - both TCP and UDP use portnumbers - think of it
as room numbers in a commercial building. Room 80 has web services, room
25 has inter-server mail, 109, 110, and/or 143 have local mail delivery,
and so on. Thing is, just because someone tried to connect to port X only
means that they expected to find some specific service there. If you were
looking to send mail to some remote system, you'd try to connect to port
25 there, because that is where the "well-known" service should reside.
On the other-hand, there is no law that requires that service to be on
port 25, just as there is no law that says that port 25 _MUST_ be used
for that purpose only. See http://www.iana.org/assignments/port-numbers
for the official list.

While this is lacking information, all that can be said is that the first
packet is from www.grc.com - the website of Gibson Research (a company
that some claim to be run by a charlatan - others think he knows something).
The packet is _probably_ part of a conversation - there were packets
opening the conversation before this, and there should be more following.
That's a guess based on the size of the packet. The second packet is
probably an ACK (yes, I received this). See RFC1180

1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991.
(Format: TXT=65494 bytes) (Status: INFORMATIONAL)

> This other short ones seem to be targeting something else (?):
>
>1 IP 4.79.142.201 ->My address len 78 prot 17
>Undelivered UDP
>UDP 8902->137 50

Some undefined host also at Gibson Research (client.grc.com) asking if
you want to share. UDP 137 is Netbios Nameservice. Were you running a
test at "Shields Up" or merely connecting to the website?

Old guy
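Moe reads the trace lines by hand: look up the 'prot' number, note that the outbound reply of protocol 1 is an ICMP error rather than a ping, and recognise the UDP/137 payload as a NetBIOS name-service request. The block below is an added example, not code from the thread or from any poster, that does the same mechanically: it parses the Trumpet trace format quoted in GEO's posts (the sample text is copied from them, including the 50-byte hex dump), maps protocol numbers through a three-entry subset of IANA's list, and decodes the question in the UDP/137 datagram following the first-level name encoding of RFC 1001/1002. The Messenger port set is an assumption taken from this thread's description of the spam. Decoding the dump shows the 32-letter name "CKAAAA..." is the wildcard name `*` padded with nulls and the query type 0x0021 is NBSTAT, a node-status request: the standard way a remote host asks a Windows machine for its NetBIOS name table, which fits Moe's reading of the packet.

```python
"""Parse the Trumpet trace lines quoted in this thread and decode the UDP/137 payload.

Added example, not code from the thread. SAMPLE_TRACE is copied from the
posts; PROTOCOLS is a three-entry subset of IANA's protocol-number list;
MESSENGER_PORTS is an assumption taken from the thread. Name decoding
follows the first-level encoding of RFC 1001/1002.
"""
import re

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
MESSENGER_PORTS = {1026, 1027}               # assumption: targets of the popup spam
QTYPE_NAMES = {0x20: "NB", 0x21: "NBSTAT"}   # name query / node status request

# "1 IP 203.156.76.77 ->My address len 908 prot 17"   (1 = inbound, 0 = outbound)
TRACE_RE = re.compile(r"^(?P<dir>[01]) IP (?P<src>.+?) ->(?P<dst>.+?) len (?P<len>\d+) prot (?P<prot>\d+)$")
UDP_RE = re.compile(r"^UDP (?P<sport>\d+)->(?P<dport>\d+) (?P<plen>\d+)$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")


def parse_trace(text: str) -> list:
    """Group trace lines into packets; a UDP port line and hex dump lines are
    attached to the packet line that precedes them."""
    packets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TRACE_RE.match(line)
        if m:
            num = int(m["prot"])
            cur = {"inbound": m["dir"] == "1", "src": m["src"], "dst": m["dst"],
                   "len": int(m["len"]), "proto": PROTOCOLS.get(num, f"proto {num}"),
                   "payload": b""}
            packets.append(cur)
            continue
        u = UDP_RE.match(line)
        if u and cur is not None:
            cur["sport"], cur["dport"] = int(u["sport"]), int(u["dport"])
        elif cur is not None and HEX_RE.match(line):
            cur["payload"] += bytes.fromhex(line)
    return packets


def decode_nbns_query(payload: bytes) -> dict:
    """Decode one NetBIOS Name Service question (RFC 1002 4.2.1): 12-byte
    header, one first-level-encoded name, then QTYPE and QCLASS."""
    txid = int.from_bytes(payload[0:2], "big")
    flags = int.from_bytes(payload[2:4], "big")
    pos = 12
    length = payload[pos]
    encoded = payload[pos + 1:pos + 1 + length]
    pos += 1 + length + 1                    # skip name and its terminating zero label
    # First-level encoding: each raw byte is sent as two letters, 'A' plus the
    # high nibble and 'A' plus the low nibble, so 32 letters carry 16 bytes.
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, len(encoded), 2))
    qtype = int.from_bytes(payload[pos:pos + 2], "big")
    qclass = int.from_bytes(payload[pos + 2:pos + 4], "big")
    return {
        "txid": txid,
        "opcode": (flags >> 11) & 0xF,        # 0 = query
        "broadcast": bool(flags & 0x0010),    # B bit of NM_FLAGS
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15],                    # 16th byte is the NetBIOS suffix
        "qtype": QTYPE_NAMES.get(qtype, hex(qtype)),
        "qclass": qclass,
    }


def describe(pkt: dict) -> str:
    """One-line reading of a packet, in the spirit of the answers above."""
    way = "in " if pkt["inbound"] else "out"
    if pkt["proto"] == "UDP" and pkt.get("dport") == 137 and pkt["payload"]:
        q = decode_nbns_query(pkt["payload"])
        return f"{way} {pkt['src']}: NetBIOS {q['qtype']} query for name {q['name']!r}"
    if pkt["proto"] == "UDP" and pkt.get("dport") in MESSENGER_PORTS:
        return f"{way} {pkt['src']}: UDP to {pkt['dport']}, Messenger popup spam"
    if pkt["proto"] == "ICMP" and not pkt["inbound"]:
        # 20 (IP) + 8 (ICMP) + 20 + 8 (quoted original header) = 56 bytes:
        # the size of an ICMP error such as port unreachable, not an echo request.
        kind = "error reply to the packet above" if pkt["len"] == 56 else "ICMP"
        return f"{way} to {pkt['dst']}: ICMP {pkt['len']} bytes, {kind}"
    return f"{way} {pkt['src']} -> {pkt['dst']}: {pkt['proto']}, {pkt['len']} bytes"


def analyse(text: str) -> list:
    return [describe(p) for p in parse_trace(text)]


# Trace lines as quoted in the thread; the hex dump is GEO's UDP/137 packet.
SAMPLE_TRACE = """\
1 IP 203.156.76.77 ->My address len 908 prot 17
0 IP My address ->203.156.76.77 len 56 prot 1
1 IP 4.79.142.202 ->My address len 602 prot 6
0 IP My address ->4.79.142.202 len 40 prot 6
1 IP 4.79.142.201 ->My address len 78 prot 17
Undelivered UDP
UDP 8902->137 50
96 9D 00 10 00 01 00 00 00 00 00 00 20 43 4B 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21
00 01
0 IP My address ->4.79.142.201 len 56 prot 1
"""

if __name__ == "__main__":
    for line in analyse(SAMPLE_TRACE):
        print(line)
```

The 908-byte inbound datagram has no port line in the trace, so the parser can only report it as UDP; the two 56-byte outbound ICMP packets are sized exactly like a destination-unreachable error quoting the offending header, which is what a host sends when nothing listens on the port, and is why they are not pings.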

Re: UDP to port 1027

on 27.06.2006 21:40:52 by "GEO" Me

On Sat, 24 Jun 2006 14:23:52 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>People seem to forget that there really isn't this benevolent entity
>out on the net that looks after your computer, and informs you when
>something is wrong. Microsoft does not send security bulletins to
>every windoze user in the world, any more than any other company. The
>only ones doing it are the spammers, who can also get you a deal on
>these blue pills for your computer.

My impression on this point is that the heavy marketing, mixed
within certain aspects of the culture, has been a cause of this
problem. How many people still want to believe that certain figures of
authority only have their best interests at heart, from politicians to
priests. Some people find it emotionally hard to distrust those that are
supposed to be trusted.


>Just curious - why are you using this old stuff? Especially in the windoze
>world, there are more exploits out there than trees in Canada.

I had already got used to MS-DOS before moving to Win 3.1, and I did
not have access to anything else for a while. By the time I got Win 95
I found it a bit complicated in comparison and the more I looked at it
the less I liked the idea of creating an OS that assumed that users
should not have as much control and that the company will do it for
them -they know better what it is that you wanted to do.
If I had had access at that time to Linux, I probably would have
moved to it, and still I might do that instead of moving to the newer
versions of Windows. But I don't like that the newer versions of Linux
seem to be trying to copy the newer versions of Windows. I prefer the
idea of having one program for each task, not one program that is
supposed to do everything.

As you say, it seems that Win 95/98 have had plenty of exploits,
which might make moving to Linux easier than trying to keep track of
all the existing problems with Win 95/98 and its applications.


>>Some of the other messages which I was refering to, but I did not have a
>>copy at hand were like this:
>>1 IP 4.79.142.202 ->My address len 602 prot 6
>>0 IP My address ->4.79.142.202 len 40 prot 6
>> Would that be a ping?



>While this is lacking information, all that can be said it that the first
>packet is from www.grc.com - ....

> Were you running a
>test at "Shields Up" or merely connecting to the website?

Right, I forgot that I went from a link in
(mentioned by
Sebastian Gottschalk a few days ago) to www.grc.com. You are good at
using limited information. :)


Thank you.
Geo

Re: UDP to port 1027

am 27.06.2006 21:47:45 von Bit Twister

On Tue, 27 Jun 2006 19:40:52 GMT, "GEO" Me@home.here wrote:

> If I had had access at that time to Linux, I probably would have
> moved to it, and still I might do that instead of mving to the newer
> versions of Windows.

Start saving your money. Microsoft suggests getting lots of horsepower
and memory for the new Vista. Then you get to buy all the thirdparty
software you need.

> But I don't like that the newer versions of Linux
> seem to be trying to copy the newer versions of Windows. I prefer the
> idea of having one program for each task, not one program that is
> supposed to do everything.

Linux is still that way. It is just that they have the GUI frontends to
help the people who do not want to run the command line apps via a keyboard.

Re: UDP to port 1027

am 28.06.2006 21:53:24 von ibuprofin

On Tue, 27 Jun 2006, in the Usenet newsgroup comp.security.firewalls, in
article <44a0b6df.13019971@news.telus.net>, "GEO" Me@home.here wrote:

>I had already got used to MS-DOS before moving to Win 3.1, and I did
>not have access to anything else for a while. By the time I got Win 95
>I found it a bit complicated in comparison and the more I looked at it
>the less I liked the idea of creating an OS that assumed that users
>should not have as much control and that the company will do it for
>them -they know better what it is that you wanted to do.

Even in the later versions of windoze, you don't have to do everything
by clicking on some icon, or moving a slider. People simply don't want
to spend the time learning how to use anything. "It should be obvious."
That's why the manufacturers of VCRs and such are adding a mechanism to
extract time from TV signals, and set the clock automatically. Gone are
the days of the VCR blinking "--:--" for months because the user can't be
bothered to read how to set the time.

>If I had had access at that time to Linux, I probably would have
>moved to it, and still I might do that instead of mving to the newer
>versions of Windows.

You had to know where to look. The O/S and most tools have been freely
available for download since late 1992. The first version I used was
downloaded onto 30-ish 5.25 inch floppies, and you installed from that.

>But I don't like that the newer versions of Linux seem to be trying to
>copy the newer versions of Windows.

The average new user is used to windoze. The various distributions are
merely doing good marketing technique, and giving the customer what they
want.

>I prefer the idea of having one program for each task, not one program
>that is supposed to do everything.

One program for each task hasn't been the case since the early 1980s.

[compton ~]$ whatis dig dnsquery host nslookup
dig (1) - send domain name query packets to name servers
dnsquery (1) - query domain name servers using resolver
host (1) - look up host names using domain server
nslookup (8) - query Internet name servers interactively
[compton ~]$

Four different programs to query DNS. Been that way for years. They all
do the same job (differently), and produce the same information. Use the
one that you like. For that matter:

[compton ~]$ whatis whatis
whatis (1) - search the whatis database for complete words
[compton ~]$ man -f whatis
whatis (1) - search the whatis database for complete words
[compton ~]$ grep ^whatis /usr/share/man/whatis
whatis (1) - search the whatis database for complete words
[compton ~]$

There are three ways to query a database to find manual entries about specific
commands. Thing is, _all_ of the commands are available, even if you are
using the most bloated click and drool eye-candy type of interface. This
system is running Linux, and while I am running X (a portable, network-
transparent window system) to give me 19 different terminals ("A mouse is
a device used to point at the xterm you want to type in"), there isn't an
icon, or pull-down menu, or tool bar anywhere. Everything I do is command
line - typing in those cryptic commands and getting work done.

> As you say, it seems that Win 95/98 have had plenty of exploits,
>which might make moving to Linux easier than trying to keep track of
>all the existing problems with Win 95/98 and its applications.

Linux isn't your only possibility. In addition to the 350+ different
Linux distributions, there are also several variants of BSD (FreeBSD,
NetBSD, OpenBSD) and at least one "branded" UNIX (Solaris x86) that
will run on Intel type hardware. But don't think that just because you
are running a *nix you are immune from malware. While they are much
less common, exploits exist for these O/S as well. They tend to be a
lot less destructive because of philosophic differences (we don't run
these things as the super user that has the authority to do anything to
the system - the windoze "administrator" account). Someone recently
posted "Uncrackable computers are already available. It's uncrackable
users that are in short supply."

Old guy

Re: UDP to port 1027

am 28.06.2006 23:32:38 von unknown

Post removed (X-No-Archive: yes)