Port 1574

Port 1574

on 03.02.2007 10:54:34 by michele

Hi.
Can anyone tell me what UDP port 1574 is for?

Thanks.

Re: Port 1574

on 03.02.2007 13:08:50 by unknown

Post removed (X-No-Archive: yes)

Re: Port 1574

on 03.02.2007 14:53:17 by Bit Twister

On Sat, 03 Feb 2007 10:54:34 +0100, Michele wrote:
> Hi.
> Can anyone tell me what UDP port 1574 is for?

Normally or malware?

Both, http://isc.sans.org/port.html?port=1574

Re: Port 1574

on 03.02.2007 18:56:17 by michele

Thanks for the answers.
My firewall always logs and blocks hundreds of accesses made through
that port. I think that port is involved with my emule p2p software but
I'd like to know why there are so many attempts to access my computer
through UDP 1574 port while I configured correctly communication in my
firewall-router to make my emule run ok.

Thanks again.

Bit Twister wrote:
> On Sat, 03 Feb 2007 10:54:34 +0100, Michele wrote:
>> Hi.
>> Can anyone tell me what UDP port 1574 is for?
>
> Normally or malware?
>
> Both, http://isc.sans.org/port.html?port=1574

Re: Port 1574

on 03.02.2007 19:41:28 by Bit Twister

On Sat, 03 Feb 2007 18:56:17 +0100, Michele wrote:

> My firewall always logs and blocks hundreds of accesses made through
> that port.

My firewall just drops the attempts and does not bother to log the
normal internet noise ports (80, 143, 8080, 21-25, etc.).

That allows me to see the ones trying to hide in all the noise.
I have one site which makes 2 new port checks once a week on Sunday
afternoon.

If I get lots of scans I'll block the ip range. I only see one or two
hits a day with my current blacklist.

85.255.112.0-85.255.127.0 # known malware address range of INHoster in Ukraine
76.166.0.0-76.190.255.255 # Road Runner HoldCo LLC
218.249.29.0-218.249.29.255 # BEI-JING-JIAO-TONG-DA-XUE CN
211.100.32.0-211.100.95.255 # NET263 group in Beijing P.R.China
220.166.64.0-220.166.65.255 # MAINT-CHINANET-SC China
220.178.0.0-220.180.255.255 # CHINANET anhui province networ
221.6.0.0-221.6.255.255 # China Network Communications Group Corp
221.208.0.0/14 # CNCGROUP Heilongjiang Province Network


0.0.0.0/0 udp 1024:1035
0.0.0.0/0 tcp 1023
0.0.0.0/0 tcp 1025 # network blackjack dasher.a
0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
0.0.0.0/0 tcp 8080 # Brown Orifice , RemoConChubo, RingZero
0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
0.0.0.0/0 tcp 4899 # Remote Administrator port
0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
0.0.0.0/0 tcp 3306 # MySQL
0.0.0.0/0 tcp 3372 # TIP 2, satvid-datalnk - Satellite Video Data Link
0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
0.0.0.0/0 udp 6346 # Gnutella-svc
0.0.0.0/0 tcp 6348 # Gnutella works on this port too
0.0.0.0/0 udp 6348 # Gnutella works on this port too
0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
0.0.0.0/0 udp 33435:33440


> I think that port is involved with my emule p2p software but
> I'd like to know why there are so many attempts to access my computer
> through UDP 1574 port while I configured correctly communication in my
> firewall-router to make my emule run ok.

Script kiddies/crackers are always hitting ports looking for the
latest known exploits and unknown exploits. Want to see the last 24 hours
compared to the last 30-day trend?

http://www.dshield.org/trends.html

Re: Port 1574

on 03.02.2007 20:18:55 by michele

First I'd rather know if those dropped IPs are attacks!
I know I could tell my firewall not to bore me with those logs but the
question is: do you know what kind of data passes through UDP 1574 port?
Do you use p2p software?
Then the IP ranges are always different, and that makes me think it may not
be a sort of attack.

I posted this question in many forums but no clear answer has come out yet.

Thanks.

Bit Twister wrote:
> On Sat, 03 Feb 2007 18:56:17 +0100, Michele wrote:
>
>> My firewall always logs and blocks hundreds of accesses made through
>> that port.
>
> My firewall just drops the attempts and does not bother to log the
> normal internet noise ports (80, 143, 8080, 21-25, etc.).
>
> That allows me to see the ones trying to hide in all the noise.
> I have one site which makes 2 new port checks once a week on Sunday
> afternoon.
>
> If I get lots of scans I'll block the ip range. I only see one or two
> hits a day with my current blacklist.
>
> 85.255.112.0-85.255.127.0 # known malware address range of INHoster in Ukraine
> 76.166.0.0-76.190.255.255 # Road Runner HoldCo LLC
> 218.249.29.0-218.249.29.255 # BEI-JING-JIAO-TONG-DA-XUE CN
> 211.100.32.0-211.100.95.255 # NET263 group in Beijing P.R.China
> 220.166.64.0-220.166.65.255 # MAINT-CHINANET-SC China
> 220.178.0.0-220.180.255.255 # CHINANET anhui province networ
> 221.6.0.0-221.6.255.255 # China Network Communications Group Corp
> 221.208.0.0/14 # CNCGROUP Heilongjiang Province Network
>
>
> 0.0.0.0/0 udp 1024:1035
> 0.0.0.0/0 tcp 1023
> 0.0.0.0/0 tcp 1025 # network blackjack dasher.a
> 0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
> 0.0.0.0/0 tcp 8080 # Brown Orifice , RemoConChubo, RingZero
> 0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
> 0.0.0.0/0 tcp 4899 # Remote Administrator port
> 0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
> 0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
> 0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
> 0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
> 0.0.0.0/0 tcp 3306 # MySQL
> 0.0.0.0/0 tcp 3372 # TIP 2, satvid-datalnk - Satellite Video Data Link
> 0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
> 0.0.0.0/0 udp 6346 # Gnutella-svc
> 0.0.0.0/0 tcp 6348 # Gnutella works on this port too
> 0.0.0.0/0 udp 6348 # Gnutella works on this port too
> 0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
> 0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
> 0.0.0.0/0 udp 33435:33440
>
>
>> I think that port is involved with my emule p2p software but
>> I'd like to know why there are so many attempts to access my computer
>> through UDP 1574 port while I configured correctly communication in my
>> firewall-router to make my emule run ok.
>
> Script kiddies/crackers are always hitting ports looking for the
> latest known exploits and unknown exploits. Want to see the last 24 hours
> compared to the last 30-day trend?
>
> http://www.dshield.org/trends.html

Re: Port 1574

on 03.02.2007 20:39:56 by Bit Twister

On Sat, 03 Feb 2007 20:18:55 +0100, Michele wrote:
> First I'd rather know if those dropped IPs are attacks!

When they attempt unsolicited port connections to my system they are
attempting unauthorized entry. What would you call it?


> I know I could tell my firewall not to bore me with those logs but the
> question is: do you know what kind of data passes through UDP 1574 port?
> Do you use p2p software?

No, to the above.

> Then the IP ranges are always different, and that makes me think it may not
> be a sort of attack.

When you are part of a peer-to-peer network you will be getting
attempts from all over that network. You would not be able to tell if
they are valid p2p connects for sharing or crack attempts unless you
analyze the data in the connection attempts.

Re: Port 1574

on 03.02.2007 20:40:16 by Jim Ford

Bit Twister wrote:

> If I get lots of scans I'll block the ip range. I only see one or two
> hits a day with my current blacklist.
>
> 85.255.112.0-85.255.127.0 # known malware address range of INHoster in Ukraine
> 76.166.0.0-76.190.255.255 # Road Runner HoldCo LLC
> 218.249.29.0-218.249.29.255 # BEI-JING-JIAO-TONG-DA-XUE CN
> 211.100.32.0-211.100.95.255 # NET263 group in Beijing P.R.China
> 220.166.64.0-220.166.65.255 # MAINT-CHINANET-SC China
> 220.178.0.0-220.180.255.255 # CHINANET anhui province networ
> 221.6.0.0-221.6.255.255 # China Network Communications Group Corp
> 221.208.0.0/14 # CNCGROUP Heilongjiang Province Network
>
>
> 0.0.0.0/0 udp 1024:1035
> 0.0.0.0/0 tcp 1023
> 0.0.0.0/0 tcp 1025 # network blackjack dasher.a
> 0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
> 0.0.0.0/0 tcp 8080 # Brown Orifice , RemoConChubo, RingZero
> 0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
> 0.0.0.0/0 tcp 4899 # Remote Administrator port
> 0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
> 0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
> 0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
> 0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
> 0.0.0.0/0 tcp 3306 # MySQL
> 0.0.0.0/0 tcp 3372 # TIP 2, satvid-datalnk - Satellite Video Data Link
> 0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
> 0.0.0.0/0 udp 6346 # Gnutella-svc
> 0.0.0.0/0 tcp 6348 # Gnutella works on this port too
> 0.0.0.0/0 udp 6348 # Gnutella works on this port too
> 0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
> 0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
> 0.0.0.0/0 udp 33435:33440
>

Interesting blacklist entries. Have you developed it from your own
observations, or imported it from some other source? Just interested!

Jim Ford

Re: Port 1574

on 03.02.2007 20:51:11 by michele

The very strange thing is the fact that the attacks, if you prefer calling
them so, always pass through UDP port 1574: the port is always the same,
the protocol always the same. I've been logging them for months and
nothing has changed. It's a bit strange to me, don't you think so?

Anyway thanks for the answers.

Bye.

Bit Twister wrote:
> On Sat, 03 Feb 2007 20:18:55 +0100, Michele wrote:
>> First I'd rather know if those dropped IPs are attacks!
>
> When they attempt unsolicited port connections to my system they are
> attempting unauthorized entry. What would you call it?
>
>
>> I know I could tell my firewall not to bore me with those logs but the
>> question is: do you know what kind of data passes through UDP 1574 port?
>> Do you use p2p software?
>
> No, to the above.
>
>> Then the IP ranges are always different, and that makes me think it may not
>> be a sort of attack.
>
> When you are part of a peer-to-peer network you will be getting
> attempts from all over that network. You would not be able to tell if
> they are valid p2p connects for sharing or crack attempts unless you
> analyze the data in the connection attempts.

Re: Port 1574

on 03.02.2007 20:52:09 by Bit Twister

On Sat, 03 Feb 2007 19:40:16 GMT, Jim Ford wrote:
> Interesting blacklist entries. Have you developed it from your own
> observations, or imported it from some other source? Just interested!

Just from log entries that make it through the blacklist.

When a new port shows up, I check
http://www.dshield.org/port_report.html?port=
http://isc.sans.org/port.html?port=
http://lists.thedatalist.com/portlist/lookup.php?port=
to see if there is a malware description for my comment section.

Every couple of months, I'll check the blacklist hit counter to see if I want to
remove any entry.

Firewall frontend is Shorewall on Mandriva Linux.

Re: Port 1574

on 04.02.2007 00:24:44 by Jim Ford

Bit Twister wrote:
> On Sat, 03 Feb 2007 19:40:16 GMT, Jim Ford wrote:
>> Interesting blacklist entries. Have you developed it from your own
>> observations, or imported it from some other source? Just interested!
>
> Just from log entries that make it through the blacklist.
>
> When a new port shows up, I check
> http://www.dshield.org/port_report.html?port=
> http://isc.sans.org/port.html?port=
> http://lists.thedatalist.com/portlist/lookup.php?port=
> to see if there is a malware description for my comment section.
>
> Every couple of months, I'll check the blacklist hit counter to see if I want to
> remove any entry.
>
> Firewall frontend is Shorewall on Mandriva Linux.

Thanks - I'm using Shorewall on a Leaf router/firewall.

Jim

Re: Port 1574

on 04.02.2007 00:43:28 by Bit Twister

On Sat, 03 Feb 2007 23:24:44 GMT, Jim Ford wrote:
>
> Thanks - I'm using Shorewall on a Leaf router/firewall.

Your selection of blacklisted IPs can be different from mine.

I run a
xconsole -geom 1032x50+400+00 -file /var/log/messages &
on my firewall and $DISPLAY points to my lan box.

To use the blacklist, you have to have blacklist as one of your net
options in /etc/shorewall/interfaces

I use /etc/shorewall/params for variables.


# cd /etc/shorewall

# tail -3 interfaces | head -2
net $NET_NIC $NET_BCAST $NET_OPTIONS
loc $LOC_NIC $LOC_BCAST

# grep NET_ params
NET_BCAST=192.168.2.255
NET_NIC=eth1
NET_OPTIONS=dhcp,routefilter,blacklist,tcpflags,logmartians

Re: Port 1574

on 04.02.2007 15:14:21 by Jim Ford

Bit Twister wrote:
> On Sat, 03 Feb 2007 23:24:44 GMT, Jim Ford wrote:
>> Thanks - I'm using Shorewall on a Leaf router/firewall.
>
> Your selection of blacklisted IPs can be different from mine.
>
> I run a
> xconsole -geom 1032x50+400+00 -file /var/log/messages &
> on my firewall and $DISPLAY points to my lan box.
>
> To use the blacklist, you have to have blacklist as one of your net
> options in /etc/shorewall/interfaces
>
> I use /etc/shorewall/params for variables.
>
>
> # cd /etc/shorewall
>
> # tail -3 interfaces | head -2
> net $NET_NIC $NET_BCAST $NET_OPTIONS
> loc $LOC_NIC $LOC_BCAST
>
> # grep NET_ params
> NET_BCAST=192.168.2.255
> NET_NIC=eth1
> NET_OPTIONS=dhcp,routefilter,blacklist,tcpflags,logmartians

I've got a blacklist, but I've really not bothered to pore over the log
files and enter the 'bad' IP addresses and ports that I see regularly
dropped. I just have a quick scan through them to see if anything 'leaps
out', and then dump the log. I've occasionally been tempted to set up a
Tarpit/Teergrube in an attempt to take a more pro-active approach, but
as I understand it, it can create problems with connection tracking; not looked very
deeply. Another problem is that it won't necessarily hit the bad guys,
but as often as not their unwitting zombies.

Comments, anyone? (Come on Seb - you know you can't resist! ;^) )

Jim Ford

Re: Port 1574

on 04.02.2007 17:56:18 by Bit Twister

On Sun, 04 Feb 2007 14:14:21 GMT, Jim Ford wrote:
>
> I've got a blacklist, but I've really not bothered to pore over the log

I do not pore over my logs. I do have a terminal open doing a
tail -f /var/log/messages
and pinned the
xconsole -geom 1032x50+400+00 -file /var/log/messages &
to the top of my desktop. That is about a 4 line view of the log and
the only thing seen is the hourly msec log runs and any ntp time sync
messages.

> files and enter the 'bad' ip addresses and ports that I see regularly
> dropped.

When I see a port or several IP drops, I'll put it in the blacklist.
For port range I'll use whois ip_here

> I just have a quick scan through them to see if anything 'leaps
> out', and then dump the log.

That is the advantage of the blacklist. Whatever is there is something
to look at and all the noise is damped out by the blacklist.

Matter of fact, just saw 3 different IPs hitting the same port.
Tells me they have a new exploit, or gone back to a very old one. New
blacklist entry is
0.0.0.0/0 tcp 3389 # MS WBT Server


> I've occasionally been tempted to set up a
> Tarpit/Teergrube in an attempt to take a more pro-active approach, but
> as I understand it can create problems with contracking, not looked very
> deeply. Another problem is that it won't necessarily hit the bad guys,
> but as often as not their unwitting zombies.

Yes, and odds would be the unwitting zombies.

Reading http://www.theregister.co.uk/2007/02/04/teacher_conviction/
should provide you with a caution.
You do not want to be in court trying to defend what your computer did
to someone. :(

I have seen a few laws where just a ping is an unlawful "access" attempt
and can land you in the barbed wire hotel.

Lawmakers were tired of seeing the bad guy walk away because the prosecutors
could not prove unlawful /access/ attempt. Look at what the Texas
lawmakers passed while thinking of your tarpit. Just read the first 2
definitions of this Texas Statute CHAPTER 33. COMPUTER CRIMES

http://tlo2.tlc.state.tx.us/statutes/docs/PE/content/word/pe.007.00.000033.00.doc
or in pdf format
http://tlo2.tlc.state.tx.us/statutes/docs/PE/content/pdf/pe.007.00.000033.00.pd
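An added worked example, not code from the thread and not part of Shorewall: a Python script that does offline what the blacklist workflow in this thread does by hand. It covers the two posts above from Bit Twister: the "noise" blacklist with a per-entry hit counter that shows which entries to prune (the earlier post with the blacklist listing), and the "3 different IPs hitting the same port, new blacklist entry" rule from this one. It assumes Shorewall's default kernel log prefix Shorewall:<chain>:<action>: and the three-column blacklist format shown above; the blacklist entries and /var/log/messages lines it runs over are constructed for the example, and the threshold of three distinct sources is taken from the post.

```python
"""Triage of Shorewall DROP log lines the way the thread describes: run each
dropped packet through the blacklist (3-column /etc/shorewall/blacklist format:
ADDRESS/SUBNET PROTOCOL PORT), count hits per entry so zero-hit entries can be
pruned, and flag the leftover ports that are hit from several sources."""
import ipaddress
import re
from collections import Counter, defaultdict, namedtuple

# Constructed blacklist, same format as the one posted in the thread.
BLACKLIST_TEXT = """
85.255.112.0-85.255.127.0   # known malware address range
221.208.0.0/14              # CNCGROUP Heilongjiang Province Network
0.0.0.0/0 udp 1024:1035
0.0.0.0/0 tcp 80            # AckCmd, Back End, RingZero
0.0.0.0/0 udp 1434          # Microsoft-SQL-Monitor
"""

# Constructed /var/log/messages lines ("Shorewall:<chain>:<action>:" is the
# default Shorewall LOGFORMAT); addresses and timestamps are made up.
LOG_TEXT = """\
Feb  4 14:02:11 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=85.255.113.7 DST=192.168.2.2 PROTO=TCP SPT=4123 DPT=3389
Feb  4 14:02:19 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=221.209.5.5 DST=192.168.2.2 PROTO=UDP SPT=1574 DPT=1574
Feb  4 14:03:02 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=198.51.100.10 DST=192.168.2.2 PROTO=UDP SPT=1030 DPT=1030
Feb  4 14:05:13 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=198.51.100.10 DST=192.168.2.2 PROTO=TCP SPT=1088 DPT=3389
Feb  4 14:05:14 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.5 DST=192.168.2.2 PROTO=TCP SPT=3140 DPT=3389
Feb  4 14:05:20 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.77 DST=192.168.2.2 PROTO=TCP SPT=1035 DPT=3389
Feb  4 14:06:00 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.2.2 PROTO=UDP SPT=4672 DPT=1574
Feb  4 14:06:31 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.2.2 PROTO=ICMP TYPE=8 CODE=0
Feb  4 14:07:00 fw kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.2.2 PROTO=TCP SPT=4100 DPT=4662
"""

Rule = namedtuple("Rule", "text lo hi proto ports")  # ports: ((lo, hi), ...), () = any
Packet = namedtuple("Packet", "src proto dport")      # dport is None for ICMP etc.

def _addr_range(spec):
    # (lo, hi) as integers, for a CIDR block or a dotted "first-last" range
    if "-" in spec:
        first, last = spec.split("-", 1)
        return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_blacklist(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # the comment column is for humans
        if not line:
            continue
        fields = line.split()
        lo, hi = _addr_range(fields[0])
        proto = fields[1].lower() if len(fields) > 1 else None
        ports = ()
        if len(fields) > 2:  # "80", "21:25" or "80,8080"
            ports = tuple((int(a), int(b or a)) for a, _, b in
                          (p.partition(":") for p in fields[2].split(",")))
        rules.append(Rule(line, lo, hi, proto, ports))
    return rules

_LOG_RE = re.compile(r"Shorewall:[^:]+:(?P<action>[A-Z]+):.*\bSRC=(?P<src>\S+)"
                     r".*\bPROTO=(?P<proto>\w+)")

def parse_log(text):
    packets = []
    for line in text.splitlines():
        m = _LOG_RE.search(line)
        if not m or m.group("action") not in ("DROP", "REJECT"):
            continue  # ACCEPT lines and non-Shorewall lines are not of interest
        dpt = re.search(r"\bDPT=(\d+)", line)
        packets.append(Packet(m.group("src"), m.group("proto").lower(),
                              int(dpt.group(1)) if dpt else None))
    return packets

def matches(rule, pkt):
    if not rule.lo <= int(ipaddress.ip_address(pkt.src)) <= rule.hi:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not rule.ports:
        return True
    return pkt.dport is not None and any(lo <= pkt.dport <= hi for lo, hi in rule.ports)

def triage(rules, packets, min_sources=3):
    """hits: packets per blacklist line; residue: packets no entry covers (the part
    worth a look); suspects: residue (proto, dport) hit from >= min_sources IPs."""
    hits = Counter({r.text: 0 for r in rules})
    residue, sources = [], defaultdict(set)
    for pkt in packets:
        rule = next((r for r in rules if matches(r, pkt)), None)
        if rule is not None:
            hits[rule.text] += 1
            continue
        residue.append(pkt)
        if pkt.dport is not None:
            sources[(pkt.proto, pkt.dport)].add(pkt.src)
    suspects = {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}
    return hits, residue, suspects

if __name__ == "__main__":
    hits, residue, suspects = triage(parse_blacklist(BLACKLIST_TEXT), parse_log(LOG_TEXT))
    print("zero-hit entries (prune candidates):", [t for t, n in hits.items() if n == 0])
    for (proto, dport), ips in suspects.items():
        print(f"{len(ips)} sources on {proto}/{dport}; new entry: 0.0.0.0/0 {proto} {dport}")
```

Run as a script it prints the blacklist entries that caught nothing (the ones the hit counter says can go) and the residue ports that several distinct sources hit, with the blacklist line that would silence them. The residue list is the part the thread reads by eye; the ICMP line shows why a port-less packet must not be counted against any port, and the ACCEPT line why only DROP/REJECT records are considered. This is analysis of already-logged drops only; it changes nothing on the firewall.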

Re: Port 1574

on 04.02.2007 18:14:30 by Jim Ford

Bit Twister wrote:
> On Sun, 04 Feb 2007 14:14:21 GMT, Jim Ford wrote:
>> I've got a blacklist, but I've really not bothered to pore over the log
>
> I do not pore over my logs. I do have a terminal open doing a
> tail -f /var/log/messages
> and pinned the
> xconsole -geom 1032x50+400+00 -file /var/log/messages &
> to the top of my desktop. That is about a 4 line view of the log and
> the only thing seen is the hourly msec log runs and any ntp time sync
> messages.
>
>> files and enter the 'bad' ip addresses and ports that I see regularly
>> dropped.
>
> When I see a port or several IP drops, I'll put it in the blacklist.
> For port range I'll use whois ip_here
>
>> I just have a quick scan through them to see if anything 'leaps
>> out', and then dump the log.
>
> That is the advantage of the blacklist. Whatever is there is something
> to look at and all the noise is damped out by the blacklist.
>
> Matter of fact, just saw 3 different IPs hitting the same port.
> Tells me they have a new exploit, or gone back to a very old one. New
> blacklist entry is
> 0.0.0.0/0 tcp 3389 # MS WBT Server

I'm not sure what the purpose of monitoring the Shorewall hits is. So
what do you do with the 'residue' of hits - the ones you don't
blacklist? Of what interest are they? Why not do as I do and just shrug
your shoulders and dump the Shorewall hit log from time to time without
any more than a cursory inspection?

I'm not being critical - it's just that I feel that perhaps I'm missing
something here!

Jim Ford

Re: Port 1574

on 04.02.2007 19:19:17 by Bit Twister

On Sun, 04 Feb 2007 17:14:30 GMT, Jim Ford wrote:
>
> I'm not sure what the purpose of monitoring the Shorewall hits is.

Well, blacklist hits show me which lines to remove when there are very
low/no hits.

> So what do you do with the 'residue' of hits - the ones you don't
> blacklist? Of what interest are they? Why not do as I do and just
> shrug your shoulders and dump the Shorewall hit log from time to
> time without any more than a cursory inspection?

When I see a drop entry on the screen, I'll look to see who it is.

Since I am running Linux with 8 desktops, it is no problem to click
the log desktop, quick cut/paste the IP into whois
and decide what to do with a log entry.

I have been surprised at some and have sent them an abuse report.
It was nice to see them clean up their problem.


> I'm not being critical -

I would not care if you were. :)

> it's just that I feel that perhaps I'm missing something here!

Well, if you are going to "shrug your shoulders and dump the log" you
ought to set Shorewall to just drop/nolog. :)

As you can see from the links I gave you, trying to retaliate could
get you into deep doo-doo with the law at worst, at best lose your
internet connection.

Not much I can do with China and known Russian malware IP ranges, so those I'll
blacklist. If I can recognize a known business or someone I think will
look into it, I'll tell them.

Seeing a new port which is not a part of port scan, tells me something
new has been found.

If you want to help with the problem you could get with
http://www.dshield.org and see what it would take for you to submit
your logs. It might be as simple as a batch/cron job to email them to
DShield before logs are rotated out of sight.
DShield parses them for port/IP and merges that with their data to
detect new events, identify computers spewing crap and try to get
their ISP to tell the owner to clean it up.

I have no idea where the good work is going on, but in the last two
years I have seen a marked drop in number of hits on my firewall.
Maybe it is just Comcast using filters on their internet connect points.
I was switched to RoadRunner about 5 months ago and I only added a few
IP addresses lines to my blacklist.

There are 31 ranges commented out of my blacklist where the count was zero.
Another month and I'll remove those.