Jump to content

Who are 24.64.9.177 & 24.64.8.158, etc.?

Guest PCR

By Guest PCR
in Windows 98

 Share

Recommended Posts

Guest PCR

Guest PCR

Posted
Posted

Kerio Firewall has begun a series of messages such as these, coming once

a minute or so, every so often...!...

 

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

1027 owned by 'Distributed COM Services' on your computer.

 

Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port

1027 owned by 'Distributed COM Services' on your computer

 

Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port

1027 owned by 'Distributed COM Services' on your computer

 

Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port

1027 owned by 'Distributed COM Services' on your computer

 

Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port

1027 owned by 'Distributed COM Services' on your computer

 

The port is owned by...

c:\windows\system\rpcss.exe

 

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

  • Replies 18
  • Created
  • Last Reply

Popular Days

Popular Days

Guest PCR

Guest PCR

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

PCR wrote:

| Kerio Firewall has begun a series of messages such as these, coming

| once a minute or so, every so often...!...

|

| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

| 1027 owned by 'Distributed COM Services' on your computer.

|

| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

| port 1027 owned by 'Distributed COM Services' on your computer

|

| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

| port 1027 owned by 'Distributed COM Services' on your computer

|

| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

| port 1027 owned by 'Distributed COM Services' on your computer

|

| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

| port 1027 owned by 'Distributed COM Services' on your computer

|

| The port is owned by...

| c:\windows\system\rpcss.exe

 

OK, I see, by the word of...

http://www.networksolutions.com/whois/index.jsp

 

..........Quote..................................

24.64.9.177

Record Type: IP Address

 

OrgName: Shaw Communications Inc.

OrgID: SHAWC

Address: Suite 800

Address: 630 - 3rd Ave. SW

City: Calgary

StateProv: AB

PostalCode: T2P-4L4

Country: CA

 

ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

 

NetRange: 24.64.0.0 - 24.71.255.255

CIDR: 24.64.0.0/13

NetName: SHAW-COMM

NetHandle: NET-24-64-0-0-1

Parent: NET-24-0-0-0-0

NetType: Direct Allocation

NameServer: NS7.NO.CG.SHAWCABLE.NET

NameServer: NS8.SO.CG.SHAWCABLE.NET

Comment:

RegDate: 1996-06-03

Updated: 2006-02-08

 

OrgAbuseHandle: SHAWA-ARIN

OrgAbuseName: SHAW ABUSE

OrgAbusePhone: +1-403-750-7420

OrgAbuseEmail: internet.abuse@sjrb.ca

 

OrgTechHandle: ZS178-ARIN

OrgTechName: Shaw High-Speed Internet

OrgTechPhone: +1-403-750-7428

OrgTechEmail: ipadmin@sjrb.ca

..........EOQ......................

 

I see every one of those in in SHAW-COMM's NET range. I've been denying

the access & will continue to do so. But what are they trying to do?

Guest 98 Guy

Guest 98 Guy

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

PCR wrote:

> Kerio Firewall has begun a series of messages such as these

 

Why don't you have a NAT router?

> Someone from 24.64.9.177

 

All those IP's belong to Shaw Cable internet, Calgary Alberta.

> port 3222 wants to send UDP datagram

 

No malware (as far as I can tell) is known to use port 3222. Recent

port usage:

 

http://isc.sans.org/port.html?port=3222

> to port 1027 owned by 'Distributed COM Services' on your computer.

 

I don't think that DCOM is normally installed on windows-98 systems.

The Shaw Cable computer is either trying to exploit a DCOM

vulnerability on your computer, or is attempting to connect to a

trojan that it thinks might be running on your computer and listening

on port 1027.

> The port is owned by...

> c:\windows\system\rpcss.exe

 

Unless I'm mistaken, your computer is running win-2k or XP, not

win-98.

 

A home computer located somewhere in Alberta is performing a port-scan

on your computer, attempting to either install some malware on your

system via a DCOM exploit, or is attempting to contact a trojan

running on your computer and give it instructions to do something (to

obtain some new software, to send spam to someone, etc).

 

The fact that they are coming from different addresses every few

minutes is strange - it would indicate that it's coming from different

machines - as in some sort of coordinated scan directly on to

machine. Not sure what would be the reason for that.

Guest 98 Guy

Guest 98 Guy

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

Ok, what's going on is this:

 

Your modem recently obtained a new IP address (maybe it does this once

a day, once an hour, once a month, I don't know).

 

In any case, the IP address you have now once belonged to someone that

was part of a P2P network. They were part of a file-sharing network.

Their IP address is known to the network (for the time being).

 

Other computers are trying to access some file that they think is

located on your computer.

 

So either those attempts will fade away with time, or you can re-boot

your modem and obtain a new IP address.

 

Looks like there are lots of downloaders in Alberta... :)

Guest glee

Guest glee

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

It is most likely a Windows Messenger spam attempt:

http://www.linklogger.com/messenger_spam.htm

http://www.linklogger.com/UDP1026.htm

http://isc.sans.org/port.html?port=1027

--

Glen Ventura, MS MVP Shell/User, A+

http://dts-l.org/

http://dts-l.org/goodpost.htm

 

 

"PCR" <pcrrcp@netzero.net> wrote in message

news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

> PCR wrote:

> | Kerio Firewall has begun a series of messages such as these, coming

> | once a minute or so, every so often...!...

> |

> | Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

> | 1027 owned by 'Distributed COM Services' on your computer.

> |

> | Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

> | port 1027 owned by 'Distributed COM Services' on your computer

> |

> | Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

> | port 1027 owned by 'Distributed COM Services' on your computer

> |

> | Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

> | port 1027 owned by 'Distributed COM Services' on your computer

> |

> | Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

> | port 1027 owned by 'Distributed COM Services' on your computer

> |

> | The port is owned by...

> | c:\windows\system\rpcss.exe

>

> OK, I see, by the word of...

> http://www.networksolutions.com/whois/index.jsp

>

> .........Quote..................................

> 24.64.9.177

> Record Type: IP Address

>

> OrgName: Shaw Communications Inc.

> OrgID: SHAWC

> Address: Suite 800

> Address: 630 - 3rd Ave. SW

> City: Calgary

> StateProv: AB

> PostalCode: T2P-4L4

> Country: CA

>

> ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

>

> NetRange: 24.64.0.0 - 24.71.255.255

> CIDR: 24.64.0.0/13

> NetName: SHAW-COMM

> NetHandle: NET-24-64-0-0-1

> Parent: NET-24-0-0-0-0

> NetType: Direct Allocation

> NameServer: NS7.NO.CG.SHAWCABLE.NET

> NameServer: NS8.SO.CG.SHAWCABLE.NET

> Comment:

> RegDate: 1996-06-03

> Updated: 2006-02-08

>

> OrgAbuseHandle: SHAWA-ARIN

> OrgAbuseName: SHAW ABUSE

> OrgAbusePhone: +1-403-750-7420

> OrgAbuseEmail: internet.abuse@sjrb.ca

>

> OrgTechHandle: ZS178-ARIN

> OrgTechName: Shaw High-Speed Internet

> OrgTechPhone: +1-403-750-7428

> OrgTechEmail: ipadmin@sjrb.ca

> .........EOQ......................

