false portscan alarm

false portscan alarm

on 17.10.2006 13:23:40 by mikahan

I regularly receive notifications from my personal firewall about port
scanning made by www.microsoft.com. This is the information from my log

2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
1733, 1168, 1165)
2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056,
2052, 2058, 2050)

Does it mean that Microsoft is trying to hack me? :-)
What is the reason for that traffic?

regards
M

Re: false portscan alarm

on 17.10.2006 16:58:38 by Bit Twister

On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
> I regularly receive notifications from my personal firewall about port
> scanning made by www.microsoft.com. This is the information from my log

no, microsoft.com is 207.46.130.108/207.46.250.119


> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
> 1733, 1168, 1165)
> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056,
> 2052, 2058, 2050)

207.46.18.30 is wwwbaytest5.microsoft.com

> Does it mean that Microsoft is trying to hack me? :-)
> What is the reason for that traffic?

Looking up those ports at
http://isc.sans.org/port_details.php?port=1730 (example)

would seem to indicate wwwbaytest5.microsoft.com has some malware
hunting for more exploitable systems.

Re: false portscan alarm

on 18.10.2006 09:41:04 by Spack

Bit wrote on Tue, 17 Oct 2006 09:58:38 -0500:

> On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
>> I regularly receive notifications from my personal firewall about port
>> scanning made by www.microsoft.com. This is the information from my log
>
> no, microsoft.com is 207.46.130.108/207.46.250.119
>
>> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
>> 1733, 1168, 1165)
>> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056,
>> 2052, 2058, 2050)
>
> 207.46.18.30 is wwwbaytest5.microsoft.com

Which is just one of a large cluster of servers running www.microsoft.com.

>> Does it mean that Microsoft is trying to hack me? :-)
>> What is the reason for that traffic?
>
> Looking up those ports at
> http://isc.sans.org/port_details.php?port=1730 (example)
>
> would seem to indicate wwwbaytest5.microsoft.com has some malware
> hunting for more exploitable systems.

Or those packets are simply responses to connections initiated from the user
end and closed prematurely. For instance, the user opened a browser to
www.microsoft.com, and it took a while for the MS server to respond, and the
browser and/or the "personal firewall" had decided to close those ports
prematurely. Each of those "port scans" could be a response to a request for
various files used by a web page - images, scripts, etc - which each have a
local source port above 1024 opened outgoing to port 80 on the web server,
so the response data will come back to those source ports.

This is just the usual sort of completely harmless and normal activity that
these so called "personal firewalls" like to warn people about when there is
absolutely no reason to. It breeds fear in the computer illiterate,
encouraging them to spend money on more "personal security" products, which
is probably one of the reasons that these "personal firewalls" spew this
rubbish.

Dan
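One way to triage alerts of the shape shown in the original post, added here as an example and not code from any poster: a small Python parser for those log lines, plus the heuristic Dan describes, namely that a "port scan" whose target ports all sit in the client's own ephemeral range looks like late replies to connections this side opened and then tore down, not like a sweep of services. The log format, the 1025-5000 ephemeral range (the classic Windows default of the era) and the third, contrasting log line are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed copies of the two alert lines from the original post (the
# wrapped lines rejoined), plus one constructed contrast line aimed at
# well-known service ports. Format assumed:
#   "<date> <time> port scan from <ip> <proto> (<port>, <port>, ...)"
SAMPLE_ALERTS = [
    "2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734, 1733, 1168, 1165)",
    "2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056, 2052, 2058, 2050)",
    "2006-09-12 09:21 port scan from 198.51.100.7 TCP (21, 22, 23, 25, 80, 135)",
]

# Assumed client ephemeral port range (classic Windows default 1025-5000).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1025, 5000

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) port scan from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<proto>TCP|UDP) \((?P<ports>[\d,\s]+)\)$"
)


@dataclass
class Alert:
    ts: datetime
    src_ip: str
    proto: str
    ports: list[int]


def parse_alert(line: str) -> Alert:
    """Parse one firewall alert line into its fields."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    ports = [int(p) for p in m.group("ports").split(",") if p.strip()]
    return Alert(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M"),
                 m.group("ip"), m.group("proto"), ports)


def classify(alert: Alert) -> str:
    """Heuristic triage of a 'port scan' alert.

    TCP packets from one host that only touch ports in our ephemeral range
    are the signature of replies to connections this side opened (a browser
    fetching page assets) arriving after the local end gave up on them.
    Packets at well-known service ports are what a real sweep looks like.
    """
    in_ephemeral = [EPHEMERAL_LOW <= p <= EPHEMERAL_HIGH for p in alert.ports]
    if alert.proto == "TCP" and all(in_ephemeral):
        return "likely-late-replies"
    if not any(in_ephemeral):
        return "service-sweep"
    return "mixed"


def triage(lines) -> dict[str, str]:
    """Map each raw alert line to its classification."""
    return {line: classify(parse_alert(line)) for line in lines}


if __name__ == "__main__":
    for line, label in triage(SAMPLE_ALERTS).items():
        print(f"{label:22s} {line}")
```

The heuristic only uses what the alert itself records, so it cannot prove the packets were replies; a packet capture showing source port 80 and the ACK/RST flags on them would. It does, however, separate alerts worth a second look from the noise that this kind of firewall produces.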

Re: false portscan alarm

on 18.10.2006 09:55:03 by mikahan

Spack wrote:
> Bit wrote on Tue, 17 Oct 2006 09:58:38 -0500:
>
>> On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
>>> I regularly receive notifications from my personal firewall about port
>>> scanning made by www.microsoft.com. This is the information from my log
>> no, microsoft.com is 207.46.130.108/207.46.250.119
>>
>>> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
>>> 1733, 1168, 1165)
>>> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (2054, 2060, 2056,
>>> 2052, 2058, 2050)
>> 207.46.18.30 is wwwbaytest5.microsoft.com
>
> Which is just one of a large cluster of servers running www.microsoft.com.
>
>>> Does it mean that Microsoft is trying to hack me? :-)
>>> What is the reason for that traffic?
>> Looking up those ports at
>> http://isc.sans.org/port_details.php?port=1730 (example)
>>
>> would seem to indicate wwwbaytest5.microsoft.com has some malware
>> hunting for more exploitable systems.
>
> Or those packets are simply responses to connections initiated from the user
> end and closed prematurely. For instance, the user opened a browser to
> www.microsoft.com, and it took a while for the MS server to respond, and the
> browser and/or the "personal firewall" had decided to close those ports
> prematurely. Each of those "port scans" could be a response to a request for
> various files used by a web page - images, scripts, etc - which each have a
> local source port above 1024 opened outgoing to port 80 on the web server,
> so the response data will come back to those source ports.
>
> This is just the usual sort of completely harmless and normal activity that
> these so called "personal firewalls" like to warn people about when there is
> absolutely no reason to. It breeds fear in the computer illiterate,
> encouraging them to spend money on more "personal security" products, which
> is probably one of the reasons that these "personal firewalls" spew this
> rubbish.
>
> Dan
>
>
ok. thanks.

Re: false portscan alarm

on 18.10.2006 15:47:10 by "GEO" Me

On Wed, 18 Oct 2006 08:41:04 +0100, "Spack"
wrote:

>> On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
>>> I regularly receive notifications from my personal firewall about port
>>> scanning made by www.microsoft.com. This is the information from my log

>>> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
>>> 1733, 1168, 1165)

>> 207.46.18.30 is wwwbaytest5.microsoft.com

>Which is just one of a large cluster of servers running www.microsoft.com.
>
>>> Does it mean that Microsoft is trying to hack me? :-)
>>> What is the reason for that traffic?

>> Looking up those ports at
>> http://isc.sans.org/port_details.php?port=1730 (example)
>> would seem to indicate wwwbaytest5.microsoft.com has some malware
>> hunting for more exploitable systems.

>Or those packets are simply responses to connections initiated from the user
>end and closed prematurely. For instance, the user opened a browser to
>www.microsoft.com, and it took a while for the MS server to respond, and the
>browser and/or the "personal firewall" had decided to close those ports
>prematurely. Each of those "port scans" could be a response to a request for
>various files used by a web page - images, scripts, etc - which each have a
>local source port above 1024 opened outgoing to port 80 on the web server,
>so the response data will come back to those source ports.
>
>This is just the usual sort of completely harmless and normal activity that
>these so called "personal firewalls" like to warn people about when there is
>absolutely no reason to. It breeds fear in the computer illiterate,
>encouraging them to spend money on more "personal security" products, which
>is probably one of the reasons that these "personal firewalls" spew this
>rubbish.

I would disagree with your explanation since I have no firewall, and
don't connect to MS, and yesterday I was receiving UDP packets from
the same range of addresses ( 207.46.18.xx). Today I have received UDP
packets from 204.16.208.74.

Either the explanation that ' wwwbaytest5.microsoft.com has some
malware hunting for more exploitable systems' is correct, or they have
managed to spoof the IP address.

Geo

Re: false portscan alarm

on 18.10.2006 16:58:51 by Spack

GEO wrote on Wed, 18 Oct 2006 13:47:10 GMT:

> On Wed, 18 Oct 2006 08:41:04 +0100, "Spack"
> wrote:
>
>>> On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
>>>> I regularly receive notifications from my personal firewall about port
>>>> scanning made by www.microsoft.com. This is the information from my log
>
>>>> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
>>>> 1733, 1168, 1165)
>
>>> 207.46.18.30 is wwwbaytest5.microsoft.com
>
>> Which is just one of a large cluster of servers running
>> www.microsoft.com.
>>
>>>> Does it mean that Microsoft is trying to hack me? :-)
>>>> What is the reason for that traffic?
>
>>> Looking up those ports at
>>> http://isc.sans.org/port_details.php?port=1730 (example)
>>> would seem to indicate wwwbaytest5.microsoft.com has some malware
>>> hunting for more exploitable systems.
>
>> Or those packets are simply responses to connections initiated from the
>> user end and closed prematurely. For instance, the user opened a browser
>> to www.microsoft.com, and it took a while for the MS server to respond,
>> and the browser and/or the "personal firewall" had decided to close those
>> ports prematurely. Each of those "port scans" could be a response to a
>> request for various files used by a web page - images, scripts, etc -
>> which each have a local source port above 1024 opened outgoing to port 80
>> on the web server, so the response data will come back to those source
>> ports.
>>
>> This is just the usual sort of completely harmless and normal activity
>> that these so called "personal firewalls" like to warn people about when
>> there is absolutely no reason to. It breeds fear in the computer
>> illiterate, encouraging them to spend money on more "personal security"
>> products, which is probably one of the reasons that these "personal
>> firewalls" spew this rubbish.
>
> I would disagree with your explanation since I have no firewall, and
> don't connect to MS, and yesterday I was receiving UDP packets from
> the same range of addresses ( 207.46.18.xx). Today I have received UDP
> packets from 204.16.208.74.

You have nothing connecting to MS at all? No windows machine with automatic
updates enabled? No MSN messenger? Windows Messenger? Looks like some recent
UDP packets from that IP have been MSN/Windows messenger spam (which is
possible as normal chat messages are sent via the MS Messenger proxy
servers, which this IP could also be a member of), but without more
information (like packet traces for instance) everything is just
speculation.

Dan

Re: false portscan alarm

on 18.10.2006 17:09:59 by Spack

GEO wrote on Wed, 18 Oct 2006 13:47:10 GMT:

> On Wed, 18 Oct 2006 08:41:04 +0100, "Spack"
> wrote:
>
>>> On Tue, 17 Oct 2006 13:23:40 +0200, mikahan wrote:
>>>> I regularly receive notifications from my personal firewall about port
>>>> scanning made by www.microsoft.com. This is the information from my log
>
>>>> 2006-09-12 09:20 port scan from 207.46.18.30 TCP (1700, 1730, 1734,
>>>> 1733, 1168, 1165)
>
>>> 207.46.18.30 is wwwbaytest5.microsoft.com
>
>> Which is just one of a large cluster of servers running
>> www.microsoft.com.
>>
>>>> Does it mean that Microsoft is trying to hack me? :-)
>>>> What is the reason for that traffic?
>
>>> Looking up those ports at
>>> http://isc.sans.org/port_details.php?port=1730 (example)
>>> would seem to indicate wwwbaytest5.microsoft.com has some malware
>>> hunting for more exploitable systems.
>
>> Or those packets are simply responses to connections initiated from the
>> user end and closed prematurely. For instance, the user opened a browser
>> to www.microsoft.com, and it took a while for the MS server to respond,
>> and the browser and/or the "personal firewall" had decided to close those
>> ports prematurely. Each of those "port scans" could be a response to a
>> request for various files used by a web page - images, scripts, etc -
>> which each have a local source port above 1024 opened outgoing to port 80
>> on the web server, so the response data will come back to those source
>> ports.
>>
>> This is just the usual sort of completely harmless and normal activity
>> that these so called "personal firewalls" like to warn people about when
>> there is absolutely no reason to. It breeds fear in the computer
>> illiterate, encouraging them to spend money on more "personal security"
>> products, which is probably one of the reasons that these "personal
>> firewalls" spew this rubbish.
>
> I would disagree with your explanation since I have no firewall, and
> don't connect to MS, and yesterday I was receiving UDP packets from
> the same range of addresses ( 207.46.18.xx). Today I have received UDP
> packets from 204.16.208.74.
>
> Either the explanation that ' wwwbaytest5.microsoft.com has some
> malware hunting for more exploitable systems' is correct, or they have
> managed to spoof the IP address.
>
> Geo
>

I've had a dig through my own PIX logs, and while there is nothing for today
or yesterday, I am seeing UDP packets from IPs in the same range in earlier
logs. Something strange is going on here, as at least one of those IPs
belongs to a Window NT4 server so definitely doesn't have anything installed
that would talk to MS, and one is to an IP that has all outbound access
denied except to one IP in the PIX DMZ, so could never initiate a connection
to anywhere on the internet.

I need to go and rebuild my honeypot/sniffer machine and get it back outside
my firewall so I can capture a few of these packets.

Dan

Re: false portscan alarm

on 18.10.2006 21:49:35 by ibuprofin

On Wed, 18 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
<45362674.693109285@news.telus.net>, "GEO" Me@home.here wrote:

> I would disagree with your explanation since I have no firewall, and
>don't connect to MS, and yesterday I was receiving UDP packets from
>the same range of addresses ( 207.46.18.xx). Today I have received UDP
>packets from 204.16.208.74.

Destination port?

The usual problem is windoze messenger spam sent to port 1025-1035, and
usually consists of a single packet of 400 to 1200 octets, with a bogus
message claiming to come from your system and reporting registry
corruption or similar. It has a URL to some idiot's web site unrelated
to microsoft, though the name may include the character strings 'window'
and/or 'registry'. There's an article cross-posted to comp.security.misc
and alt.computer.security yesterday that is complaining about this very
problem. Invariably, the source IP address is faked (a real address
isn't needed for this service, as one-way delivery of the spam is all
that is desired). If you look at the actual packet headers, there
are several obvious clues that the packet source is faked, especially if
you compare other similar packets received in the same general timeframe.
Such things as TTL, sequence numbers, and source port numbers often give
it away, as do source IP addresses that haven't even been delegated by
IANA, and therefore can't exist.

> Either the explanation that ' wwwbaytest5.microsoft.com has some
>malware hunting for more exploitable systems' is correct, or they have
>managed to spoof the IP address.

Spoofing UDP is _very_ common.

Old guy
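A defender-side check for the indicators Moe Trin lists, added here as an example and not code from any poster: it tags UDP datagrams that fit the Messenger-spam profile (destination port 1025-1035, 400 to 1200 octets) and then looks, across packets that claim the same source address, for the spoofing clues mentioned above: a source that is not globally routable, and TTL values that differ by far more than one real path would. The packet records are constructed (two use addresses that appear in this thread, one a reserved address); the 16-hop TTL threshold is an assumption; and Python's `is_global` only knows the IANA special-purpose ranges, so it will not catch an address that is merely undelegated.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Fields of one received UDP datagram, as a sniffer would record them."""
    src_ip: str
    src_port: int
    dst_port: int
    ttl: int       # IP header TTL on arrival
    length: int    # UDP payload size in octets


# Constructed sample capture, not real traffic. 207.46.18.30 and
# 204.16.208.74 are the addresses discussed in the thread; 240.0.0.1 is
# reserved and can never be a genuine sender.
PACKETS = [
    Packet("207.46.18.30", 1026, 1026, 113, 620),
    Packet("207.46.18.30", 1026, 1027, 47, 615),    # same "source", wildly different TTL
    Packet("240.0.0.1", 53, 1026, 64, 900),
    Packet("204.16.208.74", 1026, 1027, 50, 600),   # single packet: spam-shaped, no spoof clue
    Packet("207.46.130.108", 53, 3001, 52, 80),     # ordinary reply-sized datagram
]

MESSENGER_PORTS = range(1025, 1036)   # 1025-1035, as stated in the post
MESSENGER_SIZES = range(400, 1201)    # 400-1200 octets, as stated in the post
TTL_SPREAD_LIMIT = 16                 # assumed; real routes shift by a few hops at most


def looks_like_messenger_spam(p: Packet) -> bool:
    """True when the datagram matches the Messenger pop-up spam profile."""
    return p.dst_port in MESSENGER_PORTS and p.length in MESSENGER_SIZES


def spoof_indicators(packets) -> dict[str, list[str]]:
    """Group packets by claimed source and collect reasons to doubt it."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src_ip].append(p)

    findings: dict[str, list[str]] = {}
    for src, pkts in by_src.items():
        reasons = []
        if not ipaddress.ip_address(src).is_global:
            reasons.append("source address is not globally routable")
        ttls = {p.ttl for p in pkts}
        if max(ttls) - min(ttls) > TTL_SPREAD_LIMIT:
            reasons.append(f"TTL spread {min(ttls)}-{max(ttls)} across packets from one source")
        if reasons:
            findings[src] = reasons
    return findings


def report(packets) -> dict[str, dict]:
    """Per-source summary: how many spam-shaped datagrams, and any spoof clues."""
    spoofed = spoof_indicators(packets)
    summary: dict[str, dict] = {}
    for p in packets:
        entry = summary.setdefault(p.src_ip, {"spam_like": 0, "indicators": spoofed.get(p.src_ip, [])})
        entry["spam_like"] += looks_like_messenger_spam(p)
    return summary


if __name__ == "__main__":
    for src, entry in report(PACKETS).items():
        print(src, entry)
```

A single datagram from a source gives nothing to compare, which is why the address from 204.16.208.74 is spam-shaped but carries no spoof indicator here; the comparison only becomes useful once several packets claiming the same origin have been captured, as the post suggests.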

Re: false portscan alarm

on 19.10.2006 05:56:15 by "GEO" Me

On Wed, 18 Oct 2006 15:58:51 +0100, "Spack"
wrote:

>>> Or those packets are simply responses to connections initiated from the
>>> user end and closed prematurely. For instance, the user opened a browser
>>> to www.microsoft.com,.........[snip]
>>> This is just the usual sort of completely harmless and normal activity
>>> that these so called "personal firewalls"..............[snip]

>> I would disagree with your explanation since I have no firewall, and
>> don't connect to MS, and yesterday I was receiving UDP packets from
>> the same range of addresses ( 207.46.18.xx). Today I have received UDP
>> packets from 204.16.208.74.
>
>You have nothing connecting to MS at all? No windows machine with automatic
>updates enabled? No MSN messenger? Windows Messenger? Looks like some recent
>UDP packets from that IP have been MSN/Windows messenger spam (which is
>possible as normal chat messages are sent via the MS Messenger proxy
>servers, which this IP could also be a member of), but without more
>information (like packet traces for instance) everything is just
>speculation.

Right. See Ibuprofin's explanation.

I use Windows 3.1, it does not even know what this Messenger
thing is. Updates? What's that?

Geo

Re: false portscan alarm

on 19.10.2006 05:56:18 by "GEO" Me

On Wed, 18 Oct 2006 14:49:35 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

I should have re-posted the explanation you gave me a few weeks
(months?) ago. :)

>> ..... Today I have received UDP packets from 204.16.208.74.

>Destination port?

1026, 1027, the usual.

>The usual problem is windoze messenger spam sent to port 1025-1035, and
>usually consists of a single packet of 400 to 1200 octets, with a bogus
>message claiming to come from your system and reporting registry
>corruption or similar. It has a URL to some idiot's web site unrelated
>to microsoft, though the name may include the character strings 'window'
>and/or 'registry'. There's an article cross-posted to comp.security.misc
>and alt.computer.security yesterday that is complaining about this very
>problem. Invariably, the source IP address is faked (a real address
>isn't needed for this service, as one-way delivery of the spam is all
>that is desired). If you look at the actual packet headers, there
>are several obvious clues that the packet source is faked, especially if
>you compare other similar packets received in the same general timeframe.
>Such things as TTL, sequence numbers, and source port numbers often give
>it away, as do source IP addresses that haven't even been delegated by
>IANA, and therefore can't exist.

>> Either the explanation that ' wwwbaytest5.microsoft.com has some
>>malware hunting for more exploitable systems' is correct, or they have
>>managed to spoof the IP address.

>Spoofing UDP is _very_ common.


Geo

Re: false portscan alarm

on 19.10.2006 21:46:49 by ibuprofin

On Thu, 19 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
<4536e85a.742747204@news.telus.net>, "GEO" Me@home.here wrote:

>I use Windows 3.1, it does not even know what this Messenger thing is.

Sweet Mother Of... well, at least it was the most network secure version
of windoze out of the box. What _are_ you using instead, Trumpet Winsock?

>Updates? What's that?

You have a point there. If I recall correctly, the only updates were
incorporated quietly into the releases. I don't off hand even remember
back-ports or updates to existing installations. But then, how would you
even obtain them? Dial in with Windoze Terminal to your favorite BBS?

Old guy

Re: false portscan alarm

on 20.10.2006 05:32:35 by "GEO" Me

On Thu, 19 Oct 2006 14:46:49 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>>I use Windows 3.1, it does not even know what this Messenger thing is.

>Sweet Mother Of... well, at least it was the most network secure version
>of windoze out of the box. What _are_ you using instead, Trumpet Winsock?

Trumpet Winsock version 2.0 revision B. It looked as if version 3
might stop working after 30 days, so I kept version 2.0.
Under 'Trace' it has some options that give me an idea of what is
involved in the communication. Peter Tattam wrote a nice little
program.

>>Updates? What's that?

>You have a point there. If I recall correctly, the only updates were
>incorporated quietly into the releases. I don't off hand even remember
>back-ports or updates to existing installations. But then, how would you
>even obtain them? Dial in with Windoze Terminal to your favorite BBS?

Since Windows 3.1 did not try so hard to be everything to everybody
it did not include so many programs, and I guess it was designed with
a single, isolated, user in mind.

Terminal? There is a very nice program called Procomm Plus version
2.1 for Windows 3.1. I know there is a version for Windows 95, and I
believe it even had a DOS version.

Geo

Re: false portscan alarm

on 20.10.2006 22:02:18 by ibuprofin

On Fri, 20 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
<45381815.820501561@news.telus.net>, "GEO" Me@home.here wrote:

>(Moe Trin) wrote:

>>What _are_ you using instead, Trumpet Winsock?

> Trumpet Winsock version 2.0 revision B. It looked as if version 3
>might stop working after 30 days, so I kept version 2.0.

Oh, my! How old is _that_ stuff?

> Since Windows 3.1 did not try so hard to be everything to everybody
>it did not include so many programs, and I guess it was designed with
>a single, isolated, user in mind.

It certainly was single user, and as I recall, it was also single tasking.
You could have several applications open (I think) but I'm pretty sure only
one was actually running at a time. I vaguely remember that it was only
six or seven high density floppies - call it 8 Megs max.

> Terminal? There is a very nice program called Procomm Plus version
>2.1 for Windows 3.1. I know there is a version for Windows 95, and I
>believe it even had a DOS version.

PRCM243.ARC 03-17-89 PROCOMM VER 2.4.3, ADDS YMODEM G PROTOCOL 142848

That's off a BBS directory listing. Version 2.4.2 was being used in the
fall of 1987, but wasn't available when this listing was made. I'm sure
that _somewhere_ in the garage, there is a box with a manual and the single
floppy it came on. Procomm was one of the standards of the era.

Old guy

Re: false portscan alarm

on 30.10.2006 10:58:48 by "GEO" Me

On Fri, 20 Oct 2006 15:02:18 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

Apologies for the delay in replying.

>>(Moe Trin) wrote:
>
>>>What _are_ you using instead, Trumpet Winsock?
>
>> Trumpet Winsock version 2.0 revision B. It looked as if version 3
>>might stop working after 30 days, so I kept version 2.0.
>
>Oh, my! How old is _that_ stuff?

'Copyright 1993,1994 by Peter R. Tattam'

Old? May be a little. :) Does 'aged' sound better?

>> Since Windows 3.1 did not try so hard to be everything to everybody
>>it did not include so many programs, and I guess it was designed with
>>a single, isolated, user in mind.
>
>It certainly was single user, and as I recall, it was also single tasking.
>You could have several applications open (I think) but I'm pretty sure only
>one was actually running at a time. I vaguely remember that it was only
>six or seven high density floppies - call it 8 Megs max.
>
>> Terminal? There is a very nice program called Procomm Plus version
>>2.1 for Windows 3.1. I know there is a version for Windows 95, and I
>>believe it even had a DOS version.
>
>PRCM243.ARC 03-17-89 PROCOMM VER 2.4.3, ADDS YMODEM G PROTOCOL 142848
>
>That's off a BBS directory listing. Version 2.4.2 was being used in the
>fall of 1987, but wasn't available when this listing was made. I'm sure
>that _somewhere_ in the garage, there is a box with a manual and the single
>floppy it came on. Procomm was one of the standards of the era.

I am still impressed by the good design of the version I am using. I
have also used it to send and receive faxes. But I was left with the
impression that faxes went faster when sent using a DOS program.

Geo

Re: false portscan alarm

on 30.10.2006 21:15:43 by ibuprofin

On Mon, 30 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
<4545d085.26071084@news.telus.net>, "GEO" Me@home.here wrote:

>(Moe Trin) wrote:

>>Oh, my! How old is _that_ stuff?
>
> 'Copyright 1993,1994 by Peter R. Tattam'
>
> Old? May be a little. :) Does 'aged' sound better?

I never got a chance to play with it, as I'd dumped windoze entirely by
that time. I had very limited exposure to a package called Chameleon,
mainly because a neighbor worked for them.

> I am still impressed by the good design of the version I am using. I
>have also used it to send and receive faxes. But I was left with the
>impression that faxes went faster when sent using a DOS program.

That's entirely possible. The "image" of an 8 x 11 page is something like
2 megapixels, and this is normally compressed by software before being
sent over the wire (remember, few fax machines did better than 14.4 BPS
which is why the original fax transmission speed was measured in minutes).
The compression algorithms seem to be quite efficient (I see figures as high
as 20:1 compression), but that's going to take CPU cycles. If your CPU is
already busy drawing pictures on the screen, something has to be slow.

Old guy