Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2

Microsoft IP trying to hack me?

[INFO] Sat Mar 09 17:39:33 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:39:31 2013 Blocked incoming UDP packet from 31.200.179.95:1048 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:39:31 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:39:22 2013 Above message repeated 3 times
[INFO] Sat Mar 09 17:39:20 2013 Blocked incoming UDP packet from 31.200.179.95:1048 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:39:20 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:38:01 2013 Above message repeated 1 times
[INFO] Sat Mar 09 17:37:59 2013 Blocked incoming UDP packet from 31.200.179.95:1048 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:37:59 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:37:50 2013 Above message repeated 3 times
[INFO] Sat Mar 09 17:37:48 2013 Blocked incoming UDP packet from 31.200.179.95:1048 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:37:48 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515

»www.ip-tracker.org/lookup/whois-···6.149.60

OrgName: Microsoft Corp
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2011-04-26



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

Windows Update prog?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Cartel

UDP is typically used for streaming video or audio. Do you have something running?

»High Received Numbers in Ethernet status area
--
Don't feed trolls--it only makes them grow!



FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5
reply to Cartel

said by Cartel:

[INFO] Sat Mar 09 17:39:33 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:39:31 2013 Blocked incoming UDP packet from 31.200.179.95:1048 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:39:31 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:39:22 2013 Above message repeated 3 times
[INFO] Sat Mar 09 17:39:20 2013 Blocked incoming UDP packet from 31.200.179.95:1048 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:39:20 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:38:01 2013 Above message repeated 1 times
[INFO] Sat Mar 09 17:37:59 2013 Blocked incoming UDP packet from 31.200.179.95:1048 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:37:59 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:37:50 2013 Above message repeated 3 times
[INFO] Sat Mar 09 17:37:48 2013 Blocked incoming UDP packet from 31.200.179.95:1048 to XXXXXXXX:58515
[INFO] Sat Mar 09 17:37:48 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:58515

»www.ip-tracker.org/lookup/whois-···6.149.60

OrgName: Microsoft Corp
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2011-04-26

When a UDP session is unexpectedly terminated, the MS end continues sending, but the client end starts rejecting all the packets. Eventually the MS end will realize the session was terminated and the errors will stop.
--
Senate - get off your butts and actually create a budget that has spending cuts 3x the amount of tax increases like you promised.

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

With most firewalls configured for "stealth" these days, it breaks the TCP/IP protocol and prevents the sending of the closed response, so it won't just stop immediately. That just appears to be a stream a program on the computer was receiving and is no longer listening for.

When working with others on rule-based firewalls I continually had to tell people that not every blocked packet was an attack.
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2


Updates are disabled, nothing streaming.

Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:1024

Blocked incoming UDP packet from 65.55.158.118:3544 to XXXXXXXX:1024

Teredo uses UDP port 3544, and I have IPv6 completely disabled and Teredo


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3


I don't care where you're getting your logs from, stop assuming every packet blocked is an attack, and it's people like you who get paranoid about every little packet that make everyone else ignore actual attacks. I hope you realize that because you are stealth it will generate quite a bit of blocked traffic like this.

1024 is part of a very large range of ports used for various applications also, but for that you would have to monitor what programs were using what ports on the actual computer(s) on the network.
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.



La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to Cartel

Microsoft IP trying to hack me?

Now why would MS do that?


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Cartel

Second BlitzenZeus's comments.

a) What kind of equipment is generating these logs / blocks?

b) Do you have some sort of IDS / IPS running?

c) Do you know what's actually in these packets themselves, beyond that whatever device generated these logs blocked the packet?

d) Have you checked your own network for any traffic initiating something to said destination?

I mean it's always interesting seeing people's logs and trying to see what's up with the traffic, but I find it's always a trick separating the issue from the noise.

Regards



Raphion

join:2000-10-14
Samsara
reply to Cartel

Looks like Skype to me.


Oedipus

join:2005-05-09
kudos:1
reply to La Luna

said by La Luna:

Microsoft IP trying to hack me?

Now why would MS do that?

Delusions of self-importance.


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2

[INFO] Sun Mar 10 02:22:35 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:22:31 2013 Above message repeated 2 times
[INFO] Sun Mar 10 02:22:31 2013 Blocked incoming UDP packet from 2.37.157.138:1027 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:22:26 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:22:16 2013 Above message repeated 5 times
[INFO] Sun Mar 10 02:22:16 2013 Blocked incoming UDP packet from 2.37.157.138:1027 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:22:11 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:22:09 2013 Blocked incoming UDP packet from 2.37.157.138:1027 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:22:09 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:22:00 2013 Above message repeated 3 times
[INFO] Sun Mar 10 02:22:00 2013 Blocked incoming UDP packet from 72.55.148.202:5542 to XXXXXXXXX:5060
[INFO] Sun Mar 10 02:21:58 2013 Blocked incoming UDP packet from 2.37.157.138:1027 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:21:58 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:20:13 2013 Blocked incoming TCP connection request from 142.217.11.107:42722 to XXXXXXXXX:47498
[INFO] Sun Mar 10 02:20:10 2013 Above message repeated 1 times
[INFO] Sun Mar 10 02:17:54 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:17:53 2013 Blocked incoming TCP connection request from 79.87.246.14:33334 to XXXXXXXXX:47498
[INFO] Sun Mar 10 02:17:52 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:17:52 2013 Blocked incoming UDP packet from 2.37.157.138:1027 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:17:50 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:17:50 2013 Blocked incoming TCP connection request from 79.87.246.14:33334 to XXXXXXXXX:47498
[INFO] Sun Mar 10 02:17:48 2013 Blocked incoming UDP packet from 79.87.246.14:6881 to XXXXXXXXX:47498
[INFO] Sun Mar 10 02:17:45 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:17:45 2013 Blocked incoming UDP packet from 79.87.246.14:6881 to XXXXXXXXX:47498
[INFO] Sun Mar 10 02:17:44 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:17:43 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:17:42 2013 Blocked incoming UDP packet from 2.37.157.138:1027 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:17:42 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:17:41 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:17:41 2013 Blocked incoming UDP packet from 2.37.157.138:1027 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:17:40 2013 Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXXX:58515
[INFO] Sun Mar 10 02:17:33 2013 Above message repeated 2 times
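
As an added triage example (editor's code, not from any poster in this thread): the Python script below parses lines in the format of the router log above, folds "Above message repeated N times" into the preceding entry, groups blocked packets by local port, and flags the pattern FFH and BlitzenZeus describe, a Teredo server (source UDP 3544) and a peer both still sending to one local port after the client stopped listening. It assumes the log is printed newest first; the sample lines are taken from the log quoted above.

```python
import re
from collections import defaultdict

# Lines from the router log quoted above (newest first); local address masked as in the post.
SAMPLE_LOG = """\
[INFO] Sun Mar 10 02:22:35 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:22:31 2013 Above message repeated 2 times
[INFO] Sun Mar 10 02:22:31 2013 Blocked incoming UDP packet from 2.37.157.138:1027 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:22:26 2013 Blocked incoming UDP packet from 157.56.106.184:3544 to XXXXXXXXX:60016
[INFO] Sun Mar 10 02:22:00 2013 Blocked incoming UDP packet from 72.55.148.202:5542 to XXXXXXXXX:5060
[INFO] Sun Mar 10 02:20:13 2013 Blocked incoming TCP connection request from 142.217.11.107:42722 to XXXXXXXXX:47498
"""

LINE = re.compile(r"Blocked incoming (\w+) (?:packet|connection request) "
                  r"from ([\d.]+):(\d+) to [^\s:]+:(\d+)")
REPEAT = re.compile(r"Above message repeated (\d+) times")
TEREDO_PORT = 3544  # UDP port used by Teredo servers, as noted in the thread

def parse(log_text):
    """Return (proto, src_ip, src_port, dst_port, count) tuples in time order.
    Assumption: newest entry is printed first, so a 'repeated N times' line
    belongs to the entry printed below it (the previous one in time)."""
    events = []
    for line in reversed(log_text.splitlines()):
        m = LINE.search(line)
        if m:
            proto, ip, sport, dport = m.groups()
            events.append([proto, ip, int(sport), int(dport), 1])
            continue
        r = REPEAT.search(line)
        if r and events:  # ignore a repeat line with nothing before it
            events[-1][4] += int(r.group(1))
    return [tuple(e) for e in events]

def triage(log_text):
    """Group blocked packets by local port and flag the thread's pattern: a
    Teredo server (source UDP 3544) and a peer both hitting one local port."""
    by_port = defaultdict(lambda: {"total": 0, "sources": defaultdict(int),
                                   "teredo_server": False})
    for proto, ip, sport, dport, n in parse(log_text):
        e = by_port[dport]
        e["total"] += n
        e["sources"][f"{ip}:{sport}/{proto}"] += n
        if proto == "UDP" and sport == TEREDO_PORT:
            e["teredo_server"] = True
    for e in by_port.values():
        e["verdict"] = ("consistent with a stale Teredo session"
                        if e["teredo_server"] and len(e["sources"]) > 1
                        else "unknown: check which local program used this port")
    return dict(by_port)
```

Run `triage(SAMPLE_LOG)` and inspect the per-port entries; the "unknown" verdict is the case HELLFIRE's question d) covers, where only the host itself can say which program opened that port.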


SCADAGeo

join:2012-11-08
N California
kudos:2
reply to Cartel

said by Cartel:

Updates are disabled, nothing streaming.

Blocked incoming UDP packet from 157.56.149.60:3544 to XXXXXXXX:1024

Blocked incoming UDP packet from 65.55.158.118:3544 to XXXXXXXX:1024

Teredo uses UDP port 3544, and I have IPv6 completely disabled and Teredo

Are you sure you have IPv6 completely disabled?

What did you do to disable it?

How did you verify it?