>

> I see every one of those in in SHAW-COMM's NET range. I've been denying

> the access & will continue to do so. But what are they trying to do?

>

>

Guest Franc Zabkar

Guest Franc Zabkar

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

On Wed, 18 Jul 2007 20:20:29 -0400, "PCR" <pcrrcp@netzero.net> put

finger to keyboard and composed:

>Kerio Firewall has begun a series of messages such as these, coming once

>a minute or so, every so often...!...

>

>Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

>1027 owned by 'Distributed COM Services' on your computer.

 

<snip>

>The port is owned by...

>c:\windows\system\rpcss.exe

 

What is RPCSS.EXE?

http://cexx.org/rpc.htm

 

===================================================================

In any event, what rpcss.exe does is to handle a number of API calls

that relate to RPC. In general (and this is somewhat of a

simplification to prevent techie talk overload), a program can

register certain entry points (the "procedures" in remote procedure

call) that can be accessed by external applications. This is known as

the "portmapper" function. Once registered, anyone contacting the RPC

port and asking, in the appropriate format, for a particular function

provided by a particular program will be allowed to execute the

function. Any security checks are up to the contacted program, as all

the portmapper does is to make the necessary procedure call on behalf

of the client.

 

"WAIT JUST A MINUTE," you scream as your face turns red. "You mean ANY

program can ask ANY OTHER program on MY MACHINE to do something for it

WITHOUT MY KNOWLEDGE?" The sad truth is that, yes, this is true, and

yes, this has been a constant source of security flaws in UNIX systems

as such-and-such RPC service has this unchecked buffer or that

improper security check which allows any remote user with the proper

script to gain full control of the machine. Since no such flaws have

been found in the rpcss.exe portmapper proper -- probably because no

one's really looked -- the real threat comes from the programs that

utilize the portmapper. Unlike UNIX, however, very few Windows

programs use RPC; hell, most Windows 9x programmers aren't even aware

that RPC exists, and RPC as a direct communications method is being

replaced by DCOM and COM+ (which can, but do not necessarily, use RPC)

in Windows 2000. Therefore, the likelihood of you even having a

portmapped program on Windows 9x is extremely low, and thus the risk

that RPC presents is also quite low.

===================================================================

 

- Franc Zabkar

--

Please remove one 'i' from my address when replying by email.

Guest MEB

Guest MEB

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

 

"PCR" <pcrrcp@netzero.net> wrote in message

news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

| PCR wrote:

| | Kerio Firewall has begun a series of messages such as these, coming

| | once a minute or so, every so often...!...

| |

| | Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

| | 1027 owned by 'Distributed COM Services' on your computer.

| |

| | Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

| | port 1027 owned by 'Distributed COM Services' on your computer

| |

| | Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

| | port 1027 owned by 'Distributed COM Services' on your computer

| |

| | Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

| | port 1027 owned by 'Distributed COM Services' on your computer

| |

| | Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

| | port 1027 owned by 'Distributed COM Services' on your computer

| |

| | The port is owned by...

| | c:\windows\system\rpcss.exe

|

| OK, I see, by the word of...

| http://www.networksolutions.com/whois/index.jsp

|

| .........Quote..................................

| 24.64.9.177

| Record Type: IP Address

|

| OrgName: Shaw Communications Inc.

| OrgID: SHAWC

| Address: Suite 800

| Address: 630 - 3rd Ave. SW

| City: Calgary

| StateProv: AB

| PostalCode: T2P-4L4

| Country: CA

|

| ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

|

| NetRange: 24.64.0.0 - 24.71.255.255

| CIDR: 24.64.0.0/13

| NetName: SHAW-COMM

| NetHandle: NET-24-64-0-0-1

| Parent: NET-24-0-0-0-0

| NetType: Direct Allocation

| NameServer: NS7.NO.CG.SHAWCABLE.NET

| NameServer: NS8.SO.CG.SHAWCABLE.NET

| Comment:

| RegDate: 1996-06-03

| Updated: 2006-02-08

|

| OrgAbuseHandle: SHAWA-ARIN

| OrgAbuseName: SHAW ABUSE

| OrgAbusePhone: +1-403-750-7420

| OrgAbuseEmail: internet.abuse@sjrb.ca

|

| OrgTechHandle: ZS178-ARIN

| OrgTechName: Shaw High-Speed Internet

| OrgTechPhone: +1-403-750-7428

| OrgTechEmail: ipadmin@sjrb.ca

| .........EOQ......................

|

| I see every one of those in in SHAW-COMM's NET range. I've been denying

| the access & will continue to do so. But what are they trying to do?

|

|

 

Just an HEADS UP, I also had that same Shaw attack a while ago, all those

addresses {which are slightly different than yours - though 24.64.*.* and

Shaw} are BLOCKED/DENIED in my PFW firewall.

Guest MEB

Guest MEB

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

Here, I just turned on logging and popup alerts and am connected to this

group...

 

19/Jul/2007 03:09:54 Shaw Comm block blocked; In UDP;

S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]->localhost:1026;

Owner: no owner

19/Jul/2007 03:11:20 Shaw Comm block blocked; In UDP;

S01060020ed1d11bc.lb.shawcable.net [24.64.180.89:20542]->localhost:1026;

Owner: no owner

19/Jul/2007 03:14:50 Shaw Comm block blocked; In UDP;

S0106000ae694e9c1.cn.shawcable.net [24.64.50.56:20710]->localhost:1026;

Owner: no owner

19/Jul/2007 03:21:32 Shaw Comm block blocked; In UDP;

24.64.230.110:24538->localhost:1026; Owner: no owner

19/Jul/2007 03:21:58 Shaw Comm block blocked; In UDP;

S0106001346b90d71.lb.shawcable.net [24.64.160.64:7051]->localhost:1026;

Owner: no owner

19/Jul/2007 03:30:58 Shaw Comm block blocked; In UDP;

S01060004ac8b9494.lb.shawcable.net [24.64.191.235:9685]->localhost:1026;

Owner: no owner

 

Comes via UDP as you noted, apparently when using IE or OE... so a router

WOULDN'T stop it... another lurker busted ....

