Help!

Rogue Packets on Port 1027?

 
  

Randy Yates
Posted: Fri Jul 20, 2007 10:59 am    Post subject: Rogue Packets on Port 1027?
Archived from groups: comp.os.linux.security, others

I monitored my network traffic using wireshark (a fantastic tool,
by the way) and found that I'm getting rogue packets that wireshark
is identifying as follows:

No Time Source Destination Protocol Info
-- ---- ------ ----------- -------- ----
36 30.879265 218.27.148.78 192.168.1.104 Messenger NetrSendMessage request

The message part of the packet is reported by wireshark as follows:

00b0 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5..... ..5...ST
00c0 4f 50 21 20 57 49 4e 44 4f 57 53 20 52 45 51 55 OP! WIND OWS REQU
00d0 49 52 45 53 20 49 4d 4d 45 44 49 41 54 45 20 41 IRES IMM EDIATE A
00e0 54 54 45 4e 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f TTENTION ...Windo
00f0 77 73 20 68 61 73 20 66 6f 75 6e 64 20 35 35 20 ws has f ound 55
0100 43 72 69 74 69 63 61 6c 20 53 79 73 74 65 6d 20 Critical System
0110 45 72 72 6f 72 73 2e 0a 0a 54 6f 20 66 69 78 20 Errors.. .To fix
0120 74 68 65 20 65 72 72 6f 72 73 20 70 6c 65 61 73 the erro rs pleas
0130 65 20 64 6f 20 74 68 65 20 66 6f 6c 6c 6f 77 69 e do the followi
0140 6e 67 3a 0a 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 ng:..1. Download
0150 20 52 65 67 69 73 74 72 79 20 55 70 64 61 74 65 Registr y Update
0160 20 66 72 6f 6d 3a 20 77 77 77 2e 72 65 67 66 69 from: w ww.regfi
0170 78 69 74 2e 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 xit.com. 2. Insta
0180 6c 6c 20 52 65 67 69 73 74 72 79 20 55 70 64 61 ll Regis try Upda
0190 74 65 0a 33 2e 20 52 75 6e 20 52 65 67 69 73 74 te.3. Ru n Regist
01a0 72 79 20 55 70 64 61 74 65 0a 34 2e 20 52 65 62 ry Updat e.4. Reb
01b0 6f 6f 74 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 oot your compute
01c0 72 0a 0a 46 41 49 4c 55 52 45 20 54 4f 20 41 43 r..FAILU RE TO AC
01d0 54 20 4e 4f 57 20 4d 41 59 20 4c 45 41 44 20 54 T NOW MA Y LEAD T
01e0 4f 20 53 59 53 54 45 4d 20 46 41 49 4c 55 52 45 O SYSTEM FAILURE
01f0 21 0a 00 !..

My system is responding with

No Time Source Destination Protocol Info
-- ---- ------ ----------- -------- ----
37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)

There is an outgoing message that appears to be similar to the incoming one:

0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0 ...._... [CDj..E.
0010 02 01 a3 53 00 00 40 01 a4 6e c0 a8 01 68 da 1b ...S..@. .n...h..
0020 94 4e 03 03 2f 5a 00 00 00 00 45 00 01 e5 00 00 .N../Z.. ..E.....
0030 40 00 27 11 21 8e da 1b 94 4e c0 a8 01 68 bb 92 @.'.!... .N...h..
0040 04 03 01 d1 a4 8d 04 00 28 00 10 00 00 00 00 00 ........ (.......
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 ........ ........
0060 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc ca 23 {Z...... ..O....#
0070 2a 88 87 c5 7d 05 ae e7 bd 9b 51 d1 6b ce 00 00 *...}... ..Q.k...
0080 00 00 01 00 00 00 00 00 00 00 00 00 ff ff ff ff ........ ........
0090 79 01 00 00 00 00 10 00 00 00 00 00 00 00 10 00 y....... ........
00a0 00 00 46 52 4f 4d 00 00 00 00 00 00 00 00 00 00 ..FROM.. ........
00b0 00 00 10 00 00 00 00 00 00 00 10 00 00 00 54 4f ........ ......TO
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 01 ........ ......5.
00d0 00 00 00 00 00 00 35 01 00 00 53 54 4f 50 21 20 ......5. ..STOP!
00e0 57 49 4e 44 4f 57 53 20 52 45 51 55 49 52 45 53 WINDOWS REQUIRES
00f0 20 49 4d 4d 45 44 49 41 54 45 20 41 54 54 45 4e IMMEDIA TE ATTEN
0100 54 49 4f 4e 2e 0a 0a 57 69 6e 64 6f 77 73 20 68 TION...W indows h
0110 61 73 20 66 6f 75 6e 64 20 35 35 20 43 72 69 74 as found 55 Crit
0120 69 63 61 6c 20 53 79 73 74 65 6d 20 45 72 72 6f ical Sys tem Erro
0130 72 73 2e 0a 0a 54 6f 20 66 69 78 20 74 68 65 20 rs...To fix the
0140 65 72 72 6f 72 73 20 70 6c 65 61 73 65 20 64 6f errors p lease do
0150 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 3a 0a the fol lowing:.
0160 0a 31 2e 20 44 6f 77 6e 6c 6f 61 64 20 52 65 67 .1. Down load Reg
0170 69 73 74 72 79 20 55 70 64 61 74 65 20 66 72 6f istry Up date fro
0180 6d 3a 20 77 77 77 2e 72 65 67 66 69 78 69 74 2e m: www.r egfixit.
0190 63 6f 6d 0a 32 2e 20 49 6e 73 74 61 6c 6c 20 52 com.2. I nstall R
01a0 65 67 69 73 74 72 79 20 55 70 64 61 74 65 0a 33 egistry Update.3
01b0 2e 20 52 75 6e 20 52 65 67 69 73 74 72 79 20 55 . Run Re gistry U
01c0 70 64 61 74 65 0a 34 2e 20 52 65 62 6f 6f 74 20 pdate.4. Reboot
01d0 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 0a 0a 46 your com puter..F
01e0 41 49 4c 55 52 45 20 54 4f 20 41 43 54 20 4e 4f AILURE T O ACT NO
01f0 57 20 4d 41 59 20 4c 45 41 44 20 54 4f 20 53 59 W MAY LE AD TO SY
0200 53 54 45 4d 20 46 41 49 4c 55 52 45 21 0a 00 STEM FAI LURE!..

The packets are coming perhaps once every 2 to 5 minutes.

I don't understand why these packets are getting through my router
since I do not have port 1027 enabled.

Can anyone identify these packets or give advice?

Also, is there a way to find out what processes are receiving/sending
a specific packet? For example, how do I determine what process/service
is generating the ICMP response above?
--
% Randy Yates % "Remember the good old 1980's, when
%% Fuquay-Varina, NC % things were so uncomplicated?"
%%% 919-577-9882 % 'Ticket To The Moon'
%%%% <yates.RemoveThis@ieee.org> % *Time*, Electric Light Orchestra
http://home.earthlink.net/~yatescr
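
The outgoing frame in the post above can be decoded by hand to see which machine produced the ICMP reply and which datagram it quotes. The following Python is an added example, not part of the original thread; it parses the first 80 bytes of that dump (copied from the post, ASCII column omitted), and the function names are made up for this illustration.

```python
import struct
from ipaddress import IPv4Address

# First 80 bytes of the outgoing frame, copied from rows 0000-0040 of the
# second Wireshark dump in the post above (ASCII column omitted).
OUTGOING_FRAME_DUMP = """\
0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0
0010 02 01 a3 53 00 00 40 01 a4 6e c0 a8 01 68 da 1b
0020 94 4e 03 03 2f 5a 00 00 00 00 45 00 01 e5 00 00
0030 40 00 27 11 21 8e da 1b 94 4e c0 a8 01 68 bb 92
0040 04 03 01 d1 a4 8d 04 00 28 00 10 00 00 00 00 00
"""

ETH_HEADER_LEN = 14
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH, ICMP_CODE_PORT = 3, 3


def dump_to_bytes(text):
    """Convert 'offset b0 .. b15 [ascii]' rows of a hex dump to bytes."""
    out = bytearray()
    for row in text.splitlines():
        # Column 0 is the offset; at most 16 byte columns follow it.
        for token in row.split()[1:17]:
            if len(token) != 2:
                break  # ran into the ASCII column of a short last row
            try:
                out.append(int(token, 16))
            except ValueError:
                break
    return bytes(out)


def header_checksum_ok(header):
    """A valid IPv4 header sums (one's complement, 16-bit) to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4(buf, off):
    """Return (selected header fields, offset of the IPv4 payload)."""
    if len(buf) < off + 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _length, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < off + ihl:
        raise ValueError("not a complete IPv4 header")
    fields = {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": header_checksum_ok(buf[off:off + ihl]),
    }
    return fields, off + ihl


def explain_icmp_error(frame):
    """Decode an Ethernet frame carrying ICMP destination-unreachable."""
    if len(frame) < ETH_HEADER_LEN or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    outer, icmp_off = parse_ipv4(frame, ETH_HEADER_LEN)
    if outer["proto"] != PROTO_ICMP or len(frame) < icmp_off + 8:
        raise ValueError("no complete ICMP header")
    icmp_type, icmp_code = frame[icmp_off], frame[icmp_off + 1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("only destination-unreachable is handled here")
    # An ICMP error carries the offending datagram after its 8-byte header.
    quoted, l4_off = parse_ipv4(frame, icmp_off + 8)
    sport = dport = None
    if quoted["proto"] in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4_off + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4_off)
    return {
        "reporter": outer["src"],          # host that generated the error
        "reporter_ttl": outer["ttl"],
        "outer_checksum_ok": outer["checksum_ok"],
        "port_unreachable": icmp_code == ICMP_CODE_PORT,
        "quoted": quoted,                  # the datagram being rejected
        "quoted_sport": sport,
        "quoted_dport": dport,
    }


if __name__ == "__main__":
    info = explain_icmp_error(dump_to_bytes(OUTGOING_FRAME_DUMP))
    q = info["quoted"]
    print("ICMP error sent by %s (TTL %d)" % (info["reporter"], info["reporter_ttl"]))
    print("rejected datagram: %s:%s -> %s:%s, proto %d, TTL %d on arrival" % (
        q["src"], info["quoted_sport"], q["dst"], info["quoted_dport"],
        q["proto"], q["ttl"]))
```

On the posted bytes both IPv4 header checksums verify, the ICMP port-unreachable has source 192.168.1.104 with TTL 64 (the Linux default initial value), and the quoted datagram is UDP from 218.27.148.78 already addressed to 192.168.1.104 port 1027. The "similar outgoing message" is therefore the host's own error reply quoting a datagram that had already been forwarded to the LAN address.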

Lew Pitcher
Posted: Fri Jul 20, 2007 10:59 am    Post subject: Re: Rogue Packets on Port 1027?

On Jul 20, 10:59 am, Randy Yates <ya... DeleteThis @ieee.org> wrote:
> I monitored my network traffic using wireshark (a fantastic tool,
> by the way) and found that I'm getting rogue packets that wireshark
> is identifying as follows:
>
> No Time Source Destination Protocol Info
> -- ---- ------ ----------- -------- ----
> 36 30.879265 218.27.148.78 192.168.1.104 Messenger NetrSendMessage request
>
> The message part of the packet is reported by wireshark as follows:
>
> 00b0 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5..... ..5...ST
> 00c0 4f 50 21 20 57 49 4e 44 4f 57 53 20 52 45 51 55 OP! WIND OWS REQU
[snip]

OK, your router received a packet (obviously meant for a MSWindows
system)


> My system is responding with
>
> No Time Source Destination Protocol Info
> -- ---- ------ ----------- -------- ----
> 37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)
>
> There is an outgoing message that appears to be similar to the incoming one:
>
> 0000 00 14 bf 07 5f ac 00 11 5b 43 44 6a 08 00 45 c0 ...._... [CDj..E.
[snip]

and your router responded with an ICMP reject message.

>
> The packets are coming perhaps once every 2 to 5 minutes.
>
> I don't understand why these packets are getting through my router
> since I do not have port 1027 enabled.

The packets aren't "getting through your router". They are being
stopped by your router and rejected with the appropriate ICMP reject
message.

> Can anyone identify these packets or give advice?

Typical MSWindows "Windows Messaging Service" spam attack, answered by
your router as "please go away, there's no one at that address".

> Also, is there a way to find out what processes are receiving/sending
> a specific packet?

Sending the original packet? No, that's outside of your environment.
Receiving the original packet? Why, your router is receiving the
packet and disposing of it nicely.
Sending the reply ICMP message? That's your router, telling the other
guy to go away.
Receiving the reply ICMP message? No, that's outside of your
environment.

> For example, how do I determine what process/service
> is generating the ICMP response above?

That's no process. That's your router.

Randy Yates
Posted: Fri Jul 20, 2007 3:20 pm    Post subject: Re: Rogue Packets on Port 1027?

Lew Pitcher <lpitcher.DeleteThis@teksavvy.com> writes:
> [...]
> The packets aren't "getting through your router". They are being
> stopped by your router

Then why would software that runs on my computer detect it? Note
that my "router" has two physical interfaces, one out to the "internet"
and one to my "computer."
--
% Randy Yates % "...the answer lies within your soul
%% Fuquay-Varina, NC % 'cause no one knows which side
%%% 919-577-9882 % the coin will fall."
%%%% <yates.DeleteThis@ieee.org> % 'Big Wheels', *Out of the Blue*, ELO
http://home.earthlink.net/~yatescr

Todd H.
Posted: Fri Jul 20, 2007 3:27 pm    Post subject: Re: Rogue Packets on Port 1027?

Randy Yates <yates DeleteThis @ieee.org> writes:

> I monitored my network traffic using wireshark (a fantastic tool,
> by the way) and found that I'm getting rogue packets that wireshark
> is identifying as follows:
>
> No Time Source Destination Protocol Info
> -- ---- ------ ----------- -------- ----
> 36 30.879265 218.27.148.78 192.168.1.104 Messenger
> NetrSendMessage request

Safe to assume 192.168.1.104 is the IP address of your LAN connected
computer running wireshark?

1027 is this a udp port number? I'm assuming udp since that's what
windows messenger listened on -- dynamic port > 1024.

If so, it is a bit disconcerting. What make/model/hardware
rev/software level of the router? Have you verified that your
computer hasn't somehow been put in the dmz of the router? There are
some web-based sploits out there for some popular home router
appliances that do this just by visiting a web page.

Or, it could be that your router isn't blocking inbound udp (but is
likely blocking inbound tcp).

> My system is responding with
>
> No Time Source Destination Protocol Info
> -- ---- ------ ----------- -------- ----
> 37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)

> I don't understand why these packets are getting through my router
> since I do not have port 1027 enabled.

Nor do I.

> Can anyone identify these packets or give advice?

They're windows messenger messages - the ones that aim to pop up an
announcement window on your machine if they were to ever reach it and
the messenger service process it.

> Also, is there a way to find out what processes are receiving/sending
> a specific packet? For example, how do I determine what process/service
> is generating the ICMP response above?

If I had to guess, the process sending the ICMP would be windows
firewall, a third party firewall if any, or the tcp/ip stack of the
machine itself.

netstat -an | grep 1027 on your local machine should tell you if 1027
is listening from the localhost perspective. If it is, then a
software firewall is probably doing the ICMP reply. If not, then it's
possible either the firewall or the tcp/ip stack itself is sayin no
one's home.

I'm not an expert in this, so I invite others to clarify/correct, but
I share your concern as to why this inbound traffic isn't being
filtered by your border device.

Best Regards,
--
Todd H.
http://www.toddh.net/

Randy Yates
Posted: Fri Jul 20, 2007 4:26 pm    Post subject: Re: Rogue Packets on Port 1027?

Hi Todd,

Thanks for responding.

comphelp RemoveThis @toddh.net (Todd H.) writes:

> Randy Yates <yates RemoveThis @ieee.org> writes:
>
>> I monitored my network traffic using wireshark (a fantastic tool,
>> by the way) and found that I'm getting rogue packets that wireshark
>> is identifying as follows:
>>
>> No Time Source Destination Protocol Info
>> -- ---- ------ ----------- -------- ----
>> 36 30.879265 218.27.148.78 192.168.1.104 Messenger
>> NetrSendMessage request
>
> Safe to assume 192.168.1.104 is the IP address of your LAN connected
> computer running wireshark?

Correct.

> 1027 is this a udp port number? I'm assuming udp since that's what
> windows messenger listened on -- dynamic port > 1024.

Since wireshark lists the entry

User Datagram Protocol, Src Port: 32924 (32924), Dst Port: cap (1026)

for the packet, I guess that means it's a UDB packet? Oh, by the way,
it seems to shuffle the ports a bit - the one above was captured just
a minute ago and uses port 1026.

> If so, it is a bit disconcerting. What make/model/hardware
> rev/software level of the router?

Linksys WRT54G, Firmware Version: v3.03.9.

> Have you verified that your computer hasn't somehow been put in the
> dmz of the router?

I have now - that option is disabled (and had been disabled).

> There are some web-based sploits out there for some popular home
> router appliances that do this just by visiting a web page.

Even through a linux system? By the way, I'm running

Linux localhost.localdomain 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:18:54 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

> Or, it could be that your router isn't blocking inbound udp (but is
> likely blocking inbound tcp).

It looks to me like it blocks both unless either is explicitly enabled in the
"Applications and Gaming" tab of the configuration page.

>> My system is responding with
>>
>> No Time Source Destination Protocol Info
>> -- ---- ------ ----------- -------- ----
>> 37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)
>
>> I don't understand why these packets are getting through my router
>> since I do not have port 1027 enabled.
>
> Nor do I.
>
>> Can anyone identify these packets or give advice?
>
> They're windows messenger messages - the ones that aim to pop up an
> announcement window on your machine if they were to ever reach it and
> the messenger service process it.

But that doesn't work on linux, right?

>> Also, is there a way to find out what processes are receiving/sending
>> a specific packet? For example, how do I determine what process/service
>> is generating the ICMP response above?
>
> If I had to guess, the process sending the ICMP would be windows
> firewall, a third party firewall if any, or the tcp/ip stack of the
> machine itself.

Since this is linux, probably the latter, no?

> netstat -an | grep 1027 on your local machine should tell you if 1027
> is listening from the localhost perspective.

I get no matches.

> If it is, then a
> software firewall is probably doing the ICMP reply. If not, then it's
> possible either the firewall or the tcp/ip stack itself is sayin no
> one's home.
>
> I'm not an expert in this, so I invite others to clarify/correct, but
> I share your concern as to why this inbound traffic isn't being
> filtered by your border device.

Thanks for your input, Todd. Every little bit helps.
--
% Randy Yates % "Watching all the days go by...
%% Fuquay-Varina, NC % Who are you and who am I?"
%%% 919-577-9882 % 'Mission (A World Record)',
%%%% <yates RemoveThis @ieee.org> % *A New World Record*, ELO
http://home.earthlink.net/~yatescr

Todd H.
Posted: Fri Jul 20, 2007 4:26 pm    Post subject: Re: Rogue Packets on Port 1027?

Randy Yates <yates RemoveThis @ieee.org> writes:

> Hi Todd,
>
> Thanks for responding.
>
> comphelp RemoveThis @toddh.net (Todd H.) writes:
>
> > Randy Yates <yates RemoveThis @ieee.org> writes:
> >
> >> I monitored my network traffic using wireshark (a fantastic tool,
> >> by the way) and found that I'm getting rogue packets that wireshark
> >> is identifying as follows:
> >>
> >> No Time Source Destination Protocol Info
> >> -- ---- ------ ----------- -------- ----
> >> 36 30.879265 218.27.148.78 192.168.1.104 Messenger
> >> NetrSendMessage request
> >
> > Safe to assume 192.168.1.104 is the IP address of your LAN connected
> > computer running wireshark?
>
> Correct.
>
> > 1027 is this a udp port number? I'm assuming udp since that's what
> > windows messenger listened on -- dynamic port > 1024.
>
> Since wireshark lists the entry
>
> User Datagram Protocol, Src Port: 32924 (32924), Dst Port: cap (1026)
>
> for the packet, I guess that means it's a UDB packet? Oh, by the way,
> it seems to shuffle the ports a bit - the one above was captured just
> a minute ago and uses port 1026.

Yeah UDP is user datagram protocol.

Okay, and the messenger spim is using random ports trying to look for
a running messenger process.

> > If so, it is a bit disconcerting. What make/model/hardware
> > rev/software level of the router?
>
> Linksys WRT54G, Firmware Version: v3.03.9.

Which hardware version? It's on the sticker on the bottom.

> > There are some web-based sploits out there for some popular home
> > router appliances that do this just by visiting a web page.
>
> Even through a linux system? By the way, I'm running

Yeah. Even Mozilla with javascript enabled can be triggered to send
an HTTP POST request from the browser, but looks like you may be fine
all the same. Verify remote management is turned off on the router
and consider the latest firmware.


despite the title of this one the wrt54g is affected in certain hw
revisions:
http://www.securityfocus.com/bid/19347

and
http://www.securityfocus.com/bid/14822/info

and there are others.


> Linux localhost.localdomain 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:18:54 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> > Or, it could be that your router isn't blocking inbound udp (but
> > is likely blocking inbound tcp).
>
> It looks to me like it blocks both unless either is explicitly enabled in the
> "Applications and Gaming" tab of the configuration page.

Tried any online port scanner thingees to see what seems to get
through?

http://www.broadbandreports.com/tools
portscan (down at the moment it seems)

or, more annoyingly:

https://www.grc.com/x/ne.dll?bh0bkyd2


and you can even spim yourself:
https://www.grc.com/x/ne.dll?rh1dkyd2



> > They're windows messenger messages - the ones that aim to pop up an
> > announcement window on your machine if they were to ever reach it and
> > the messenger service process it.
>
> But that doesn't work on linux, right?

Correct. It won't find a listening messenger service. Depending on
whether you have the linux firewall up and configured will probably
determine which process or the kernel is actually sending the ICMP
message in response.

These messenger SPIM's (spam, via instant messages) being sent all
over are nearly always using spoofed source addresses anyway so the
ICMP network unreachable is probably going back to a host that either
doesn't exist or didn't send it in the first place.

Best Regards,
--
Todd H.
http://www.toddh.net/

Randy Yates
Posted: Fri Jul 20, 2007 4:59 pm    Post subject: Re: Rogue Packets on Port 1027?

comphelp.RemoveThis@toddh.net (Todd H.) writes:

> Randy Yates <yates.RemoveThis@ieee.org> writes:
>> Linksys WRT54G, Firmware Version: v3.03.9.
>
> Which hardware version? It's on the sticker on the bottom.

V.3

Thanks for the links - I'm checking them out now.
--
% Randy Yates % "My Shangri-la has gone away, fading like
%% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
%%% 919-577-9882 %
%%%% <yates.RemoveThis@ieee.org> % 'Shangri-La', *A New World Record*, ELO
http://home.earthlink.net/~yatescr

Randy Yates
Posted: Fri Jul 20, 2007 5:40 pm    Post subject: Re: Rogue Packets on Port 1027?

Todd,

I've since upgraded to firmware version 4.21.1, verified remote
access is off, disabled wireless web access, and disabled UPnP,
but I'm still getting the exact same packets.

--Stumped


--
% Randy Yates % "My Shangri-la has gone away, fading like
%% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
%%% 919-577-9882 %
%%%% <yates RemoveThis @ieee.org> % 'Shangri-La', *A New World Record*, ELO
http://home.earthlink.net/~yatescr

Randy Yates
Posted: Fri Jul 20, 2007 5:50 pm    Post subject: Re: Rogue Packets on Port 1027?

Should I click on the "Filter Internet NAT Redirection" box? Should
I disable IPSec, PPTP, and L2TP passthroughs?

--Randy

--
% Randy Yates % "Midnight, on the water...
%% Fuquay-Varina, NC % I saw... the ocean's daughter."
%%% 919-577-9882 % 'Can't Get It Out Of My Head'
%%%% <yates.DeleteThis@ieee.org> % *El Dorado*, Electric Light Orchestra
http://home.earthlink.net/~yatescr

Dave {Reply Address in.Si
Posted: Fri Jul 20, 2007 9:31 pm    Post subject: Re: Rogue Packets on Port 1027?

This message is not archived

Randy Yates
Posted: Fri Jul 20, 2007 9:32 pm    Post subject: Re: Rogue Packets on Port 1027?

"Dave {Reply Address in.Sig}" <noone$$@llondel.org> writes:

> How about having a DMZ set up to point to that machine? that way it gets
> everything by default.

I don't get you - can you please explain more? I don't think I really
understand what a DMZ is.
--
% Randy Yates % "My Shangri-la has gone away, fading like
%% Fuquay-Varina, NC % the Beatles on 'Hey Jude'"
%%% 919-577-9882 %
%%%% <yates.DeleteThis@ieee.org> % 'Shangri-La', *A New World Record*, ELO
http://home.earthlink.net/~yatescr

Todd H.
Posted: Fri Jul 20, 2007 9:32 pm    Post subject: Re: Rogue Packets on Port 1027?

Randy Yates <yates.DeleteThis@ieee.org> writes:

> "Dave {Reply Address in.Sig}" <noone$$@llondel.org> writes:
>
> > How about having a DMZ set up to point to that machine? that way it gets
> > everything by default.
>
> I don't get you - can you please explain more? I don't think I really
> understand what a DMZ is.

I think Dave may have been suggesting that perhaps your linux machine
was configured to be in the DMZ of the router (in which case it
wouldn't see any filtering from the router). I mentioned this as well
and you had checked and verified in the config that it wasn't the
case.

If, on the other hand Dave was suggesting you add the host to the DMZ,
nah, I don't understand that either, or Dave may have misunderstood
the question you were asking.

Best Regards,
--
Todd H.
http://www.toddh.net/

Dave {Reply Address in.Si
Posted: Fri Jul 20, 2007 10:49 pm    Post subject: Re: Rogue Packets on Port 1027?

This message is not archived

Dave {Reply Address in.Si
Posted: Fri Jul 20, 2007 11:06 pm    Post subject: Re: Rogue Packets on Port 1027?

This message is not archived

Randy Yates
Posted: Sat Jul 21, 2007 10:30 am    Post subject: Re: Rogue Packets on Port 1027?

Here's another, related question.

The router is itself a computer, no? I
think they use some type of embedded linux
system.

Isn't it possible that the router has been
owned, and that various attacks/spoofs/whatever
is being executed by the router?

After my upgrade yesterday, I realized that if
you owned the router, you could even fake firmware
upgrades by parsing the binary and extracting and
reporting the new firmware revision number without
actually upgrading anything.

--Randy


comphelp RemoveThis @toddh.net (Todd H.) writes:

> Randy Yates <yates RemoveThis @ieee.org> writes:
>
>> "Dave {Reply Address in.Sig}" <noone$$@llondel.org> writes:
>>
>> > How about having a DMZ set up to point to that machine? that way it gets
>> > everything by default.
>>
>> I don't get you - can you please explain more? I don't think I really
>> understand what a DMZ is.
>
> I think Dave may have been suggesting that perhaps your linux machine
> was configured to be in the DMZ of the router (in which case it
> wouldn't see any filtering from the router). I mentioned this as well
> and you had checked and verified in the config that it wasn't the
> case.
>
> If, on the other hand, Dave was suggesting you add the host to the DMZ,
> nah, I don't understand that either, or Dave may have misunderstood
> the question you were asking.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

--
% Randy Yates % "Bird, on the wing,
%% Fuquay-Varina, NC % goes floating by
%%% 919-577-9882 % but there's a teardrop in his eye..."
%%%% <yates RemoveThis @ieee.org> % 'One Summer Dream', *Face The Music*, ELO
http://home.earthlink.net/~yatescr

Randy Yates
External

Since: Sep 07, 2006
Posts: 159

Posted: Sat Jul 21, 2007 3:02 pm    Post subject: Re: Rogue Packets on Port 1027? PROBLEM SOLVED!

OK, are you ready for this?????? ....

I had mistakenly (a long time ago) configured my router
(via the applications and gaming tab) to forward ALL ports
in the range 80 to 8080 to one of my local computers instead
of just port 80.

SHEESH!!!!!

Thanks for all the help, especially to you, Todd.

--Randy


Randy Yates <yates.RemoveThis@ieee.org> writes:

> I monitored my network traffic using wireshark (a fantastic tool,
> by the way) and found that I'm getting rogue packets that wireshark
> is identifying as follows:
>
> No Time Source Destination Protocol Info
> -- ---- ------ ----------- -------- ----
> 36 30.879265 218.27.148.78 192.168.1.104 Messenger NetrSendMessage request
>
> The message part of the packet is reported by wireshark as follows:
>
> My system is responding with
>
> No Time Source Destination Protocol Info
> -- ---- ------ ----------- -------- ----
> 37 30.879333 192.168.1.104 218.27.148.78 ICMP Destination unreachable (Port unreachable)
>
> There is an outgoing message that appears to be similar to the incoming one:
>
> The packets are coming perhaps once every 2 to 5 minutes.
>
> I don't understand why these packets are getting through my router
> since I do not have port 1027 enabled.
>
> Can anyone identify these packets or give advice?
>
> Also, is there a way to find out what processes are receiving/sending
> a specific packet? For example, how do I determine what process/service
> is generating the ICMP response above?
> --
> % Randy Yates % "Remember the good old 1980's, when
> %% Fuquay-Varina, NC % things were so uncomplicated?"
> %%% 919-577-9882 % 'Ticket To The Moon'
> %%%% <yates.RemoveThis@ieee.org> % *Time*, Electric Light Orchestra
> http://home.earthlink.net/~yatescr

--
% Randy Yates % "Rollin' and riding and slippin' and
%% Fuquay-Varina, NC % sliding, it's magic."
%%% 919-577-9882 %
%%%% <yates.RemoveThis@ieee.org> % 'Living' Thing', *A New World Record*, ELO
http://home.earthlink.net/~yatescr

saucily
External

Since: Jul 21, 2007
Posts: 4

Posted: Sat Jul 21, 2007 7:32 pm    Post subject: Re: Rogue Packets on Port 1027?

On Jul 21, 7:30 am, Randy Yates <ya....TakeThisOut@ieee.org> wrote:
> Here's another, related question.
>
> The router is itself a computer, no? I
> think they use some type of embedded linux
> system.
>
> Isn't it possible that the router has been
> owned, and that various attacks/spoofs/whatever
> is being executed by the router?

Possible, but fairly unlikely in my experience. Most real exploits
out there are targeted at MS and I've never heard of anyone having a
hacked WRT54G, but that's not to say it's not possible (a quick google
yielded this http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gc...24857,0)

If you're a Linux user though, I would definitely recommend installing
a third-party firmware for this device. I run DD-WRT on my 54G and
I'm fairly happy with it, but there are several other options as well;
I've heard good things about both OpenWRT and tomato. One of these
will allow you to see exactly what the firmware is doing by inspecting
the firewall rules and connection status directly. They'll also have
the fringe benefit of being immune to any exploits that are found in
the stock Linksys firmware. :)

Back to solving the issue of these packets getting through your NAT,
though. If you don't have any port forwarding rules or DMZ set up I
would definitely agree that this is a problem. Can you put a hub on
the outside of the router and watch packets as they come in to verify
that they are in fact being NATed by your Linksys and not being
generated internally somehow?

saucily
External

Since: Jul 21, 2007
Posts: 4

Posted: Sat Jul 21, 2007 7:40 pm    Post subject: Re: Rogue Packets on Port 1027?

On Jul 20, 7:59 am, Randy Yates <ya....TakeThisOut@ieee.org> wrote:
>
> Also, is there a way to find out what processes are receiving/sending
> a specific packet? For example, how do I determine what process/service
> is generating the ICMP response above?

In Linux "netstat -tanp" will show all active/established/listening
TCP connections numerically and their associated processes (you will
need to be root to see all processes). You can make this
"netstat -uanp" for UDP or "netstat -tuanp" for both TCP and UDP
(try "man netstat").

This is assuming that the resulting ICMP responses are coming from a
process however, and in this case it's more likely they're coming
directly from the kernel because there probably is no service
listening on this port (you can verify that by using the above
commands and ensuring there is nothing in state LISTEN on the ports in
question). You will need to install a firewall or other filter device
if you want to block these ICMP response packets because they are
default behavior when UDP packets reach a port where nothing is
listening (TCP instead generates RSTs). You can look into iptables,
but I would recommend trying to figure out why the Linksys is doing
NAT it shouldn't.
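
Added example (not part of any post in this thread): it ties together the two findings above, the forwarding range 80 to 8080 that also covers port 1027, and the netstat check for listeners on the target host. The rule fields, the "both" protocol setting and the netstat sample are constructed assumptions; only the address 192.168.1.104 and the port numbers come from the thread.

```python
import re

# Constructed rule modelled on the thread: meant for port 80 only, entered as
# the range 80-8080. proto "both" and the "intended" set are assumptions.
FORWARD_RULES = [{"name": "web", "proto": "both", "start": 80, "end": 8080,
                  "host": "192.168.1.104", "intended": {80}}]

# Constructed `netstat -tuanp` output from the forwarded-to host.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*        LISTEN  2101/httpd
tcp        0      0 127.0.0.1:631   0.0.0.0:*        LISTEN  1854/cupsd
udp        0      0 0.0.0.0:68      0.0.0.0:*                1720/dhclient
"""

LINE = re.compile(r"(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)")
def listeners(netstat_text):
    """Return {(proto, port): program} for sockets reachable from the LAN."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, rest = m.groups()
        if proto == "tcp" and not rest.startswith("LISTEN"):
            continue  # established or closing TCP sockets are not listeners
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only sockets never see forwarded traffic
        found[(proto, int(port))] = (rest.split() or ["-"])[-1]
    return found

def classify(proto, port, rules, bound):
    """Explain what happens to a packet arriving on the router's WAN side."""
    for r in rules:
        if r["proto"] in (proto, "both") and r["start"] <= port <= r["end"]:
            if (proto, port) in bound:
                verdict = "delivered to " + bound[(proto, port)]
            else:  # no socket on the host, so its kernel answers by itself
                verdict = "ICMP port unreachable" if proto == "udp" else "TCP RST"
            return {"rule": r["name"], "host": r["host"],
                    "intended": port in r["intended"], "verdict": verdict}
    return None  # no rule matches, so the router does not forward the packet

def unintended_exposure(rule):
    """Count forwarded ports beyond the ones the rule was meant to expose."""
    return (rule["end"] - rule["start"] + 1) - len(rule["intended"])

if __name__ == "__main__":
    print(classify("udp", 1027, FORWARD_RULES, listeners(NETSTAT_SAMPLE)))
```

For UDP port 1027 the result names the "web" rule, marks the port as not intended, and gives the verdict "ICMP port unreachable", which matches the capture in the first post.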

Randy Yates
External

Since: Sep 07, 2006
Posts: 159

Posted: Sat Jul 21, 2007 7:40 pm    Post subject: Re: Rogue Packets on Port 1027?

Hi,

THANKS much for the education/information. Perhaps the post
hadn't migrated to your usenet server yet, but I found the
problem - a misconfigured port forwarding page.

Thanks so much for your help and ideas. I may check into the
openWRT firmware you wrote about, and it's nice to know the
netstat command information.

--Randy


saucily <MisterESauce.TakeThisOut@gmail.com> writes:

> On Jul 20, 7:59 am, Randy Yates <ya....TakeThisOut@ieee.org> wrote:
>>
>> Also, is there a way to find out what processes are receiving/sending
>> a specific packet? For example, how do I determine what process/service
>> is generating the ICMP response above?
>
> In Linux "netstat -tanp" will show all active/established/listening
> TCP connections numerically and their associated processes (you will
> need to be root to see all processes). You can make this
> "netstat -uanp" for UDP or "netstat -tuanp" for both TCP and UDP
> (try "man netstat").
>
> This is assuming that the resulting ICMP responses are coming from a
> process however, and in this case it's more likely they're coming
> directly from the kernel because there probably is no service
> listening on this port (you can verify that by using the above
> commands and ensuring there is nothing in state LISTEN on the ports in
> question). You will need to install a firewall or other filter device
> if you want to block these ICMP response packets because they are
> default behavior when UDP packets reach a port where nothing is
> listening (TCP instead generates RSTs). You can look into iptables,
> but I would recommend trying to figure out why the Linksys is doing
> NAT it shouldn't.
>

--
% Randy Yates % "Though you ride on the wheels of tomorrow,
%% Fuquay-Varina, NC % you still wander the fields of your
%%% 919-577-9882 % sorrow."
%%%% <yates.TakeThisOut@ieee.org> % '21st Century Man', *Time*, ELO
http://home.earthlink.net/~yatescr

saucily
External

Since: Jul 21, 2007
Posts: 4

Posted: Sat Jul 21, 2007 7:45 pm    Post subject: Re: Rogue Packets on Port 1027? PROBLEM SOLVED!

On Jul 21, 12:02 pm, Randy Yates <ya... RemoveThis @ieee.org> wrote:
> OK, are you ready for this?????? ....
>
> I had mistakenly (a long time ago) configured my router
> (via the applications and gaming tab) to forward ALL ports
> in the range 80 to 8080 to one of my local computers instead
> of just port 80.

Hehe, oops, glad to hear you figured it out!