
Thread: Getting UDP Messages to port 17582

  1. #1
    jameelch Guest

    Default Getting UDP Messages to port 17582

    I have a Linksys WRT54GS router and ZoneAlarm firewall on my PC. ZoneAlarm has suddenly started to
    block incoming UDP requests to port 17582. I get about 1 such alert every 2-3 minutes. I checked in the router log and sure enough there is a stream of these incoming requests.
    I am trying to figure out how to analyze this:
    1) Am I right in assuming that for such a request to get past the Linksys there must have been an original request that originated from my PC?
    2) If so, then I have some worm or trojan or something that is calling home?
    3) TCPVIEW on my PC shows nothing fishy, i.e. as an established connection.
    4) Norton scan shows up nothing in terms of virus or malware.
    I am looking for some guidance on next steps to figure out what is causing this and how to track down/lock down the system.
    Thanks,
    Jester.

    Operating System:Windows XP Home Edition
    Software Version:
    Product Name:ZoneAlarm (Free)

  2. #2
    watcher Guest

    Default Re: Getting UDP Messages to port 17582

    Dear jameelch:

    In answer to your questions, I will do so using the numbers for the questions you asked:

    1) Yes, it's called Stateful Packet Inspection (SPI), a feature of most routers. It compares the destination IP address for the request you sent to the source IP address of the response. If the 2 don't match, the traffic is dropped. Also, any unsolicited inbound traffic is dropped because there was no request sent outbound.

    2) Most firmware-based routers don't protect against trojans resident on your PC. ZAfree, however, should alert you because it monitors both inbound and outbound traffic.
    Trojans, in order to function, must communicate outbound from the victim PC to transmit the info they have collected. A software firewall, such as ZAfree, won't allow this unless you specifically allow it.

    3) As you stated, your router logs these blocked connection attempts so they are being dropped prior to reaching your PC. If something does, ZAfree should block it and log it.

    4) Regular scanning (every week minimum) with antivirus and antispyware utilities should keep your PC clean of any malware.

    Your router logs, or ZAfree's, should show you the IP addresses of the attackers. Remember, though, that IP addresses can be forged and botnets are composed of hijacked PCs so the person/company the IP is associated with may be completely innocent and unaware their PC is being used to attack other PCs on the Internet. If, however, the origin of the attacks is from China, Iran, North Korea, or Iraq, you can certainly assume they are malicious.

    You have no control over hacker activity on the Internet. Sometimes, my ZAPRO logs have few entries because hacker activity is low. On the other extreme, my IP address (and probably others) was targeted by a botnet and I had several hundred entries from many different source IPs, but I recognized it as all these IP addresses were trying to connect to a specific port on my computer.

    To harden your operating system against attack, you want to disable unnecessary services running on your PC, uninstall unnecessary 3rd-party software, uninstall Windows Components you don't use, and use Registry tweaks which serve to protect your PC against attack. TCPView will show both listening and open ports on your PC. After hardening your PC, you should have only a few ports showing up here.

    Hope this helps.

    WATCHER
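As an added illustration of the SPI behaviour Watcher describes in point 1 (not code from the thread or from Linksys/ZoneAlarm firmware), the following Python models a stateful UDP filter: an inbound datagram passes only if it matches a recent outbound datagram, or if the destination port has been mapped through to the PC, which is what a UPnP-style port mapping does. The 30-second reply window, the `Packet` record and the sample traffic are all constructed assumptions; the addresses come from documentation ranges.

```python
from collections import namedtuple

# Constructed packet record used for the simulation, not real router output.
Packet = namedtuple("Packet", "ts direction src_ip src_port dst_ip dst_port")


class StatefulUdpFilter:
    """Toy model of SPI for UDP. Inbound datagrams pass only when they answer a
    recent outbound datagram or when the port was opened (statically or via a
    UPnP-style mapping requested by a LAN program)."""

    def __init__(self, lan_ip, reply_timeout=30.0):
        self.lan_ip = lan_ip                # address of the PC behind the router
        self.reply_timeout = reply_timeout  # assumption: seconds a reply window stays open
        self.flows = {}                     # (lan_port, remote_ip, remote_port) -> expiry time
        self.opened_ports = set()           # ports mapped straight through to the PC

    def open_port(self, port):
        """Simulate a port mapping, e.g. one a LAN program requested over UPnP."""
        self.opened_ports.add(port)

    def close_port(self, port):
        self.opened_ports.discard(port)

    def handle(self, pkt):
        if pkt.direction == "out":
            # Remember the flow so that the matching reply is let back in.
            key = (pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.flows[key] = pkt.ts + self.reply_timeout
            return "allow"
        # Inbound: a mapped port bypasses the state check entirely.
        if pkt.dst_port in self.opened_ports:
            return "allow (mapped port)"
        # Otherwise the datagram must answer an outbound one that is still in the table.
        expiry = self.flows.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if expiry is not None and pkt.ts <= expiry:
            return "allow (reply)"
        return "drop (unsolicited)"


def run_demo():
    """Run constructed sample traffic through the filter and return the decisions."""
    fw = StatefulUdpFilter("192.168.1.100")
    decisions = []
    # A DNS query goes out, and its reply comes back within the window.
    decisions.append(fw.handle(Packet(0.0, "out", "192.168.1.100", 54000, "203.0.113.5", 53)))
    decisions.append(fw.handle(Packet(0.1, "in", "203.0.113.5", 53, "192.168.1.100", 54000)))
    # Nothing was sent to 198.51.100.9, so this datagram to 17582 is unsolicited.
    decisions.append(fw.handle(Packet(0.2, "in", "198.51.100.9", 40000, "192.168.1.100", 17582)))
    # A "reply" arriving long after the window closed is also dropped.
    decisions.append(fw.handle(Packet(60.0, "in", "203.0.113.5", 53, "192.168.1.100", 54000)))
    # Once a program has mapped 17582 through the router, the same datagram is passed to the PC.
    fw.open_port(17582)
    decisions.append(fw.handle(Packet(61.0, "in", "198.51.100.9", 40000, "192.168.1.100", 17582)))
    # Removing the mapping restores the default-drop behaviour.
    fw.close_port(17582)
    decisions.append(fw.handle(Packet(62.0, "in", "198.51.100.9", 40001, "192.168.1.100", 17582)))
    return decisions


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The fifth decision is the case that matters for this thread: with a port mapping in place the router no longer applies SPI to that port, so unsolicited datagrams reach the PC and it is the host firewall that ends up logging them.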

  3. #3
    jameelch Guest

    Default Re: Getting UDP Messages to port 17582

    Hi Watcher,
    Many thanks for taking the time to write me a very detailed response.
    I have now done a more thorough analysis as follows:
    1) Exact symptom description (some repetition!): I have a Linksys WRT54GS firewall/router. My PC has ZAfree. I started to get ZA security alerts as follows: "The firewall has blocked internet access to your computer (UDP Port 17582) from xx.xx.xx.xx (UDP port XX)"
    The thing to note is that my computer UDP Port always = 17582. From IP and From Port change all the time.
    First Issue: So my router/FW is NOT dropping this supposedly unsolicited UDP - it is making it to my PC and ZA is blocking it. Question: How can an unsolicited UDP get to my PC - router SPI is ON.
    2) If my PC is sending the original 'ping' out, then ZA is not alerting that. In particular if I just run TCPView and stare at that for a while, I do not see any connections being established (TCP or UDP). The UDP Ports 137, 138, 445 show *.* in remote address.
    3) What I just tried: I noticed that uPnP was enabled in my Linksys router. I disabled that. The ZA security alerts stopped!
    4) What I am worried about now: If I understand it right, uPnP opens ports dynamically for programs. I am not sure what this means exactly - is this for outgoing communication? If so, it implies that some program was communicating outbound but now cannot. But that (bad) program is still on my system. Also, how come ZA did not block that outbound communication OR why TCPView did not show it.

    Thanks,
    Jester.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Getting UDP Messages to port 17582

    UPnP uses multicast and unicast. I suppose then the IPs in question were found in the 223.0.0.0 to the 255.255.255.254 range and possibly in the 192.168.x.255 or 10.x.x.255 ranges.

    Those ports previously mentioned will not appear or be in question. The application involved will be the svchost.exe and the initial broadcast for the UPnP will occur at the Windows startup, at the very same time when it does the broadcast for the DHCP server. The ZA saw it and allowed it, since the svchost.exe is a trusted application with server rights for the trusted zone (this includes not just the localhost, but also the router and the DNS servers).

    UPnP over UDP is not authenticated traffic. Somewhat of a security risk and vulnerability.

    UPnP is needed for certain Internet Messengers and of course for network devices connected to the LAN for sharing/access (networked drives and printers/scanners and certain media/games consoles).

    You could also disable the UPnP service in the PC; then the initial broadcasts from your PC will stop and not cause the router to return a reply. The router was replying to the PC requests and the ZA blocked off these replies.

    Cheers, Oldsod

    Message Edited by Oldsod on 01-21-2008 08:51 PM
    Best regards.
    oldsod

  5. #5
    watcher Guest

    Default Re: Getting UDP Messages to port 17582

    Dear jameelch:

    The trouble with PCs with the WinXP operating system is that it has a lot of services automatically starting which you don't need. For the uPnP problem, disable the Universal Plug and Play Device Host. Click Start, Run, type services.msc, then click OK. In the Services window, scroll down to the above service and double click it. Click Stop button first if the service is started, then click the down arrow by Startup type and click Disabled. Click OK and exit Services window. Most users do not need this service operational and it presents a big security hole when running.

    As for UDP port 17582, I don't know why it would not be blocked by your router, UNLESS that is the port your router is using to communicate with your PC or your router has been compromised. Check your router logs to see where the traffic originated from. Also, check your router manual. Remember, SPI doesn't stop any inbound response traffic for which an outbound request was made.

    To see what ports are open or listening on your PC, click Start, Run, type CMD, then click OK. In the DOS window that opens, type: netstat -abno, then hit Enter. Also, look at your firewall logs to see if any spurious communications are being made outbound from your PC by applications you have installed. To counter this, click the Firewall panel, Main tab, and click the Advanced button. In the Advanced Settings dialog box, under General settings, make sure the option, Block Internet servers, is enabled. This will prevent the Internet-aware applications on your PC from communicating outbound without your permission.

    Hope this helps.

    WATCHER

  6. #6
    jameelch Guest

    Default Re: Getting UDP Messages to port 17582

    I have now shutdown uPnP on my Windows XP also as suggested by Watcher. I thought I had done this before but lo and behold it was running again!
    Oldsod - the source IPs are from all over the place: 78.146.174.XX, 86.29.96.XX, 59.167.149.XX, 190.82.141.XX
    And so on. All coming to the same destination IP/port (Port = 17582). Of course the source IPs may be spoofed - but many have source DNS entries that look legit. (I am reporting this from the ZAfree Firewall logs!).
    Also, for DHCP type requests I would expect maybe just one response - the above UDP's arrive at the rate of one every 2-3 minutes on average.
    As I said, disabling uPnP in the router has stopped these messages.
    Thanks,
    Jester
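The two observations jameelch makes in posts #3 and #6 (the destination port is always 17582 while source IP and port vary, and the alerts arrive every 2-3 minutes rather than as a single reply) are exactly what a short log summary can confirm. The following Python is an added example, not code from the thread or from ZoneAlarm: it parses alert lines in the shape quoted in post #3, with a constructed timestamp prefix and constructed addresses from documentation ranges, and reports hit count, distinct sources, the busiest source and the average gap between hits for a chosen port.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample alerts. The message text follows the wording quoted in the
# thread; the "YYYY-MM-DD HH:MM:SS" prefix and the addresses are assumptions.
SAMPLE_ALERTS = """\
2008-01-21 20:00:05 The firewall has blocked internet access to your computer (UDP Port 17582) from 203.0.113.7 (UDP port 41234)
2008-01-21 20:02:31 The firewall has blocked internet access to your computer (UDP Port 17582) from 198.51.100.22 (UDP port 6881)
2008-01-21 20:05:10 The firewall has blocked internet access to your computer (UDP Port 17582) from 203.0.113.7 (UDP port 41234)
2008-01-21 20:07:48 The firewall has blocked internet access to your computer (UDP Port 17582) from 192.0.2.15 (UDP port 1024)
2008-01-21 20:10:02 The firewall has blocked internet access to your computer (UDP Port 137) from 192.168.1.1 (UDP port 137)
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) The firewall has blocked internet access "
    r"to your computer \((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) "
    r"from (?P<src>[\d.]+) \((?:TCP|UDP) port (?P<sport>\d+)\)$"
)


def parse_alerts(text):
    """Turn alert lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"],
            "dport": int(m["dport"]),
            "src": m["src"],
            "sport": int(m["sport"]),
        })
    return events


def summarize(events, dport):
    """Summarize every alert aimed at one local port.

    Many distinct sources hitting a single local port at a steady rate is the
    pattern the poster saw; a single reply to something the PC sent would give
    one hit from one source and no steady cadence."""
    hits = sorted((e for e in events if e["dport"] == dport), key=lambda e: e["ts"])
    sources = Counter(e["src"] for e in hits)
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
    return {
        "count": len(hits),
        "unique_sources": len(sources),
        "top_source": sources.most_common(1)[0] if sources else None,
        "distinct_source_ports": len({e["sport"] for e in hits}),
        "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
    }


if __name__ == "__main__":
    evts = parse_alerts(SAMPLE_ALERTS)
    for key, value in summarize(evts, 17582).items():
        print(f"{key}: {value}")
```

Feeding real log export lines to `parse_alerts` only needs the regular expression adjusted to the timestamp format the firewall actually writes; the summary itself is format-independent.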

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Getting UDP Messages to port 17582

    If you are not doing any special kind of networking (P2P, IMs, etc.) then open the router and block the entire TCP/UDP port range of 5001-65535. That should put an end to it. Or just block the 17000's in the router. Almost the entire range in the 17000's is designated as unassigned ports. It would not be really missed.
    Oldsod

    Message Edited by Oldsod on 01-22-2008 10:33 PM
    Best regards.
    oldsod