 

 

 

"MEB" <meb@not here@hotmail.com> wrote in message

news:eMN1HAdyHHA.4276@TK2MSFTNGP05.phx.gbl...

|

| "PCR" <pcrrcp@netzero.net> wrote in message

| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

| | PCR wrote:

| | | Kerio Firewall has begun a series of messages such as these, coming

| | | once a minute or so, every so often...!...

| | |

| | | Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

| | | 1027 owned by 'Distributed COM Services' on your computer.

| | |

| | | Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

| | | port 1027 owned by 'Distributed COM Services' on your computer

| | |

| | | Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

| | | port 1027 owned by 'Distributed COM Services' on your computer

| | |

| | | Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

| | | port 1027 owned by 'Distributed COM Services' on your computer

| | |

| | | Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

| | | port 1027 owned by 'Distributed COM Services' on your computer

| | |

| | | The port is owned by...

| | | c:\windows\system\rpcss.exe

| |

| | OK, I see, by the word of...

| | http://www.networksolutions.com/whois/index.jsp

| |

| | .........Quote..................................

| | 24.64.9.177

| | Record Type: IP Address

| |

| | OrgName: Shaw Communications Inc.

| | OrgID: SHAWC

| | Address: Suite 800

| | Address: 630 - 3rd Ave. SW

| | City: Calgary

| | StateProv: AB

| | PostalCode: T2P-4L4

| | Country: CA

| |

| | ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

| |

| | NetRange: 24.64.0.0 - 24.71.255.255

| |

| |

|

| Just an HEADS UP, I also had that same Shaw attack a while ago, all those

| addresses {which are slightly different than yours - though 24.64.*.* and

| Shaw} are BLOCKED/DENIED in my PFW firewall.

|

|

Guest Curt Christianson

Guest Curt Christianson

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

You goof,

 

Those are the lottery numbers you've been expecting,that Augie promised to

get to you somehow. Firewall intrusions..haaruumphh!

 

--

HTH,

Curt

 

Windows Support Center

http://www.aumha.org

Practically Nerded,...

http://dundats.mvps.org/Index.htm

 

"PCR" <pcrrcp@netzero.net> wrote in message

news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

| PCR wrote:

|| Kerio Firewall has begun a series of messages such as these, coming

|| once a minute or so, every so often...!...

||

|| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

|| 1027 owned by 'Distributed COM Services' on your computer.

||

|| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

|| port 1027 owned by 'Distributed COM Services' on your computer

||

|| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

|| port 1027 owned by 'Distributed COM Services' on your computer

||

|| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

|| port 1027 owned by 'Distributed COM Services' on your computer

||

|| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

|| port 1027 owned by 'Distributed COM Services' on your computer

||

|| The port is owned by...

|| c:\windows\system\rpcss.exe

|

| OK, I see, by the word of...

| http://www.networksolutions.com/whois/index.jsp

|

| .........Quote..................................

| 24.64.9.177

| Record Type: IP Address

|

| OrgName: Shaw Communications Inc.

| OrgID: SHAWC

| Address: Suite 800

| Address: 630 - 3rd Ave. SW

| City: Calgary

| StateProv: AB

| PostalCode: T2P-4L4

| Country: CA

|

| ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

|

| NetRange: 24.64.0.0 - 24.71.255.255

| CIDR: 24.64.0.0/13

| NetName: SHAW-COMM

| NetHandle: NET-24-64-0-0-1

| Parent: NET-24-0-0-0-0

| NetType: Direct Allocation

| NameServer: NS7.NO.CG.SHAWCABLE.NET

| NameServer: NS8.SO.CG.SHAWCABLE.NET

| Comment:

| RegDate: 1996-06-03

| Updated: 2006-02-08

|

| OrgAbuseHandle: SHAWA-ARIN

| OrgAbuseName: SHAW ABUSE

| OrgAbusePhone: +1-403-750-7420

| OrgAbuseEmail: internet.abuse@sjrb.ca

|

| OrgTechHandle: ZS178-ARIN

| OrgTechName: Shaw High-Speed Internet

| OrgTechPhone: +1-403-750-7428

| OrgTechEmail: ipadmin@sjrb.ca

| .........EOQ......................

|

| I see every one of those in in SHAW-COMM's NET range. I've been denying

| the access & will continue to do so. But what are they trying to do?

|

|

Guest MEB

Guest MEB

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

 

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message

news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...

| You goof,

|

| Those are the lottery numbers you've been expecting,that Augie promised to

| get to you somehow. Firewall intrusions..haaruumphh!

|

| --

| HTH,

| Curt

|

| Windows Support Center

| http://www.aumha.org

| Practically Nerded,...

| http://dundats.mvps.org/Index.htm

 

 

SO Curt, are you claiming these as yours? Or was this a little hahaha,, not

very funny when we ARE discussing systems intrusions or other attempts at

monitoring activities ...

I never consider any of these types of activities as laughable or

ignorable... Sorry Curt, but with the present activities the people are

being subjected to, without their knowledge or consent, I do take issue ....

 

--

MEB

http://peoplescounsel.orgfree.com

________

 

 

 

|

| "PCR" <pcrrcp@netzero.net> wrote in message

| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

| | PCR wrote:

| || Kerio Firewall has begun a series of messages such as these, coming

| || once a minute or so, every so often...!...

| ||

| || Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

| || 1027 owned by 'Distributed COM Services' on your computer.

| ||

| || Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

| || port 1027 owned by 'Distributed COM Services' on your computer

| ||

| || Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

| || port 1027 owned by 'Distributed COM Services' on your computer

| ||

| || Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

| || port 1027 owned by 'Distributed COM Services' on your computer

| ||

| || Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

| || port 1027 owned by 'Distributed COM Services' on your computer

| ||

| || The port is owned by...

| || c:\windows\system\rpcss.exe

| |

| | OK, I see, by the word of...

| | http://www.networksolutions.com/whois/index.jsp

| |

| | .........Quote..................................

| | 24.64.9.177

| | Record Type: IP Address

| |

| | OrgName: Shaw Communications Inc.

| | OrgID: SHAWC

| | Address: Suite 800

| | Address: 630 - 3rd Ave. SW

| | City: Calgary

| | StateProv: AB

| | PostalCode: T2P-4L4

| | Country: CA

| |

| | ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

| |

| | NetRange: 24.64.0.0 - 24.71.255.255

| | CIDR: 24.64.0.0/13

| | NetName: SHAW-COMM

| | NetHandle: NET-24-64-0-0-1

| | Parent: NET-24-0-0-0-0

| | NetType: Direct Allocation

| | NameServer: NS7.NO.CG.SHAWCABLE.NET

| | NameServer: NS8.SO.CG.SHAWCABLE.NET

| | Comment:

| | RegDate: 1996-06-03

| | Updated: 2006-02-08

| |

| | OrgAbuseHandle: SHAWA-ARIN

| | OrgAbuseName: SHAW ABUSE

| | OrgAbusePhone: +1-403-750-7420

| | OrgAbuseEmail: internet.abuse@sjrb.ca

| |

| | OrgTechHandle: ZS178-ARIN

| | OrgTechName: Shaw High-Speed Internet

| | OrgTechPhone: +1-403-750-7428

| | OrgTechEmail: ipadmin@sjrb.ca

| | .........EOQ......................

| |

| | I see every one of those in in SHAW-COMM's NET range. I've been denying

| | the access & will continue to do so. But what are they trying to do?

| |

| |

|

|

Guest Curt Christianson

Guest Curt Christianson

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

MEB,

 

You made a very legitimate point, and is was a rather feeble attempt at

being facetious. While we aren't "good buds" PCR and I go back a long way,

and I'm reasonably sure he may have found it funny.

 

To all the others perusing this NG, it prolly *didn't* strike them as funny.

 

As you mentioned, Internet security is certainly nothing to be scoffed

at--especially at someone's else misfortune and expense.

