
Thread: Constant UDP Port Attack? Help please.

  1. #1
    atomicexplosion Guest

    Constant UDP Port Attack? Help please.

    Okay, I downloaded BitTorrent and I was downloading something, and it was at about 80% when I kept getting alert after alert after alert about UDP ports. At first I thought it was a mass attack on my computer or something, but then I realized I had just got BitTorrent and I heard it **bleep**s around with firewalls. So anyway, every 3 seconds or so I get an attempt with ports and stuff. I couldn't find much about it on the internet.

    "The firewall has blocked Internet access to your computer (UDP Port *****) from 82.212.56.66 {UDP Port 38891}."

    Port and IP change every time. That's just one of the ones since I restarted my computer. I uninstalled BitTorrent and restarted. Why don't they stop?

    Help please.

    Operating System:Windows XP Home Edition
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date: Dec 2005, Posts: 9,057

    Re: Constant UDP Port Attack? Help please.

    Sometimes it is hard to decipher the IP into a URL and get some idea of what it is. How to find a URL using the command prompt:

    Trick One:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SkyRider>nslookup 82.212.56.66
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Name: HSI-KBW-082-212-056-066.hsi.kabelbw.de
    Address: 82.212.56.66

    C:\Documents and Settings\SkyRider>

    Trick Two:

    C:\Documents and Settings\SkyRider>ping -a 82.212.56.66

    Pinging HSI-KBW-082-212-056-066.hsi.kabelbw.de [82.212.56.66] with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 82.212.56.66:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Documents and Settings\SkyRider>

    Okay. The "hsi" is high speed internet. The kabelbw is an internet provider. The "de" is Deutschland. The four packets sent are just an ICMP ping. "0" received means it never replied.

    To see what is running on the PC and where it is going is also easy to do with the command prompt. The command prompt can make a running log of all internet connections on your PC and the state of each connection.

    Open the command prompt.
    Type in netstat -b 5 > activity.txt and press Enter.
    Wait for the desired time period, such as five minutes or so.
    Then press CTRL+C. Then type in activity.txt and press Enter.
    This will open the log in Notepad.
    Now have a look at what is going on with the networking.
    This log of course can be saved for reference.
    If there is a rogue application running to the internet, it will be seen by Windows, along with where it is going.
    netstat -ano in the command prompt gives an instant view of running applications (by PID) and the remote IPs.
    Just look up the application in Task Manager or with Process Explorer, cross-referencing by the PIDs.

    This helps any?

    Oldsod
    Best regards.
    oldsod
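The PID cross-reference the post above describes (netstat -ano, then Task Manager or Process Explorer) can be done in one pass. The script below is an added example and not from the post or from ZoneAlarm; the netstat and tasklist text it parses is constructed to mimic Windows XP output, and the process name btclient.exe at PID 1588 is a hypothetical torrent client, not anything observed on the poster's machine.

```python
"""Cross-reference `netstat -ano` with `tasklist` output to see which process
owns each socket, the step the post does by hand with Task Manager / Process
Explorer.  Added example; the two text samples are constructed to mimic
Windows XP output and are not captured from the poster's machine."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# One `netstat -ano` row.  TCP rows carry a state column, UDP rows do not.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)
# One `tasklist` row: image name, PID, session name, session number, memory.
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

# Constructed sample: PID 1588 is a hypothetical torrent client ("btclient.exe").
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    192.168.1.2:1045       82.212.56.66:6881      ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.2:6881       *:*                                    1588
"""
SAMPLE_TASKLIST = """
Image Name                     PID Session Name     Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process              0 Console                 0         28 K
System                           4 Console                 0        236 K
svchost.exe                    940 Console                 0      4,700 K
btclient.exe                  1588 Console                 0     18,300 K
"""


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(proto, lip, int(lport), rip, rport, state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def connections_by_process(netstat_text, tasklist_text):
    procs = parse_tasklist(tasklist_text)
    return [(procs.get(c.pid, "<pid %d not in tasklist>" % c.pid), c)
            for c in parse_netstat(netstat_text)]


def who_talks_to(netstat_text, tasklist_text, remote_ip):
    """Image names of every process with a socket toward remote_ip."""
    return sorted({name for name, c in connections_by_process(netstat_text, tasklist_text)
                   if c.remote_ip == remote_ip})


def reachable_sockets(netstat_text, tasklist_text):
    """Sockets an unsolicited packet from the Internet could land on:
    every UDP socket and every TCP socket in LISTENING state."""
    return sorted((c.proto, c.local_port, name)
                  for name, c in connections_by_process(netstat_text, tasklist_text)
                  if c.proto == "UDP" or c.state == "LISTENING")


if __name__ == "__main__":
    for name, c in connections_by_process(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("%-14s pid=%-5d %s %s:%d -> %s:%s %s" % (
            name, c.pid, c.proto, c.local_ip, c.local_port, c.remote_ip, c.remote_port, c.state))
    print("talking to 82.212.56.66:", who_talks_to(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "82.212.56.66"))
    print("reachable:", reachable_sockets(SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```

On a real machine, feed it the saved output of `netstat -ano > ns.txt` and `tasklist > tl.txt`. The reachable_sockets view is the one to check after uninstalling a P2P client: if a UDP socket on the torrent port is still bound, something is still running.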

  3. #3

    Re: Constant UDP Port Attack? Help please.

    In my first reply I covered some details about the IP.
    In this post we will take a look at UDP port 38891.

    According to the IANA port listing, this port is considered "unassigned" (but my IANA list is getting old, so it may be out of date!).
    So going to the Seifried port database lookup charts, I found this information under port 38891:

    Port number: 38891

    Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3

    Common service(s): client

    Service description(s): Outgoing client connections from systems.

    Common server(s): RPC based services, Windows Messaging Service.

    Common client(s): All client software (SSH, Web clients, etc.)

    Common problem(s): Insecure client software

    Encrypted options: Not applicable

    Secure options: Not applicable

    Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state)

    Attack detection: As a general rule data coming in to client ports that is not part of an established connection is likely an attack. Exceptions exist of course, such as FTP, various instant messenger protocols, file sharing protocols, IRC's DCC, and so on.

    Related ports: 32768 and other client ports

    Related URL(s): http://seifried.org/security/os/linu...-behavior.html

    Other notes: Port 32768 is the first port used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 32768 and up. If you run netstat on Red Hat Linux or UNIX you will see something like:
    [root@funky web]# netstat -vatn
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 10.2.3.4:32768          10.3.4.5:22             ESTABLISHED
    tcp        0      0 10.2.3.4:32769          10.9.3.4:80             ESTABLISHED

    Port 32768 reveals this:

    Port number: 32768

    Common name(s): first os port used by Red Hat Linux

    Common service(s): outgoing client connections

    Service description(s): Linux uses a range of ports for outgoing client connections, definable in the network startup script or /proc/sys/net/ipv4/ip_local_port_ranges; by default Red Hat now uses ports starting at 32768 (the former default was 1024).

    Common server(s): N/A

    Common client(s): Outgoing client connections

    Common problem(s): N/A

    Encrypted options: N/A

    Secure options: N/A

    Firewalling recommendations: Use a stateful firewall to filter incoming connections but allow outgoing connections.

    Attack detection: N/A

    Related ports: 32769 32770

    Related URL(s): N/A

    Other notes: N/A

    IANA ports lists information:

    Port Number: 32768
    Protocol: tcp
    Name: filenet-tms
    Description: Filenet TMS

    IANA ports lists information:

    Port Number: 32768
    Protocol: udp
    Name: filenet-tms
    Description: Filenet TMS

    I would assume this attack is harmless. Your P2P client originally established a connection, and it is very possible the internet server is still attempting to continue the initiated connection. The server may stop the connection attempts after a period of time. If not, the ZA firewall will continue to protect your PC from the considered "intrusion".

    I would examine the ZA firewall logs and see what original connections were made by the P2P client and whether this was a legitimately established previous connection.

    Guru Hoov's site has some details about interpreting the zalog.txt.

    This helps you?

    Oldsod
    Best regards.
    oldsod
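The check the post above recommends, comparing the blocked inbound entries against the P2P client's earlier outbound connections in the ZoneAlarm log, can be scripted. The following is an added example, not from the post or from ZoneAlarm; it assumes the classic zalog.txt layout `TYPE,date,time,source:port,destination:port,proto` (FWIN written remote to local, FWOUT written local to remote), and the log lines it parses are constructed: 82.212.56.66 is the address from the thread, the other addresses are from documentation ranges. The reading of the result is mine: an FWIN whose local port and remote host match an earlier FWOUT is a peer still replying after the firewall's state entry for that flow has aged out, exactly the "server still attempting to continue the initiated connection" case above, while an FWIN with no prior outbound is genuinely unsolicited. The ephemeral-port count uses the 32768+ client-port range from the Seifried entry quoted in the post.

```python
"""Correlate ZoneAlarm zalog.txt FWIN (blocked inbound) lines with earlier
FWOUT lines to separate "a peer still replying to a flow my client started"
from "truly unsolicited" traffic.  Added example, not from the post; it
assumes the classic zalog.txt layout TYPE,date,time,src:port,dst:port,proto.
The sample log below is constructed (82.212.56.66 is the address from the
thread, the others are RFC 5737 documentation addresses)."""
import re

ZALOG_RE = re.compile(
    r"^(FWIN|FWOUT),(\d{4}/\d{2}/\d{2}),([^,]+),(\S+?):(\d+),(\S+?):(\d+),(TCP|UDP)"
)

# Linux client-side ephemeral ports per the Seifried entry quoted above:
# 32768 up to the top of ip_local_port_range (61000 was the long-standing default).
LINUX_EPHEMERAL = range(32768, 61001)

SAMPLE_ZALOG = """\
FWOUT,2007/10/01,17:52:03 -5:00 GMT,192.168.1.2:6881,82.212.56.66:38891,UDP
FWOUT,2007/10/01,17:52:04 -5:00 GMT,192.168.1.2:6881,198.51.100.23:51233,UDP
FWOUT,2007/10/01,17:52:09 -5:00 GMT,192.168.1.2:1046,203.0.113.5:80,TCP (flags:S)
FWIN,2007/10/01,17:58:11 -5:00 GMT,82.212.56.66:38891,192.168.1.2:6881,UDP
FWIN,2007/10/01,17:58:14 -5:00 GMT,198.51.100.23:51233,192.168.1.2:6881,UDP
FWIN,2007/10/01,17:58:20 -5:00 GMT,203.0.113.77:1434,192.168.1.2:1434,UDP
"""


def parse_zalog(text):
    """Normalise every line to (kind, when, remote, rport, local, lport, proto).
    FWIN is written remote->local and FWOUT local->remote, so swap accordingly."""
    events = []
    for line in text.splitlines():
        m = ZALOG_RE.match(line)
        if not m:
            continue
        kind, date, clock, src, sport, dst, dport, proto = m.groups()
        if kind == "FWIN":
            remote, rport, local, lport = src, int(sport), dst, int(dport)
        else:
            remote, rport, local, lport = dst, int(dport), src, int(sport)
        events.append(dict(kind=kind, when=date + " " + clock, remote=remote,
                           rport=rport, local=local, lport=lport, proto=proto))
    return events


def classify_inbound(text):
    """Replay the log in order.  A blocked inbound packet is 'stale-peer' if our
    side earlier sent to that host from the same local port and protocol (the
    firewall's state entry has simply expired), otherwise 'unsolicited'.  The
    remote port is deliberately not part of the key: knowing we talked to the
    host at all is the question, and a peer may answer from a different port."""
    seen_outbound = set()          # (proto, remote ip, local port)
    verdicts = []
    for ev in parse_zalog(text):
        key = (ev["proto"], ev["remote"], ev["lport"])
        if ev["kind"] == "FWOUT":
            seen_outbound.add(key)
        else:
            verdicts.append((ev, "stale-peer" if key in seen_outbound else "unsolicited"))
    return verdicts


def summarize(text):
    """Counts per verdict, plus how many blocked packets came from a Linux-style
    ephemeral source port, which is what a peer's client socket looks like."""
    out = {"stale-peer": 0, "unsolicited": 0, "from_ephemeral_port": 0}
    for ev, verdict in classify_inbound(text):
        out[verdict] += 1
        if ev["rport"] in LINUX_EPHEMERAL:
            out["from_ephemeral_port"] += 1
    return out


if __name__ == "__main__":
    for ev, verdict in classify_inbound(SAMPLE_ZALOG):
        print("%s %s %s:%d -> local port %d  %s" % (
            ev["when"], ev["proto"], ev["remote"], ev["rport"], ev["lport"], verdict))
    print(summarize(SAMPLE_ZALOG))
```

Run it against the real zalog.txt and the "unsolicited" bucket is the only one worth investigating; the "stale-peer" bucket should shrink to nothing once the peers give up, which is what the original poster eventually saw.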

  4. #4
    atomicexplosion Guest

    Re: Constant UDP Port Attack? Help please.

    I have to say thanks very, very much. To put your time into writing those two long posts just because someone asked for some help really shows some character.

    But yeah, they did all stop shortly after I made this post. It was something with BitTorrent for sure. Thanks for your help.

  5. #5

    Re: Constant UDP Port Attack? Help please.

    It is OK to make assumptions, but details do often give a clearer idea or give some direction to follow. At the least it increased our understanding, and that leads the way to higher levels of knowledge.
    Oldsod

    Message Edited by Oldsod on 10-01-2007 06:09 PM
    Best regards.
    oldsod
