[gentoo-user] Strange traffic says I am using windoze and have a bug.

[gentoo-user] Strange traffic says I am using windoze and have a bug.

[Dale]

Hi guys, and Holly,  :D

I'm on dial-up and try to watch my traffic and every once in a while I 
see a little blip on gkrellm.  I fired up ethreal and started to sniff 
around.  Parden the pun there.  LOL  This is what it says though which 
is strange.  It's really the last two lines that matter but I am putting 
the whole thing here just in case.  Sorry so long.

> No.     Time        Source                Destination           
> Protocol Info
>       1 0.000000    215.146.157.191       205.208.159.31        
> Messenger NetrSendMessage request
>
> Frame 1 (710 bytes on wire, 710 bytes captured)
>     Arrival Time: Dec 25, 2005 22:50:19.101533000
>     Time delta from previous packet: 0.000000000 seconds
>     Time since reference or first frame: 0.000000000 seconds
>     Frame Number: 1
>     Packet Length: 710 bytes
>     Capture Length: 710 bytes
>     Protocols in frame: sll:ip:udp:dcerpc
> Linux cooked capture
>     Packet type: Unicast to us (0)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
> Internet Protocol, Src: 215.146.157.191 (215.146.157.191), Dst: 
> 205.208.159.31 (205.208.159.31)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 694
>     Identification: 0x7411 (29713)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 53
>     Protocol: UDP (0x11)
>     Header checksum: 0x2ce4 [correct]
>         Good: True
>         Bad : False
>     Source: 215.146.157.191 (215.146.157.191)
>     Destination: 205.208.159.31 (205.208.159.31)
> User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
>     Source port: 44356 (44356)
>     Destination port: 1026 (1026)
>     Length: 674
>     Checksum: 0x0000 (none)
> DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 583
>     Version: 4
>     Packet type: Request (0)
>     Flags1: 0x78 "Broadcast" "Idempotent" "Maybe" "No Fack"
>         0... .... = Reserved: Not set
>         .1.. .... = Broadcast: Set
>         ..1. .... = Idempotent: Set
>         ...1 .... = Maybe: Set
>         .... 1... = No Fack: Set
>         .... .0.. = Fragment: Not set
>         .... ..0. = Last Fragment: Not set
>         .... ...0 = Reserved: Not set
>     Flags2: 0x00
>         0... .... = Reserved: Not set
>         .0.. .... = Reserved: Not set
>         ..0. .... = Reserved: Not set
>         ...0 .... = Reserved: Not set
>         .... 0... = Reserved: Not set
>         .... .0.. = Reserved: Not set
>         .... ..0. = Cancel Pending: Not set
>         .... ...0 = Reserved: Not set
>     Data Representation: 100000 (Order: Little-endian, Char: ASCII, 
> Float: IEEE)
>         Byte order: Little-endian (1)
>         Character: ASCII (0)
>         Floating-point: IEEE (0)
>     Serial High: 0x00
>     Object UUID: 00000000-0000-0000-0000-000000000000
>     Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
>     Activity: 00000000-0000-0000-0000-000000000000
>     Server boot time: Unknown (0)
>     Interface Ver: 1
>     Sequence num: 0
>     Opnum: 0
>     Interface Hint: 0xffff
>     Activity Hint: 0xffff
>     Fragment len: 583
>     Fragment num: 0
>     Auth proto: None (0)
>     Serial Low: 0x00
>     Authentication verifier
> Microsoft Messenger Service, NetrSendMessage
>     Operation: NetrSendMessage (0)
>     Server
>         Max Count: 10
>         Offset: 0
>         Actual Count: 10
>         Server: Microsoft
>     Client
>         Max Count: 35
>         Offset: 0
>         Actual Count: 35
>         Client: inform you about a virus detection
>     Message
>         Max Count: 497
>         Offset: 0
>         Actual Count: 497
>         Message [truncated]: Windows has detected a virus on your 
> system. In order to remove it please follow this steps:\n\n1. Start 
> Microsoft Internet Explorer or your default web browser.\n2. Type into 
> the navigation bar: http://www.cleanmyreg.


