Who are 24.64.9.177 & 24.64.8.158, etc.?


PCR

Kerio Firewall has begun a series of messages such as these, coming once
a minute or so, every so often...!...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer.

Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.85.35, port 34996 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.210.84, port 28111 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.180.130, port 4241 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer

The port is owned by...
c:\windows\system\rpcss.exe


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

PCR

PCR wrote:
| Kerio Firewall has begun a series of messages such as these, coming
| once a minute or so, every so often...!...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
| 1027 owned by 'Distributed COM Services' on your computer.
|
| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer
|
| The port is owned by...
| c:\windows\system\rpcss.exe

OK, I see, by the word of...
http://www.networksolutions.com/whois/index.jsp

..........Quote..................................
24.64.9.177
Record Type: IP Address

OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

NetRange: 24.64.0.0 - 24.71.255.255
CIDR: 24.64.0.0/13
NetName: SHAW-COMM
NetHandle: NET-24-64-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS7.NO.CG.SHAWCABLE.NET
NameServer: NS8.SO.CG.SHAWCABLE.NET
Comment:
RegDate: 1996-06-03
Updated: 2006-02-08

OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName: SHAW ABUSE
OrgAbusePhone: +1-403-750-7420
OrgAbuseEmail: internet.abuse@sjrb.ca

OrgTechHandle: ZS178-ARIN
OrgTechName: Shaw High-Speed Internet
OrgTechPhone: +1-403-750-7428
OrgTechEmail: ipadmin@sjrb.ca
..........EOQ......................

I see every one of those in SHAW-COMM's NET range. I've been denying
the access & will continue to do so. But what are they trying to do?
 

98 Guy

PCR wrote:

> Kerio Firewall has begun a series of messages such as these


Why don't you have a NAT router?

> Someone from 24.64.9.177


All those IPs belong to Shaw Cable internet, Calgary Alberta.

> port 3222 wants to send UDP datagram


No malware (as far as I can tell) is known to use port 3222. Recent
port usage:

http://isc.sans.org/port.html?port=3222

> to port 1027 owned by 'Distributed COM Services' on your computer.


I don't think that DCOM is normally installed on windows-98 systems.
The Shaw Cable computer is either trying to exploit a DCOM
vulnerability on your computer, or is attempting to connect to a
trojan that it thinks might be running on your computer and listening
on port 1027.

> The port is owned by...
> c:\windows\system\rpcss.exe


Unless I'm mistaken, your computer is running win-2k or XP, not
win-98.

A home computer located somewhere in Alberta is performing a port-scan
on your computer, attempting to either install some malware on your
system via a DCOM exploit, or is attempting to contact a trojan
running on your computer and give it instructions to do something (to
obtain some new software, to send spam to someone, etc).

The fact that they are coming from different addresses every few
minutes is strange - it would indicate that it's coming from different
machines - as in some sort of coordinated scan directly on to
machine. Not sure what would be the reason for that.
 

98 Guy

Ok, what's going on is this:

Your modem recently obtained a new IP address (maybe it does this once
a day, once an hour, once a month, I don't know).

In any case, the IP address you have now once belonged to someone that
was part of a P2P network. They were part of a file-sharing network.
Their IP address is known to the network (for the time being).

Other computers are trying to access some file that they think is
located on your computer.

So either those attempts will fade away with time, or you can re-boot
your modem and obtain a new IP address.

Looks like there are lots of downloaders in Alberta... :)
 

glee

It is most likely a Windows Messenger spam attempt:
http://www.linklogger.com/messenger_spam.htm
http://www.linklogger.com/UDP1026.htm
http://isc.sans.org/port.html?port=1027
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/
http://dts-l.org/goodpost.htm


"PCR" <pcrrcp@netzero.net> wrote in message
news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
> <snip>
 

Franc Zabkar

On Wed, 18 Jul 2007 20:20:29 -0400, "PCR" <pcrrcp@netzero.net> put
finger to keyboard and composed:

>Kerio Firewall has begun a series of messages such as these, coming once
>a minute or so, every so often...!...
>
>Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
>1027 owned by 'Distributed COM Services' on your computer.


<snip>

>The port is owned by...
>c:\windows\system\rpcss.exe


What is RPCSS.EXE?
http://cexx.org/rpc.htm

===================================================================
In any event, what rpcss.exe does is to handle a number of API calls
that relate to RPC. In general (and this is somewhat of a
simplification to prevent techie talk overload), a program can
register certain entry points (the "procedures" in remote procedure
call) that can be accessed by external applications. This is known as
the "portmapper" function. Once registered, anyone contacting the RPC
port and asking, in the appropriate format, for a particular function
provided by a particular program will be allowed to execute the
function. Any security checks are up to the contacted program, as all
the portmapper does is to make the necessary procedure call on behalf
of the client.

"WAIT JUST A MINUTE," you scream as your face turns red. "You mean ANY
program can ask ANY OTHER program on MY MACHINE to do something for it
WITHOUT MY KNOWLEDGE?" The sad truth is that, yes, this is true, and
yes, this has been a constant source of security flaws in UNIX systems
as such-and-such RPC service has this unchecked buffer or that
improper security check which allows any remote user with the proper
script to gain full control of the machine. Since no such flaws have
been found in the rpcss.exe portmapper proper -- probably because no
one's really looked -- the real threat comes from the programs that
utilize the portmapper. Unlike UNIX, however, very few Windows
programs use RPC. Hell, most Windows 9x programmers aren't even aware
that RPC exists, and RPC as a direct communications method is being
replaced by DCOM and COM+ (which can, but do not necessarily, use RPC)
in Windows 2000. Therefore, the likelihood of you even having a
portmapped program on Windows 9x is extremely low, and thus the risk
that RPC presents is also quite low.
===================================================================

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.
 

MEB

"PCR" <pcrrcp@netzero.net> wrote in message
news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
| <snip>

Just a HEADS UP, I also had that same Shaw attack a while ago, all those
addresses {which are slightly different than yours - though 24.64.*.* and
Shaw} are BLOCKED/DENIED in my PFW firewall.
 

MEB

Here, I just turned on logging and popup alerts and am connected to this
group...

19/Jul/2007 03:09:54 Shaw Comm block blocked In UDP S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]->localhost:1026 Owner: no owner
19/Jul/2007 03:11:20 Shaw Comm block blocked In UDP S01060020ed1d11bc.lb.shawcable.net [24.64.180.89:20542]->localhost:1026 Owner: no owner
19/Jul/2007 03:14:50 Shaw Comm block blocked In UDP S0106000ae694e9c1.cn.shawcable.net [24.64.50.56:20710]->localhost:1026 Owner: no owner
19/Jul/2007 03:21:32 Shaw Comm block blocked In UDP 24.64.230.110:24538->localhost:1026 Owner: no owner
19/Jul/2007 03:21:58 Shaw Comm block blocked In UDP S0106001346b90d71.lb.shawcable.net [24.64.160.64:7051]->localhost:1026 Owner: no owner
19/Jul/2007 03:30:58 Shaw Comm block blocked In UDP S01060004ac8b9494.lb.shawcable.net [24.64.191.235:9685]->localhost:1026 Owner: no owner

Comes via UDP as you noted, apparently when using IE or OE... so a router
WOULDN'T stop it... another lurker busted ....



"MEB" <meb@not here@hotmail.com> wrote in message
news:eMN1HAdyHHA.4276@TK2MSFTNGP05.phx.gbl...
| <snip>
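As an added illustration of the two checks PCR and MEB do by hand in this thread (looking each sender up against the SHAW-COMM NetRange from the WHOIS record, and noticing that every hit is UDP aimed at port 1026 or 1027), here is a small Python script that parses Kerio's log lines and popup texts and runs those checks over them. It is editorial example code, not code from the thread or from Kerio: the sample entries are copied from the posts above and joined back onto one line each, the CIDR is the one from the quoted WHOIS record, and the 1026-1029 destination-port range used for the Messenger-spam tally is an assumption of the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample input: Kerio log entries and popup texts copied from this
# thread, one entry per line (the newsreader wrapped the originals at 80 columns).
KERIO_LOG = """\
19/Jul/2007 03:09:54 Shaw Comm block blocked In UDP S010600e04c8a2715.rd.shawcable.net [24.64.43.218:2880]->localhost:1026 Owner: no owner
19/Jul/2007 03:11:20 Shaw Comm block blocked In UDP S01060020ed1d11bc.lb.shawcable.net [24.64.180.89:20542]->localhost:1026 Owner: no owner
19/Jul/2007 03:21:32 Shaw Comm block blocked In UDP 24.64.230.110:24538->localhost:1026 Owner: no owner
Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.
Someone from 24.64.8.158, port 32089 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer
"""

# NetRange/CIDR for SHAW-COMM exactly as the WHOIS record quoted in the thread gives it.
SHAW_NET = ip_network("24.64.0.0/13")

# Destination ports the Messenger-service popup spam of that era was sent to
# (assumed range for this example; the thread's own hits are 1026 and 1027).
MESSENGER_PORTS = range(1026, 1030)

# Kerio "blocked In UDP host [ip:port]->localhost:port Owner: ..." log entry.
# The reverse-DNS name and its square brackets are optional (some entries lack them).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<rule>.+?) "
    r"(?P<action>blocked|permitted) (?P<dir>In|Out) (?P<proto>\w+) "
    r"(?:(?P<host>\S+) \[)?(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\]?"
    r"->(?P<dst>\S+?):(?P<dport>\d+) Owner: (?P<owner>.*)$"
)
# Kerio popup text ("Someone from A.B.C.D, port N wants to send UDP datagram to port M ...").
POPUP_RE = re.compile(
    r"Someone from (?P<src>\d+(?:\.\d+){3}), port (?P<sport>\d+) wants to send "
    r"(?P<proto>\w+) datagram to port (?P<dport>\d+)"
)


@dataclass(frozen=True)
class Event:
    src: str
    sport: int
    proto: str
    dport: int
    host: str = ""  # reverse-DNS name when the log entry carried one


def parse_events(text):
    """Turn log entries and popup texts into Event records; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line) or POPUP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(d["src"], int(d["sport"]), d["proto"].upper(),
                            int(d["dport"]), d.get("host") or ""))
    return events


def sources_outside(events, net=SHAW_NET):
    """Senders that are NOT inside the WHOIS NetRange (the check PCR did by eye)."""
    return sorted({e.src for e in events if ip_address(e.src) not in net})


def summarize(events):
    """Number of distinct senders plus a (protocol, destination port) tally."""
    return {
        "senders": len({e.src for e in events}),
        "targets": Counter((e.proto, e.dport) for e in events),
    }


def looks_like_messenger_spam(events):
    """True when several distinct senders all aim UDP at the popup ports and at nothing else."""
    if not events:
        return False
    targets = {(e.proto, e.dport) for e in events}
    return (all(p == "UDP" and d in MESSENGER_PORTS for p, d in targets)
            and len({e.src for e in events}) >= 2)


if __name__ == "__main__":
    ev = parse_events(KERIO_LOG)
    print(summarize(ev))
    print("outside SHAW-COMM:", sources_outside(ev))
    print("Messenger-spam pattern:", looks_like_messenger_spam(ev))
```

Run against the thread's own entries it reports five distinct senders, all inside 24.64.0.0/13, all UDP to 1026 or 1027, which is the shape glee's diagnosis expects; a single TCP probe to a different port from an address outside the range falls through both checks, which is the case where the block rule on the Shaw range alone would not have helped.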
 

Curt Christianson

You goof,

Those are the lottery numbers you've been expecting, that Augie promised to
get to you somehow. Firewall intrusions..haaruumphh!

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"PCR" <pcrrcp@netzero.net> wrote in message
news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
| <snip>
 

MEB

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...
| You goof,
|
| Those are the lottery numbers you've been expecting, that Augie promised to
| get to you somehow. Firewall intrusions..haaruumphh!
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm


SO Curt, are you claiming these as yours? Or was this a little hahaha,, not
very funny when we ARE discussing systems intrusions or other attempts at
monitoring activities ...
I never consider any of these types of activities as laughable or
ignorable... Sorry Curt, but with the present activities the people are
being subjected to, without their knowledge or consent, I do take issue ....

--
MEB
http://peoplescounsel.orgfree.com
________



 

Curt Christianson

MEB,

You made a very legitimate point, and it was a rather feeble attempt at
being facetious. While we aren't "good buds" PCR and I go back a long way,
and I'm reasonably sure he may have found it funny.

To all the others perusing this NG, it prolly *didn't* strike them as funny.

As you mentioned, Internet security is certainly nothing to be scoffed
at--especially at someone's else misfortune and expense.

My heartiest apologies to all!

Keep up the great work here.

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message
news:%23SIVJEhyHHA.1576@TK2MSFTNGP03.phx.gbl...
|
| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
| news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...
|| You goof,
||
|| Those are the lottery numbers you've been expecting, that Augie promised to
|| get to you somehow. Firewall intrusions..haaruumphh!
||
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
|
|
| SO Curt, are you claiming these as yours? Or was this a little hahaha,, not
| very funny when we ARE discussing systems intrusions or other attempts at
| monitoring activities ...
| I never consider any of these types of activities as laughable or
| ignorable... Sorry Curt, but with the present activities the people are
| being subjected to, without their knowledge or consent, I do take issue ....
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
|
 

glee

It's alright, Curt....I get the joke, and I suspect PCR got a chuckle out of
it.
--
Glen Ventura, MS MVP Shell/User, A+

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...
> MEB,
>
> You made a very legitimate point, and it was a rather feeble attempt at
> being facetious. While we aren't "good buds" PCR and I go back a long way,
> and I'm reasonably sure he may have found it funny.
>
> To all the others perusing this NG, it prolly *didn't* strike them as funny.
>
> As you mentioned, Internet security is certainly nothing to be scoffed
> at--especially at someone's else misfortune and expense.
>
> My heartiest apologies to all!
>
> Keep up the great work here.
>
> --
> HTH,
> Curt
>
> Windows Support Center
> www.aumha.org
> Practically Nerded,...
> http://dundats.mvps.org/Index.htm
>
 

MEB

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...
| MEB,
|
| You made a very legitimate point, and it was a rather feeble attempt at
| being facetious. While we aren't "good buds" PCR and I go back a long way,
| and I'm reasonably sure he may have found it funny.
|
| To all the others perusing this NG, it prolly *didn't* strike them as funny.
|
| As you mentioned, Internet security is certainly nothing to be scoffed
| at--especially at someone's else misfortune and expense.
|
| My heartiest apologies to all!
|
| Keep up the great work here.
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|

Well, to admit it, I also thought it was funny, at first, but when it
carried your sig I thought it best to take the hardline,,, sorry,,

So I guess it's now appropriate to post these:

Related material per this discussion:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-199A


Mozilla Updates for Multiple Vulnerabilities

Original release date: July 18, 2007
Last revised: --
Source: US-CERT


Systems Affected

* Mozilla Firefox
* Mozilla Thunderbird

Other products based on Mozilla components may also be affected.


Overview

The Mozilla web browser and derived products contain several
vulnerabilities, the most severe of which could allow a remote
attacker to execute arbitrary code on an affected system.


I. Description

Mozilla has released new versions of Firefox and Thunderbird to
address several vulnerabilities. Further details about these
vulnerabilities are available from Mozilla and the Vulnerability Notes
Database. An attacker could exploit these vulnerabilities by
convincing a user to view a specially-crafted HTML document, such as a
web page or an HTML email message.


II. Impact

While the impacts of the individual vulnerabilities vary, the most
severe could allow a remote, unauthenticated attacker to execute
arbitrary code on a vulnerable system. An attacker may also be able to
cause a denial of service or obtain private information.


III. Solution


Upgrade

These vulnerabilities are addressed in Mozilla Firefox 2.0.0.5 and
Thunderbird 2.0.0.5.


Disable JavaScript

Some of these vulnerabilities can be mitigated by disabling JavaScript
or using the NoScript extension. For more information about
configuring Firefox, please see the Securing Your Web Browser
document. Thunderbird disables JavaScript and Java by default.


IV. References

* US-CERT Vulnerability Notes -
<http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_20070717>

* Securing Your Web Browser -

<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* Known Vulnerabilities in Mozilla Products -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* Mozilla Hall of Fame - <http://www.mozilla.org/university/HOF.html>

* NoScript Firefox Extension - <http://noscript.net/>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-199A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-199A Feedback VU#143297" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________


Revision History

July 18, 2007: Initial release




To the below I would add the types of activities discussed under this
heading AND occurring in this news group and elsewhere upon the Internet:




National Cyber Alert System
Cyber Security Tip ST04-014

Avoiding Social Engineering and Phishing Attacks

Do not give sensitive information to anyone unless you are sure that
they are indeed who they claim to be and that they should have access
to the information.

What is a social engineering attack?

To launch a social engineering attack, an attacker uses human
interaction (social skills) to obtain or compromise information about
an organization or its computer systems. An attacker may seem
unassuming and respectable, possibly claiming to be a new employee,
repair person, or researcher and even offering credentials to support
that identity. However, by asking questions, he or she may be able to
piece together enough information to infiltrate an organization's
network. If an attacker is not able to gather enough information from
one source, he or she may contact another source within the same
organization and rely on the information from the first source to add
to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email
or malicious web sites to solicit personal, often financial,
information. Attackers may send email seemingly from a reputable
credit card company or financial institution that requests account
information, often suggesting that there is a problem. When users
respond with the requested information, attackers can use it to gain
access to the accounts.

How do you avoid being a victim?

* Be suspicious of unsolicited phone calls, visits, or email
messages from individuals asking about employees or other internal
information. If an unknown individual claims to be from a
legitimate organization, try to verify his or her identity
directly with the company.
* Do not provide personal information or information about your
organization, including its structure or networks, unless you are
certain of a person's authority to have the information.
* Do not reveal personal or financial information in email, and do
not respond to email solicitations for this information. This
includes following links sent in email.
* Don't send sensitive information over the Internet before checking
a web site's security policy or looking for evidence that the
information is being encrypted (see Protecting Your Privacy and
Understanding Web Site Certificates for more information).
* Pay attention to the URL of a web site. Malicious web sites may
look identical to a legitimate site, but the URL may use a
variation in spelling or a different domain (e.g., .com vs. .net).
* If you are unsure whether an email request is legitimate, try to
verify it by contacting the company directly. Do not use contact
information provided on a web site connected to the request
instead, check previous statements for contact information.
Information about known phishing attacks is also available online
from groups such as the Anti-Phishing Working Group
(http://www.antiphishing.org/phishing_archive.html).
* Install and maintain anti-virus software, firewalls, and email
filters to reduce some of this traffic (see Understanding
Firewalls, Understanding Anti-Virus Software, and Reducing Spam
for more information).

What do you do if you think you are a victim?

* If you believe you might have revealed sensitive information about
your organization, report it to the appropriate people within the
organization, including network administrators. They can be alert
for any suspicious or unusual activity.
* If you believe your financial accounts may be compromised, contact
your financial institution immediately and close any accounts that
may have been compromised. Watch for any unexplainable charges to
your account (see Preventing and Responding to Identity Theft for
more information).
* Consider reporting the attack to the police, and file a report
with the Federal Trade Commission (http://www.ftc.gov/).
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

Terms of use

<http://www.us-cert.gov/legal.html>

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST04-014.html>


For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.






One may also contact and supply information [such as any related logs -
firewall, system, etc.] to the various government agencies dealing with cyber
terrorism, electronic communications, and other like activities for
potential prosecution under (as example in the USA), The Anti-Terrorism
Acts, The Patriot Act, The Homeland Security Act, The Electronic
Communications Privacy Act, and several others.
Check with your respective {international} governments related to and/or
having jurisdiction over such activities.

--
MEB
http://peoplescounsel.orgfree.com
________
 

PCR

glee wrote:
| It's alright, Curt....I get the joke, and I suspect PCR got a chuckle
| out of it.

Ah, ha, ha-- yea, it was funny. But what am I supposed to do with all
these lottery tickets now?

| --
| Glen Ventura, MS MVP Shell/User, A+
|
| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
| news:%23qizDKhyHHA.1208@TK2MSFTNGP03.phx.gbl...
|> MEB,
|>
|> You made a very legitimate point, and it was a rather feeble attempt
|> at being facetious. While we aren't "good buds" PCR and I go back a
|> long way, and I'm reasonably sure he may have found it funny.
|>
|> To all the others perusing this NG, it prolly *didn't* strike them
|> as funny.
|>
|> As you mentioned, Internet security is certainly nothing to be
|> scoffed at--especially at someone else's misfortune and expense.
|>
|> My heartiest apologies to all!
|>
|> Keep up the great work here.
|>
|> --
|> HTH,
|> Curt
|>
|> Windows Support Center
|> www.aumha.org
|> Practically Nerded,...
|> http://dundats.mvps.org/Index.htm
|>
|> "MEB" <meb@not here@hotmail.com> wrote in message
|> news:%23SIVJEhyHHA.1576@TK2MSFTNGP03.phx.gbl...
|> |
|> | "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in
|> | message news:Oa1IXSfyHHA.5204@TK2MSFTNGP03.phx.gbl...
|> || You goof,
|> ||
|> || Those are the lottery numbers you've been expecting,that Augie
|> || promised to get to you somehow. Firewall intrusions..haaruumphh!
|> ||
|> || --
|> || HTH,
|> || Curt
|> ||
|> || Windows Support Center
|> || www.aumha.org
|> || Practically Nerded,...
|> || http://dundats.mvps.org/Index.htm
|> |
|> |
|> | SO Curt, are you claiming these as yours? Or was this a little
|> | hahaha,, not very funny when we ARE discussing systems intrusions
|> | or other attempts at monitoring activities ...
|> | I never consider any of these types of activities as laughable or
|> | ignorable... Sorry Curt, but with the present activities the
|> | people are being subjected to, without their knowledge or consent,
|> | I do take issue ....
|> |
|> | --
|> | MEB
|> | http://peoplescounsel.orgfree.com
|> | ________

....snip
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

PCR

Franc Zabkar wrote:
| On Wed, 18 Jul 2007 20:20:29 -0400, "PCR" <pcrrcp@netzero.net> put
| finger to keyboard and composed:
|
|>Kerio Firewall has begun a series of messages such as these, coming
|>once a minute or so, every so often...!...
|>
|>Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
|>1027 owned by 'Distributed COM Services' on your computer.
|
| <snip>
|
|>The port is owned by...
|>c:\windows\system\rpcss.exe
|
| What is RPCSS.EXE?
| http://cexx.org/rpc.htm
|
| ===================================================================
| In any event, what rpcss.exe does is to handle a number of API calls
| that relate to RPC. In general (and this is somewhat of a
| simplification to prevent techie talk overload), a program can
| register certain entry points (the "procedures" in remote procedure
| call) that can be accessed by external applications. This is known as
| the "portmapper" function. Once registered, anyone contacting the RPC
| port and asking, in the appropriate format, for a particular function
| provided by a particular program will be allowed to execute the
| function. Any security checks are up to the contacted program, as all
| the portmapper does is to make the necessary procedure call on behalf
| of the client.
|
| "WAIT JUST A MINUTE," you scream as your face turns red. "You mean ANY
| program can ask ANY OTHER program on MY MACHINE to do something for it
| WITHOUT MY KNOWLEDGE?" The sad truth is that, yes, this is true, and
| yes, this has been a constant source of security flaws in UNIX systems
| as such-and-such RPC service has this unchecked buffer or that
| improper security check which allows any remote user with the proper
| script to gain full control of the machine. Since no such flaws have
| been found in the rpcss.exe portmapper proper -- probably because no
| one's really looked -- the real threat comes from the programs that
| utilize the portmapper. Unlike UNIX, however, very few Windows
| programs use RPC; hell, most Windows 9x programmers aren't even aware
| that RPC exists, and RPC as a direct communications method is being
| replaced by DCOM and COM+ (which can, but do not necessarily, use RPC)
| in Windows 2000. Therefore, the likelihood of you even having a
| portmapped program on Windows 9x is extremely low, and thus the risk
| that RPC presents is also quite low.
| ===================================================================

I see. Thanks, Zabkar. Glee also posted that URL, I believe. From what I
can make of it, I shouldn't disable rpcss.exe altogether. Suppose I were
to set Kerio to block all traffic to & from it, though-- does that
constitute disabling it altogether?

There, it's done-- UDP/TCP both directions is blocked for RPCSS.EXE--
any address, any port!

That may be a bit impulsive, but I know I can recover from a major
crash. Also, I fully intend to continue to research the matter until I
3/4 understand what I've done!

(I'm still working on responses to the replies, but thanks to all.)

|
| - Franc Zabkar
| --
| Please remove one 'i' from my address when replying by email.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

PCR

Curt Christianson wrote:
| You goof,
|
| Those are the lottery numbers you've been expecting,that Augie
| promised to get to you somehow. Firewall intrusions..haaruumphh!

Ah, ha, ha! That's rich!

| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
|| PCR wrote:
||| Kerio Firewall has begun a series of messages such as these, coming
||| once a minute or so, every so often...!...
|||
||| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
||| port 1027 owned by 'Distributed COM Services' on your computer.
|||
||| Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
||| port 1027 owned by 'Distributed COM Services' on your computer
|||
||| Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
||| port 1027 owned by 'Distributed COM Services' on your computer
|||
||| Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
||| port 1027 owned by 'Distributed COM Services' on your computer
|||
||| Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
||| port 1027 owned by 'Distributed COM Services' on your computer
|||
||| The port is owned by...
||| c:\windows\system\rpcss.exe
||
|| OK, I see, by the word of...
|| http://www.networksolutions.com/whois/index.jsp
||
|| .........Quote..................................
|| 24.64.9.177
|| Record Type: IP Address
||
|| OrgName: Shaw Communications Inc.
|| OrgID: SHAWC
|| Address: Suite 800
|| Address: 630 - 3rd Ave. SW
|| City: Calgary
|| StateProv: AB
|| PostalCode: T2P-4L4
|| Country: CA
||
|| ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
||
|| NetRange: 24.64.0.0 - 24.71.255.255
|| CIDR: 24.64.0.0/13
|| NetName: SHAW-COMM
|| NetHandle: NET-24-64-0-0-1
|| Parent: NET-24-0-0-0-0
|| NetType: Direct Allocation
|| NameServer: NS7.NO.CG.SHAWCABLE.NET
|| NameServer: NS8.SO.CG.SHAWCABLE.NET
|| Comment:
|| RegDate: 1996-06-03
|| Updated: 2006-02-08
||
|| OrgAbuseHandle: SHAWA-ARIN
|| OrgAbuseName: SHAW ABUSE
|| OrgAbusePhone: +1-403-750-7420
|| OrgAbuseEmail: internet.abuse@sjrb.ca
||
|| OrgTechHandle: ZS178-ARIN
|| OrgTechName: Shaw High-Speed Internet
|| OrgTechPhone: +1-403-750-7428
|| OrgTechEmail: ipadmin@sjrb.ca
|| .........EOQ......................
||
|| I see every one of those in SHAW-COMM's NET range. I've been
|| denying the access & will continue to do so. But what are they
|| trying to do?

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

PCR

glee wrote:
| It is most likely a Windows Messenger spam attempt:
| http://www.linklogger.com/messenger_spam.htm

I don't have "NET SEND", although I do have "NET"...

C:\>net send
The command SEND is unknown. For a list of valid commands, type NET HELP at
the command prompt.
For help, type NET /? at the command prompt.

Can I suppose I don't need to allow RPCSS.EXE to use UDP/TCP at all?

| http://www.linklogger.com/UDP1026.htm

..........Quote that URL..........
Inbound Scan

Typically inbound traffic to this port is Messenger Spam which is more
annoying than anything else, and hence not really worthy of a Link
Logger alert, but still there is enough of this traffic that an
explanation is helpful.

Outbound Scan

Outbound scans, if occurring in volume, should be considered an
indication of a possible worm infection on the source computer and
should be investigated.
..........EOQ..............................

The ones I get are all inbound. So, probably I am safe yet, so long as I
don't accept any.

| http://isc.sans.org/port.html?port=1027

I divine that is one possibility of what is trying to come in.

There's no chance I will accept one now. As I posted elsewhere, I've
blocked UDP/TCP both directions for RPCSS.EXE-- any address, any port!
I'll just keep it that way, until I suffer a crash or other suspicious
symptom-- or unless someone can definitively say I should not. I am on
Dial-Up & use no networking other than normal Internet surfing. Let me
see whether those FTP sites still work...
ftp://ftp.microsoft.com/
Yea, that one still works. However (not that it's any different), I do
have to permit...

Someone from 207.46.236.102, port 20 wants to connect to port 1341 owned
by 'Internet Explorer' on your computer

....for every folder I click. But that's normal!

Thanks, glee & all others who responded-- with the possible exception of
Christianson! [Just joking. :).]

I do have another firewall question or two, but will post it in new
thread(s).

| --
| Glen Ventura, MS MVP Shell/User, A+
| http://dts-l.org/
| http://dts-l.org/goodpost.htm
|
|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:%23A5dQ5ZyHHA.4652@TK2MSFTNGP05.phx.gbl...
|> PCR wrote:
|> | Kerio Firewall has begun a series of messages such as these, coming
|> | once a minute or so, every so often...!...
|> |
|> | Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
|> | port 1027 owned by 'Distributed COM Services' on your computer.
|> |
|> | Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
|> | port 1027 owned by 'Distributed COM Services' on your computer
|> |
|> | Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
|> | port 1027 owned by 'Distributed COM Services' on your computer
|> |
|> | Someone from 24.64.210.84, port 28111 wants to send UDP datagram to
|> | port 1027 owned by 'Distributed COM Services' on your computer
|> |
|> | Someone from 24.64.180.130, port 4241 wants to send UDP datagram to
|> | port 1027 owned by 'Distributed COM Services' on your computer
|> |
|> | The port is owned by...
|> | c:\windows\system\rpcss.exe
|>
|> OK, I see, by the word of...
|> http://www.networksolutions.com/whois/index.jsp
|>
|> .........Quote..................................
|> 24.64.9.177
|> Record Type: IP Address
|>
|> OrgName: Shaw Communications Inc.
|> OrgID: SHAWC
|> Address: Suite 800
|> Address: 630 - 3rd Ave. SW
|> City: Calgary
|> StateProv: AB
|> PostalCode: T2P-4L4
|> Country: CA
|>
|> ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
|>
|> NetRange: 24.64.0.0 - 24.71.255.255
|> CIDR: 24.64.0.0/13
|> NetName: SHAW-COMM
|> NetHandle: NET-24-64-0-0-1
|> Parent: NET-24-0-0-0-0
|> NetType: Direct Allocation
|> NameServer: NS7.NO.CG.SHAWCABLE.NET
|> NameServer: NS8.SO.CG.SHAWCABLE.NET
|> Comment:
|> RegDate: 1996-06-03
|> Updated: 2006-02-08
|>
|> OrgAbuseHandle: SHAWA-ARIN
|> OrgAbuseName: SHAW ABUSE
|> OrgAbusePhone: +1-403-750-7420
|> OrgAbuseEmail: internet.abuse@sjrb.ca
|>
|> OrgTechHandle: ZS178-ARIN
|> OrgTechName: Shaw High-Speed Internet
|> OrgTechPhone: +1-403-750-7428
|> OrgTechEmail: ipadmin@sjrb.ca
|> .........EOQ......................
|>
|> I see every one of those in SHAW-COMM's NET range. I've been
|> denying the access & will continue to do so. But what are they
|> trying to do?

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
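An added triage script for the alerts discussed in this thread; it is not from the thread, from Kerio, or from any of the linked pages. It parses Kerio-style alert lines like the ones PCR quoted, checks each source against the SHAW-COMM range (24.64.0.0/13) from the whois output, labels inbound UDP to 1026/1027 as the Messenger-spam pattern glee's linklogger link describes, and labels the server-port-20-to-high-port TCP connection PCR sees while browsing FTP as the active-mode FTP data channel it is. The sample alert lines are reconstructed from this thread as constructed test data.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Allocation the whois lookup quoted in this thread reported for SHAW-COMM.
SHAW_COMM = ipaddress.ip_network("24.64.0.0/13")

# Inbound UDP to these ports is the Messenger-service spam pattern described
# at linklogger.com (cited above): noise to keep blocking, not a compromise sign.
MESSENGER_SPAM_PORTS = {1026, 1027}

ALERT_RE = re.compile(
    r"Someone from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), port (?P<sport>\d+) "
    r"wants to (?P<verb>send UDP datagram to|connect to) port (?P<dport>\d+) "
    r"owned by '(?P<owner>[^']+)'"
)

# Sample alert lines reconstructed from the thread (constructed test data).
SAMPLE_ALERTS = [
    f"Someone from {ip}, port {sport} wants to send UDP datagram to port 1027 "
    "owned by 'Distributed COM Services' on your computer"
    for ip, sport in [("24.64.9.177", 3222), ("24.64.8.158", 32089),
                      ("24.64.85.35", 34996), ("24.64.210.84", 28111),
                      ("24.64.180.130", 4241)]
] + [
    "Someone from 207.46.236.102, port 20 wants to connect to port 1341 owned "
    "by 'Internet Explorer' on your computer",
    "Kerio rule 'Block RPCSS.EXE' applied",  # not an alert; must be ignored
]


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it is not one."""
    m = ALERT_RE.search(" ".join(line.split()))  # collapse newsgroup line wraps
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "proto": "UDP" if m["verb"].startswith("send UDP") else "TCP",
        "dport": int(m["dport"]),
        "owner": m["owner"],
    }


def classify(alert):
    """Defender's verdict for one alert: what to keep blocking, what is expected."""
    if alert["proto"] == "UDP" and alert["dport"] in MESSENGER_SPAM_PORTS:
        return "messenger-spam"
    # Active-mode FTP: the server opens the data channel from port 20 to the
    # client's high port, which is why PCR has to permit it for every folder click.
    if alert["proto"] == "TCP" and alert["sport"] == 20 and alert["dport"] > 1023:
        return "ftp-data"
    return "unclassified"  # anything else deserves a closer look


def summarize(lines):
    """Aggregate a batch of alerts: verdict counts, distinct sources, origin."""
    verdicts = Counter()
    sources = defaultdict(set)
    from_shaw = 0
    for alert in filter(None, map(parse_alert, lines)):
        verdict = classify(alert)
        verdicts[verdict] += 1
        sources[verdict].add(alert["src"])
        if alert["src"] in SHAW_COMM:
            from_shaw += 1
    return {
        "parsed": sum(verdicts.values()),
        "verdicts": dict(verdicts),
        "distinct_sources": {k: len(v) for k, v in sources.items()},
        "from_shaw_comm": from_shaw,
    }


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        alert = parse_alert(line)
        print(classify(alert) if alert else "ignored", "<-", line[:50])
    print(summarize(SAMPLE_ALERTS))
```

The summary shows five distinct SHAW-COMM sources all hitting the same UDP port, which matches the "many sources, one port" shape of Messenger spam rather than a targeted attack on one host.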
 

PCR

98 Guy wrote:
| Ok, what's going on is this:
|
| Your modem recently obtained a new IP address (maybe it does this once
| a day, once an hour, once a month, I don't know).

I'm on dial-up, & I believe I get a new one each connection.

| In any case, the IP address you have now once belonged to someone that
| was part of a P2P network. They were part of a file-sharing network.
| Their IP address is known to the network (for the time being).
|
| Other computers are trying to access some file that they think is
| located on your computer.

I guess that is a possibility. But, whether innocent or guilty-- I don't
want them to have it!

| So either those attempts will fade away with time, or you can re-boot
| your modem and obtain a new IP address.
|
| Looks like there are lots of downloaders in Alberta... :)

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

PCR

98 Guy wrote:
| PCR wrote:
|
|> Kerio Firewall has begun a series of messages such as these
|
| Why don't you have a NAT router?

Thanks, 98 Guy. I don't have a Network connection (other than what the
Internet is), & I am on dial-up.

|> Someone from 24.64.9.177
|
| All those IP's belong to Shaw Cable internet, Calgary Alberta.

That's right, I later found an URL that said...
http://www.networksolutions.com/whois/index.jsp
..........Quote.............
NetRange: 24.64.0.0 - 24.71.255.255
....snip
NetName: SHAW-COMM
..........EOQ................

|> port 3222 wants to send UDP datagram
|
| No malware (as far as I can tell) is known to use port 3222. Recent
| port usage:
|
| http://isc.sans.org/port.html?port=3222

I can't click that, I've been thrown offline by NetZero. But, as I
understand it, that port is on SHAW-COMM's computer. Why should I trust
it wouldn't be used for an ill purpose?

|> to port 1027 owned by 'Distributed COM Services' on your computer.
|
| I don't think that DCOM is normally installed on windows-98 systems.

Yea, it is-- at least, Compaq installed it in this 7470!

| The Shaw Cable computer is either trying to exploit a DCOM
| vulnerability on your computer, or is attempting to connect to a
| trojan that it thinks might be running on your computer and listening
| on port 1027.

There certainly is something listening on "localhost:1027". That is
RPCSS.exe. It also is listening on "all:135"-- which was my Junior High
School! And that evokes particularly horrid memories!

|> The port is owned by...
|> c:\windows\system\rpcss.exe
|
| Unless I'm mistaken, your computer is running win-2k or XP, not
| win-98.

You are mistaken, but it could be something Compaq did. Well, wait a
minute,...

Cabinet WIN98_46.CAB
04-23-1999 10:22:00p A--- 20,480 rpcss.exe

.... it's in my 98SE .cab's!

| A home computer located somewhere in Alberta is performing a port-scan
| on your computer, attempting to either install some malware on your
| system via a DCOM exploit, or is attempting to contact a trojan
| running on your computer and give it instructions to do something (to
| obtain some new software, to send spam to someone, etc).

That's what I was afraid of! Oh, my God!

| The fact that they are coming from different addresses every few
| minutes is strange - it would indicate that it's coming from different
| machines - as in some sort of coordinated scan directly on to
| machine. Not sure what would be the reason for that.

I GUESS, because I kept disallowing it, it was tried from different IPs,
thinking I was just blocking a specific one. But now I've blocked all
UDP/TCP, both directions, all ports for rpcss.exe. Let's see what
happens with that!

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 