 

My heartiest apologies to all!

 

Keep up the great work here.

 

--

HTH,

Curt

 

Windows Support Center

http://www.aumha.org

Practically Nerded,...

http://dundats.mvps.org/Index.htm

 

"MEB" <meb@not here@hotmail.com> wrote in message

news:%23SIVJEhyHHA.1576@TK2MSFTNGP03.phx.gbl...

|

| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message

| news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...

|| You goof,

||

|| Those are the lottery numbers you've been expecting,that Augie promised

to

|| get to you somehow. Firewall intrusions..haaruumphh!

||

|| --

|| HTH,

|| Curt

||

|| Windows Support Center

|| http://www.aumha.org

|| Practically Nerded,...

|| http://dundats.mvps.org/Index.htm

|

|

| SO Curt, are you claiming these as yours? Or was this a little hahaha,,

not

| very funny when we ARE discussing systems intrusions or other attempts at

| monitoring activities ...

| I never consider any of these types of activities as laughable or

| ignorable... Sorry Curt, but with the present activities the people are

| being subjected to, without their knowledge or consent, I do take issue

.....

|

| --

| MEB

| http://peoplescounsel.orgfree.com

| ________

|

|

|

||

|| "PCR" <pcrrcp@netzero.net> wrote in message

|| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

|| | PCR wrote:

|| || Kerio Firewall has begun a series of messages such as these, coming

|| || once a minute or so, every so often...!...

|| ||

|| || Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

|| || 1027 owned by 'Distributed COM Services' on your computer.

|| ||

|| || Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

|| || port 1027 owned by 'Distributed COM Services' on your computer

|| ||

|| || Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

|| || port 1027 owned by 'Distributed COM Services' on your computer

|| ||

|| || Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

|| || port 1027 owned by 'Distributed COM Services' on your computer

|| ||

|| || Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

|| || port 1027 owned by 'Distributed COM Services' on your computer

|| ||

|| || The port is owned by...

|| || c:\windows\system\rpcss.exe

|| |

|| | OK, I see, by the word of...

|| | http://www.networksolutions.com/whois/index.jsp

|| |

|| | .........Quote..................................

|| | 24.64.9.177

|| | Record Type: IP Address

|| |

|| | OrgName: Shaw Communications Inc.

|| | OrgID: SHAWC

|| | Address: Suite 800

|| | Address: 630 - 3rd Ave. SW

|| | City: Calgary

|| | StateProv: AB

|| | PostalCode: T2P-4L4

|| | Country: CA

|| |

|| | ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

|| |

|| | NetRange: 24.64.0.0 - 24.71.255.255

|| | CIDR: 24.64.0.0/13

|| | NetName: SHAW-COMM

|| | NetHandle: NET-24-64-0-0-1

|| | Parent: NET-24-0-0-0-0

|| | NetType: Direct Allocation

|| | NameServer: NS7.NO.CG.SHAWCABLE.NET

|| | NameServer: NS8.SO.CG.SHAWCABLE.NET

|| | Comment:

|| | RegDate: 1996-06-03

|| | Updated: 2006-02-08

|| |

|| | OrgAbuseHandle: SHAWA-ARIN

|| | OrgAbuseName: SHAW ABUSE

|| | OrgAbusePhone: +1-403-750-7420

|| | OrgAbuseEmail: internet.abuse@sjrb.ca

|| |

|| | OrgTechHandle: ZS178-ARIN

|| | OrgTechName: Shaw High-Speed Internet

|| | OrgTechPhone: +1-403-750-7428

|| | OrgTechEmail: ipadmin@sjrb.ca

|| | .........EOQ......................

|| |

|| | I see every one of those in in SHAW-COMM's NET range. I've been denying

|| | the access & will continue to do so. But what are they trying to do?

|| |

|| |

||

||

|

|

Guest glee

Guest glee

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

It's alright, Curt....I get the joke, and I suspect PCR got a chuckle out of

it.

--

Glen Ventura, MS MVP Shell/User, A+

 

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message

news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...

> MEB,

>

> You made a very legitimate point, and is was a rather feeble attempt at

> being facetious. While we aren't "good buds" PCR and I go back a long

way,

> and I'm reasonably sure he may have found it funny.

>

> To all the others perusing this NG, it prolly *didn't* strike them as

funny.

>

> As you mentioned, Internet security is certainly nothing to be scoffed

> at--especially at someone's else misfortune and expense.

>

> My heartiest apologies to all!

>

> Keep up the great work here.

>

> --

> HTH,

> Curt

>

> Windows Support Center

> http://www.aumha.org

> Practically Nerded,...

> http://dundats.mvps.org/Index.htm

>

> "MEB" <meb@not here@hotmail.com> wrote in message

> news:%23SIVJEhyHHA.1576@TK2MSFTNGP03.phx.gbl...

> |

> | "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message

> | news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...

> || You goof,

> ||

> || Those are the lottery numbers you've been expecting,that Augie promised

> to

> || get to you somehow. Firewall intrusions..haaruumphh!

> ||

> || --

> || HTH,

> || Curt

> ||

> || Windows Support Center

> || http://www.aumha.org

> || Practically Nerded,...

> || http://dundats.mvps.org/Index.htm

> |

> |

> | SO Curt, are you claiming these as yours? Or was this a little hahaha,,

> not

> | very funny when we ARE discussing systems intrusions or other attempts

at

> | monitoring activities ...

> | I never consider any of these types of activities as laughable or

> | ignorable... Sorry Curt, but with the present activities the people are

> | being subjected to, without their knowledge or consent, I do take issue

> ....

> |

> | --

> | MEB

> | http://peoplescounsel.orgfree.com

> | ________

> |

> |

> |

> ||

> || "PCR" <pcrrcp@netzero.net> wrote in message

> || news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

> || | PCR wrote:

> || || Kerio Firewall has begun a series of messages such as these, coming

> || || once a minute or so, every so often...!...

> || ||

> || || Someone from 24.64.9.177, port 3222 wants to send UDP datagram to

port

> || || 1027 owned by 'Distributed COM Services' on your computer.

> || ||

> || || Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

> || || port 1027 owned by 'Distributed COM Services' on your computer

> || ||

> || || Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

> || || port 1027 owned by 'Distributed COM Services' on your computer

> || ||

> || || Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

> || || port 1027 owned by 'Distributed COM Services' on your computer

> || ||

> || || Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

> || || port 1027 owned by 'Distributed COM Services' on your computer

> || ||

> || || The port is owned by...

> || || c:\windows\system\rpcss.exe

> || |

> || | OK, I see, by the word of...

> || | http://www.networksolutions.com/whois/index.jsp

> || |

> || | .........Quote..................................

> || | 24.64.9.177

> || | Record Type: IP Address

> || |

> || | OrgName: Shaw Communications Inc.