What is this?  Is this some spam and it pops up a window if I were using 
windoze?  I went to the site and it looks like they want to sell 
something, which I ain't buying by the way.  ;-)   How can I tell them 
to stop this?  Oh, only my main rig does this.  My three servers which 
have no GUI stuff or browsers installed do not get this, that I can see 
anyway.

Another thing a bit off topic.  I noticed earlier that there was a post 
in some foreign language, looked like Japaneese or Chinese and looked 
like spam to me.  Later I got one in my personal email.  Can someone get 
my email address from this list?  I have got a few emails from people, 
which is OK as long as it is not spam.  Just curious.  I like the list 
but I didn't know my private email would become public, if this is true.

Thanks for any light you can shed on this.

Dale
:-)

-- 
To err is human, I'm most certainly human.

I have four rigs:

1:  Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.
2:  Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.
3:  Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 128MBs of ram and a 2.5GB drive.
4:  Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.  

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Holly Bostick]

Dale schreef:
> Hi guys, and Holly,  :D
> 
> I'm on dial-up and try to watch my traffic and every once in a while
>  I see a little blip on gkrellm.  I fired up ethreal and started to 
> sniff around.  Parden the pun there.  LOL  This is what it says 
> though which is strange.  It's really the last two lines that matter
>  but I am putting the whole thing here just in case.  Sorry so long.
> 
<snip>
>> Microsoft Messenger Service, NetrSendMessage Operation: 
>> NetrSendMessage (0) Server Max Count: 10 Offset: 0 Actual Count: 10
>>  Server: Microsoft Client Max Count: 35 Offset: 0 Actual Count: 35 
>> Client: inform you about a virus detection Message Max Count: 497 
>> Offset: 0 Actual Count: 497 Message [truncated]: Windows has 
>> detected a virus on your system. In order to remove it please 
>> follow this steps:\n\n1. Start Microsoft Internet Explorer or your
>>  default web browser.\n2. Type into the navigation bar: 
>> http://www.cleanmyreg.
> 
> 
> 
> What is this?  Is this some spam and it pops up a window if I were 
> using windoze?  I went to the site and it looks like they want to 
> sell something, which I ain't buying by the way.  ;-)

Yes-- not that I know anything about this, but it looks like a "trick"
popup.

The site does not seem to be checking your browser ID (which would say
Linux), but instead assumes that

1) you are a Windows user (after all, isn't everybody?)

2) you use IE (after all, doesn't everybody?)

3) you do not have a competent admin on your system -- the message uses
Microsoft Messenger Service, which is turned on by default under
Windows,  and enables these kind of popup messages across LAN and WAN,
sort of like a mini MSN-- which I believe it connects to as well-- and
is not only quite "useless" except to people like this, but also quite
insecure because it lets unknown people like this send you "messages"
without your  active consent.

Any Windows user I know with even a grain of competence turns it off
first thing after installation. But of course Joe and Jane Average User
don't know to do this because their OS is supposed to competently
administer their system for them. Oh, well keeps my bf in barter trade
goods for cleaning the PCs of Joe and Jane  out again every 3 months or so.

> How can I tell them to stop this?

1) Don't go to the site.

2) If you must go to the site, don't do so with IE (if you're using
Windows for whatever reason)

3) If you must go to the site using IE, for heaven's sake, don't click
that link (though that may not protect you; some sites will also
transfer their payload when you try to close the popup even if you don't
click the link)

4) If you must go to the site using Windows, then have a good a)
firewall, 2) ad-blocker, 3) spyware blocker/cleaner, and 4) antivirus
scanner present on the system.

You could also complain to 1) the site 2) the hosting admin 3) the
authorities, but it's clearly a "commercial deal" for somebody -- either
the host or the admin has coded/allowed this pass-through to be present
on their site, and /somebody/ has either been paid to do so or expects
to get paid for doing so in terms of click-through revenues or
advertising view revenues or, more unpleasantly, virus or trojan
proliferation, and imo, "regular users" are unlikely to stop the flow of
compensation except by not participating.

