On Fri, 29 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in
>I have a befsr41 router with snmp :-) So I can log traffic going into
>my little network using wallwatcher and opmanager.
It gives you something to watch, I suppose. You'd actually learn a lot
more by using a packet sniffer, as most of this traffic is in plain ASCII
and quite readable.
>I have one XP machine I leave on a lot.
but you never looked at the traffic from a newly installed but isolated
windoze box. They chatter a lot, even before they get infected.
>I notice that it is sending UDP outbound from L-port 137 to R-port 137.
netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
>Then in a relatively short amount of time I see an inbound request from
>a different IP to ports 1026 ,1027, and 1028 from a different IP that
>the 137 was sent from.
That's why the packet sniffer would be useful. You'd see that the packets
contain faked windoze warning messages - telling you that your XP box has
discovered $RANDOM_NUMBER of problems with the registry, or some bunch of
bull droppings, and that you need to go to some spam site to get your
registry repaired. It's some spammer sending messenger spam. Blindingly
obvious clue: the web site has nothing to do with microsoft (who could
possibly care less if your windoze box gets 0wn3d). It's all part of
the benefits you get as a result of incompetent programming by the klowns
in Redmond.
>I have norton's running, and ad aware and spybot don't show anything.
Yes, the anti-malware stuff assumes you already know you've got windoze
installed. Why else would you be using their stuff?
>The addresses seem to come from anywhere China, hong kong, even the US
>and Canada.
Most of them are faked - UDP doesn't need a two way conversation to
deliver the windoze spam. Again, a packet sniffer would show more
interesting details in the headers of those packets. The supposed
source addresses are random numbers, which shows up as occasional
addresses that haven't even been allocated by IANA, much less one of
the five Regional Internet Registries (AFRINIC, APNIC, ARIN, LACNIC or
RIPE).
Block _ALL_ UDP coming in that is not responses from your ISP's name
servers (source port 53 to some high port that had just sent out a
request a second or so before). If you are getting DHCP service from
your ISP, you need UDP ports 68 OUTbound to 67, and the replies from
port 67 back to your 68. If you use a *nix version of traceroute (but
not the b0rken windoze imitation), then you need ports 33434 to about
33480 open. Otherwise you _probably_ don't need any UDP, and can just
drop it into the bit.bucket at your perimeter.
As for your port 137 traffic, it's only windoze trying to be helpful
and share everything with anyone. Microsoft figured you (or at least
somebody) might find it useful.
Old guy
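The inbound-UDP policy the post describes (drop everything except DHCP replies and DNS replies that match a query sent a second or so earlier, and treat sources in never-allocated address space as spoofed), as an added example that is not part of the original post. The host address, the ISP resolver addresses and the packet trace are constructed for illustration (all in RFC 5737 documentation ranges); the policy is applied to a list of UDP datagram records rather than to live packets, and traceroute is covered only on the outbound side, since the replies it needs back are ICMP, not UDP.

```python
"""Stateful inbound-UDP policy from the post, run over a constructed trace.
Added example, not the original poster's code. MY_ADDR, ISP_DNS and TRACE
are assumptions made for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_ADDR = "198.51.100.20"                   # assumed address of the XP box
ISP_DNS = {"203.0.113.53", "203.0.113.54"}  # assumed ISP resolver addresses
DNS_REPLY_WINDOW = 2.0                      # seconds a sent query keeps a reply slot open
TRACEROUTE_PORTS = range(33434, 33481)      # UNIX traceroute UDP probe ports (outbound)

# Address space that is never a legitimate Internet source. A source address
# drawn from random numbers will sometimes land in one of these blocks, which
# is the give-away the post mentions.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Udp:
    t: float        # seconds since trace start
    src: str
    sport: int
    dst: str
    dport: int


def is_bogon(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in BOGONS)


class UdpFilter:
    """Perimeter filter: all outbound UDP is allowed; inbound UDP is dropped
    unless it is a DHCP server reply or a DNS reply matching a recent query."""

    def __init__(self, me: str):
        self.me = me
        self.pending = {}   # (resolver, our source port) -> time the query left

    def decide(self, p: Udp) -> str:
        if p.src == self.me:                          # outbound datagram
            if p.dport == 53 and p.dst in ISP_DNS:
                self.pending[(p.dst, p.sport)] = p.t  # open a slot for the reply
            return "ACCEPT"                           # covers traceroute probes too
        if is_bogon(p.src):
            return "DROP spoofed"
        if p.sport == 53 and p.src in ISP_DNS:
            sent = self.pending.pop((p.src, p.dport), None)  # slot is single-use
            if sent is not None and 0.0 <= p.t - sent <= DNS_REPLY_WINDOW:
                return "ACCEPT"
            return "DROP unsolicited-dns"
        if p.sport == 67 and p.dport == 68:
            return "ACCEPT"                           # DHCP server -> client
        return "DROP unsolicited"                     # e.g. Messenger spam to 1026-1028


TRACE = [  # constructed datagrams, in time order
    Udp(0.0, MY_ADDR, 137, "198.51.100.255", 137),    # NetBIOS name-service chatter, outbound
    Udp(0.5, MY_ADDR, 54321, "203.0.113.53", 53),     # DNS query to the ISP resolver
    Udp(0.6, "203.0.113.53", 53, MY_ADDR, 54321),     # matching reply
    Udp(0.7, "203.0.113.53", 53, MY_ADDR, 54321),     # second "reply" after the slot was used
    Udp(1.0, "203.0.113.54", 53, MY_ADDR, 40000),     # reply with no query behind it
    Udp(2.0, "198.51.100.1", 67, MY_ADDR, 68),        # DHCP server reply
    Udp(3.0, "192.0.2.200", 1026, MY_ADDR, 1026),     # unsolicited Messenger-style datagram
    Udp(3.1, "240.1.2.3", 1027, MY_ADDR, 1027),       # source in reserved space: spoofed
    Udp(4.0, MY_ADDR, 40001, "192.0.2.9", 33434),     # traceroute probe, outbound
]


def run(trace=TRACE):
    f = UdpFilter(MY_ADDR)
    return [f.decide(p) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(TRACE, run()):
        print(f"{p.t:4.1f} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The reply slot is consumed by the first matching datagram, so a second copy aimed at the same port is dropped like any other unsolicited UDP; a real firewall's connection tracking does the same job with a longer timeout. The bogon list covers only address space that is reserved by RFC and can never appear as a source, not blocks that were merely unallocated in 2006, since nearly all of those have been handed out since.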