garciamd
join:2001-03-24 Whippany, NJ
Port 1025-1027
My ZoneAlarm (free) has been getting many hits on ports 1025, 1026, and 1027 in the last two days. Is anyone else seeing this, and should I be worried?
CrazyM Premium join:2001-05-16 BC Canada
If those are destination ports, it would help to know the corresponding source ports. This would help in determining what may be going on.
CrazyM
rakerman
join:2002-09-28 Ottawa, ON
reply to garciamd
Since the ports 1024 and just above are typically the starting ephemeral ports on most systems, it is almost as if you are opening connections and then closing them before they are finished - that would reproduce this behavior.
In fact I'm surprised the IANA assigned any reserved ports between 1024 and 1029. That will just serve to confuse things.

Keyword      Decimal     Description                 References
-------      -------     -----------                 ----------
             1024/tcp    Reserved
             1024/udp    Reserved                    # IANA
blackjack    1025/tcp    network blackjack
blackjack    1025/udp    network blackjack           # Unknown contact
cap          1026/tcp    Calender Access Protocol
cap          1026/udp    Calender Access Protocol    # Doug Royer June 2002
#            1027-1029   Unassigned

--
Richard Akerman
http://www.akerman.ca/trojan-port-table.html (covers trojan ports as well as general broadband security)
gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
reply to garciamd
IANA port assignments are only directory, not mandatory; generally, a Windows system will attach those ports for things like RPC, scheduler service, etc.; you should normally see those kinds of things making loopbacks (remote address 127.0.0.1), and that's entirely normal and even necessary for certain Windows functions, but to see those sorts of services connecting to the internet would be unusual and probably bad news, under most circumstances... best/only way to tell what your system has attached (if anything) there is to do a netstat and see what returns...
--
If we took the bones out it wouldn't be crunchy, would it?
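A way to do the netstat check gwion describes without eyeballing the whole listing, written as an added example for this thread (it is not code from any poster): it parses `netstat -an` style output and sorts every socket on ports 1024-1029 into listening, loopback (peer 127.x, the normal case gwion mentions) or external. The netstat text is constructed to look like Windows output and the addresses are documentation ranges; the layout is an assumption, not a verified capture.

```python
"""Added example (not from any poster in this thread): parse `netstat -an` output
from a Windows box and sort out what is bound to ports 1024-1029, separating
loopback peers (127.0.0.1), which gwion's post calls normal, from listeners and
from connections to outside addresses. The netstat output below is constructed
to mimic Windows formatting; the addresses are documentation ranges."""

# Constructed sample of `netstat -an` output (assumed layout, not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  TCP    192.0.2.10:1027        203.0.113.5:80         ESTABLISHED
  TCP    192.0.2.10:1028        198.51.100.9:6667      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1029         *:*
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, local ip/port, foreign ip/port, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip header lines and anything that is not a socket row
        lip, lport = parts[1].rsplit(":", 1)
        fip, fport = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "lip": lip, "lport": int(lport),
            "fip": fip, "fport": fport,            # fport stays a string: UDP rows show "*"
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def review_ports(rows, low=1024, high=1029):
    """Classify every row whose local port is in [low, high].

    listening : socket is waiting for connections, no peer yet
    loopback  : peer is 127.x, i.e. one local service talking to another (normal)
    external  : peer is a non-local address; judge it by the foreign host and port
    """
    findings = []
    for r in rows:
        if not low <= r["lport"] <= high:
            continue
        if r["state"] == "LISTENING" or r["fip"] in ("0.0.0.0", "*"):
            verdict = "listening"
        elif r["fip"].startswith("127."):
            verdict = "loopback"
        else:
            verdict = "external"
        findings.append((r["proto"], r["lport"], r["fip"], r["fport"], verdict))
    return findings


if __name__ == "__main__":
    for f in review_ports(parse_netstat(SAMPLE_NETSTAT)):
        print(f)
```

An "external" verdict is not a verdict of compromise by itself: in the sample, local port 1027 talking to a remote port 80 is just a browser using an ephemeral port, while a remote host attached to your port 1025 listener, or an outbound connection to an odd remote port, is the kind of thing gwion says to look at more closely.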
dja The 'd' is silent ... unlike the member. Premium join:2002-03-25 Niagara
reply to garciamd
Please see the other threads dealing with this occurrence and NetBIOS in general:
»Port 137 probes-anyone else?
»Curiosities of port 137 - For Newbies
»udp/137 activity may be tied to scrsvr.exe malware
»Netbios-ns/137??
I've had over 1200 hits since it began.
--
Click HERE for the newsletter COGECO may, or may not, let you read!
garciamd
join:2001-03-24 Whippany, NJ
Thanks for the help!!! As I speak, 13 more hits at ZoneAlarm... I did a PC Flank test and there are no security holes (phew!). At least it's getting interesting, now it's trying port 1041. I'll keep you up to speed if I dig up something.
  SYNACK Just Firewall It Premium,Mod join:2001-03-05 Venice, CA
You still haven't told us the source ports. Where are they coming from (source IPs!)? TCP or UDP? etc.
--
Where in the world is LA/OC ?
dja The 'd' is silent ... unlike the member. Premium join:2002-03-25 Niagara
reply to garciamd
My guess is that 1025-1027 ARE the remote source ports, and that the protocol is UDP.
I believe that what the member is seeing is the NetBIOS Name request flood that is occurring.
garciamd
join:2001-03-24 Whippany, NJ
Agree with dja; UDP flood most likely, seems to be coming from random sites. ZoneAlarm lists them as port 137 (under info). Thanks dja, I learned a little more tonight from the links offered. Will keep reading...
Anon
reply to garciamd
Port 1025 has been known to run 3 different remote control Trojan Horses.
dja The 'd' is silent ... unlike the member. Premium join:2002-03-25 Niagara
said by : Port 1025 has been known to run 3 different remote control Trojan Horses.
Welcome sunshinerall.
One of those trojans being RemoteStorm, of which a Google search just turned up more than a dozen sites from which to download your very own, to do with as you wish, but only two sites regarding removal, and those had no instructions beyond purchasing their removal tool.
Welcome to security on the Internet, where ISPs block e-mail, but allow spoofed packets, and malicious warez.
Are you getting hit by UDP?
garciamd
join:2001-03-24 Whippany, NJ
Yes, attacks are occurring to UDP 1025-1029. I'm extremely careful where I go (no porn or gambling sites!) and have the latest anti-virus definitions for Norton AV. At least ZoneAlarm is blocking the attempt.
JackCam614 Premium join:2000-08-24 New Hyde Park, NY
Hi Garciamd,
If I may politely point out, the attacks are not "to UDP 1025-1029", they are "from" (source) those ports, directed to your port 137. Glad you are 'security conscious' with anti-virus and firewall setups. If everyone protected their machines (as much as can be reasonably expected), I/we wouldn't be getting 60 port 137 attacks per hour.
" 'Spread the Word' not the Virus"
Jack
 garciamd
join:2001-03-24 Whippany, NJ
Thanks, I'm always willing to learn! As you mentioned correctly, they are directed to port 137. There are a few threads in the security forum on this current anomaly. Let's hope it serves its purpose and gets more users to be security conscious. [text was edited by author 2002-10-01 13:59:05]
larrypt
join:2000-10-24 Simi Valley, CA
I thought port 1025 tcp was a normal port that WinXP uses as part of its services. Am I wrong about this?
NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
reply to garciamd
*flame-on* For cryin' out loud... if you expect people to take their time to help you, the least you can do is open up your zalog.txt file in a text editor, copy and paste your darn log entry. *flame-off*
I'm specifically seeing some incidents where the *source* port is 1025... e.g.: »www.mynetwatchman.com/LID.asp?IID=8087099
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch
dja The 'd' is silent ... unlike the member. Premium join:2002-03-25 Niagara
reply to JackCam614
said by JackCam614 : " 'Spread the Word' not the Virus" Jack
Should be the Security Forum Motto!
About 1025 services:

Protocol   Name          Description
tcp        blackjack     network blackjack
udp        blackjack     network blackjack
tcp        listen        listener RFS remote_file_sharing
tcp        shoppro       ShopPro accounting software
tcp        FraggleRock   [TROJAN] Fraggle Rock
tcp        md5Backdoor   [TROJAN] md5 Backdoor
tcp        NetSpy        [TROJAN] NetSpy
tcp        RemoteStorm   [TROJAN] Remote Storm
udp        RemoteStorm   [TROJAN] Remote Storm
 garciamd
join:2001-03-24 Whippany, NJ
I usually don't bother acknowledging flaming episodes, but in NetWatchMan's case I'll make an exception. Given the fact that in another thread he states "I don't get it..." I'm assuming there's little medial of his auricles (look it up!). Had he taken the time to read the original question he would have noticed the comment was about anyone experiencing any recent port activity out of the ordinary. Had he also been more cognizant (look it up!) of the other threads in this forum he may actually learn something. But alas, that would be like trying to teach him how to read, and I don't think anyone would like to waste their time in such a superficial way.
Thanks to all others who are courteous and who have shown some class. [text was edited by author 2002-10-01 23:01:44]
Occasu$
join:2001-07-20 North Vancouver, BC
reply to dja
said by dja : said by JackCam614 : " 'Spread the Word' not the Virus" Jack
Should be the Security Forum Motto!
Agreed, very catchy
  SYNACK Just Firewall It Premium,Mod join:2001-03-05 Venice, CA
reply to garciamd
Sorry, but mynetwatchman did not start a flaming episode, and he is absolutely correct (and used the word flaming rhetorically). He was one of the few who saw the complete uselessness of the ongoing discussion.
If you would like us to interpret logs, we need:
1. Destination port
2. Source port
3. Protocol (UDP, TCP, etc.)
4. Packet direction (incoming, outgoing)
5. Any discernible pattern (every 5 minutes, in sets of 3, etc.)
Your original question (and the title of this thread!) was about ports 1025-1027. Typically "getting hits on xx" means xx is the destination port. It took you 14 posts deep into this thread to enlighten us that the destination port was actually 137. Up to that point you were basically wasting everybody's time with irrelevant information (and in this case, source ports are pretty irrelevant!).
So, please recognize sincere help as such.
--
Where in the world is LA/OC ?
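To show what the five items SYNACK lists look like when they are pulled out of a log rather than guessed at, here is an added example (not code from any poster, and not ZoneAlarm's own tooling): it parses ZoneAlarm-style firewall log lines and summarises incoming hits by protocol and destination port, with the source port range and number of distinct source hosts alongside. The log lines are constructed, and the comma-separated layout type,date,time,source ip:port,destination ip:port,protocol is an assumption about zalog.txt rather than a verified format; on a real log the regular expression is the one thing to adjust.

```python
"""Added example (not from any poster in this thread): summarise a ZoneAlarm-style
firewall log so that the five things SYNACK asks for (destination port, source
port, protocol, direction, pattern) come out of the log instead of being guessed.
The log lines below are constructed and the comma-separated layout
type,date,time,source ip:port,destination ip:port,protocol is an assumption
about zalog.txt, not a verified format."""
from collections import Counter
import re

# Constructed sample log. Addresses are documentation ranges; 192.0.2.10 is "our" host.
SAMPLE_LOG = """\
FWIN,2002/10/01,13:01:11 -4:00 GMT,198.51.100.7:1025,192.0.2.10:137,UDP
FWIN,2002/10/01,13:01:14 -4:00 GMT,203.0.113.44:1026,192.0.2.10:137,UDP
FWIN,2002/10/01,13:02:09 -4:00 GMT,198.51.100.7:1027,192.0.2.10:137,UDP
FWIN,2002/10/01,13:05:30 -4:00 GMT,203.0.113.9:1041,192.0.2.10:137,UDP
FWIN,2002/10/01,13:06:02 -4:00 GMT,203.0.113.9:3456,192.0.2.10:1025,TCP
FWOUT,2002/10/01,13:07:15 -4:00 GMT,192.0.2.10:1039,192.0.2.1:53,UDP
"""

LINE_RE = re.compile(
    r"^(?P<kind>FWIN|FWOUT),(?P<date>[\d/]+),(?P<time>[^,]+),"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+),(?P<dst_ip>[\d.]+):(?P<dst_port>\d+),"
    r"(?P<proto>TCP|UDP|ICMP)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["src_port"] = int(e["src_port"])
    e["dst_port"] = int(e["dst_port"])
    e["direction"] = "incoming" if e["kind"] == "FWIN" else "outgoing"
    return e


def summarize(log_text):
    """Group incoming hits by (protocol, destination port) and describe each group."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    incoming = [e for e in events if e["direction"] == "incoming"]
    counts = Counter((e["proto"], e["dst_port"]) for e in incoming)
    summary = {}
    for (proto, dport), n in counts.items():
        hits = [e for e in incoming if e["proto"] == proto and e["dst_port"] == dport]
        sports = sorted({e["src_port"] for e in hits})
        summary[(proto, dport)] = {
            "hits": n,
            "source_hosts": len({e["src_ip"] for e in hits}),
            "source_ports": sports,
            # Source ports all >= 1024 just means the senders used ephemeral ports;
            # the destination port is what tells you which service is being probed.
            "ephemeral_sources": all(p >= 1024 for p in sports),
        }
    return summary


def describe(summary):
    """One plain-English line per target, busiest first."""
    lines = []
    for (proto, dport), s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        note = ""
        if proto == "UDP" and dport == 137:
            note = " (NetBIOS name service; the 1025+ source ports are just the senders' ephemeral ports)"
        lines.append(
            f"{s['hits']} incoming {proto} to port {dport} from {s['source_hosts']} host(s), "
            f"source ports {s['source_ports'][0]}-{s['source_ports'][-1]}{note}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_LOG)):
        print(line)
```

On the constructed sample this reports four incoming UDP hits to port 137 from three hosts with source ports 1025-1041, which is the picture JackCam614 and dja arrived at: the 1025-1029 numbers are the senders' ephemeral ports and the service being probed is NetBIOS name service. Outgoing entries are left out of the summary so that the host's own DNS lookups do not get counted as hits.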