But you don't have Windows or the Microsoft Messenger Service on a
Gentoo box; this foolishness is not actively dangerous to you;
especially since you don't have a Registry either, so there's no reason
for you to follow the link to any supposed Registry-cleaning program.
GKrellm is just reporting that somebody tried to send you a message
through this non-existent service.

> Oh, only my main rig does this.  My three servers which have no GUI 
> stuff or browsers installed do not get this, that I can see anyway.
> 
> Another thing a bit off topic.  I noticed earlier that there was a 
> post in some foreign language, looked like Japaneese or Chinese and 
> looked like spam to me.  Later I got one in my personal email.  Can 
> someone get my email address from this list?  I have got a few emails
>  from people, which is OK as long as it is not spam.  Just curious. I
>  like the list but I didn't know my private email would become 
> public, if this is true.

I never understand about how people think their email address is
"private", when it's meant to allow communication between the public
network (the Internet) and you. You can take your number out of the
phone book too, which means that _most_ random people will be unlikely
to call you, but anyone can simply punch a series of numbers--even
accidentally-- and call you, because you are connected to the public
telephone network by your phone number. In the early days of
telemarkting, that used to happen a lot; even now, there are
computer-generated phone calls that call and when you pick up the phone,
you get a computer talking to you (often telling you to hold on for a
live person who's going to try to sell you something). Such setups don't
know your "private" telephone number; they're just guessing randomly,
but managed to reach you anyway.

Your phone number, address and email address are semi-public just by the
fact of their existence.

As for the list, I'm sure that the list's list of user addresses is not
made public, but the list is publically archived on gmane and is
available via newsgroups. It's certainly possible for a bot to troll the
archives and attempt to extract email addresses, just as it is possible
for a bot to put random strings in front of your ISP's domain name and
send out spam to all generated addresses (which would be unrelated to
your email address being visible on this list). And it has been known to
happen that somebody on this or any list gets infected by a virus (we
don't live in a pure Linux world after all, and some people run 1) Linux
on Windows via VMWare or Win4Lin, 2) run mailservers connected to
Windows machines that may become infected by a virus that propagates
through the network; 3) dual-boot and possibly share their PC with a
non-technical person who allowed the PC to become infected by a virus;
4) are connecting to the list from a Windows machine that is not under
their control (i.e., from a hotel or Internet cafe while travelling on
business), and said infected machine trolls the individual user's
address book for places to send their spam or proliferate the virus/trojan.

Having sent mail with this email address, it is no longer "private" (the
only way to keep a secret truly secret is to be the only one who knows
it, after all); anybody who reads your mail now knows your address, and
you have no way of knowing who is reading your mail-- who is "all the
members of this list"? How many people is that? Do you know all of our
email addresses, and have you signed a waiver saying "I want everybody
on this list <list of each and every one of our email addresses> to know
my email address"? No? Then you have already made your email address
"public" by using it to send mail to people that you don't specifically
know (the public, otherwise known as "us").

If you'd like an address to use for the list that would run some
interference between your personal email address and any possible
spammers, I (and probably 95% of everybody else on this list) can send
you a GMail invite which you can use as your "public" email address,
which would then "catch" such additional unwanted generated mail so it never
reaches your personal ISP email.

You might also consider re-evaluating your ISP-- I never saw the list
mail you're referring to, and I also never got the original PayPal crap
people talked about (though I got the replies, which was funny as I had
no idea what people were talking about)-- they didn't even get filtered
to my Trash. I really never got them, and I think that's because they
were caught by my ISP's spam filter. Does your ISP filter spam?

My boyfriend the Windows user, on the other hand, has a policy of
checking his mail via our ISP's Webmail before downloading it. He just
deletes what little spam gets through the filters off the servers before
opening Mozilla Mail and downloading the rest. Which to me seems like a
PITA, but it is an effective solution (in the usual Windows style of
more work on the user's part because you can't trust your OS to protect
you in any way whatsoever).

Again, if your ISP does not provide webmail, you can use GMail, Hotmail,
Yahoo!Mail or whatever web-based mail account to communicate with the
list, insulating your ISP account from any spam that participating in a
public list might cause to occur.