> || | OrgID: SHAWC

> || | Address: Suite 800

> || | Address: 630 - 3rd Ave. SW

> || | City: Calgary

> || | StateProv: AB

> || | PostalCode: T2P-4L4

> || | Country: CA

> || |

> || | ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

> || |

> || | NetRange: 24.64.0.0 - 24.71.255.255

> || | CIDR: 24.64.0.0/13

> || | NetName: SHAW-COMM

> || | NetHandle: NET-24-64-0-0-1

> || | Parent: NET-24-0-0-0-0

> || | NetType: Direct Allocation

> || | NameServer: NS7.NO.CG.SHAWCABLE.NET

> || | NameServer: NS8.SO.CG.SHAWCABLE.NET

> || | Comment:

> || | RegDate: 1996-06-03

> || | Updated: 2006-02-08

> || |

> || | OrgAbuseHandle: SHAWA-ARIN

> || | OrgAbuseName: SHAW ABUSE

> || | OrgAbusePhone: +1-403-750-7420

> || | OrgAbuseEmail: internet.abuse@sjrb.ca

> || |

> || | OrgTechHandle: ZS178-ARIN

> || | OrgTechName: Shaw High-Speed Internet

> || | OrgTechPhone: +1-403-750-7428

> || | OrgTechEmail: ipadmin@sjrb.ca

> || | .........EOQ......................

> || |

> || | I see every one of those in in SHAW-COMM's NET range. I've been

denying

> || | the access & will continue to do so. But what are they trying to do?

> || |

> || |

> ||

> ||

> |

> |

>

>

Guest MEB

Guest MEB

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

 

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message

news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...

| MEB,

|

| You made a very legitimate point, and is was a rather feeble attempt at

| being facetious. While we aren't "good buds" PCR and I go back a long

way,

| and I'm reasonably sure he may have found it funny.

|

| To all the others perusing this NG, it prolly *didn't* strike them as

funny.

|

| As you mentioned, Internet security is certainly nothing to be scoffed

| at--especially at someone's else misfortune and expense.

|

| My heartiest apologies to all!

|

| Keep up the great work here.

|

| --

| HTH,

| Curt

|

| Windows Support Center

| http://www.aumha.org

| Practically Nerded,...

| http://dundats.mvps.org/Index.htm

|

| "MEB" <meb@not here@hotmail.com> wrote in message

| news:%23SIVJEhyHHA.1576@TK2MSFTNGP03.phx.gbl...

| |

| | "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message

| | news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...

| || You goof,

| ||

| || Those are the lottery numbers you've been expecting,that Augie promised

| to

| || get to you somehow. Firewall intrusions..haaruumphh!

| ||

| || --

| || HTH,

| || Curt

| ||

| || Windows Support Center

| || http://www.aumha.org

| || Practically Nerded,...

| || http://dundats.mvps.org/Index.htm

| |

| |

| | SO Curt, are you claiming these as yours? Or was this a little hahaha,,

| not

| | very funny when we ARE discussing systems intrusions or other attempts

at

| | monitoring activities ...

| | I never consider any of these types of activities as laughable or

| | ignorable... Sorry Curt, but with the present activities the people are

| | being subjected to, without their knowledge or consent, I do take issue

| ....

| |

| | --

| | MEB

| | ________

| |

 

Well, to admit it, I also thought it was funny, at first, but when it

carried your sig I thought it best to take the hardline,,, sorry,,

 

So I guess its now appropriate to post these:

 

Related material per this discussion:

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

National Cyber Alert System

 

Technical Cyber Security Alert TA07-199A

 

 

Mozilla Updates for Multiple Vulnerabilities

 

Original release date: July 18, 2007

Last revised: --

Source: US-CERT

 

 

Systems Affected

 

* Mozilla Firefox

* Mozilla Thunderbird

 

Other products based on Mozilla components may also be affected.

 

 

Overview

 

The Mozilla web browser and derived products contain several

vulnerabilities, the most severe of which could allow a remote

attacker to execute arbitrary code on an affected system.

 

 

I. Description

 

Mozilla has released new versions of Firefox and Thunderbird to

address several vulnerabilities. Further details about these

vulnerabilities are available from Mozilla and the Vulnerability Notes

Database. An attacker could exploit these vulnerabilities by

convincing a user to view a specially-crafted HTML document, such as a

web page or an HTML email message.

 

 

II. Impact

 

While the impacts of the individual vulnerabilities vary, the most

severe could allow a remote, unauthenticated attacker to execute

arbitrary code on a vulnerable system. An attacker may also be able to

cause a denial of service or obtain private information.

 

 

III. Solution

 

 

Upgrade

 

These vulnerabilities are addressed in Mozilla Firefox 2.0.0.5 and

Thunderbird 2.0.0.5.

 

 

Disable JavaScript

 

Some of these vulnerabilities can be mitigated by disabling JavaScript

or using the NoScript extension. For more information about

configuring Firefox, please see the Securing Your Web Browser

document. Thunderbird disables JavaScript and Java by default.

 

 

IV. References

 

* US-CERT Vulnerability Notes -

<http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_20070717>

 

* Securing Your Web Browser -

 

<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#

Mozilla_Firefox>

 

* Mozilla Foundation Security Advisories -

<http://www.mozilla.org/security/announce/>

 

* Known Vulnerabilities in Mozilla Products -

<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

 

* Mozilla Hall of Fame - <http://www.mozilla.org/university/HOF.html>

 

* NoScript Firefox Extension - <http://noscript.net/>

 

 

_________________________________________________________________

 

The most recent version of this document can be found at:

 

<http://www.us-cert.gov/cas/techalerts/TA07-199A.html>

_________________________________________________________________

 

Feedback can be directed to US-CERT Technical Staff. Please send

email to <cert@cert.org> with "TA07-199A Feedback VU#143297" in the

subject.

_________________________________________________________________

 

For instructions on subscribing to or unsubscribing from this

mailing list, visit <http://www.us-cert.gov/cas/signup.html>

_________________________________________________________________

 

Produced 2007 by US-CERT, a government organization.

 

Terms of use:

 

<http://www.us-cert.gov/legal.html>

_________________________________________________________________

 

Produced 2007 by US-CERT, a government organization. Terms of use

 

Revision History

 

July 18, 2007: Initial release

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.1 (GNU/Linux)

 

iQEVAwUBRp53HfRFkHkM87XOAQLeRwf/QqMX0I06N0r/bctdkce0RqUa9ZwpLSsM

42Ihq6NSQDOGM1cfqa8TxtYbITjV2cOQAmAYsi7HGdMF6zbZbkAZ5e/Lo06Be3mW

Rw9s+ci5mLOiFHQ1mBAYn5/1+iK9WJPrbL3tvE9ejAjdIzSieWz4wwYE/A4gIJxh

XnlwZT+EXafixy8qu/uLUjhwlfs+HiOtjaSP4q+N+LLfeSk+UeAXbT6nPt6d+B7Z

hd7RKOJR2eesWpc9L7/oq0tmJdXSkW9Qel3L9KssOiir/ZKqpyVISkBxTbce9Pq8

hqXne3HWJXBT19YBmRMSDD693J6siCPXuLSLJbTFN4d/NKM5MF7kTQ==

=jDnr

-----END PGP SIGNATURE-----

 

 

 

 

To the below I would add the types of activities discussed under this

heading AND occurring in this news group and elsewhere upon the Internet:

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

National Cyber Alert System

Cyber Security Tip ST04-014

 

Avoiding Social Engineering and Phishing Attacks

 

Do not give sensitive information to anyone unless you are sure that

they are indeed who they claim to be and that they should have access

to the information.

