Port 1026

  #1 (permalink)  
Old 06-16-2004
Felix Tilley
 
Posts: n/a
Default Port 1026

Anyone know what this is. I have been getting this from 12.148.162.131
for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
with iptables.


iplog2|grep UDP
Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP SPT=9092 DPT=1026
  #2 (permalink)  
Old 06-16-2004
David
 
Posts: n/a
Default Re: Port 1026

Felix Tilley wrote:
> Anyone know what this is. I have been getting this from 12.148.162.131
> for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
> with iptables.
>
>
> iplog2|grep UDP
> Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP SPT=9092 DPT=1026


This link has several descriptions as to different possibilities
that could be the cause. A couple of them may be Microsoft
problems such as, "MS Blaster", and "Windows Messenger Popup Spam".

http://isc.incidents.org/port_details.php?port=1026

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.26 SMP i686 (GCC) 3.3.4
Uptime:1 day, 12:12, 2 users, load average: 1.28, 1.77, 1.77
  #3 (permalink)  
Old 06-16-2004
Shadow_7
 
Posts: n/a
Default Re: Port 1026

> Anyone know what this is. I have been getting this from 12.148.162.131
> for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
> with iptables.
>
>
> iplog2|grep UDP
> Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP
> SPT=9092 DPT=1026


According to nmap's ports_nmap.txt file:

nterm 1026/tcp # nterm, remote_login_network_terminal

Shadow_7
  #4 (permalink)  
Old 06-18-2004
Andrew Keith
 
Posts: n/a
Default Re: Port 1026

Hacker trying to break in... or maybe a script kiddie looking for a soft
spot.

Block that port, kill the offending program (if there is one opening that
port).

from nmap.services.

cap 1026/tcp LSA-or-nterm nterm # calender access protocol, nterm
remote_login network_terminal, remote_login network_terminal

Andrew


"Shadow_7" <wwwshadow7@yaNOhoo.comNULL> wrote in message
news:pan.2004.06.16.12.08.19.120503@yaNOhoo.comNULL...
> > Anyone know what this is. I have been getting this from 12.148.162.131
> > for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
> > with iptables.
> >
> >
> > iplog2|grep UDP
> > Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP
> > SPT=9092 DPT=1026

>
> According to nmaps ports_nmap.txt file:
>
> nterm 1026/tcp # nterm, remote_login_network_terminal
>
> Shadow_7



  #5 (permalink)  
Old 06-19-2004
Felix Tilley
 
Posts: n/a
Default Re: Port 1026

In article <10cvifuackm4185@news.supernews.com>, Tue, 15 Jun 2004 21:18:05
-0700, "Felix Tilley" <ftilley@localhost.localdomain> wrote:

> Anyone know what this is. I have been getting this from 12.148.162.131
> for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
> with iptables.
>
>
> iplog2|grep UDP
> Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP
> SPT=9092 DPT=1026




Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-18 19:59 MST
Interesting ports on Bahamas.offshore-islands.com (12.148.162.131):
(The 1644 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp open http
110/tcp open pop3
111/tcp filtered rpcbind
143/tcp filtered imap
443/tcp open https
510/tcp filtered fcp
515/tcp filtered printer
587/tcp open submission
873/tcp open rsync
1080/tcp open socks
1110/tcp open nfsd-status
2049/tcp filtered nfs

Nmap run completed -- 1 IP address (1 host up) scanned in 43.252 seconds

--

Felix Tilley
Rank: Capt
Fanatic Lartvocate
FL# 555-LART
  #6 (permalink)  
Old 06-19-2004
Bit Twister
 
Posts: n/a
Default Re: Port 1026

On Tue, 15 Jun 2004 21:18:05 -0700, Felix Tilley wrote:
> Anyone know what this is. I have been getting this from 12.148.162.131
> for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
> with iptables.
>
>
> iplog2|grep UDP
> Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP SPT=9092 DPT=1026



Maybe this will help.
http://www.dshield.org//port_report.php?port=1026
  #7 (permalink)  
Old 06-19-2004
Randy Ramsdell
 
Posts: n/a
Default Re: Port 1026



Felix Tilley wrote:
> In article <10cvifuackm4185@news.supernews.com>, Tue, 15 Jun 2004 21:18:05
> -0700, "Felix Tilley" <ftilley@localhost.localdomain> wrote:
>
>
>>Anyone know what this is. I have been getting this from 12.148.162.131
>>for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
>>with iptables.
>>
>>
>>iplog2|grep UDP
>>Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP
>>SPT=9092 DPT=1026

>
>
>
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-18 19:59 MST
> Interesting ports on Bahamas.offshore-islands.com (12.148.162.131):
> (The 1644 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 21/tcp open ftp
> 23/tcp filtered telnet
> 25/tcp filtered smtp
> 80/tcp open http
> 110/tcp open pop3
> 111/tcp filtered rpcbind
> 143/tcp filtered imap
> 443/tcp open https
> 510/tcp filtered fcp
> 515/tcp filtered printer
> 587/tcp open submission
> 873/tcp open rsync
> 1080/tcp open socks
> 1110/tcp open nfsd-status
> 2049/tcp filtered nfs
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 43.252 seconds
>


Why did you post this?

  #8 (permalink)  
Old 07-21-2004
Stephen
 
Posts: n/a
Default Re: Port 1026

Felix Tilley wrote:
> Anyone know what this is. I have been getting this from 12.148.162.131
> for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
> with iptables.
>
>
> iplog2|grep UDP
> Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP SPT=9092 DPT=1026


Name:

cap


Purpose:

Calender Access Protocol


Description:

Microsoft operating systems tend to allocate one or more unsuspected,
publicly exposed services (probably DCOM, but who knows) among the first
handful of ports immediately above the end of the service port range
(1024+).


Related Ports:

1024, 1025, 1027, 1028, 1029, 1030




Background and Additional Information:




The most distressing aspect of this is that these service ports are
wide open to the external Internet. If Microsoft wants to allow DCOM
services and clients operating within a single machine to inter-operate,
that's fine. But in that case the DCOM service ports should be "locally
bound" so that they are not wide open and flapping in the Internet
breeze. This is trivial to do, but Microsoft doesn't bother. Or, if
there might be some reason to have DCOM used within a local area
network, DCOM traffic could be generated with packets having their TTL
(time to live) set down to one or two. This would allow DCOM packets
complete local freedom, but they would expire immediately after crossing
one or two router hops. The point is, there are many things Microsoft
could easily do if they had any true concern for, or understanding of,
Internet security.

Who knows what known or unknown, discovered or yet to be discovered
vulnerabilities already exist in those exposed servers and services? This
is PRECISELY the situation which hit end users who didn't realize they
were running a personal version of Microsoft's IIS web server when the
Code Red and Nimda worms hit them and installed backdoor Trojans in
their systems. And it's IDENTICAL to the situation when the SQL Slammer
worm ripped across the Internet and tens of thousands of innocent end
users discovered, to their total surprise, that some other software
(Here's an off-site link to SQL-installing applications.) had silently
installed Microsoft's insecure and now exploited SQL server into their
machines, and that server had silently opened their ports 1433 and 1434
to the entire Internet.


If you are reading this page because our port analysis has revealed that
you have open ports lying between 1024 and 1030, it would certainly be
in your best interests to configure your personal firewall to block
incoming connection requests (TCP SYN packets) to those low-numbered ports.


Unfortunately, since Windows initially initiates outgoing connections
from this same low-numbered port range (as the first ports it uses
immediately after booting), you may need to be careful with the
configuration of your firewall rules. Otherwise you may find that the
first several outbound connection attempts made by Windows will fail
because returning traffic has been blocked at your firewall. However,
any good stateful personal firewall, such as Zone Alarm and probably
others, ought to block these low-numbered ports automatically. And, of
course, placing any network behind a NAT router provides extremely good
hardware firewall protection for your system(s).
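Added example, not part of the original thread or any poster's code: a small Python model of the caveat in the post above, comparing a port-only block on 1024-1030 with a stateful filter. The `Stateful` class is a deliberately simplified stand-in for real connection tracking, and the second and third log lines (including the 192.0.2.80 server address) are constructed for illustration.

```python
import re
from typing import NamedTuple

LOCAL_IP = "63.184.1.105"    # DST address in the thread's log line
GUARDED = range(1024, 1031)  # ports 1024-1030 named in the post
FIELDS = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int

def parse(line):
    """Turn an iplog-style line of KEY=value fields into a Packet."""
    f = dict(FIELDS.findall(line))
    return Packet(f["SRC"], f["DST"], f["PROTO"], int(f["SPT"]), int(f["DPT"]))

def stateless(pkt):
    """Port-only rule: drop everything inbound to a guarded port."""
    inbound = pkt.dst == LOCAL_IP
    return "DROP" if inbound and pkt.dpt in GUARDED else "ACCEPT"

class Stateful:
    """Simplified connection tracking (assumption: no timeouts or TCP flags)."""
    def __init__(self):
        self.flows = set()

    def filter(self, pkt):
        if pkt.src == LOCAL_IP:  # outbound: remember the flow
            self.flows.add((pkt.proto, pkt.spt, pkt.dst, pkt.dpt))
            return "ACCEPT"
        # inbound: accept only a reply to a flow this host opened
        reply_to = (pkt.proto, pkt.dpt, pkt.src, pkt.spt)
        return "ACCEPT" if reply_to in self.flows else "DROP"

# Constructed sample. Line 1 is the log line from the thread; lines 2-3 are an
# invented outbound connection from local port 1026 and the server's reply.
SAMPLE = """\
Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP SPT=9092 DPT=1026
Jun 14 20:13:01 -0700 SRC=63.184.1.105 DST=192.0.2.80 PROTO=TCP SPT=1026 DPT=80
Jun 14 20:13:01 -0700 SRC=192.0.2.80 DST=63.184.1.105 PROTO=TCP SPT=80 DPT=1026
"""

def compare(log=SAMPLE):
    """Return (stateless, stateful) verdicts for each log line."""
    fw = Stateful()
    return [(stateless(p), fw.filter(p)) for p in map(parse, log.splitlines())]
```

Both filters drop the unsolicited UDP probe, but only the port-only rule also drops the reply to the host's own connection from source port 1026, which is the breakage the post warns about.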
  #9 (permalink)  
Old 07-21-2004
Bit Twister
 
Posts: n/a
Default Re: Port 1026

On Wed, 21 Jul 2004 10:40:52 +0000 (UTC), Stephen wrote:
> Felix Tilley wrote:
>> Anyone know what this is. I have been getting this from 12.148.162.131
>> for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8


You need to update to 10.0 to get all the security fixes you are missing.

> -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP SPT=9092 DPT=1026



http://www.dshield.org//port_report.php?port=1026
  #10 (permalink)  
Old 07-21-2004
Bernhard Kastner
 
Posts: n/a
Default Re: Port 1026

Felix Tilley wrote:

> Anyone know what this is. I have been getting this from 12.148.162.131
> for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
> with iptables.
>
>
> iplog2|grep UDP
> Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP SPT=9092 DPT=1026


http://www.iana.org/assignments/port-numbers

--
---
http://www.alf.at.tc
Austrian Linux Forum