HTH,
Holly
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Dale]

Holly Bostick wrote:

>>How can I tell them to stop this?
>>    
>>
>
>1) Don't go to the site.
>  
>
Well, I did go to the site but it was *after* I got the traffic.  How 
did they find me to begin with?  I assume it was just a random hit.  
Sort of like a shot in the dark.

>
>But you don't have Windows or the Microsoft Messenger Service on a
>Gentoo box; this foolishness is not actively dangerous to you;
>  
>
You're right.  I don't have windoze in the house.  It is banned.  You 
can bring a dog but not windoze. 

>Having sent mail with this email address, it is no longer "private" (the
>only way to keep a secret truly secret is to be the only one who knows
>it, after all); anybody who reads your mail now knows your address, and
>you have no way of knowing who is reading your mail-- who is "all the
>members of this list"? How many people is that? Do you know all of our
>email addresses, and have you signed a waiver saying "I want everybody
>on this list <list of each and every one of our email addresses> to know
>my email address"? No? Then you have already made your email address
>"public" by using it to send mail to people that you don't specifically
>know (the public, otherwise known as "us").
>  
>

Oh crap.  Well the cats out of the bag now I guess. 

>If you'd like an address to use for the list that would run some
>interference between your personal email address and any possible
>spammers, I (and probably 95% of everybody else on this list) can send
>you a GMail invite which you can use as your "public" email address,
>which would then "catch" such additional unwanted generated mail so it never
>reaches your personal ISP email.
>  
>

I have a Yahoo account.  I wish I could check it in Mozilla-mail 
though.  I rarely ever check the thing unless I'm waiting on something.  
I forget.  Hmm, I need to check it too.  It's been a while.

>You might also consider re-evaluating your ISP-- I never saw the list
>mail you're referring to, and I also never got the original PayPal crap
>people talked about (though I got the replies, which was funny as I had
>no idea what people were talking about)-- they didn't even get filtered
>to my Trash. I really never got them, and I think that's because they
>were caught by my ISP's spam filter. Does your ISP filter spam?
>  
>

My ISP can but since I use Linux and they charge extra, I'll take the 
crap.  It's not like I'm going to get a virus.  ;-)  I don't get a lot.  
I was getting less until they took bounce out of Kmail.  I used to 
bounce them and after a few times they didn't send any more.  It was a 
constant rotation though.  There are so many spammers.

>
>Again, if your ISP does not provide webmail, you can use GMail, Hotmail,
>Yahoo!Mail or whatever web-based mail account to communicate with the
>list, insulating your ISP account from any spam that participating in a
>public list might cause to occur.
>
>HTH,
>Holly
>  
>
It has webmail, I check it sometimes from my brothers, especially when 
our phone is out.  It sucks but it keeps me in touch with my ladies.  :-)

Thanks genius, Holly.  :D

Dale
:-)

-- 
To err is human, I'm most certainly human.

I have four rigs:

1:  Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.  Named Smoker
2:  Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.  Named Swifty
3:  Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive.  Named Pokey
4:  Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.  Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.  

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Stroller]

On 26 Dec 2005, at 11:17, Dale wrote:
>
> Well, I did go to the site but it was *after* I got the traffic.   
> How did they find me to begin with?  I assume it was just a random  
> hit.  Sort of like a shot in the dark.

They just automate sending of these messenger service spams. Send  
them to every IP in a range, that sort of thing. It might be a wake- 
up call to take a look at your security setup in general, but don't  
worry about this particular aspect.

On 26 Dec 2005, at 10:51, Holly Bostick wrote:
>
> ... the message uses
> Microsoft Messenger Service, which is turned on by default under
> Windows,  and enables these kind of popup messages across LAN and WAN,
> sort of like a mini MSN-- which I believe it connects to as well-- and
> is not only quite "useless" except to people like this, but also quite
> insecure because it lets unknown people like this send you "messages"
> without your  active consent.

The Messenger Service is different from Windows Messenger - it's all  
a bit of a confusing hodgepodge of names.

XP comes supplied with an MSN Messenger program which isn't called  
"MSN Messenger" but instead "Windows Messenger", I think; apart from  
the name it's identical to old versions of MSN messenger in that you  
add buddies by email address.

The Messenger Service is something else completely - you're right  
that it allows people to send you little pop-up windows without your  
consent, but it's kinda a bigger story than that. Unlike buddy  
messengers, there's no reply box or any buttons other than "OK" and  
to send one of these messages you have to use the Windows File &  
Printer Sharing command line `net /send <computer name> text of your  
message`. Back in the days of Windows 3.1 or 95 this undoubtedly  
seemed like a great idea, as no-one using Windows networks had heard  
of the Internet, this was essentially a "free" service with Windows  
File & Printer Sharing and the only abuse it was really open to was  
employees kidding about with each other.

I suspect the reason Messenger Service is enabled by default because  
third-party developers use it. I've seen it used by the likes of  
cheap database apps to say "Blimey! You're out of stock! Order some  
more." For those who think that Microsoft writes bad software, you  
really should see some of the sewage written by small independent  
developers for the Windows platform; some meeting this description  
are undoubtedly doing a great job, but I've seen some horrors from  
those aiming at small business & niche markets. These guys seem to  
have no incentive to consider quality or security - basically anyone  
with a programmer & a salesman can set up in these markets and as  
long as the product meets a need and appears to work then it goes out  
the door.

I'd guess that Messenger Service could safely be disabled out the box  
these days, but I wouldn't be surprised that there were many  
applications that would have suffered from that at the time XP was  
released.

Stroller.

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[W.Kenworthy]

The majority of *crap* hitting my firewall (in Oz) comes from China.
Use geoip && iptables to block China for a more peaceful life. Its not
as though there's any valuable sites there unless you have relatives or
a reason to access something there!  Taiwan and Hong Kong have also been
suggested as sources, but so far they are not even close to the biggie.
As a side effect, as well as messenger spam, it blocks large numbers of
other malicious scans/probes/*crap* - enough do this and it might
convince the relevant authorities to clean up their own backyard ...

BillK


On Mon, 2005-12-26 at 12:43 +0000, Stroller wrote:
> On 26 Dec 2005, at 11:17, Dale wrote:
> >
> > Well, I did go to the site but it was *after* I got the traffic.   
> > How did they find me to begin with?  I assume it was just a random  
> > hit.  Sort of like a shot in the dark.

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Dale]

W.Kenworthy wrote:

>The majority of *crap* hitting my firewall (in Oz) comes from China.
>Use geoip && iptables to block China for a more peaceful life. Its not
>as though there's any valuable sites there unless you have relatives or
>a reason to access something there!  Taiwan and Hong Kong have also been
>suggested as sources, but so far they are not even close to the biggie.
>As a side effect, as well as messenger spam, it blocks large numbers of
>other malicious scans/probes/*crap* - enough do this and it might
>convince the relevant authorities to clean up their own backyard ...
>
>BillK
>
>
>On Mon, 2005-12-26 at 12:43 +0000, Stroller wrote:
>  
>
>>On 26 Dec 2005, at 11:17, Dale wrote:
>>    
>>
>>>Well, I did go to the site but it was *after* I got the traffic.   
>>>How did they find me to begin with?  I assume it was just a random  
>>>hit.  Sort of like a shot in the dark.
>>>      
>>>
>
>  
>
Well, I did a whois for the link that was provided in the traffic.  It 
is hosted by godaddy so I sent them a email at abuse-godaddy.  They seem 
to be a reputable company so maybe they will look into it.  The rest of 
the sites it links to are somewhere else, inside the US though.  I do 
know our local district attorney though,  He knows some of the feds so 
if I keep getting them, I may bug him a bit.  Sometimes it hits every 
minute or two one right after the other.   I thought it was ntp at first 
but it was not real consistant like ntp is.

I went to a site once and I think everything is set to stealth.  I can't 
remember where it was though.  This is a new install so I guess I need 
to find that site that tests it and see what it says.  I run iptables to 
share my internet with the 3 servers connected here but I have no clue 
how it is set up.  I don't understand iptables really.

Anyway, the ball is rolling now.  Let's see who gets hit.

Dale
:-)

-- 
To err is human, I'm most certainly human.

I have four rigs:

1:  Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.  Named Smoker
2:  Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.  Named Swifty
3:  Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive.  Named Pokey
4:  Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.  Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.  

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Antoine]

> 
> I have a Yahoo account.  I wish I could check it in Mozilla-mail 
> though.  

Why not? I get about one spam from them per month but that means they 
let me access via pop. You can certainly activate pop in yahoo. Maybe 
you can't access via pop with hotmail but yahoo, gmail and probably most 
others will let you...
Cheers
Antoine
ps. unless you refuse if you don't have imap that is...
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Steven Susbauer]

[-- Attachment #1: Type: text/plain, Size: 659 bytes --]

FYI, the messenger service is disabled by default as of Windows XP SP2....

On 12/26/05, Antoine <melser.anton@gmail.com> wrote:
>
>
> >
> > I have a Yahoo account.  I wish I could check it in Mozilla-mail
> > though.
>
> Why not? I get about one spam from them per month but that means they
> let me access via pop. You can certainly activate pop in yahoo. Maybe
> you can't access via pop with hotmail but yahoo, gmail and probably most
> others will let you...
> Cheers
> Antoine
> ps. unless you refuse if you don't have imap that is...
> --
> gentoo-user@gentoo.org mailing list
>
>


--
------------------------
Steven Susbauer

[-- Attachment #2: Type: text/html, Size: 1022 bytes --]

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Dale]

Steven Susbauer wrote:

> FYI, the messenger service is disabled by default as of Windows XP SP2....
>
> On 12/26/05, *Antoine* <melser.anton@gmail.com 
> <mailto:melser.anton@gmail.com>> wrote:
>
>
>     >
>     > I have a Yahoo account.  I wish I could check it in Mozilla-mail
>     > though.
>
>     Why not? I get about one spam from them per month but that means they
>     let me access via pop. You can certainly activate pop in yahoo. Maybe
>     you can't access via pop with hotmail but yahoo, gmail and
>     probably most
>     others will let you...
>     Cheers
>     Antoine
>     ps. unless you refuse if you don't have imap that is...
>     --
>     gentoo-user@gentoo.org <mailto:gentoo-user@gentoo.org> mailing list
>
>
>
>
> -- 
> ------------------------
> Steven Susbauer 

I had to disable it in my brothers windoze.  It is SP2 by now but it was 
not then.  I don't know who to blame for that one.  Windoze for having 
it or the spammers for using it for something other than what it was 
intended for.

I wonder if those people would like a visit from the feds though.  o_O  
It wouldn't suprise me if they are also sending out spam email. 

I did download the file listed on their site but it is a .exe file.  I 
have no idea what it does though.  It's not like I can install it.  LOL

Where's my rope again??  I have a lot of trees.  ;-)

Dale
:-)

-- 
To err is human, I'm most certainly human.

I have four rigs:

1:  Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.  Named Smoker
2:  Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.  Named Swifty
3:  Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive.  Named Pokey
4:  Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.  Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.  

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[darren kirby]

[-- Attachment #1: Type: text/plain, Size: 1131 bytes --]

quoth the Dale:

>
> I did download the file listed on their site but it is a .exe file.  I
> have no idea what it does though.  It's not like I can install it.  LOL

You can run "strings" on it, or have a peek in a hex editor...

> Where's my rope again??  I have a lot of trees.  ;-)
>
> Dale
>
> :-)

-d

> --
> To err is human, I'm most certainly human.
>
> I have four rigs:
>
> 1:  Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now
> two 80GB hard drives.  Named Smoker 2:  Home built; Iwill KK266-R w/ AMD
> 1GHz CPU, 256MBs of ram and a 4GB drive.  Named Swifty 3:  Home built;
> Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive.  Named
> Pokey 4:  Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram
> and a 4.3GB SCSI drive.  Named Putput
>
> All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are
> set up as servers.

-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Dale]

darren kirby wrote:

>You can run "strings" on it, or have a peek in a hex editor...
>
>  
>


How I do that?  What would I learn from it?  hex editor?  I think I saw 
that somewhere.  O_O  I thought KDE used to have something that I could 
view it with but since the upgrade I can't find it.  Maybe lde-meta 
missed something???

Anyway, I just would like someone to find out if they are trying to do 
something they shouldn't and if they are, put a lock on their doors.  
They can send them to me though.  I can go to the local hardware store 
and get some rope.  I have a very large tree about 10 feet from me, good 
strong limbs too.  If this happens enough people would get greed off 
their mind.  I'm disabled and life is not fun but no amount of money 
would put me on the end of a rope danglin from a tree.  :-(

Anyway, I haven't heard from godaddy yet.  It may be a while since they 
may be asleep at the wheel, with the holidays and all.

Note:  I upgraded one of my rigs memory the other day.  #3 went from 
128MBs to a grand total of 224MBs.  Cool huh???

Dale
:-)

-- 
To err is human, I'm most certainly human.

I have four rigs:

1:  Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.  Named Smoker
2:  Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.  Named Swifty
3:  Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive.  Named Pokey
4:  Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.  Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.  

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Eric Bliss]

On Monday 26 December 2005 05:20 pm, Dale wrote:
> >You can run "strings" on it, or have a peek in a hex editor...
> 
> How I do that?  What would I learn from it?  hex editor?  I think I saw 
> that somewhere.  O_O  I thought KDE used to have something that I could 
> view it with but since the upgrade I can't find it.  Maybe lde-meta 
> missed something???
> 

I think "KDE Menu Button -> Utilities -> More Applications -> Binary Editor 
(KHexEdit)" is what you're looking for.  Ironically enough, I was just using 
it.

-- 
Eric Bliss
systems design and integration,
CreativeCow.Net
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Dale]

Eric Bliss wrote:

>On Monday 26 December 2005 05:20 pm, Dale wrote:
>  
>
>>>You can run "strings" on it, or have a peek in a hex editor...
>>>      
>>>
>>How I do that?  What would I learn from it?  hex editor?  I think I saw 
>>that somewhere.  O_O  I thought KDE used to have something that I could 
>>view it with but since the upgrade I can't find it.  Maybe lde-meta 
>>missed something???
>>
>>    
>>
>
>I think "KDE Menu Button -> Utilities -> More Applications -> Binary Editor 
>(KHexEdit)" is what you're looking for.  Ironically enough, I was just using 
>it.
>
>  
>
Mine was under File instead of More Apps.  Now I have to go download the 
thing again.  I hate windoze and I don't even like storing windoze stuff 
on my rig.  Wonder why? 

My brother got a digital camera for Christmas.  You have to plug in the 
USB camera then reboot winders for it to work.  Is that some crap or 
what?  I updated the drivers for USB too.  It  wouldn't work at all 
before I did that.  It would see the camera then come up with a hardware 
error.  Stupid windoze.  It took me 20 minutes to get it to work in 
Linux and I spent all day screwing with windoze.  Just in the spirit of 
things, reboot to make it work.  That sucks.  He's happy that it works 
at all but I'm not.  I may put Linux on that thing yet.  If I knew I 
wouldn't be moving soon, I would.  I'd put a bigger heatsink on the CPU 
and compile away.  He has seen my Linux and thinks it is cool.  I would 
have to do the admin stuff though.  Ssh comes to mind here.

OK.  I vented a bit.  One more thing to vent though, I HATE WINDOZE!!!  
< makes mad face complete with clenched teeth >

Thanks

Dale
:-)

-- 
To err is human, I'm most certainly human.

I have four rigs:

1:  Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.  Named Smoker
2:  Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.  Named Swifty
3:  Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive.  Named Pokey
4:  Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.  Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.  

