China keeps trying to hack me!ports UDP 1026 and 1027

  1. #1 Member (Join Date May 2005, Posts 39)

    China keeps trying to hack me!ports UDP 1026 and 1027

    Below is a common thing for my firewall. Every time I log on I trace this UNSOLICITED ATTACK/REQUEST back to the China/Beijing area. I have been getting these unsolicited requests for about 3 weeks; it is only on this machine, when I get online. I have scanned and rescanned, I have posted HJT logs and everything I could think of, yet everyone claims my machine is clean?

    My concern is "why does this happen"? It is almost as if there is some malware in here trying to "call home", you know?

    2005/05/13 09:35:58 222.77.185.242:60840 216.203.252.150:1027 Port 1027 (UDP)
    2005/05/13 09:35:58 222.77.185.242:60840 216.203.252.150:1027 Port 1027 (UDP)
    2005/05/13 09:35:58 222.77.185.242:60840 216.203.252.150:1026 Port 1026 (UDP)
    2005/05/13 09:39:35 61.172.249.200:32831 216.203.252.150:1026 Port 1026 (UDP)
    2005/05/13 09:39:43 61.129.34.19:1195 216.203.252.150:1434 Microsoft-SQL-Monitor
    2005/05/13 09:46:11 61.129.94.146:0 216.203.252.150:0 ICMP Ping



    If you look, this has all happened in the time it took me to post this. I am really worried.

    It always traces back to the Beijing area in China...

    This is not just normal port scanning (tell me so if I am wrong). I don't know that much about this, so I am turning to you folks who know a lot more than me about this issue. Can anyone tell me what this means?

    2005/05/13 09:19:00 64.102.120.188:23044 216.203.252.150:1026 Port 1026 (UDP)

  2. #2 DjM, "I'd rather be fishing" (Join Date Aug 2001, Location The Great White North, Posts 1,867)
    I get scanned from Beijing all the time; they are a nosy bunch. Your firewall is doing its job, go grab a beer and relax.

    Cheers:
    DjM

  3. #3 kr5kernel, Senior Member (Join Date Mar 2004, Posts 347)
    In all reality the chances of someone in Beijing targeting your machine specifically are slim to none. It's more than likely a zombie that is just randomly scanning IP ranges. It happens all the time. As DjM said, if you are not noticing an actual break-in, then you are in the clear.

    It is annoying though, ain't it!
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  4. #4 Member (Join Date May 2005, Posts 30)

    spam

    As I understand it, these are likely MS Messenger spam messages. My firewall logs show them too, almost constantly, and most trace back to China.

  5. #5 Member (Join Date May 2005, Posts 39)
    Originally posted here by DjM
    I get scanned from Bejing all the time, they are a nosey bunch :D . Your firewall is doing its job, go grab a beer and relax. ;)

    Cheers:
    Yeah! They sure are a nosy bunch alright! It sure seems like a "BOT" the way it keeps scanning the range of addresses over and over and over and... did I say over and over?... and over, ...over and out. "Roger that, over & out, 10-4"


    I have emailed the admin (maybe a foolish mistake on my part, but I fear not).
    What do you folks think? Will it do any good? I do have a return receipt from the Railroad server there in China. In fact, do you remember the news about a week ago about the Japanese train wreck? I think it was "hacked servers" that caused it; in fact, I think it was these servers in the China railroad.

    MAINT-CHINATELECOM-HE
    Wu Xiao Li
    address: Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
    country: CN
    phone: +86-21-63630562
    fax-no: +86-21-63630566
    e-mail: ip-admin@mail.online.sh.cn
    nic-hdl: XI5-AP
    mnt-by: MAINT-CHINANET-SH
    changed: ip-admin@mail.online.sh.cn 20010510
    source: APNIC

    I wish they would go away; all my space for banned IPs is getting full, ha ha.
    As far as the MSN Messenger comment, NO, I don't even use that service and have totally deleted it ALL. Not sure what you were talking about on that one, but I am aware of the annoying pop-ups they have.

    Going to the fridge,
    later

  6. #6 Member (Join Date May 2005, Posts 30)
    Originally posted here by dogman

    I wish they would go away; all my space for banned IPs is getting full, ha ha.
    As far as the MSN Messenger comment, NO, I don't even use that service and have totally deleted it ALL. Not sure what you were talking about on that one, but I am aware of the annoying pop-ups they have.

    I disabled the service long ago, too, but that doesn't mean people can't try to send you messages on the ports Windows Messenger would listen to (UDP ports 1026-1027).

    Check this out:
    http://www.linklogger.com/UDP1026.htm

    I think it's pretty likely the spam is coming from zombies, but you never know. Could be a thriving business model.

    UPDATE:
    I just thought I'd add that these messages could easily contain spoofed "from" IP addresses. It's very likely the "sender" isn't really the sender. That's supposedly pretty easy to do in UDP packets.

    Your firewall is junking them already, so I'd say just ignore it.
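Added example, not code from the original thread: a small Python triage script that parses the firewall lines quoted in post #1 and applies the reading given in post #6, tagging UDP 1026/1027 hits as Windows Messenger pop-up spam, counting how many distinct sources hit each destination port, and flagging only a source that walks several ports on this one host as worth a closer look. The log layout regex, the class names and the three-port threshold are my assumptions; the Messenger port numbers and the "Microsoft-SQL-Monitor" label come from the thread. Because the source address of a UDP datagram is unauthenticated (the spoofing point in post #6), per-source counts are only a weak signal.

```python
import re
from collections import Counter, defaultdict

# The firewall lines quoted in post #1 (format: "date time src:port dst:port label").
POSTED_LOG = """\
2005/05/13 09:35:58 222.77.185.242:60840 216.203.252.150:1027 Port 1027 (UDP)
2005/05/13 09:35:58 222.77.185.242:60840 216.203.252.150:1027 Port 1027 (UDP)
2005/05/13 09:35:58 222.77.185.242:60840 216.203.252.150:1026 Port 1026 (UDP)
2005/05/13 09:39:35 61.172.249.200:32831 216.203.252.150:1026 Port 1026 (UDP)
2005/05/13 09:39:43 61.129.34.19:1195 216.203.252.150:1434 Microsoft-SQL-Monitor
2005/05/13 09:46:11 61.129.94.146:0 216.203.252.150:0 ICMP Ping
2005/05/13 09:19:00 64.102.120.188:23044 216.203.252.150:1026 Port 1026 (UDP)
"""

# Assumed log layout; adjust the pattern for a different firewall's format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<label>.+)$"
)

MESSENGER_PORTS = {1026, 1027}  # UDP ports the Windows Messenger service listens on (post #6)
SQL_MONITOR_PORT = 1434         # the firewall labelled this hit "Microsoft-SQL-Monitor"


def parse(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        label = d["label"]
        if "(UDP)" in label:
            proto = "udp"
        elif "(TCP)" in label:
            proto = "tcp"
        elif "ICMP" in label:
            proto = "icmp"
        else:
            proto = "unknown"  # the 1434 line names the service but not the transport
        events.append({
            "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "proto": proto, "label": label,
        })
    return events


def classify(ev):
    """Assumed class names; the port-to-meaning mapping is the one the thread gives."""
    if ev["proto"] == "icmp":
        return "icmp-ping"
    if ev["proto"] == "udp" and ev["dport"] in MESSENGER_PORTS:
        return "messenger-spam"
    if ev["dport"] == SQL_MONITOR_PORT:
        return "sql-monitor-probe"
    return "other"


def summarize(events):
    """Counts per class, distinct sources per destination port, destination ports per source."""
    by_class = Counter(classify(e) for e in events)
    sources_per_port = defaultdict(set)
    ports_per_source = defaultdict(set)
    for e in events:
        if e["proto"] == "icmp":
            continue  # "port 0" on an ICMP line is padding, not a service
        sources_per_port[e["dport"]].add(e["src"])
        ports_per_source[e["src"]].add(e["dport"])
    return by_class, sources_per_port, ports_per_source


def looks_targeted(ports_per_source, min_ports=3):
    """Sources that probed at least min_ports distinct ports on this host.

    Spam and worm zombies hit one or two fixed ports across many hosts; something
    enumerating *this* machine walks many ports from one address. The threshold is
    an assumption. Because a UDP source address is unauthenticated (post #6), a
    source seen only on UDP is a weak signal either way.
    """
    return {src: sorted(ports)
            for src, ports in ports_per_source.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    evs = parse(POSTED_LOG)
    by_class, spp, pps = summarize(evs)
    for cls, n in by_class.most_common():
        print(f"{cls:18s} {n}")
    for port, srcs in sorted(spp.items()):
        print(f"port {port}: {len(srcs)} distinct source(s)")
    print("targeted-looking sources:", looks_targeted(pps) or "none")
```

Run as a script it prints the summary; on the posted lines it reports five Messenger-spam datagrams on 1026/1027 from three different sources, one 1434 probe and one ping, and no source touching three or more ports, which is the pattern of background noise rather than of a host singling this machine out.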

  7. #7 treanglin, Senior Member (Join Date Dec 2003, Posts 111)
    I'm not sure... but could it be possible that someone is using the machine in China as a proxy or something? (I'm not sure how UDP and proxies work.)

  8. #8 Member (Join Date May 2005, Posts 39)

    Thanks for the UDP link and info, but...

    It is annoying, that is for sure. Why don't we block all their traffic to my ISP? Do you think my ISP would go along with this?
    Anyway, I checked out the links on the port spamming. I am going to try to be oblivious to all this; "China Hacks" is what I call them, China Hacks. I wish someone could, ...or knew more about this operation and the internet protocol they are using and what for. And yes, it could be someone right here in the USA, out of San Diego, CA, because occasionally it pings back to there and back to the Beijing area. So maybe if anyone knew MORE, we could find out what this is all about; maybe readers can monitor the IP addresses I posted. Anyway... is it a superspammer from the USA?
    Or the communists trying to crack the top secrets in my little machine?
    hah!
    back to the fridge

    Thanks for the info...

  9. #9 phishphreek, AO übergeek (Join Date Jan 2002, Posts 4,325)
    Why not just create a rule to block UDP 1026-1027 and NOT log it?

    I was constantly having my logs filled with alerts from ports TCP 135, 137, 139, etc. I just created a rule to block those and NOT log on my external interface, but to log them on my internal interface. If they make it to the internal interface and into my logs... I know something is wrong with the rules on my external interface.

    I'm using a cisco router and have ACLs applied to my external interface incoming.
    I also have ACLs applied to my internal interface both incoming and outgoing.