 

What is a social engineering attack?

 

To launch a social engineering attack, an attacker uses human

interaction (social skills) to obtain or compromise information about

an organization or its computer systems. An attacker may seem

unassuming and respectable, possibly claiming to be a new employee,

repair person, or researcher and even offering credentials to support

that identity. However, by asking questions, he or she may be able to

piece together enough information to infiltrate an organization's

network. If an attacker is not able to gather enough information from

one source, he or she may contact another source within the same

organization and rely on the information from the first source to add

to his or her credibility.

 

What is a phishing attack?

 

Phishing is a form of social engineering. Phishing attacks use email

or malicious web sites to solicit personal, often financial,

information. Attackers may send email seemingly from a reputable

credit card company or financial institution that requests account

information, often suggesting that there is a problem. When users

respond with the requested information, attackers can use it to gain

access to the accounts.

 

How do you avoid being a victim?

 

* Be suspicious of unsolicited phone calls, visits, or email

messages from individuals asking about employees or other internal

information. If an unknown individual claims to be from a

legitimate organization, try to verify his or her identity

directly with the company.

* Do not provide personal information or information about your

organization, including its structure or networks, unless you are

certain of a person's authority to have the information.

* Do not reveal personal or financial information in email, and do

not respond to email solicitations for this information. This

includes following links sent in email.

* Don't send sensitive information over the Internet before checking

a web site's security policy or looking for evidence that the

information is being encrypted (see Protecting Your Privacy and

Understanding Web Site Certificates for more information).

* Pay attention to the URL of a web site. Malicious web sites may

look identical to a legitimate site, but the URL may use a

variation in spelling or a different domain (e.g., .com vs. .net).

* If you are unsure whether an email request is legitimate, try to

verify it by contacting the company directly. Do not use contact

information provided on a web site connected to the request;

instead, check previous statements for contact information.

Information about known phishing attacks is also available online

from groups such as the Anti-Phishing Working Group

(http://www.antiphishing.org/phishing_archive.html).

* Install and maintain anti-virus software, firewalls, and email

filters to reduce some of this traffic (see Understanding

Firewalls, Understanding Anti-Virus Software, and Reducing Spam

for more information).

 

What do you do if you think you are a victim?

 

* If you believe you might have revealed sensitive information about

your organization, report it to the appropriate people within the

organization, including network administrators. They can be alert

for any suspicious or unusual activity.

* If you believe your financial accounts may be compromised, contact

your financial institution immediately and close any accounts that

may have been compromised. Watch for any unexplainable charges to

your account (see Preventing and Responding to Identity Theft for

more information).

* Consider reporting the attack to the police, and file a report

with the Federal Trade Commission (http://www.ftc.gov/).

_________________________________________________________________

 

Author: Mindi McDowell

_________________________________________________________________

 

Produced 2007 by US-CERT, a government organization.

 

Note: This tip was previously published and is being re-distributed

to increase awareness.

 

Terms of use

 

<http://www.us-cert.gov/legal.html>

 

This document can also be found at

 

<http://www.us-cert.gov/cas/tips/ST04-014.html>

 

 

For instructions on subscribing to or unsubscribing from this

mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

 

 

 

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.1 (GNU/Linux)

 

iQEVAwUBRp9k5vRFkHkM87XOAQL4bAf/QrdRKgj6nbUXJKf0PSH2L2MHruDeD8++

gVMVDGB2zvCiR5OrNbJ/I4AlfbSCIpigoL3jyoID15aPtZfeRzozc+MvOJsh6LW9

jH2TUCZjct2Md7EeGLPTemzydzYTUlzWj+YHs7T1qtQThq82jSiegFwCO8gnGzkH

ItDwogX7B/hu15R8kLcM+j4fLYXvpaPIe8CsAW5xa7oA48FNy++Y3+SLm3H1M129

GSNHpRPzpg6/Z0GCdp0187gie17pWBGy0aYL+qxHFMpVFnZWZKXetAYYmTpcPprj

fbbzMu5bfxeBmFKcDs/UEZzvsBEGENcG9C5E/UVNVI4UYYgBfit7kw==

=7EFh

-----END PGP SIGNATURE-----

 

 

One may also contact and supply information [such as any related logs -

firwall, system, etc.] to the various government agencies dealing with cyber

terrorism, electronic communications, and other like activities for

potential prosecution under (as example in the USA), The Anti-Terrorism

Acts, The Patriot Act, The Homeland Security Act, The Electronic

Communications Privacy Act, and several others.

Check with your respective {international} governments related to and/or

having jurisdiction over such activities.

 

--

MEB

http://peoplescounsel.orgfree.com

________

Guest PCR

Guest PCR

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

glee wrote:

| It's alright, Curt....I get the joke, and I suspect PCR got a chuckle

| out of it.

 

Ah, ha, ha-- yea, it was funny. But what am I supposed to do with all

these lottery tickets now?

 

| --

| Glen Ventura, MS MVP Shell/User, A+

|

| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message

| news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...

|> MEB,

|>

|> You made a very legitimate point, and is was a rather feeble attempt

|> at being facetious. While we aren't "good buds" PCR and I go back a

|> long way, and I'm reasonably sure he may have found it funny.

|>

|> To all the others perusing this NG, it prolly *didn't* strike them

|> as funny.

|>

|> As you mentioned, Internet security is certainly nothing to be

|> scoffed at--especially at someone's else misfortune and expense.

|>

|> My heartiest apologies to all!

|>

|> Keep up the great work here.

|>

|> --

|> HTH,

|> Curt

|>

|> Windows Support Center

|> http://www.aumha.org

|> Practically Nerded,...

|> http://dundats.mvps.org/Index.htm

|>

|> "MEB" <meb@not here@hotmail.com> wrote in message

|> news:%23SIVJEhyHHA.1576@TK2MSFTNGP03.phx.gbl...

|> |

|> | "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in

|> | message news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...

|> || You goof,

|> ||

|> || Those are the lottery numbers you've been expecting,that Augie

|> || promised to get to you somehow. Firewall intrusions..haaruumphh!

|> ||

|> || --

|> || HTH,

|> || Curt

|> ||

|> || Windows Support Center

|> || http://www.aumha.org

|> || Practically Nerded,...

|> || http://dundats.mvps.org/Index.htm

|> |

|> |

|> | SO Curt, are you claiming these as yours? Or was this a little

|> | hahaha,, not very funny when we ARE discussing systems intrusions

|> | or other attempts at monitoring activities ...

|> | I never consider any of these types of activities as laughable or

|> | ignorable... Sorry Curt, but with the present activities the

|> | people are being subjected to, without their knowledge or consent,

|> | I do take issue ....

|> |

|> | --

|> | MEB

|> | http://peoplescounsel.orgfree.com

|> | ________

 

....snip

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Guest PCR

Guest PCR

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

Franc Zabkar wrote:

| On Wed, 18 Jul 2007 20:20:29 -0400, "PCR" <pcrrcp@netzero.net> put

| finger to keyboard and composed:

|

|>Kerio Firewall has begun a series of messages such as these, coming

|>once a minute or so, every so often...!...

|>

|>Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port

|>1027 owned by 'Distributed COM Services' on your computer.

|

| <snip>

|

|>The port is owned by...

|>c:\windows\system\rpcss.exe

|

| What is RPCSS.EXE?

| http://cexx.org/rpc.htm

|

| ===================================================================

| In any event, what rpcss.exe does is to handle a number of API calls

| that relate to RPC. In general (and this is somewhat of a

| simplification to prevent techie talk overload), a program can

| register certain entry points (the "procedures" in remote procedure

| call) that can be accessed by external applications. This is known as

| the "portmapper" function. Once registered, anyone contacting the RPC

| port and asking, in the appropriate format, for a particular function

| provided by a particular program will be allowed to execute the

| function. Any security checks are up to the contacted program, as all

| the portmapper does is to make the necessary procedure call on behalf

| of the client.

|

| "WAIT JUST A MINUTE," you scream as your face turns red. "You mean ANY

| program can ask ANY OTHER program on MY MACHINE to do something for it

| WITHOUT MY KNOWLEDGE?" The sad truth is that, yes, this is true, and

| yes, this has been a constant source of security flaws in UNIX systems

| as such-and-such RPC service has this unchecked buffer or that

| improper security check which allows any remote user with the proper

| script to gain full control of the machine. Since no such flaws have

| been found in the rpcss.exe portmapper proper -- probably because no

| one's really looked -- the real threat comes from the programs that

| utilize the portmapper. Unlike UNIX, however, very few Windows

| programs use RPC; hell, most Windows 9x programmers aren't even aware

| that RPC exists, and RPC as a direct communications method is being

| replaced by DCOM and COM+ (which can, but do not necessarily, use RPC)

| in Windows 2000. Therefore, the likelihood of you even having a

| portmapped program on Windows 9x is extremely low, and thus the risk

| that RPC presents is also quite low.

| ===================================================================

 

I see. Thanks, Zabcar. Glee also posted that URL, I believe. From what I

can make of it, I shouldn't disable rpcss.exe altogether. Suppose I were

to set Kerio to block all traffic to & from it, though-- does that

constitute disabling it altogether?

 

There, it's done-- UDP/TCP both directions is blocked for RPCSS.EXE--

any address, any port!

 

That may be a bit impulsive, but I know I can recover from a major

crash. Also, I fully intend to continue to research the matter until I

3/4 understand what I've done!

 

(I'm still working on responses to the replies, but thanks to all.)

 

|

| - Franc Zabkar

| --

| Please remove one 'i' from my address when replying by email.

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Guest PCR

Guest PCR

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

Curt Christianson wrote:

| You goof,

|

| Those are the lottery numbers you've been expecting,that Augie

| promised to get to you somehow. Firewall intrusions..haaruumphh!

 

Ah, ha, ha! That's rich!

 

| --

| HTH,

| Curt

|

| Windows Support Center

| http://www.aumha.org

| Practically Nerded,...

| http://dundats.mvps.org/Index.htm

|

| "PCR" <pcrrcp@netzero.net> wrote in message

| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

|| PCR wrote:

||| Kerio Firewall has begun a series of messages such as these, coming

||| once a minute or so, every so often...!...

|||

||| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to

||| port 1027 owned by 'Distributed COM Services' on your computer.

|||

||| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

||| port 1027 owned by 'Distributed COM Services' on your computer

|||

||| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

||| port 1027 owned by 'Distributed COM Services' on your computer

|||

||| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

||| port 1027 owned by 'Distributed COM Services' on your computer

|||

||| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

||| port 1027 owned by 'Distributed COM Services' on your computer

|||

||| The port is owned by...

||| c:\windows\system\rpcss.exe

||

|| OK, I see, by the word of...

|| http://www.networksolutions.com/whois/index.jsp

||

|| .........Quote..................................

|| 24.64.9.177

|| Record Type: IP Address

||

|| OrgName: Shaw Communications Inc.

|| OrgID: SHAWC

|| Address: Suite 800

|| Address: 630 - 3rd Ave. SW

|| City: Calgary

|| StateProv: AB

|| PostalCode: T2P-4L4

|| Country: CA

||

|| ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

||

|| NetRange: 24.64.0.0 - 24.71.255.255

|| CIDR: 24.64.0.0/13

|| NetName: SHAW-COMM

|| NetHandle: NET-24-64-0-0-1

|| Parent: NET-24-0-0-0-0

|| NetType: Direct Allocation

|| NameServer: NS7.NO.CG.SHAWCABLE.NET

|| NameServer: NS8.SO.CG.SHAWCABLE.NET

|| Comment:

|| RegDate: 1996-06-03

|| Updated: 2006-02-08

||

|| OrgAbuseHandle: SHAWA-ARIN

|| OrgAbuseName: SHAW ABUSE

|| OrgAbusePhone: +1-403-750-7420

|| OrgAbuseEmail: internet.abuse@sjrb.ca

||

|| OrgTechHandle: ZS178-ARIN

|| OrgTechName: Shaw High-Speed Internet

|| OrgTechPhone: +1-403-750-7428

|| OrgTechEmail: ipadmin@sjrb.ca

|| .........EOQ......................

||

|| I see every one of those in in SHAW-COMM's NET range. I've been

|| denying the access & will continue to do so. But what are they

|| trying to do?

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Guest PCR

Guest PCR

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

glee wrote:

| It is most likely a Windows Messenger spam attempt:

| http://www.linklogger.com/messenger_spam.htm

 

I don't have "NET SEND", although I do have "NET"...

 

C:\>net send

The command SEND is unknown. For a list of valid commands, type NET HELP

at

the command prompt.

For help, type NET /? at the command prompt.

 

Can I suppose I don't need to allow RPCSS.EXE to use UDP/TCP at all?

 

| http://www.linklogger.com/UDP1026.htm

 

..........Quote that URL..........

Inbound Scan

 

Typically inbound traffic to this port is Messenger Spam which is more

annoying then anything else, and hence not really worthy of a Link

Logger alert, but still there is enough of this traffic that an

explanation is helpful.

 

Outbound Scan

 

Outbound scans, if occurring in volume should be considered an

indication of a possible worm infection on the source computer and

should be investigated.

..........EOQ..............................

 

The ones I get are all inbound. So, probably I am safe yet, so long as I

don't accept any.

 

| http://isc.sans.org/port.html?port=1027

 

I divine that is one possibility of what is trying to come in.

 

There's no chance I will accept one now. As I posted elsewhere, I've

blocked UDP/TCP both directions for RPCSS.EXE-- any address, any port!