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Stroller]

On 26 Dec 2005, at 4:51, Antoine wrote:

>
>> I have a Yahoo account.  I wish I could check it in Mozilla-mail  
>> though.
>
> Why not? I get about one spam from them per month but that means  
> they let me access via pop. You can certainly activate pop in  
> yahoo. Maybe you can't access via pop with hotmail but yahoo, gmail  
> and probably most others will let you...


Yahoo make this a premium (paying) service in some of their domains.

If you register for Yahoo with a UK physical address you get an  
address@yahoo.co.uk & POP3 access is free; if you register with a US  
physical address you get a yahooID@yahoo.com but you have to pay $20  
or so for POP3 access. At least that has been my experience.

Strangely, although I registered for my yahoo.com ID with my *cough*  
US address, when I check under options it seems to recognise that I'm  
connecting via a UK IP address or to their UK data centre, or  
something. The upgrade price is listed as £11.99 UK Pounds Sterling.  
Like I say, I access my yahoo.co.uk mail via POP3 all the time.

Stroller. 
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.

[Walter Dnes]

On Sun, Dec 25, 2005 at 11:10:15PM -0600, Dale wrote

> >    Source: 215.146.157.191 (215.146.157.191)
> >    Destination: 205.208.159.31 (205.208.159.31)
> >User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
> >    Source port: 44356 (44356)
> >    Destination port: 1026 (1026)

  [...deletia...]

> What is this?  Is this some spam and it pops up a window if I were using 
> windoze?  I went to the site and it looks like they want to sell 
> something, which I ain't buying by the way.  ;-)   How can I tell them 
> to stop this?  Oh, only my main rig does this.  My three servers which 
> have no GUI stuff or browsers installed do not get this, that I can see 
> anyway.

  A few notes...

  1) It's UDP (User Datagram Protocol).

  2) UDP is a connectionless protocol, i.e. no 3-way handshake like TCP.
     That means that the sending software can put any garbage they want
     in the source-port and source IP address.  *DO NOT* complain to the
     ISP responsible for 215.146.157.191.  UDP forgery is trivial.

  3) This garbage is spewed out by zombie bots to port 1026 to pop up
messages on your screen if you'r running the Windows Messnger Service.
It'll probably show up if you have Samba configured right/wrong (Ain't
Windows emulation wonderful?).  Everybody gets hit with it, just like
port 135 and 1433 and 1434 scans.  Here's an hour's worth from my
router's log.  The router is set to reject unsolicited traffic...

Dec 26 18:04:26 221.1.204.251:33054 to UDP port 1026
Dec 26 18:05:46 66.52.125.177:23460 to UDP port 1026
Dec 26 18:06:55 66.188.58.207:4099 to UDP port 1026
Dec 26 18:11:16 221.203.145.54:32939 to UDP port 1026
Dec 26 18:15:55 66.170.205.192:23797 to UDP port 1026
Dec 26 18:17:04 211.172.244.182:9285 to UDP port 1026
Dec 26 18:20:59 218.27.103.206:36380 to UDP port 1026
Dec 26 18:27:02 202.96.87.41:34462 to UDP port 1026
Dec 26 18:27:46 221.1.204.251:33054 to UDP port 1026
Dec 26 18:38:14 202.111.173.85:39549 to UDP port 1026
Dec 26 18:38:17 202.111.173.83:55698 to UDP port 1026
Dec 26 18:38:34 203.39.211.73:7731 to UDP port 1026
Dec 26 18:40:14 218.27.103.206:45829 to UDP port 1026
Dec 26 18:41:07 66.223.176.136:24121 to UDP port 1026
Dec 26 18:42:48 66.138.198.3:7578 to UDP port 1026
Dec 26 18:42:58 66.178.233.47:11540 to UDP port 1026
Dec 26 18:50:08 202.111.173.83:59789 to UDP port 1026
Dec 26 18:55:10 66.35.104.238:27387 to UDP port 1026
Dec 26 18:56:30 202.111.173.85:45304 to UDP port 1026
Dec 26 18:59:42 218.27.103.206:55370 to UDP port 1026

-- 
Walter Dnes <waltdnes@waltdnes.org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
-- 
gentoo-user@gentoo.org mailing list