1026 gone wild!
Results 1 to 3 of 3

Thread: 1026 gone wild!

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786

    1026 gone wild!

    This one has me kinda stumped. Port 1026 scanns are nothing new but this dude/dudette really has a passion for it. Here's a trimmed (to fit)portion on Tiny's log from around 9 last night (GMT -5) until 10:30 this morning. the rules are either named for IP ranges or ports i want to watch...i have no life.


    20:57:19] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
    21:00:27] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
    21:02:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
    21:05:04] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
    21:06:51] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
    22:22:31] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
    22:24:47] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
    22:24:50] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
    22:24:56] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
    22:25:23] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
    22:27:59] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
    22:30:21] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
    22:32:09] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
    22:34:14] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
    22:54:14] Rule '17300': Permitted: In TCP, 172.150.165.186:4951->localhost:17300
    23:23:28] Rule '17300': Permitted: In TCP, 68.116.204.164:1167->localhost:17300
    23:31:51] Rule 'UUnet1 Not US': Blocked: In TCP, 61.85.191.46:4880->localhost:17300
    23:45:53] Rule '17300': Permitted: In TCP, 172.174.57.247:3222->localhost:17300
    23:45:55] Rule '17300': Permitted: In TCP, 172.174.57.247:3222->localhost:17300
    00:26:40] Rule '17300': Permitted: In TCP, 172.175.26.23:3140->localhost:17300
    01:22:18] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
    01:25:08] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
    01:27:44] Rule '210_213Block': Blocked: In UDP, 210.5.22.19:31115->localhost:1026
    01:30:07] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
    01:31:56] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
    01:34:01] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
    01:38:07] Rule '17300': Permitted: In TCP, 172.200.219.4:4596->localhost:17300
    01:38:08] Rule '17300': Permitted: In TCP, 172.200.219.4:4596->localhost:17300
    01:41:36] Rule '218_222Block': Blocked: In TCP, 219.9.2.31:3806->localhost:17300
    01:59:40] Rule '17300': Blocked: In TCP, 68.59.116.167:1547->localhost:17300
    03:19:18] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
    03:19:21] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
    03:19:28] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
    03:30:38] Rule '17300': Blocked: In TCP, 66.138.229.189:1221->localhost:17300
    04:11:04] Rule '210_213Block': Blocked: In TCP, 211.49.112.12:3182->localhost:17300
    04:22:04] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
    04:24:56] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
    04:27:33] Rule '210_213Block': Blocked: In UDP, 210.5.22.19:31115->localhost:1026
    04:29:55] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
    04:31:45] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
    04:33:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
    04:47:38] Rule 'UUnet2 Not US': Blocked: In UDP, 62.147.243.224:28432->localhost:28431
    05:02:24] Rule 'UUnet1 Not US': Blocked: In TCP, 61.174.144.173:40492->localhost:80
    05:02:28] Rule 'UUnet1 Not US': Blocked: In TCP, 61.174.144.173:40492->localhost:80
    05:58:14] Rule '17300': Blocked: In TCP, 66.136.147.176:1225->localhost:17300
    06:44:11] Rule '17300': Blocked: In TCP, 68.37.86.102:3939->localhost:17300
    06:44:14] Rule '17300': Blocked: In TCP, 68.37.86.102:3939]->localhost:17300
    07:10:07] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
    07:10:10] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
    07:10:16] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
    07:21:57] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
    07:24:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.22:31354->localhost:1026
    07:27:25] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
    07:29:47] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
    07:31:38] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
    07:33:42] Rule '210_213Block': Blocked: In UDP, 210.5.22.22:31354->localhost:1026
    09:56:38] Rule '17300': Blocked: In TCP, 69.14.109.97:2265->localhost:17300
    10:21:41] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
    10:24:34] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
    10:27:10] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
    10:29:32] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
    10:31:22] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
    10:33:26] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026



    Notice 210.5.22.(plus one of these: 10, 11, 17, 18, 19, 20, 21, 22 , 23)

    probes in groups of 5 or 6:

    Start Used
    20:57 (11, 23, 21, 18, 21, 17)
    22:25 (21, 10, 23, 11, 17) <--only 5
    01:22 (17, 18, 19, 20, 10, 18)
    04:22 (22, 23, 19, 23, 21, 20)
    07:21 (20, 22, 11, 18, 23, 22)
    10:21 (18, 21, 21, 17, 21, 18)

    Not one appears in all scans.

    As im typing this a blocked 'time exceeded' (IGMP [11]) came in from 210.5.22.234

    What's going on. Any guesses?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I am guessing you're running an application which is sending UDP packets out to those machines from local port 1026.

    The 6 or so IP addresses are load-balanced and being used in a round-robin fashion?

    Are you running any games, P2P or other such like? If so, quit for a few hours and see if the packets continue.

    What is the contents of the datagrams? Have you looked?

    Are any local applications bound to UDP port 1026 at the time of the incoming packets?

    My guess is, this is not a scan. If it were a scan, it would try different ports.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    although i haven't checked the packets for content im running no P2P and occasionally play freecell. there is nothing shown listening on 1026. I check when the warning pops up (Tiny)1025 mstask which is blocked and 1038 Iexplore are the only devices even close.

    just got one:

    Active Connections

    Proto Local Address Foreign Address State
    TCP mymach:2119 mymach:44334 TIME_WAIT
    TCP mymach:2120 mymach:44334 ESTABLISHED
    TCP mymach:44334 mymach:2120 ESTABLISHED
    TCP mymach:1963 cache02.ns.uu.net:domain CLOSE_WAIT
    TCP mymach:2118 pop.wlv.untd.com:pop3 TIME_WAIT

    C:\>fport
    FPort v1.33 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid Process Port Proto Path
    392 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
    8 System -> 139 TCP
    8 System -> 445 TCP
    612 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
    8 System -> 1028 TCP
    1084 IEXPLORE -> 1828 TCP C:\Program Files\Internet Explorer\IEXPLORE
    .EXE
    448 spade -> 1963 TCP C:\Program Files\Blighty Design\spade.exe
    524 PFWADMIN -> 2120 TCP C:\Program Files\Tiny Personal Firewall\PFW
    ADMIN.EXE
    764 WinVNC -> 5800 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    764 WinVNC -> 5900 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    576 persfw -> 44334 TCP C:\Program Files\Tiny Personal Firewall\per
    sfw.exe

    8 System -> 137 UDP
    8 System -> 138 UDP
    8 System -> 445 UDP
    216 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
    1084 IEXPLORE -> 1038 UDP C:\Program Files\Internet Explorer\IEXPLORE
    .EXE
    1076 MsgSys -> 38037 UDP C:\WINNT\System32\MsgSys.EXE
    576 persfw -> 44334 UDP C:\Program Files\Tiny Personal Firewall\per
    sfw.exe
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides