* [gentoo-user] Strange traffic says I am using windoze and have a bug.
@ 2005-12-26 5:10 Dale
From: Dale @ 2005-12-26 5:10 UTC
To: gentoo-user
Hi guys, and Holly, :D
I'm on dial-up and try to watch my traffic and every once in a while I
see a little blip on gkrellm. I fired up Ethereal and started to sniff
around. Pardon the pun there. LOL This is what it says though which
is strange. It's really the last two lines that matter but I am putting
the whole thing here just in case. Sorry so long.
> No.  Time      Source           Destination     Protocol   Info
> 1    0.000000  215.146.157.191  205.208.159.31  Messenger  NetrSendMessage request
>
> Frame 1 (710 bytes on wire, 710 bytes captured)
> Arrival Time: Dec 25, 2005 22:50:19.101533000
> Time delta from previous packet: 0.000000000 seconds
> Time since reference or first frame: 0.000000000 seconds
> Frame Number: 1
> Packet Length: 710 bytes
> Capture Length: 710 bytes
> Protocols in frame: sll:ip:udp:dcerpc
> Linux cooked capture
> Packet type: Unicast to us (0)
> Link-layer address type: 512
> Link-layer address length: 0
> Source: <MISSING>
> Protocol: IP (0x0800)
> Internet Protocol, Src: 215.146.157.191 (215.146.157.191), Dst:
> 205.208.159.31 (205.208.159.31)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 694
> Identification: 0x7411 (29713)
> Flags: 0x00
> 0... = Reserved bit: Not set
> .0.. = Don't fragment: Not set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 53
> Protocol: UDP (0x11)
> Header checksum: 0x2ce4 [correct]
> Good: True
> Bad : False
> Source: 215.146.157.191 (215.146.157.191)
> Destination: 205.208.159.31 (205.208.159.31)
> User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
> Source port: 44356 (44356)
> Destination port: 1026 (1026)
> Length: 674
> Checksum: 0x0000 (none)
> DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 583
> Version: 4
> Packet type: Request (0)
> Flags1: 0x78 "Broadcast" "Idempotent" "Maybe" "No Fack"
> 0... .... = Reserved: Not set
> .1.. .... = Broadcast: Set
> ..1. .... = Idempotent: Set
> ...1 .... = Maybe: Set
> .... 1... = No Fack: Set
> .... .0.. = Fragment: Not set
> .... ..0. = Last Fragment: Not set
> .... ...0 = Reserved: Not set
> Flags2: 0x00
> 0... .... = Reserved: Not set
> .0.. .... = Reserved: Not set
> ..0. .... = Reserved: Not set
> ...0 .... = Reserved: Not set
> .... 0... = Reserved: Not set
> .... .0.. = Reserved: Not set
> .... ..0. = Cancel Pending: Not set
> .... ...0 = Reserved: Not set
> Data Representation: 100000 (Order: Little-endian, Char: ASCII,
> Float: IEEE)
> Byte order: Little-endian (1)
> Character: ASCII (0)
> Floating-point: IEEE (0)
> Serial High: 0x00
> Object UUID: 00000000-0000-0000-0000-000000000000
> Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
> Activity: 00000000-0000-0000-0000-000000000000
> Server boot time: Unknown (0)
> Interface Ver: 1
> Sequence num: 0
> Opnum: 0
> Interface Hint: 0xffff
> Activity Hint: 0xffff
> Fragment len: 583
> Fragment num: 0
> Auth proto: None (0)
> Serial Low: 0x00
> Authentication verifier
> Microsoft Messenger Service, NetrSendMessage
> Operation: NetrSendMessage (0)
> Server
> Max Count: 10
> Offset: 0
> Actual Count: 10
> Server: Microsoft
> Client
> Max Count: 35
> Offset: 0
> Actual Count: 35
> Client: inform you about a virus detection
> Message
> Max Count: 497
> Offset: 0
> Actual Count: 497
> Message [truncated]: Windows has detected a virus on your
> system. In order to remove it please follow this steps:\n\n1. Start
> Microsoft Internet Explorer or your default web browser.\n2. Type into
> the navigation bar: http://www.cleanmyreg.
What is this? Is this some spam and it pops up a window if I were using
windoze? I went to the site and it looks like they want to sell
something, which I ain't buying by the way. ;-) How can I tell them
to stop this? Oh, only my main rig does this. My three servers which
have no GUI stuff or browsers installed do not get this, that I can see
anyway.
Another thing a bit off topic. I noticed earlier that there was a post
in some foreign language, looked like Japanese or Chinese and looked
like spam to me. Later I got one in my personal email. Can someone get
my email address from this list? I have got a few emails from people,
which is OK as long as it is not spam. Just curious. I like the list
but I didn't know my private email would become public, if this is true.
Thanks for any light you can shed on this.
Dale
:-)
--
To err is human, I'm most certainly human.
I have four rigs:
1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 128MBs of ram and a 2.5GB drive.
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.
All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.
--
gentoo-user@gentoo.org mailing list
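As an added example (not part of the original post or of any tool the thread mentions), the following Python decodes the kind of datagram shown in the capture above: a DCE/RPC connectionless (version 4) request to the Messenger service interface 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, opnum 0 (NetrSendMessage), carrying three NDR strings (Server, Client, Message). The packet bytes are rebuilt here from the field values the capture reports, not taken from the original datagram; the 4-byte alignment between the three strings and the `is_messenger_spam` heuristic are this example's own assumptions. Note that the Client string from the capture, "inform you about a virus detection", is 34 characters plus a NUL, which is exactly the Actual Count of 35 shown above.

```python
"""Decode a DCE/RPC connectionless (version 4) request of the kind sent to
UDP/1026 by Messenger-service spam. Added example: the packet is rebuilt
from the field values in the capture, not taken from the original datagram."""
import struct
import uuid

# Interface UUID and opnum reported in the capture above.
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
NETR_SEND_MESSAGE = 0
NIL_UUID = uuid.UUID(int=0)

# flags1 bits of the v4 header (0x78 in the capture = first four set).
FLAGS1 = {"broadcast": 0x40, "idempotent": 0x20, "maybe": 0x10,
          "no_fack": 0x08, "fragment": 0x04, "last_fragment": 0x02}


def ndr_string(text):
    """Conformant varying char array: max_count, offset, actual_count, data.
    actual_count includes the NUL; padding to 4 bytes between elements is
    this example's assumption about the stub layout."""
    data = text.encode("ascii") + b"\x00"
    body = struct.pack("<III", len(data), 0, len(data)) + data
    return body + b"\x00" * (-len(body) % 4)


def build_request(server, client, message, flags1=0x78):
    """Construct a v4 request PDU for NetrSendMessage(server, client, message)."""
    stub = ndr_string(server) + ndr_string(client) + ndr_string(message)
    # vers=4, ptype=0 (request), flags1, flags2, drep=little-endian/ASCII/IEEE, serial_hi
    hdr = struct.pack("<BBBB3sB", 4, 0, flags1, 0, b"\x10\x00\x00", 0)
    hdr += NIL_UUID.bytes_le + MSGSVC_IFACE.bytes_le + NIL_UUID.bytes_le  # object, interface, activity
    # server boot, if_vers, seq, opnum, ihint, ahint, frag len, frag num, auth proto, serial_lo
    hdr += struct.pack("<IIIHHHHHBB", 0, 1, 0, NETR_SEND_MESSAGE,
                       0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    return hdr + stub


def read_ndr_string(stub, off):
    """Read one NDR string at `off`; return (text, offset of the next element)."""
    max_count, offset, actual = struct.unpack_from("<III", stub, off)
    off += 12
    if offset != 0 or actual > max_count or off + actual > len(stub):
        raise ValueError("malformed NDR string at offset %d" % (off - 12))
    raw = stub[off:off + actual]
    off += actual + (-(off + actual) % 4)          # skip data and alignment padding
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace"), off


def parse_request(pkt):
    """Parse the 80-byte v4 header and, for NetrSendMessage, the three strings."""
    if len(pkt) < 80 or pkt[0] != 4:
        raise ValueError("not a DCE/RPC version 4 PDU")
    if pkt[4] >> 4 != 1:
        raise ValueError("only little-endian DREP is handled here")
    (boot, if_vers, seq, opnum, ihint, ahint, frag_len,
     frag_num, auth_proto, serial_lo) = struct.unpack_from("<IIIHHHHHBB", pkt, 56)
    if 80 + frag_len > len(pkt):
        raise ValueError("fragment length exceeds datagram")
    info = {
        "ptype": pkt[1],
        "flags1": {name: bool(pkt[2] & bit) for name, bit in FLAGS1.items()},
        "object": uuid.UUID(bytes_le=pkt[8:24]),
        "interface": uuid.UUID(bytes_le=pkt[24:40]),
        "activity": uuid.UUID(bytes_le=pkt[40:56]),
        "interface_version": if_vers, "sequence": seq, "opnum": opnum,
        "auth_proto": auth_proto, "fragment_length": frag_len,
    }
    if info["interface"] == MSGSVC_IFACE and opnum == NETR_SEND_MESSAGE:
        stub, off = pkt[80:80 + frag_len], 0
        for field in ("server", "client", "message"):
            info[field], off = read_ndr_string(stub, off)
    return info


def is_messenger_spam(pkt):
    """Heuristic (this example's own): an unsolicited NetrSendMessage request
    is recognised by interface UUID and opnum, not by its message text."""
    try:
        info = parse_request(pkt)
    except ValueError:
        return False
    return (info["ptype"] == 0 and info["interface"] == MSGSVC_IFACE
            and info["opnum"] == NETR_SEND_MESSAGE and "message" in info)


if __name__ == "__main__":
    # Constructed datagram using the strings reported in the capture.
    sample = build_request("Microsoft", "inform you about a virus detection",
                           "Windows has detected a virus on your system.")
    for key, value in parse_request(sample).items():
        print("%-18s %s" % (key, value))
    print("messenger spam:", is_messenger_spam(sample))
```

Keying the match on the interface UUID and opnum rather than on the text is the point: the spammers rewrite the message freely, but a NetrSendMessage request to an interface that has no business arriving from the Internet looks the same every time.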
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: Holly Bostick @ 2005-12-26 10:51 UTC
To: gentoo-user
Dale wrote:
> Hi guys, and Holly, :D
>
> I'm on dial-up and try to watch my traffic and every once in a while
> I see a little blip on gkrellm. I fired up Ethereal and started to
> sniff around. Pardon the pun there. LOL This is what it says
> though which is strange. It's really the last two lines that matter
> but I am putting the whole thing here just in case. Sorry so long.
> <snip>
>> Microsoft Messenger Service, NetrSendMessage
>> Operation: NetrSendMessage (0)
>> Server
>> Max Count: 10
>> Offset: 0
>> Actual Count: 10
>> Server: Microsoft
>> Client
>> Max Count: 35
>> Offset: 0
>> Actual Count: 35
>> Client: inform you about a virus detection
>> Message
>> Max Count: 497
>> Offset: 0
>> Actual Count: 497
>> Message [truncated]: Windows has detected a virus on your
>> system. In order to remove it please follow this steps:\n\n1. Start
>> Microsoft Internet Explorer or your default web browser.\n2. Type into
>> the navigation bar: http://www.cleanmyreg.
>
> What is this? Is this some spam and it pops up a window if I were
> using windoze? I went to the site and it looks like they want to
> sell something, which I ain't buying by the way. ;-)

Yes-- not that I know anything about this, but it looks like a "trick"
popup. The site does not seem to be checking your browser ID (which
would say Linux), but instead assumes that

1) you are a Windows user (after all, isn't everybody?)
2) you use IE (after all, doesn't everybody?)
3) you do not have a competent admin on your system -- the message uses
   Microsoft Messenger Service, which is turned on by default under
   Windows, and enables these kinds of popup messages across LAN and WAN,
   sort of like a mini MSN-- which I believe it connects to as well-- and
   is not only quite "useless" except to people like this, but also quite
   insecure because it lets unknown people like this send you "messages"
   without your active consent. Any Windows user I know with even a grain
   of competence turns it off first thing after installation. But of
   course Joe and Jane Average User don't know to do this because their
   OS is supposed to competently administer their system for them.

Oh, well, keeps my bf in barter trade goods for cleaning the PCs of Joe
and Jane out again every 3 months or so.

> How can I tell them to stop this?

1) Don't go to the site.
2) If you must go to the site, don't do so with IE (if you're using
   Windows for whatever reason)
3) If you must go to the site using IE, for heaven's sake, don't click
   that link (though that may not protect you; some sites will also
   transfer their payload when you try to close the popup even if you
   don't click the link)
4) If you must go to the site using Windows, then have a good
   a) firewall, b) ad-blocker, c) spyware blocker/cleaner, and
   d) antivirus scanner present on the system.

You could also complain to 1) the site 2) the hosting admin 3) the
authorities, but it's clearly a "commercial deal" for somebody -- either
the host or the admin has coded/allowed this pass-through to be present
on their site, and /somebody/ has either been paid to do so or expects
to get paid for doing so in terms of click-through revenues or
advertising view revenues or, more unpleasantly, virus or trojan
proliferation, and imo, "regular users" are unlikely to stop the flow
of compensation except by not participating.

But you don't have Windows or the Microsoft Messenger Service on a
Gentoo box; this foolishness is not actively dangerous to you;
especially since you don't have a Registry either, so there's no reason
for you to follow the link to any supposed Registry-cleaning program.
GKrellm is just reporting that somebody tried to send you a message
through this non-existent service.

> Oh, only my main rig does this. My three servers which have no GUI
> stuff or browsers installed do not get this, that I can see anyway.
>
> Another thing a bit off topic. I noticed earlier that there was a
> post in some foreign language, looked like Japanese or Chinese and
> looked like spam to me. Later I got one in my personal email. Can
> someone get my email address from this list? I have got a few emails
> from people, which is OK as long as it is not spam. Just curious. I
> like the list but I didn't know my private email would become
> public, if this is true.

I never understand how people think their email address is "private",
when it's meant to allow communication between the public network (the
Internet) and you. You can take your number out of the phone book too,
which means that _most_ random people will be unlikely to call you, but
anyone can simply punch a series of numbers--even accidentally-- and
call you, because you are connected to the public telephone network by
your phone number. In the early days of telemarketing, that used to
happen a lot; even now, there are computer-generated phone calls that
call and when you pick up the phone, you get a computer talking to you
(often telling you to hold on for a live person who's going to try to
sell you something). Such setups don't know your "private" telephone
number; they're just guessing randomly, but managed to reach you
anyway. Your phone number, address and email address are semi-public
just by the fact of their existence.

As for the list, I'm sure that the list's list of user addresses is not
made public, but the list is publicly archived on gmane and is
available via newsgroups. It's certainly possible for a bot to troll
the archives and attempt to extract email addresses, just as it is
possible for a bot to put random strings in front of your ISP's domain
name and send out spam to all generated addresses (which would be
unrelated to your email address being visible on this list). And it has
been known to happen that somebody on this or any list gets infected by
a virus (we don't live in a pure Linux world after all, and some people
1) run Linux on Windows via VMWare or Win4Lin, 2) run mailservers
connected to Windows machines that may become infected by a virus that
propagates through the network; 3) dual-boot and possibly share their
PC with a non-technical person who allowed the PC to become infected by
a virus; 4) are connecting to the list from a Windows machine that is
not under their control (i.e., from a hotel or Internet cafe while
travelling on business), and said infected machine trolls the
individual user's address book for places to send their spam or
proliferate the virus/trojan.

Having sent mail with this email address, it is no longer "private"
(the only way to keep a secret truly secret is to be the only one who
knows it, after all); anybody who reads your mail now knows your
address, and you have no way of knowing who is reading your mail-- who
is "all the members of this list"? How many people is that? Do you know
all of our email addresses, and have you signed a waiver saying "I want
everybody on this list <list of each and every one of our email
addresses> to know my email address"? No? Then you have already made
your email address "public" by using it to send mail to people that you
don't specifically know (the public, otherwise known as "us").

If you'd like an address to use for the list that would run some
interference between your personal email address and any possible
spammers, I (and probably 95% of everybody else on this list) can send
you a GMail invite which you can use as your "public" email address,
which would then "catch" such additional unwanted generated mail so it
never reaches your personal ISP email.

You might also consider re-evaluating your ISP-- I never saw the list
mail you're referring to, and I also never got the original PayPal crap
people talked about (though I got the replies, which was funny as I had
no idea what people were talking about)-- they didn't even get filtered
to my Trash. I really never got them, and I think that's because they
were caught by my ISP's spam filter. Does your ISP filter spam?

My boyfriend the Windows user, on the other hand, has a policy of
checking his mail via our ISP's Webmail before downloading it. He just
deletes what little spam gets through the filters off the servers
before opening Mozilla Mail and downloading the rest. Which to me seems
like a PITA, but it is an effective solution (in the usual Windows
style of more work on the user's part because you can't trust your OS
to protect you in any way whatsoever).

Again, if your ISP does not provide webmail, you can use GMail, Hotmail,
Yahoo!Mail or whatever web-based mail account to communicate with the
list, insulating your ISP account from any spam that participating in a
public list might cause to occur.

HTH,
Holly
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: Dale @ 2005-12-26 11:17 UTC
To: gentoo-user
Holly Bostick wrote:
>> How can I tell them to stop this?
>
> 1) Don't go to the site.

Well, I did go to the site but it was *after* I got the traffic. How
did they find me to begin with? I assume it was just a random hit.
Sort of like a shot in the dark.

> But you don't have Windows or the Microsoft Messenger Service on a
> Gentoo box; this foolishness is not actively dangerous to you;

You're right. I don't have windoze in the house. It is banned. You can
bring a dog but not windoze.

> Having sent mail with this email address, it is no longer "private"
> (the only way to keep a secret truly secret is to be the only one who
> knows it, after all); anybody who reads your mail now knows your
> address, and you have no way of knowing who is reading your mail-- who
> is "all the members of this list"? How many people is that? Do you know
> all of our email addresses, and have you signed a waiver saying "I want
> everybody on this list <list of each and every one of our email
> addresses> to know my email address"? No? Then you have already made
> your email address "public" by using it to send mail to people that you
> don't specifically know (the public, otherwise known as "us").

Oh crap. Well, the cat's out of the bag now I guess.

> If you'd like an address to use for the list that would run some
> interference between your personal email address and any possible
> spammers, I (and probably 95% of everybody else on this list) can send
> you a GMail invite which you can use as your "public" email address,
> which would then "catch" such additional unwanted generated mail so it
> never reaches your personal ISP email.

I have a Yahoo account. I wish I could check it in Mozilla-mail though.
I rarely ever check the thing unless I'm waiting on something. I
forget. Hmm, I need to check it too. It's been a while.

> You might also consider re-evaluating your ISP-- I never saw the list
> mail you're referring to, and I also never got the original PayPal crap
> people talked about (though I got the replies, which was funny as I had
> no idea what people were talking about)-- they didn't even get filtered
> to my Trash. I really never got them, and I think that's because they
> were caught by my ISP's spam filter. Does your ISP filter spam?

My ISP can but since I use Linux and they charge extra, I'll take the
crap. It's not like I'm going to get a virus. ;-) I don't get a lot.
I was getting less until they took bounce out of Kmail. I used to
bounce them and after a few times they didn't send any more. It was a
constant rotation though. There are so many spammers.

> Again, if your ISP does not provide webmail, you can use GMail, Hotmail,
> Yahoo!Mail or whatever web-based mail account to communicate with the
> list, insulating your ISP account from any spam that participating in a
> public list might cause to occur.
>
> HTH,
> Holly

It has webmail, I check it sometimes from my brother's, especially when
our phone is out. It sucks but it keeps me in touch with my ladies. :-)

Thanks genius, Holly. :D

Dale
:-)
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: Stroller @ 2005-12-26 12:43 UTC
To: gentoo-user
On 26 Dec 2005, at 11:17, Dale wrote:
>
> Well, I did go to the site but it was *after* I got the traffic.
> How did they find me to begin with? I assume it was just a random
> hit. Sort of like a shot in the dark.

They just automate sending of these messenger service spams. Send them
to every IP in a range, that sort of thing. It might be a wake-up call
to take a look at your security setup in general, but don't worry about
this particular aspect.

On 26 Dec 2005, at 10:51, Holly Bostick wrote:
>
> ... the message uses
> Microsoft Messenger Service, which is turned on by default under
> Windows, and enables these kinds of popup messages across LAN and WAN,
> sort of like a mini MSN-- which I believe it connects to as well-- and
> is not only quite "useless" except to people like this, but also quite
> insecure because it lets unknown people like this send you "messages"
> without your active consent.

The Messenger Service is different from Windows Messenger - it's all a
bit of a confusing hodgepodge of names. XP comes supplied with an MSN
Messenger program which isn't called "MSN Messenger" but instead
"Windows Messenger", I think; apart from the name it's identical to old
versions of MSN Messenger in that you add buddies by email address.

The Messenger Service is something else completely - you're right that
it allows people to send you little pop-up windows without your
consent, but it's kinda a bigger story than that. Unlike buddy
messengers, there's no reply box or any buttons other than "OK" and to
send one of these messages you have to use the Windows File & Printer
Sharing command line `net /send <computer name> text of your message`.

Back in the days of Windows 3.1 or 95 this undoubtedly seemed like a
great idea, as no-one using Windows networks had heard of the Internet,
this was essentially a "free" service with Windows File & Printer
Sharing and the only abuse it was really open to was employees kidding
about with each other.

I suspect the reason Messenger Service is enabled by default is because
third-party developers use it. I've seen it used by the likes of cheap
database apps to say "Blimey! You're out of stock! Order some more."
For those who think that Microsoft writes bad software, you really
should see some of the sewage written by small independent developers
for the Windows platform; some meeting this description are undoubtedly
doing a great job, but I've seen some horrors from those aiming at
small business & niche markets. These guys seem to have no incentive to
consider quality or security - basically anyone with a programmer & a
salesman can set up in these markets and as long as the product meets a
need and appears to work then it goes out the door.

I'd guess that Messenger Service could safely be disabled out of the
box these days, but I wouldn't be surprised if there were many
applications that would have suffered from that at the time XP was
released.

Stroller.
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: W.Kenworthy @ 2005-12-26 13:11 UTC
To: gentoo-user
The majority of *crap* hitting my firewall (in Oz) comes from China.
Use geoip && iptables to block China for a more peaceful life. It's not
as though there's any valuable sites there unless you have relatives or
a reason to access something there! Taiwan and Hong Kong have also been
suggested as sources, but so far they are not even close to the biggie.
As a side effect, as well as messenger spam, it blocks large numbers of
other malicious scans/probes/*crap* - enough do this and it might
convince the relevant authorities to clean up their own backyard ...

BillK

On Mon, 2005-12-26 at 12:43 +0000, Stroller wrote:
> On 26 Dec 2005, at 11:17, Dale wrote:
>>
>> Well, I did go to the site but it was *after* I got the traffic.
>> How did they find me to begin with? I assume it was just a random
>> hit. Sort of like a shot in the dark.
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: Dale @ 2005-12-26 18:46 UTC
To: gentoo-user
W.Kenworthy wrote:
> The majority of *crap* hitting my firewall (in Oz) comes from China.
> Use geoip && iptables to block China for a more peaceful life. It's not
> as though there's any valuable sites there unless you have relatives or
> a reason to access something there! Taiwan and Hong Kong have also been
> suggested as sources, but so far they are not even close to the biggie.
> As a side effect, as well as messenger spam, it blocks large numbers of
> other malicious scans/probes/*crap* - enough do this and it might
> convince the relevant authorities to clean up their own backyard ...
>
> BillK
>
> On Mon, 2005-12-26 at 12:43 +0000, Stroller wrote:
>> On 26 Dec 2005, at 11:17, Dale wrote:
>>> Well, I did go to the site but it was *after* I got the traffic.
>>> How did they find me to begin with? I assume it was just a random
>>> hit. Sort of like a shot in the dark.

Well, I did a whois for the link that was provided in the traffic. It
is hosted by godaddy so I sent them an email at abuse-godaddy. They
seem to be a reputable company so maybe they will look into it. The
rest of the sites it links to are somewhere else, inside the US though.
I do know our local district attorney though. He knows some of the feds
so if I keep getting them, I may bug him a bit. Sometimes it hits every
minute or two, one right after the other. I thought it was ntp at first
but it was not real consistent like ntp is.

I went to a site once and I think everything is set to stealth. I can't
remember where it was though. This is a new install so I guess I need
to find that site that tests it and see what it says. I run iptables to
share my internet with the 3 servers connected here but I have no clue
how it is set up. I don't understand iptables really.

Anyway, the ball is rolling now. Let's see who gets hit.

Dale
:-)
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: Antoine @ 2005-12-26 16:51 UTC
To: gentoo-user
>> I have a Yahoo account. I wish I could check it in Mozilla-mail
>> though.

Why not? I get about one spam from them per month but that means they
let me access via pop. You can certainly activate pop in yahoo. Maybe
you can't access via pop with hotmail but yahoo, gmail and probably most
others will let you...
Cheers
Antoine
ps. unless you refuse if you don't have imap that is...
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: Steven Susbauer @ 2005-12-26 17:31 UTC
To: gentoo-user
FYI, the messenger service is disabled by default as of Windows XP SP2....

On 12/26/05, Antoine <melser.anton@gmail.com> wrote:
>>> I have a Yahoo account. I wish I could check it in Mozilla-mail
>>> though.
>
> Why not? I get about one spam from them per month but that means they
> let me access via pop. You can certainly activate pop in yahoo. Maybe
> you can't access via pop with hotmail but yahoo, gmail and probably most
> others will let you...
> Cheers
> Antoine
> ps. unless you refuse if you don't have imap that is...

--
------------------------
Steven Susbauer
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: Dale @ 2005-12-26 18:52 UTC
To: gentoo-user
Steven Susbauer wrote:
> FYI, the messenger service is disabled by default as of Windows XP SP2....
>
> On 12/26/05, *Antoine* <melser.anton@gmail.com> wrote:
>>>> I have a Yahoo account. I wish I could check it in Mozilla-mail
>>>> though.
>>
>> Why not? I get about one spam from them per month but that means they
>> let me access via pop. You can certainly activate pop in yahoo. Maybe
>> you can't access via pop with hotmail but yahoo, gmail and probably most
>> others will let you...
>> Cheers
>> Antoine
>> ps. unless you refuse if you don't have imap that is...
>
> --
> ------------------------
> Steven Susbauer

I had to disable it in my brother's windoze. It is SP2 by now but it
was not then. I don't know who to blame for that one. Windoze for
having it or the spammers for using it for something other than what it
was intended for. I wonder if those people would like a visit from the
feds though. o_O It wouldn't surprise me if they are also sending out
spam email.

I did download the file listed on their site but it is a .exe file. I
have no idea what it does though. It's not like I can install it. LOL

Where's my rope again?? I have a lot of trees. ;-)

Dale
:-)
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: darren kirby @ 2005-12-26 20:14 UTC
To: gentoo-user
quoth the Dale:
>
> I did download the file listed on their site but it is a .exe file. I
> have no idea what it does though. It's not like I can install it. LOL

You can run "strings" on it, or have a peek in a hex editor...

> Where's my rope again?? I have a lot of trees. ;-)
>
> Dale
>
> :-)

-d

--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
From: Dale @ 2005-12-27 1:20 UTC
To: gentoo-user
darren kirby wrote:
> You can run "strings" on it, or have a peek in a hex editor...

How I do that? What would I learn from it? hex editor? I think I saw
that somewhere. O_O I thought KDE used to have something that I could
view it with but since the upgrade I can't find it. Maybe kde-meta
missed something???

Anyway, I just would like someone to find out if they are trying to do
something they shouldn't and if they are, put a lock on their doors.
They can send them to me though. I can go to the local hardware store
and get some rope. I have a very large tree about 10 feet from me, good
strong limbs too. If this happens enough people would get greed off
their mind. I'm disabled and life is not fun but no amount of money
would put me on the end of a rope dangling from a tree. :-(

Anyway, I haven't heard from godaddy yet. It may be a while since they
may be asleep at the wheel, with the holidays and all.

Note: I upgraded one of my rigs' memory the other day. #3 went from
128MBs to a grand total of 224MBs. Cool huh???

Dale
:-)
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
  2005-12-27 1:20 ` Dale
@ 2005-12-27 2:16 ` Eric Bliss
  2005-12-27 4:40 ` Dale
  0 siblings, 1 reply; 15+ messages in thread
From: Eric Bliss @ 2005-12-27 2:16 UTC (permalink / raw)
To: gentoo-user

On Monday 26 December 2005 05:20 pm, Dale wrote:
> > You can run "strings" on it, or have a peek in a hex editor...
>
> How do I do that? What would I learn from it? hex editor? I think I saw
> that somewhere. O_O I thought KDE used to have something that I could
> view it with but since the upgrade I can't find it. Maybe kde-meta
> missed something???
>

I think "KDE Menu Button -> Utilities -> More Applications -> Binary Editor
(KHexEdit)" is what you're looking for. Ironically enough, I was just using
it.

--
Eric Bliss
systems design and integration, CreativeCow.Net
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
  2005-12-27 2:16 ` Eric Bliss
@ 2005-12-27 4:40 ` Dale
  0 siblings, 0 replies; 15+ messages in thread
From: Dale @ 2005-12-27 4:40 UTC (permalink / raw)
To: gentoo-user

Eric Bliss wrote:

> On Monday 26 December 2005 05:20 pm, Dale wrote:
>
> > > You can run "strings" on it, or have a peek in a hex editor...
> >
> > How do I do that? What would I learn from it? hex editor? I think I saw
> > that somewhere. O_O I thought KDE used to have something that I could
> > view it with but since the upgrade I can't find it. Maybe kde-meta
> > missed something???
> >
>
> I think "KDE Menu Button -> Utilities -> More Applications -> Binary Editor
> (KHexEdit)" is what you're looking for. Ironically enough, I was just using
> it.
>

Mine was under File instead of More Apps. Now I have to go download the
thing again. I hate windoze and I don't even like storing windoze stuff
on my rig. Wonder why?

My brother got a digital camera for Christmas. You have to plug in the
USB camera then reboot winders for it to work. Is that some crap or
what? I updated the drivers for USB too. It wouldn't work at all before
I did that. It would see the camera then come up with a hardware error.
Stupid windoze. It took me 20 minutes to get it to work in Linux and I
spent all day screwing with windoze. Just in the spirit of things,
reboot to make it work. That sucks. He's happy that it works at all but
I'm not. I may put Linux on that thing yet. If I knew I wouldn't be
moving soon, I would. I'd put a bigger heatsink on the CPU and compile
away. He has seen my Linux and thinks it is cool. I would have to do
the admin stuff though. Ssh comes to mind here.

OK. I vented a bit. One more thing to vent though, I HATE WINDOZE!!!

< makes mad face complete with clenched teeth >

Thanks

Dale

:-)

--
To err is human, I'm most certainly human.
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
  2005-12-26 16:51 ` Antoine
  2005-12-26 17:31 ` Steven Susbauer
@ 2005-12-26 19:47 ` Stroller
  1 sibling, 0 replies; 15+ messages in thread
From: Stroller @ 2005-12-26 19:47 UTC (permalink / raw)
To: gentoo-user

On 26 Dec 2005, at 4:51, Antoine wrote:
>
> > I have a Yahoo account. I wish I could check it in Mozilla-mail
> > though.
>
> Why not? I get about one spam from them per month but that means
> they let me access via pop. You can certainly activate pop in
> yahoo. Maybe you can't access via pop with hotmail but yahoo, gmail
> and probably most others will let you...

Yahoo make this a premium (paying) service in some of their domains. If
you register for Yahoo with a UK physical address you get an
address@yahoo.co.uk & POP3 access is free; if you register with a US
physical address you get a yahooID@yahoo.com but you have to pay $20 or
so for POP3 access. At least that has been my experience.

Strangely, although I registered for my yahoo.com ID with my *cough* US
address, when I check under options it seems to recognise that I'm
connecting via a UK IP address or to their UK data centre, or
something. The upgrade price is listed as £11.99 UK Pounds Sterling.

Like I say, I access my yahoo.co.uk mail via POP3 all the time.

Stroller.
* Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
  2005-12-26 5:10 [gentoo-user] Strange traffic says I am using windoze and have a bug Dale
  2005-12-26 10:51 ` Holly Bostick
@ 2005-12-27 5:42 ` Walter Dnes
  1 sibling, 0 replies; 15+ messages in thread
From: Walter Dnes @ 2005-12-27 5:42 UTC (permalink / raw)
To: gentoo-user

On Sun, Dec 25, 2005 at 11:10:15PM -0600, Dale wrote

> > Source: 215.146.157.191 (215.146.157.191)
> > Destination: 205.208.159.31 (205.208.159.31)
> > User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
> > Source port: 44356 (44356)
> > Destination port: 1026 (1026)

[...deletia...]

> What is this? Is this some spam and it pops up a window if I were using
> windoze? I went to the site and it looks like they want to sell
> something, which I ain't buying by the way. ;-) How can I tell them
> to stop this? Oh, only my main rig does this. My three servers which
> have no GUI stuff or browsers installed do not get this, that I can see
> anyway.

A few notes...

1) It's UDP (User Datagram Protocol).

2) UDP is a connectionless protocol, i.e. no 3-way handshake like TCP.
That means that the sending software can put any garbage they want in
the source-port and source IP address. *DO NOT* complain to the ISP
responsible for 215.146.157.191. UDP forgery is trivial.

3) This garbage is spewed out by zombie bots to port 1026 to pop up
messages on your screen if you're running the Windows Messenger Service.
It'll probably show up if you have Samba configured right/wrong (Ain't
Windows emulation wonderful?). Everybody gets hit with it, just like
port 135 and 1433 and 1434 scans. Here's an hour's worth from my
router's log. The router is set to reject unsolicited traffic...
Dec 26 18:04:26 221.1.204.251:33054 to UDP port 1026
Dec 26 18:05:46 66.52.125.177:23460 to UDP port 1026
Dec 26 18:06:55 66.188.58.207:4099 to UDP port 1026
Dec 26 18:11:16 221.203.145.54:32939 to UDP port 1026
Dec 26 18:15:55 66.170.205.192:23797 to UDP port 1026
Dec 26 18:17:04 211.172.244.182:9285 to UDP port 1026
Dec 26 18:20:59 218.27.103.206:36380 to UDP port 1026
Dec 26 18:27:02 202.96.87.41:34462 to UDP port 1026
Dec 26 18:27:46 221.1.204.251:33054 to UDP port 1026
Dec 26 18:38:14 202.111.173.85:39549 to UDP port 1026
Dec 26 18:38:17 202.111.173.83:55698 to UDP port 1026
Dec 26 18:38:34 203.39.211.73:7731 to UDP port 1026
Dec 26 18:40:14 218.27.103.206:45829 to UDP port 1026
Dec 26 18:41:07 66.223.176.136:24121 to UDP port 1026
Dec 26 18:42:48 66.138.198.3:7578 to UDP port 1026
Dec 26 18:42:58 66.178.233.47:11540 to UDP port 1026
Dec 26 18:50:08 202.111.173.83:59789 to UDP port 1026
Dec 26 18:55:10 66.35.104.238:27387 to UDP port 1026
Dec 26 18:56:30 202.111.173.85:45304 to UDP port 1026
Dec 26 18:59:42 218.27.103.206:55370 to UDP port 1026

--
Walter Dnes <waltdnes@waltdnes.org>
In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
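Walter's router log is exactly the kind of thing worth summarising rather than reading line by line. As an added example (mine, not Walter's or the list's), the Python below parses the twenty lines quoted above, counts hits per destination port, per source address and per /24, flags sources that recur, and works out the rate over the logged interval. The `parse_line` and `summarize` names are mine; the year 2005 is assumed because the log omits it; the labels for ports 135, 1433 and 1434 are the common services those ports are known for, not something the post states. In keeping with Walter's point 2, the per-source counts are a signal for tuning a drop rule, not attribution: a UDP source address is whatever the sender wrote in the header.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# The twenty router-log lines quoted in the post above. The log carries no year;
# 2005 is assumed from the message date.
ROUTER_LOG = """\
Dec 26 18:04:26 221.1.204.251:33054 to UDP port 1026
Dec 26 18:05:46 66.52.125.177:23460 to UDP port 1026
Dec 26 18:06:55 66.188.58.207:4099 to UDP port 1026
Dec 26 18:11:16 221.203.145.54:32939 to UDP port 1026
Dec 26 18:15:55 66.170.205.192:23797 to UDP port 1026
Dec 26 18:17:04 211.172.244.182:9285 to UDP port 1026
Dec 26 18:20:59 218.27.103.206:36380 to UDP port 1026
Dec 26 18:27:02 202.96.87.41:34462 to UDP port 1026
Dec 26 18:27:46 221.1.204.251:33054 to UDP port 1026
Dec 26 18:38:14 202.111.173.85:39549 to UDP port 1026
Dec 26 18:38:17 202.111.173.83:55698 to UDP port 1026
Dec 26 18:38:34 203.39.211.73:7731 to UDP port 1026
Dec 26 18:40:14 218.27.103.206:45829 to UDP port 1026
Dec 26 18:41:07 66.223.176.136:24121 to UDP port 1026
Dec 26 18:42:48 66.138.198.3:7578 to UDP port 1026
Dec 26 18:42:58 66.178.233.47:11540 to UDP port 1026
Dec 26 18:50:08 202.111.173.83:59789 to UDP port 1026
Dec 26 18:55:10 66.35.104.238:27387 to UDP port 1026
Dec 26 18:56:30 202.111.173.85:45304 to UDP port 1026
Dec 26 18:59:42 218.27.103.206:55370 to UDP port 1026
"""

ASSUMED_YEAR = 2005  # assumption: the log format has no year field

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<proto>UDP|TCP) port (?P<dport>\d+)$"
)

# Port 1026 is what the post describes; the other three are the usual services
# behind the "135 and 1433 and 1434 scans" it mentions (my labels, not the post's).
PORT_LABELS = {
    1026: "Windows Messenger service pop-up spam",
    135: "MSRPC endpoint mapper scans",
    1433: "MS SQL Server scans",
    1434: "MS SQL Server resolution/monitor scans",
}


def parse_line(line: str) -> Optional[dict]:
    """Turn one router-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "proto": m["proto"], "dport": int(m["dport"])}


def summarize(log_text: str) -> dict:
    """Aggregate rejected-packet lines by port, source and /24, and compute the hit rate."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    by_src = Counter(e["src"] for e in events)
    # Group by /24: sources in the same block are often the same botnet segment,
    # but remember the address is unauthenticated in UDP and may be forged.
    by_net = Counter(str(ipaddress.ip_network(f"{e['src']}/24", strict=False))
                     for e in events)
    by_port = Counter((e["proto"], e["dport"]) for e in events)
    stamps = [e["ts"] for e in events]
    span = (max(stamps) - min(stamps)).total_seconds() if events else 0.0
    per_hour = len(events) * 3600 / span if span else 0.0
    repeats = sorted(((ip, n) for ip, n in by_src.items() if n > 1),
                     key=lambda t: (-t[1], t[0]))
    return {
        "total": len(events),
        "unique_sources": len(by_src),
        "by_port": by_port,
        "by_source": by_src,
        "by_net24": by_net,
        "repeat_sources": repeats,
        "span_seconds": span,
        "per_hour": per_hour,
        "labels": {p: PORT_LABELS.get(p, "unlabelled") for _, p in by_port},
    }


if __name__ == "__main__":
    s = summarize(ROUTER_LOG)
    print(f"{s['total']} rejected packets from {s['unique_sources']} sources "
          f"over {s['span_seconds'] / 60:.1f} min ({s['per_hour']:.1f}/hour)")
    for (proto, port), n in s["by_port"].most_common():
        print(f"  {proto}/{port}: {n}  ({s['labels'][port]})")
    for ip, n in s["repeat_sources"]:
        print(f"  repeat source {ip}: {n} hits")
```

On this sample everything lands on UDP/1026 at roughly twenty-two hits an hour from fifteen distinct addresses, with four of them recurring and two sitting in the same /24. That matches Walter's description: background noise from many hosts, already dropped at the router, with nothing to act on beyond confirming the rule keeps holding.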