Guest PCR, Posted July 19, 2007
Who are 24.64.9.177 & 24.64.8.158, etc.?

Kerio Firewall has begun a series of messages such as these, coming once a minute or so, every so often...!...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.

Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer

The port is owned by...
c:\windows\system\rpcss.exe

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest PCR, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

PCR wrote:
| Kerio Firewall has begun a series of messages such as these, coming
| once a minute or so, every so often...!...
| <snip>
| The port is owned by...
| c:\windows\system\rpcss.exe

OK, I see, by the word of...
http://www.networksolutions.com/whois/index.jsp

..........Quote..................................
24.64.9.177
Record Type: IP Address

OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

NetRange: 24.64.0.0 - 24.71.255.255
CIDR: 24.64.0.0/13
NetName: SHAW-COMM
NetHandle: NET-24-64-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS7.NO.CG.SHAWCABLE.NET
NameServer: NS8.SO.CG.SHAWCABLE.NET
Comment:
RegDate: 1996-06-03
Updated: 2006-02-08

OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName: SHAW ABUSE
OrgAbusePhone: +1-403-750-7420
OrgAbuseEmail: internet.abuse@sjrb.ca

OrgTechHandle: ZS178-ARIN
OrgTechName: Shaw High-Speed Internet
OrgTechPhone: +1-403-750-7428
OrgTechEmail: ipadmin@sjrb.ca
..........EOQ......................

I see every one of those in SHAW-COMM's NET range. I've been denying the access & will continue to do so.

But what are they trying to do?
Guest 98 Guy, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

PCR wrote:

> Kerio Firewall has begun a series of messages such as these

Why don't you have a NAT router?

> Someone from 24.64.9.177

All those IP's belong to Shaw Cable internet, Calgary Alberta.

> port 3222 wants to send UDP datagram

No malware (as far as I can tell) is known to use port 3222. Recent port usage:
http://isc.sans.org/port.html?port=3222

> to port 1027 owned by 'Distributed COM Services' on your computer.

I don't think that DCOM is normally installed on windows-98 systems. The Shaw Cable computer is either trying to exploit a DCOM vulnerability on your computer, or is attempting to connect to a trojan that it thinks might be running on your computer and listening on port 1027.

> The port is owned by...
> c:\windows\system\rpcss.exe

Unless I'm mistaken, your computer is running win-2k or XP, not win-98.

A home computer located somewhere in Alberta is performing a port-scan on your computer, attempting to either install some malware on your system via a DCOM exploit, or is attempting to contact a trojan running on your computer and give it instructions to do something (to obtain some new software, to send spam to someone, etc).

The fact that they are coming from different addresses every few minutes is strange - it would indicate that it's coming from different machines - as in some sort of coordinated scan directly on to your machine. Not sure what would be the reason for that.
Guest 98 Guy, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

Ok, what's going on is this:

Your modem recently obtained a new IP address (maybe it does this once a day, once an hour, once a month, I don't know). In any case, the IP address you have now once belonged to someone that was part of a P2P network. They were part of a file-sharing network. Their IP address is known to the network (for the time being). Other computers are trying to access some file that they think is located on your computer.

So either those attempts will fade away with time, or you can re-boot your modem and obtain a new IP address.

Looks like there are lots of downloaders in Alberta... :)
Guest glee, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

It is most likely a Windows Messenger spam attempt:
http://www.linklogger.com/messenger_spam.htm
http://www.linklogger.com/UDP1026.htm
http://isc.sans.org/port.html?port=1027

--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/
http://dts-l.org/goodpost.htm

"PCR" <pcrrcp@netzero.net> wrote in message news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
> PCR wrote:
> | Kerio Firewall has begun a series of messages such as these, coming
> | once a minute or so, every so often...!...
> <snip>
> I see every one of those in SHAW-COMM's NET range. I've been denying
> the access & will continue to do so. But what are they trying to do?
Guest Franc Zabkar, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

On Wed, 18 Jul 2007 20:20:29 -0400, "PCR" <pcrrcp@netzero.net> put finger to keyboard and composed:

>Kerio Firewall has begun a series of messages such as these, coming once
>a minute or so, every so often...!...
>
>Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
>1027 owned by 'Distributed COM Services' on your computer.

<snip>

>The port is owned by...
>c:\windows\system\rpcss.exe

What is RPCSS.EXE?
http://cexx.org/rpc.htm

===================================================================
In any event, what rpcss.exe does is to handle a number of API calls that relate to RPC. In general (and this is somewhat of a simplification to prevent techie talk overload), a program can register certain entry points (the "procedures" in remote procedure call) that can be accessed by external applications. This is known as the "portmapper" function. Once registered, anyone contacting the RPC port and asking, in the appropriate format, for a particular function provided by a particular program will be allowed to execute the function. Any security checks are up to the contacted program, as all the portmapper does is to make the necessary procedure call on behalf of the client.

"WAIT JUST A MINUTE," you scream as your face turns red. "You mean ANY program can ask ANY OTHER program on MY MACHINE to do something for it WITHOUT MY KNOWLEDGE?" The sad truth is that, yes, this is true, and yes, this has been a constant source of security flaws in UNIX systems as such-and-such RPC service has this unchecked buffer or that improper security check which allows any remote user with the proper script to gain full control of the machine. Since no such flaws have been found in the rpcss.exe portmapper proper -- probably because no one's really looked -- the real threat comes from the programs that utilize the portmapper.

Unlike UNIX, however, very few Windows programs use RPC; hell, most Windows 9x programmers aren't even aware that RPC exists, and RPC as a direct communications method is being replaced by DCOM and COM+ (which can, but do not necessarily, use RPC) in Windows 2000. Therefore, the likelihood of you even having a portmapped program on Windows 9x is extremely low, and thus the risk that RPC presents is also quite low.
===================================================================

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.
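The register-then-dispatch model the cexx.org excerpt describes, as an added toy model in Python (not code from the thread, from cexx.org, or from Windows RPCSS): programs register (program, procedure) entry points with a mapper, the mapper invokes whatever a caller names and does no authorization of its own, so any access check has to live inside the registered program. The service names, procedure names and the "trusted caller" list are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Request:
    caller: str       # identity of whoever contacted the RPC port (assumed label)
    program: str
    procedure: str
    args: tuple


class PortMapper:
    """Toy portmapper, an assumed model of the cexx.org description (not RPCSS).
    Programs register entry points; any caller that names a registered
    (program, procedure) has it invoked on its behalf. No authorization here."""

    def __init__(self):
        self._table: Dict[Tuple[str, str], Callable] = {}

    def register(self, program, procedure, func):
        self._table[(program, procedure)] = func

    def dispatch(self, req):
        func = self._table.get((req.program, req.procedure))
        if func is None:
            return ("error", "no such procedure")
        # The mapper only forwards the caller identity; what the program
        # does with it is entirely the program's business.
        return ("ok", func(req.caller, *req.args))


class ConfigService:
    """A registered program that performs its own caller check (the
    'security checks are up to the contacted program' case)."""

    def __init__(self, trusted):
        self.trusted = set(trusted)
        self.config = {"version": "1.0"}  # constructed sample data

    def get_config(self, caller, key):
        if caller not in self.trusted:
            return "denied"
        return self.config.get(key)


class NoteService:
    """A registered program with no check at all: the mapper's openness
    becomes this program's exposure, since every forwarded call is acted on."""

    def __init__(self):
        self.notes = []

    def append_note(self, caller, text):
        self.notes.append((caller, text))
        return len(self.notes)


def build_mapper(trusted=("localhost",)):
    """Wire both programs into one mapper; returns the mapper and the programs."""
    mapper = PortMapper()
    cfg = ConfigService(trusted)
    notes = NoteService()
    mapper.register("cfgsvc", "get_config", cfg.get_config)
    mapper.register("notesvc", "append_note", notes.append_note)
    return mapper, cfg, notes


if __name__ == "__main__":
    mapper, cfg, notes = build_mapper()
    print(mapper.dispatch(Request("localhost", "cfgsvc", "get_config", ("version",))))
    print(mapper.dispatch(Request("remote-host", "cfgsvc", "get_config", ("version",))))
    print(mapper.dispatch(Request("remote-host", "notesvc", "append_note", ("hello",))))
```

Running it shows the mapper happily routing the same remote caller to both programs; only the program that checks its caller refuses, which is the point the excerpt makes about where the real exposure sits.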
Guest MEB, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

"PCR" <pcrrcp@netzero.net> wrote in message news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
| PCR wrote:
| | Kerio Firewall has begun a series of messages such as these, coming
| | once a minute or so, every so often...!...
| <snip>
| I see every one of those in SHAW-COMM's NET range. I've been denying
| the access & will continue to do so. But what are they trying to do?

Just a HEADS UP, I also had that same Shaw attack a while ago, all those addresses {which are slightly different than yours - though 24.64.*.* and Shaw} are BLOCKED/DENIED in my PFW firewall.
Guest MEB, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

Here, I just turned on logging and popup alerts and am connected to this group...

19/Jul/2007 03:09:54 Shaw Comm block blocked; In UDP; S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]->localhost:1026; Owner: no owner
19/Jul/2007 03:11:20 Shaw Comm block blocked; In UDP; S01060020ed1d11bc.lb.shawcable.net [24.64.180.89:20542]->localhost:1026; Owner: no owner
19/Jul/2007 03:14:50 Shaw Comm block blocked; In UDP; S0106000ae694e9c1.cn.shawcable.net [24.64.50.56:20710]->localhost:1026; Owner: no owner
19/Jul/2007 03:21:32 Shaw Comm block blocked; In UDP; 24.64.230.110:24538->localhost:1026; Owner: no owner
19/Jul/2007 03:21:58 Shaw Comm block blocked; In UDP; S0106001346b90d71.lb.shawcable.net [24.64.160.64:7051]->localhost:1026; Owner: no owner
19/Jul/2007 03:30:58 Shaw Comm block blocked; In UDP; S01060004ac8b9494.lb.shawcable.net [24.64.191.235:9685]->localhost:1026; Owner: no owner

Comes via UDP as you noted, apparently when using IE or OE... so a router WOULDN'T stop it... another lurker busted ....

"MEB" <meb@not here@hotmail.com> wrote in message news:eMN1HAdyHHA.4276@TK2MSFTNGP05.phx.gbl...
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
| | PCR wrote:
| | | Kerio Firewall has begun a series of messages such as these, coming
| | | once a minute or so, every so often...!...
| <snip>
| Just a HEADS UP, I also had that same Shaw attack a while ago, all those
| addresses {which are slightly different than yours - though 24.64.*.* and
| Shaw} are BLOCKED/DENIED in my PFW firewall.
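A small triage script, added here and not from the thread or from Kerio: it parses both message formats pasted in this thread (PCR's popup text and MEB's log lines), checks each source against the 24.64.0.0/13 allocation from PCR's whois lookup, and reports per destination port how many distinct senders there were and whether the traffic fits the pattern glee points to (UDP to 1026/1027 from many unrelated hosts). The regular expressions are inferred from the eleven lines in this thread only, and the threshold of three distinct sources is an arbitrary choice.

```python
import re
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# ARIN allocation from the whois record PCR pasted (CIDR: 24.64.0.0/13, SHAW-COMM).
SHAW_COMM = ipaddress.ip_network("24.64.0.0/13")

# Destination ports the unsolicited datagrams in this thread were aimed at.
POPUP_SPAM_PORTS = {1026, 1027}

# Kerio log line as pasted by MEB. The "hostname [" prefix is optional (one
# of his lines carries a bare address). Pattern inferred from his six lines only.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<rule>.+?) (?P<action>blocked|permitted); "
    r"(?P<dir>In|Out) (?P<proto>UDP|TCP); "
    r"(?:\S+ \[)?(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\]?->"
    r"(?P<dst>[^:]+):(?P<dport>\d+); Owner: (?P<owner>.+)$"
)

# Kerio popup text as pasted by PCR (trailing period present on only one line).
POPUP_RE = re.compile(
    r"^Someone from (?P<src>\d+\.\d+\.\d+\.\d+), port (?P<sport>\d+) wants to send "
    r"(?P<proto>UDP) datagram to port (?P<dport>\d+) owned by '(?P<owner>[^']+)'"
)


@dataclass(frozen=True)
class Event:
    src: ipaddress.IPv4Address
    sport: int
    proto: str
    dport: int
    owner: str


def parse_event(line):
    """Return an Event for a Kerio log line or popup message, or None if neither matches."""
    text = line.strip()
    m = LOG_RE.match(text) or POPUP_RE.match(text)
    if m is None:
        return None
    return Event(ipaddress.ip_address(m["src"]), int(m["sport"]),
                 m["proto"], int(m["dport"]), m["owner"].strip())


def summarize(lines):
    """Group events by destination port: protocols, distinct sources, how many
    of those sources fall inside SHAW_COMM, and the owning processes reported."""
    by_port = defaultdict(lambda: {"proto": set(), "sources": set(),
                                   "in_net": 0, "owners": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        entry = by_port[ev.dport]
        entry["proto"].add(ev.proto)
        if ev.src not in entry["sources"]:
            entry["sources"].add(ev.src)
            if ev.src in SHAW_COMM:
                entry["in_net"] += 1
        entry["owners"].add(ev.owner)
    return dict(by_port)


def assess(lines, min_sources=3):
    """Per destination port, flag the popup-spam pattern described in the thread:
    UDP to 1026/1027 from at least min_sources distinct hosts (threshold is arbitrary)."""
    findings = {}
    for dport, entry in summarize(lines).items():
        n = len(entry["sources"])
        findings[dport] = {
            "distinct_sources": n,
            "all_in_shaw": entry["in_net"] == n,
            "popup_spam_pattern": (dport in POPUP_SPAM_PORTS
                                   and "UDP" in entry["proto"]
                                   and n >= min_sources),
            "owners": sorted(entry["owners"]),
        }
    return findings


# Sample input: the five popup messages from PCR's first post and the six
# log lines from MEB's post, copied from the thread.
THREAD_LINES = [
    "Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.",
    "Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer",
    "Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer",
    "Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer",
    "Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer",
    "19/Jul/2007 03:09:54 Shaw Comm block blocked; In UDP; S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]->localhost:1026; Owner: no owner",
    "19/Jul/2007 03:11:20 Shaw Comm block blocked; In UDP; S01060020ed1d11bc.lb.shawcable.net [24.64.180.89:20542]->localhost:1026; Owner: no owner",
    "19/Jul/2007 03:14:50 Shaw Comm block blocked; In UDP; S0106000ae694e9c1.cn.shawcable.net [24.64.50.56:20710]->localhost:1026; Owner: no owner",
    "19/Jul/2007 03:21:32 Shaw Comm block blocked; In UDP; 24.64.230.110:24538->localhost:1026; Owner: no owner",
    "19/Jul/2007 03:21:58 Shaw Comm block blocked; In UDP; S0106001346b90d71.lb.shawcable.net [24.64.160.64:7051]->localhost:1026; Owner: no owner",
    "19/Jul/2007 03:30:58 Shaw Comm block blocked; In UDP; S01060004ac8b9494.lb.shawcable.net [24.64.191.235:9685]->localhost:1026; Owner: no owner",
]

if __name__ == "__main__":
    for dport, finding in sorted(assess(THREAD_LINES).items()):
        print(dport, finding)
```

On the thread's eleven lines this reports two ports, 1026 and 1027, each hit by every source once, all sources inside the SHAW-COMM block, and both ports matching the pattern; the "owners" field keeps the difference between PCR's system (port claimed by 'Distributed COM Services') and MEB's (no owner) visible in the summary.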
Guest Curt Christianson, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

You goof,

Those are the lottery numbers you've been expecting, that Augie promised to get to you somehow. Firewall intrusions..haaruumphh!

--
HTH,
Curt

Windows Support Center
http://www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"PCR" <pcrrcp@netzero.net> wrote in message news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
| PCR wrote:
|| Kerio Firewall has begun a series of messages such as these, coming
|| once a minute or so, every so often...!...
| <snip>
| I see every one of those in SHAW-COMM's NET range. I've been denying
| the access & will continue to do so. But what are they trying to do?
Guest MEB, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...
| You goof,
|
| Those are the lottery numbers you've been expecting, that Augie promised to
| get to you somehow. Firewall intrusions..haaruumphh!
|
| --
| HTH,
| Curt
|
| Windows Support Center
| http://www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm

SO Curt, are you claiming these as yours? Or was this a little hahaha,, not very funny when we ARE discussing systems intrusions or other attempts at monitoring activities ...
I never consider any of these types of activities as laughable or ignorable... Sorry Curt, but with the present activities the people are being subjected to, without their knowledge or consent, I do take issue ....

--
MEB
http://peoplescounsel.orgfree.com
________

|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
| | PCR wrote:
| || Kerio Firewall has begun a series of messages such as these, coming
| || once a minute or so, every so often...!...
| <snip>
| | I see every one of those in SHAW-COMM's NET range. I've been denying
| | the access & will continue to do so. But what are they trying to do?
Guest Curt Christianson, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

MEB,

You made a very legitimate point, and it was a rather feeble attempt at being facetious. While we aren't "good buds" PCR and I go back a long way, and I'm reasonably sure he may have found it funny.

To all the others perusing this NG, it prolly *didn't* strike them as funny.

As you mentioned, Internet security is certainly nothing to be scoffed at--especially at someone else's misfortune and expense.

My heartiest apologies to all!

Keep up the great work here.

--
HTH,
Curt

Windows Support Center
http://www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message news:%23SIVJEhyHHA.1576@TK2MSFTNGP03.phx.gbl...
|
| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
| news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...
|| You goof,
||
|| Those are the lottery numbers you've been expecting, that Augie promised to
|| get to you somehow. Firewall intrusions..haaruumphh!
| <snip>
|
| SO Curt, are you claiming these as yours? Or was this a little hahaha,, not
| very funny when we ARE discussing systems intrusions or other attempts at
| monitoring activities ...
| I never consider any of these types of activities as laughable or
| ignorable... Sorry Curt, but with the present activities the people are
| being subjected to, without their knowledge or consent, I do take issue ....
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
| <snip>
Guest glee, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

It's alright, Curt....I get the joke, and I suspect PCR got a chuckle out of it.

--
Glen Ventura, MS MVP Shell/User, A+

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...
> MEB,
>
> You made a very legitimate point, and it was a rather feeble attempt at
> being facetious. While we aren't "good buds" PCR and I go back a long way,
> and I'm reasonably sure he may have found it funny.
>
> To all the others perusing this NG, it prolly *didn't* strike them as funny.
>
> As you mentioned, Internet security is certainly nothing to be scoffed
> at--especially at someone else's misfortune and expense.
>
> My heartiest apologies to all!
>
> Keep up the great work here.
> <snip>
Guest MEB, Posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...
| MEB,
|
| You made a very legitimate point, and it was a rather feeble attempt at
| being facetious. While we aren't "good buds" PCR and I go back a long way,
| and I'm reasonably sure he may have found it funny.
|
| To all the others perusing this NG, it prolly *didn't* strike them as funny.
|
| As you mentioned, Internet security is certainly nothing to be scoffed
| at--especially at someone else's misfortune and expense.
|
| My heartiest apologies to all!
|
| Keep up the great work here.
| <snip>

Well, to admit it, I also thought it was funny, at first, but when it carried your sig I thought it best to take the hardline,,, sorry,,

So I guess its now appropriate to post these:

Related material per this discussion:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA07-199A

Mozilla Updates for Multiple Vulnerabilities

Original release date: July 18, 2007
Last revised: --
Source: US-CERT

Systems Affected

* Mozilla Firefox
* Mozilla Thunderbird

Other products based on Mozilla components may also be affected.

Overview

The Mozilla web browser and derived products contain several vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code on an affected system.

I. Description

Mozilla has released new versions of Firefox and Thunderbird to address several vulnerabilities. Further details about these vulnerabilities are available from Mozilla and the Vulnerability Notes Database.

An attacker could exploit these vulnerabilities by convincing a user to view a specially-crafted HTML document, such as a web page or an HTML email message.

II. Impact

While the impacts of the individual vulnerabilities vary, the most severe could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service or obtain private information.

III. Solution

Upgrade

These vulnerabilities are addressed in Mozilla Firefox 2.0.0.5 and Thunderbird 2.0.0.5.

Disable JavaScript

Some of these vulnerabilities can be mitigated by disabling JavaScript or using the NoScript extension. For more information about configuring Firefox, please see the Securing Your Web Browser document. Thunderbird disables JavaScript and Java by default.

IV. References

* US-CERT Vulnerability Notes - <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_20070717>
* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>
* Mozilla Foundation Security Advisories - <http://www.mozilla.org/security/announce/>
* Known Vulnerabilities in Mozilla Products - <http://www.mozilla.org/projects/security/known-vulnerabilities.html>
* Mozilla Hall of Fame - <http://www.mozilla.org/university/HOF.html>
* NoScript Firefox Extension - <http://noscript.net/>

_________________________________________________________________

The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-199A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-199A Feedback VU#143297" in the subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

July 18, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRp53HfRFkHkM87XOAQLeRwf/QqMX0I06N0r/bctdkce0RqUa9ZwpLSsM
42Ihq6NSQDOGM1cfqa8TxtYbITjV2cOQAmAYsi7HGdMF6zbZbkAZ5e/Lo06Be3mW
Rw9s+ci5mLOiFHQ1mBAYn5/1+iK9WJPrbL3tvE9ejAjdIzSieWz4wwYE/A4gIJxh
XnlwZT+EXafixy8qu/uLUjhwlfs+HiOtjaSP4q+N+LLfeSk+UeAXbT6nPt6d+B7Z
hd7RKOJR2eesWpc9L7/oq0tmJdXSkW9Qel3L9KssOiir/ZKqpyVISkBxTbce9Pq8
hqXne3HWJXBT19YBmRMSDD693J6siCPXuLSLJbTFN4d/NKM5MF7kTQ==
=jDnr
-----END PGP SIGNATURE-----

To the below I would add the types of activities discussed under this heading AND occurring in this news group and elsewhere upon the Internet:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Cyber Security Tip ST04-014

Avoiding Social Engineering and Phishing Attacks

Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.

What is a social engineering attack?

To launch a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information.
Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. How do you avoid being a victim? * Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company. * Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information. * Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email. * Don't send sensitive information over the Internet before checking a web site's security policy or looking for evidence that the information is being encrypted (see Protecting Your Privacy and Understanding Web Site Certificates for more information). * Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). * If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html). 
* Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information). What do you do if you think you are a victim? * If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity. * If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account (see Preventing and Responding to Identity Theft for more information). * Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/). _________________________________________________________________ Author: Mindi McDowell _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Note: This tip was previously published and is being re-distributed to increase awareness. Terms of use <http://www.us-cert.gov/legal.html> This document can also be found at <http://www.us-cert.gov/cas/tips/ST04-014.html> For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRp9k5vRFkHkM87XOAQL4bAf/QrdRKgj6nbUXJKf0PSH2L2MHruDeD8++ gVMVDGB2zvCiR5OrNbJ/I4AlfbSCIpigoL3jyoID15aPtZfeRzozc+MvOJsh6LW9 jH2TUCZjct2Md7EeGLPTemzydzYTUlzWj+YHs7T1qtQThq82jSiegFwCO8gnGzkH ItDwogX7B/hu15R8kLcM+j4fLYXvpaPIe8CsAW5xa7oA48FNy++Y3+SLm3H1M129 GSNHpRPzpg6/Z0GCdp0187gie17pWBGy0aYL+qxHFMpVFnZWZKXetAYYmTpcPprj fbbzMu5bfxeBmFKcDs/UEZzvsBEGENcG9C5E/UVNVI4UYYgBfit7kw== =7EFh -----END PGP SIGNATURE----- One may also contact and supply information [such as any related logs - firwall, system, etc.] to the various government agencies dealing with cyber terrorism, electronic communications, and other like activities for potential prosecution under (as example in the USA), The Anti-Terrorism Acts, The Patriot Act, The Homeland Security Act, The Electronic Communications Privacy Act, and several others. Check with your respective {international} governments related to and/or having jurisdiction over such activities. -- MEB http://peoplescounsel.orgfree.com ________
PCR, posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

glee wrote:
| It's alright, Curt....I get the joke, and I suspect PCR got a chuckle out of it.

Ah, ha, ha-- yea, it was funny. But what am I supposed to do with all these lottery tickets now?

| --
| Glen Ventura, MS MVP Shell/User, A+
|
| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...
|> MEB,
|>
|> You made a very legitimate point, and it was a rather feeble attempt at being facetious. While we aren't "good buds" PCR and I go back a long way, and I'm reasonably sure he may have found it funny.
|>
|> To all the others perusing this NG, it prolly *didn't* strike them as funny.
|>
|> As you mentioned, Internet security is certainly nothing to be scoffed at--especially at someone else's misfortune and expense.
|>
|> My heartiest apologies to all!
|>
|> Keep up the great work here.
|>
|> --
|> HTH,
|> Curt
|>
|> Windows Support Center
|> http://www.aumha.org
|> Practically Nerded,...
|> http://dundats.mvps.org/Index.htm
|>
|> "MEB" <meb@not here@hotmail.com> wrote in message news:%23SIVJEhyHHA.1576@TK2MSFTNGP03.phx.gbl...
|> |
|> | "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...
|> || You goof,
|> ||
|> || Those are the lottery numbers you've been expecting, that Augie promised to get to you somehow. Firewall intrusions..haaruumphh!
|> ||
|> || --
|> || HTH,
|> || Curt
|> ||
|> || Windows Support Center
|> || http://www.aumha.org
|> || Practically Nerded,...
|> || http://dundats.mvps.org/Index.htm
|> |
|> |
|> | SO Curt, are you claiming these as yours? Or was this a little hahaha,, not very funny when we ARE discussing systems intrusions or other attempts at monitoring activities ...
|> | I never consider any of these types of activities as laughable or ignorable... Sorry Curt, but with the present activities the people are being subjected to, without their knowledge or consent, I do take issue ....
|> |
|> | --
|> | MEB
|> | http://peoplescounsel.orgfree.com
|> | ________
....snip

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
PCR, posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

Franc Zabkar wrote:
| On Wed, 18 Jul 2007 20:20:29 -0400, "PCR" <pcrrcp@netzero.net> put finger to keyboard and composed:
|
|>Kerio Firewall has begun a series of messages such as these, coming once a minute or so, every so often...!...
|>
|>Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.
|
| <snip>
|
|>The port is owned by...
|>c:\windows\system\rpcss.exe
|
| What is RPCSS.EXE?
| http://cexx.org/rpc.htm
|
| ===================================================================
| In any event, what rpcss.exe does is to handle a number of API calls that relate to RPC. In general (and this is somewhat of a simplification to prevent techie talk overload), a program can register certain entry points (the "procedures" in remote procedure call) that can be accessed by external applications. This is known as the "portmapper" function. Once registered, anyone contacting the RPC port and asking, in the appropriate format, for a particular function provided by a particular program will be allowed to execute the function. Any security checks are up to the contacted program, as all the portmapper does is to make the necessary procedure call on behalf of the client.
|
| "WAIT JUST A MINUTE," you scream as your face turns red. "You mean ANY program can ask ANY OTHER program on MY MACHINE to do something for it WITHOUT MY KNOWLEDGE?" The sad truth is that, yes, this is true, and yes, this has been a constant source of security flaws in UNIX systems as such-and-such RPC service has this unchecked buffer or that improper security check which allows any remote user with the proper script to gain full control of the machine. Since no such flaws have been found in the rpcss.exe portmapper proper -- probably because no one's really looked -- the real threat comes from the programs that utilize the portmapper. Unlike UNIX, however, very few Windows programs use RPC; hell, most Windows 9x programmers aren't even aware that RPC exists, and RPC as a direct communications method is being replaced by DCOM and COM+ (which can, but do not necessarily, use RPC) in Windows 2000. Therefore, the likelihood of you even having a portmapped program on Windows 9x is extremely low, and thus the risk that RPC presents is also quite low.
| ===================================================================

I see. Thanks, Zabkar. Glee also posted that URL, I believe. From what I can make of it, I shouldn't disable rpcss.exe altogether. Suppose I were to set Kerio to block all traffic to & from it, though-- does that constitute disabling it altogether?

There, it's done-- UDP/TCP both directions is blocked for RPCSS.EXE-- any address, any port! That may be a bit impulsive, but I know I can recover from a major crash. Also, I fully intend to continue to research the matter until I 3/4 understand what I've done!

(I'm still working on responses to the replies, but thanks to all.)

|
| - Franc Zabkar
| --
| Please remove one 'i' from my address when replying by email.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
PCR, posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

Curt Christianson wrote:
| You goof,
|
| Those are the lottery numbers you've been expecting, that Augie promised to get to you somehow. Firewall intrusions..haaruumphh!

Ah, ha, ha! That's rich!

| --
| HTH,
| Curt
|
| Windows Support Center
| http://www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "PCR" <pcrrcp@netzero.net> wrote in message news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
|| PCR wrote:
||| Kerio Firewall has begun a series of messages such as these, coming once a minute or so, every so often...!...
|||
||| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.
|||
||| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
|||
||| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
|||
||| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
|||
||| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
|||
||| The port is owned by...
||| c:\windows\system\rpcss.exe
||
|| OK, I see, by the word of...
|| http://www.networksolutions.com/whois/index.jsp
||
|| .........Quote..................................
|| 24.64.9.177
|| Record Type: IP Address
||
|| OrgName: Shaw Communications Inc.
|| OrgID: SHAWC
|| Address: Suite 800
|| Address: 630 - 3rd Ave. SW
|| City: Calgary
|| StateProv: AB
|| PostalCode: T2P-4L4
|| Country: CA
||
|| ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
||
|| NetRange: 24.64.0.0 - 24.71.255.255
|| CIDR: 24.64.0.0/13
|| NetName: SHAW-COMM
|| NetHandle: NET-24-64-0-0-1
|| Parent: NET-24-0-0-0-0
|| NetType: Direct Allocation
|| NameServer: NS7.NO.CG.SHAWCABLE.NET
|| NameServer: NS8.SO.CG.SHAWCABLE.NET
|| Comment:
|| RegDate: 1996-06-03
|| Updated: 2006-02-08
||
|| OrgAbuseHandle: SHAWA-ARIN
|| OrgAbuseName: SHAW ABUSE
|| OrgAbusePhone: +1-403-750-7420
|| OrgAbuseEmail: internet.abuse@sjrb.ca
||
|| OrgTechHandle: ZS178-ARIN
|| OrgTechName: Shaw High-Speed Internet
|| OrgTechPhone: +1-403-750-7428
|| OrgTechEmail: ipadmin@sjrb.ca
|| .........EOQ......................
||
|| I see every one of those in SHAW-COMM's NET range. I've been denying the access & will continue to do so. But what are they trying to do?

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
PCR, posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

glee wrote:
| It is most likely a Windows Messenger spam attempt:
| http://www.linklogger.com/messenger_spam.htm

I don't have "NET SEND", although I do have "NET"...

C:\>net send
The command SEND is unknown.
For a list of valid commands, type NET HELP at the command prompt.
For help, type NET /? at the command prompt.

Can I suppose I don't need to allow RPCSS.EXE to use UDP/TCP at all?

| http://www.linklogger.com/UDP1026.htm

..........Quote that URL..........
Inbound Scan
Typically inbound traffic to this port is Messenger Spam which is more annoying then anything else, and hence not really worthy of a Link Logger alert, but still there is enough of this traffic that an explanation is helpful.

Outbound Scan
Outbound scans, if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated.
..........EOQ..............................

The ones I get are all inbound. So, probably I am safe yet, so long as I don't accept any.

| http://isc.sans.org/port.html?port=1027

I divine that is one possibility of what is trying to come in. There's no chance I will accept one now. As I posted elsewhere, I've blocked UDP/TCP both directions for RPCSS.EXE-- any address, any port! I'll just keep it that way, until I suffer a crash or other suspicious symptom-- or unless someone can definitively say I should not. I am on Dial-Up & use no networking other than normal Internet surfing.

Let me see whether those FTP sites still work...
ftp://ftp.microsoft.com/

Yea, that one still works. However (not that it's any different), I do have to permit...

Someone from 207.46.236.102, port 20 wants to connect to port 1341 owned by 'Internet Explorer' on your computer

....for every folder I click. But that's normal!

Thanks, glee & all others who responded-- with the possible exception of Christianson! [Just joking. :-).] I do have another firewall question or two, but will post it in new thread(s).

| --
| Glen Ventura, MS MVP Shell/User, A+
| http://dts-l.org/
| http://dts-l.org/goodpost.htm
|
|
| "PCR" <pcrrcp@netzero.net> wrote in message news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
|> PCR wrote:
|> | Kerio Firewall has begun a series of messages such as these, coming once a minute or so, every so often...!...
|> |
|> | Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.
|> |
|> | Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
|> |
|> | Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
|> |
|> | Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
|> |
|> | Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
|> |
|> | The port is owned by...
|> | c:\windows\system\rpcss.exe
|>
|> OK, I see, by the word of...
|> http://www.networksolutions.com/whois/index.jsp
|>
|> .........Quote..................................
|> 24.64.9.177
|> Record Type: IP Address
|>
|> OrgName: Shaw Communications Inc.
|> OrgID: SHAWC
|> Address: Suite 800
|> Address: 630 - 3rd Ave. SW
|> City: Calgary
|> StateProv: AB
|> PostalCode: T2P-4L4
|> Country: CA
|>
|> ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
|>
|> NetRange: 24.64.0.0 - 24.71.255.255
|> CIDR: 24.64.0.0/13
|> NetName: SHAW-COMM
|> NetHandle: NET-24-64-0-0-1
|> Parent: NET-24-0-0-0-0
|> NetType: Direct Allocation
|> NameServer: NS7.NO.CG.SHAWCABLE.NET
|> NameServer: NS8.SO.CG.SHAWCABLE.NET
|> Comment:
|> RegDate: 1996-06-03
|> Updated: 2006-02-08
|>
|> OrgAbuseHandle: SHAWA-ARIN
|> OrgAbuseName: SHAW ABUSE
|> OrgAbusePhone: +1-403-750-7420
|> OrgAbuseEmail: internet.abuse@sjrb.ca
|>
|> OrgTechHandle: ZS178-ARIN
|> OrgTechName: Shaw High-Speed Internet
|> OrgTechPhone: +1-403-750-7428
|> OrgTechEmail: ipadmin@sjrb.ca
|> .........EOQ......................
|>
|> I see every one of those in SHAW-COMM's NET range. I've been denying the access & will continue to do so. But what are they trying to do?

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
PCR, posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

98 Guy wrote:
| Ok, what's going on is this:
|
| Your modem recently obtained a new IP address (maybe it does this once a day, once an hour, once a month, I don't know).

I'm on dial-up, & I believe I get a new one each connection.

| In any case, the IP address you have now once belonged to someone that was part of a P2P network. They were part of a file-sharing network. Their IP address is known to the network (for the time being).
|
| Other computers are trying to access some file that they think is located on your computer.

I guess that is a possibility. But, whether innocent or guilty-- I don't want them to have it!

| So either those attempts will fade away with time, or you can re-boot your modem and obtain a new IP address.
|
| Looks like there are lots of downloaders in Alberta... :)

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
PCR, posted July 19, 2007
Re: Who are 24.64.9.177 & 24.64.8.158, etc.?

98 Guy wrote:
| PCR wrote:
|
|> Kerio Firewall has begun a series of messages such as these
|
| Why don't you have a NAT router?

Thanks, 98 Guy. I don't have a Network connection (other than what the Internet is), & I am on dial-up.

|> Someone from 24.64.9.177
|
| All those IP's belong to Shaw Cable internet, Calgary Alberta.

That's right, I later found an URL that said...
http://www.networksolutions.com/whois/index.jsp

..........Quote.............
NetRange: 24.64.0.0 - 24.71.255.255
....snip
NetName: SHAW-COMM
..........EOQ................

|> port 3222 wants to send UDP datagram
|
| No malware (as far as I can tell) is known to use port 3222. Recent port usage:
|
| http://isc.sans.org/port.html?port=3222

I can't click that, I've been thrown offline by NetZero. But, as I understand it, that port is on SHAW-COMM's computer. Why should I trust it wouldn't be used for an ill purpose?

|> to port 1027 owned by 'Distributed COM Services' on your computer.
|
| I don't think that DCOM is normally installed on windows-98 systems.

Yea, it is-- at least, Compaq installed it in this 7470!

| The Shaw Cable computer is either trying to exploit a DCOM vulnerability on your computer, or is attempting to connect to a trojan that it thinks might be running on your computer and listening on port 1027.

There certainly is something listening on "localhost:1027". That is RPCSS.exe. It also is listening on "all:135"-- which was my Junior High School! And that evokes particularly horrid memories!

|> The port is owned by...
|> c:\windows\system\rpcss.exe
|
| Unless I'm mistaken, your computer is running win-2k or XP, not win-98.

You are mistaken, but it could be something Compaq did. Well, wait a minute,...

Cabinet WIN98_46.CAB
04-23-1999  10:22:00p  A---  20,480  rpcss.exe

.... it's in my 98SE .cab's!

| A home computer located somewhere in Alberta is performing a port-scan on your computer, attempting to either install some malware on your system via a DCOM exploit, or is attempting to contact a trojan running on your computer and give it instructions to do something (to obtain some new software, to send spam to someone, etc).

That's what I was afraid of! Oh, my God!

| The fact that they are coming from different addresses every few minutes is strange - it would indicate that it's coming from different machines - as in some sort of coordinated scan directly on to machine. Not sure what would be the reason for that.

I GUESS, because I kept disallowing it, it was tried from different IPs, thinking I was just blocking a specific one. But now I've blocked all UDP/TCP, both directions, all ports for rpcss.exe. Let's see what happens with that!

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
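Two points in the thread call for the same small tool: glee's linklogger quote (inbound UDP to 1026/1027 is the Messenger-spam pattern, outbound would be the worrying direction) and 98 Guy's observation that the alerts arrive from different addresses every few minutes. The script below is an added example, not code from the thread, from Kerio, or from any of the sites linked; it parses the Kerio popup text exactly as quoted in the thread, checks every source address against the NetRange/CIDR the whois lookup returned (24.64.0.0/13, SHAW-COMM), counts distinct sources, and flags the Messenger-spam pattern. The sample alerts are the five lines PCR posted plus the FTP-data popup for Internet Explorer; treating Kerio's "connect to" wording as TCP is an assumption.

```python
"""Triage of Kerio Personal Firewall alert lines (added example, not from the thread).

Reads alert popups in the wording the thread quotes, checks the sources against
one whois allocation, and flags inbound UDP to 1026/1027 as the Messenger-spam
pattern described by the linklogger page glee linked.
"""
import ipaddress
import re
from collections import Counter

# Kerio's popup wording as quoted in the thread. "send UDP datagram" is UDP;
# "connect to" is assumed here to denote a TCP connection (assumption).
ALERT_RE = re.compile(
    r"Someone from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), port (?P<sport>\d+) "
    r"wants to (?P<verb>send UDP datagram to|connect to) port (?P<dport>\d+) "
    r"owned by '(?P<owner>[^']+)'"
)

# Inbound UDP to these ports is what the quoted linklogger page calls Messenger spam.
MESSENGER_SPAM_PORTS = {1026, 1027}

# Allocation from the whois record quoted in the thread (CIDR: 24.64.0.0/13, SHAW-COMM).
WHOIS_CIDR = "24.64.0.0/13"

# Sample input: the alert lines quoted in the thread, plus one non-alert line.
SAMPLE_ALERTS = [
    "Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.",
    "Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer",
    "Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer",
    "Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer",
    "Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer",
    "Someone from 207.46.236.102, port 20 wants to connect to port 1341 owned by 'Internet Explorer' on your computer",
    "The port is owned by... c:\\windows\\system\\rpcss.exe",
]


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert popup."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "proto": "UDP" if m.group("verb").startswith("send UDP") else "TCP",
        "dport": int(m.group("dport")),
        "owner": m.group("owner"),
    }


def is_messenger_spam_pattern(alert):
    """Inbound UDP to 1026/1027: the nuisance pattern, not an outbound scan."""
    return alert["proto"] == "UDP" and alert["dport"] in MESSENGER_SPAM_PORTS


def triage(lines, whois_cidr):
    """Summarise a batch of alert lines against one whois allocation."""
    net = ipaddress.ip_network(whois_cidr)
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    spam = [a for a in alerts if is_messenger_spam_pattern(a)]
    other = [a for a in alerts if not is_messenger_spam_pattern(a)]
    sources = Counter(str(a["src"]) for a in spam)
    return {
        "alerts": len(alerts),
        "messenger_spam": len(spam),
        # Several distinct sources inside one allocation is what 98 Guy found odd.
        "distinct_sources": len(sources),
        "all_in_allocation": all(a["src"] in net for a in spam),
        "outside_allocation": sorted({str(a["src"]) for a in alerts if a["src"] not in net}),
        "other": [(str(a["src"]), a["proto"], a["dport"], a["owner"]) for a in other],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS, WHOIS_CIDR).items():
        print(f"{key}: {value}")
```

Run over the thread's own lines it reports five Messenger-spam-pattern alerts from five distinct sources, all inside 24.64.0.0/13, and one unrelated TCP connect (the Microsoft FTP data channel) outside the allocation. Only the direction and port are classified; the source's intent is not, which is why the block-and-observe decision PCR took remains the right one for a dial-up host that offers no service on those ports.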