I'll just keep it that way, until I suffer a crash or other suspicious

symptom-- or unless someone can definitively say I should not. I am on

Dial-Up & use no networking other than normal Internet surfing. Let me

see whether those FTP sites still work...

ftp://ftp.microsoft.com/

Yea, that one still works. However (not that it's any different), I do

have to permit...

 

Someone from 207.46.236.102, port 20 wants to connect to port 1341 owned

by 'Internet Explorer' on your computer

 

....for every folder I click. But that's normal!

 

Thanks, glee & all others who responded-- with the possible exception of

Christianson! [Just joking. :-).]

 

I do have another firewall question or two, but will post it in new

thread(s).

 

| --

| Glen Ventura, MS MVP Shell/User, A+

| http://dts-l.org/

| http://dts-l.org/goodpost.htm

|

|

| "PCR" <pcrrcp@netzero.net> wrote in message

| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...

|> PCR wrote:

|> | Kerio Firewall has begun a series of messages such as these, coming

|> | once a minute or so, every so often...!...

|> |

|> | Someone from 24.64.9.177, port 3222 wants to send UDP datagram to

|> | port 1027 owned by 'Distributed COM Services' on your computer.

|> |

|> | Someone from 24.64.8.158, port 32089 wants to send UDP datagram to

|> | port 1027 owned by 'Distributed COM Services' on your computer

|> |

|> | Someone from 24.64.85.35, port 34996 wants to send UDP datagram to

|> | port 1027 owned by 'Distributed COM Services' on your computer

|> |

|> | Someone from 24.64.210.84, port 28111 wants to send UDP datagram to

|> | port 1027 owned by 'Distributed COM Services' on your computer

|> |

|> | Someone from 24.64.180.130, port 4241 wants to send UDP datagram to

|> | port 1027 owned by 'Distributed COM Services' on your computer

|> |

|> | The port is owned by...

|> | c:\windows\system\rpcss.exe

|>

|> OK, I see, by the word of...

|> http://www.networksolutions.com/whois/index.jsp

|>

|> .........Quote..................................

|> 24.64.9.177

|> Record Type: IP Address

|>

|> OrgName: Shaw Communications Inc.

|> OrgID: SHAWC

|> Address: Suite 800

|> Address: 630 - 3rd Ave. SW

|> City: Calgary

|> StateProv: AB

|> PostalCode: T2P-4L4

|> Country: CA

|>

|> ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

|>

|> NetRange: 24.64.0.0 - 24.71.255.255

|> CIDR: 24.64.0.0/13

|> NetName: SHAW-COMM

|> NetHandle: NET-24-64-0-0-1

|> Parent: NET-24-0-0-0-0

|> NetType: Direct Allocation

|> NameServer: NS7.NO.CG.SHAWCABLE.NET

|> NameServer: NS8.SO.CG.SHAWCABLE.NET

|> Comment:

|> RegDate: 1996-06-03

|> Updated: 2006-02-08

|>

|> OrgAbuseHandle: SHAWA-ARIN

|> OrgAbuseName: SHAW ABUSE

|> OrgAbusePhone: +1-403-750-7420

|> OrgAbuseEmail: internet.abuse@sjrb.ca

|>

|> OrgTechHandle: ZS178-ARIN

|> OrgTechName: Shaw High-Speed Internet

|> OrgTechPhone: +1-403-750-7428

|> OrgTechEmail: ipadmin@sjrb.ca

|> .........EOQ......................

|>

|> I see every one of those in in SHAW-COMM's NET range. I've been

|> denying the access & will continue to do so. But what are they

|> trying to do?

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Guest PCR

Guest PCR

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

98 Guy wrote:

| Ok, what's going on is this:

|

| Your modem recently obtained a new IP address (maybe it does this once

| a day, once an hour, once a month, I don't know).

 

I'm on dial-up, & I believe I get a new one each connection.

 

| In any case, the IP address you have now once belonged to someone that

| was part of a P2P network. They were part of a file-sharing network.

| Their IP address is known to the network (for the time being).

|

| Other computers are trying to access some file that they think is

| located on your computer.

 

I guess that is a possibility. But, whether innocent or guilty-- I don't

want them to have it!

 

| So either those attempts will fade away with time, or you can re-boot

| your modem and obtain a new IP address.

|

| Looks like there are lots of downloaders in Alberta... :)

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Guest PCR

Guest PCR

Posted
Posted

Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

 

98 Guy wrote:

| PCR wrote:

|

|> Kerio Firewall has begun a series of messages such as these

|

| Why don't you have a NAT router?

 

Thanks, 98 Guy. I don't have a Network connection (other than what the

Internet is), & I am on dial-up.

 

|> Someone from 24.64.9.177

|

| All those IP's belong to Shaw Cable internet, Calgary Alberta.

 

That's right, I later found an URL that said...

http://www.networksolutions.com/whois/index.jsp

..........Quote.............

NetRange: 24.64.0.0 - 24.71.255.255

....snip

NetName: SHAW-COMM

..........EOQ................

 

|> port 3222 wants to send UDP datagram

|

| No malware (as far as I can tell) is known to use port 3222. Recent

| port usage:

|

| http://isc.sans.org/port.html?port=3222

 

I can't click that, I've been thrown offline by NetZero. But, as I

understand it, that port is on SHAW-COMM's computer. Why should I trust

it wouldn't be used for an ill purpose?

 

|> to port 1027 owned by 'Distributed COM Services' on your computer.

|

| I don't think that DCOM is normally installed on windows-98 systems.

 

Yea, it is-- at least, Compaq installed it in this 7470!

 

| The Shaw Cable computer is either trying to exploit a DCOM

| vulnerability on your computer, or is attempting to connect to a

| trojan that it thinks might be running on your computer and listening

| on port 1027.

 

There certainly is something listening on "localhost:1027". That is

RPCSS.exe. It also is listening on "all:135"-- which was my Junior High

School! And that evokes particularly horrid memories!

 

|> The port is owned by...

|> c:\windows\system\rpcss.exe

|

| Unless I'm mistaken, your computer is running win-2k or XP, not

| win-98.

 

You are mistaken, but it could be something Compaq did. Well, wait a

minute,...

 

Cabinet WIN98_46.CAB

04-23-1999 10:22:00p A--- 20,480 rpcss.exe

 

.... it's in my 98SE .cab's!

 

| A home computer located somewhere in Alberta is performing a port-scan

| on your computer, attempting to either install some malware on your

| system via a DCOM exploit, or is attempting to contact a trojan

| running on your computer and give it instructions to do something (to

| obtain some new software, to send spam to someone, etc).

 

That's what I was afraid of! Oh, my God!

 

| The fact that they are coming from different addresses every few

| minutes is strange - it would indicate that it's coming from different

| machines - as in some sort of coordinated scan directly on to

| machine. Not sure what would be the reason for that.

 

I GUESS, because I kept disallowing it, it was tried from different IPs,

thinking I was just blocking a specific one. But now I've blocked all

UDP/TCP, both directions, all ports for rpcss.exe. Let's see what

happens with that!

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

 Share
Go to topic listing
×
×
  • Create New...