Thread: What uses UDP on port 52249?

  1. #1
    ceemjay Guest

    Default What uses UDP on port 52249?

    New today to both ZA and this forum so apologies if I've posted in the wrong place (I did look around before posting!)

    Been live for a few hours and nearly all the entries in the ZA log (74 of them) were all incoming and look like the following:
    Firewall UDP sourceIPport 192.168.1.2:52249 (i.e. destination is my PC port 52249)

    There are 26 source IPs - all public - though the majority of the entries (29/74) are from the outside (public) side of my gateway which is a BTHomeHub2.

    Some questions spring to mind:
    Do routers generally not prevent ports that high being passed through the gateway - I can't see anything open on my HH2?
    Alternatively, why are these getting through the gateway to my PC?
    What tries to communicate using UDP on port 52249 - several Google searches didn't throw up anything obvious?
    Is there anyway to get ZA to ask which destination IPs are valid rather than just the application being allowed? (I would like to be asked which mail systems Outlook is allowed to communicate with rather than allow Outlook to connect anywhere)

    I have had a problem with some software sending spam from my home network (probably this PC) through someone else's mail system. I'm still trying to get "the egg off my face"!

    Many thanks
    Clive
    Last edited by ceemjay; January 15th, 2010 at 10:14 AM.

  2. #2
    Join Date
    Dec 2002
    Location
    San Carlos, California
    Posts
    1,636

    Default Re: What uses UDP on port 52249?

    hello,

    A great resource for looking up what could be using certain ports is grc.com

    Here is what they have on your port in question
    https://www.grc.com/port_52249.htm

    Unfortunately there are no known threats or apps that use this port according to GRC.

    You can also Google for info on the port too.

    Forum Moderator
    ZoneAlarm
    Click here for ZA Support
    Monday-Saturday__ 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    ceemjay Guest

    Default Re: What uses UDP on port 52249?

    [I started to write this post before seeing your reply - as you can see I stumbled across grc.com anyway]

    I changed the config on my router to do the following:
    Opened up port 52249 and allowed it to pass data to the PC with ZA.
    Went to grc.com - which allows a probe on any port - tried 52249 but ZA didn't detect anything and probe reported it couldn't get through

    So I opened up port 80 went to a remote PC (ie out on the internet) and used CURL to access the public IP address of my router and the page was dished up from the PC running ZA -- ZA did not block this nor record any attempt.

    I am now a little baffled and in summary these questions are still outstanding:
    How did ZA report all the "random" UDP/52449 connections earlier but not report my connection after I'd opened up the router to pass them through?
    Why did ZA not stop or even report remote access to my PC web server when Internet Zone Security is set to high.

    Even if the results don't make sense I hope at least my description does!!

    Thanks again
    Clive
    Last edited by ceemjay; January 15th, 2010 at 01:59 PM. Reason: Saw the response to my earlier post

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: What uses UDP on port 52249?

    " Been live for a few hours and nearly all the entries in the ZA log (74 of them) were all incoming and look like the following:
    Firewall UDP sourceIPport 192.168.1.2:52249 (i.e. destination is my PC port 52249)

    There are 26 source IPs - all public - though the majority of the entries (29/74) are from the outside (public) side of my gateway which is a BTHomeHub2.

    Some questions spring to mind:

    I have had a problem with some software sending spam from my home network (probably this PC) through someone else's mail system. I'm still trying to get "the egg off my face"! "
     
    The source IP of the incoming UDP packets is indicated as in the 192.168.x.x range; this is not a Public IP but it is a Private network IP range.
    See http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml#note8 and please select the Note 8 as it specifies "192.168.0.0/16 reserved for Private-Use Networks [RFC1918]". However, 192.168.0.0/16 is correct CIDR notation for the entire IP range of 192.168.0.0 to 192.168.255.255
    Attempted connection by 26 Public IPs - could you please list these specific IPs for further clarification?
    Answers for questions that sprang to mind:
    Normally the 'router' will only allow 'incoming' return connections from previously established 'outgoing' connections as seen by the router's own separate private network.
     
    However, any unsolicited or unwanted connection attempts would be automatically dropped by the router, since the router has no established private IP to forward the incoming packets which are to be sent to. Or in other words... unsolicited incoming packets are dropped by the router because the router has no correct established private address as seen in the router's own route table (which is established by the network address translation or 'NAT' of the router).
    See http://en.wikipedia.org/wiki/Network_address_translation
    In other words, only established connections will be allowed to enter and unwanted connections are dropped by the router.

    Private or Dynamic port range. As for the high numbered port, as it appears this originated from your own network, a possible explanation of a UDP port used in the Dynamic and/or Private Ports range (49152 through 65535) could be it is for some networked device or computer placed in your home network.
    IANA says this regarding the port in question:
    "DYNAMIC AND/OR PRIVATE PORTS The Dynamic and/or Private Ports are those from 49152 through 65535"
    See http://www.iana.org/assignments/port-numbers
     
    "Do routers generally not prevent ports that high being passed through the gateway - I can't see anything open on my HH2?"
    Not in this situation, and it is not a specific or general port question or issue as normally all ports are blocked by the router regarding unwanted incoming connections.
    "Alternatively, why are these getting through the gateway to my PC? "
    It is probably LAN or local area network traffic which may be quite safe or harmless. UNLESS there are infected devices or computers in your home network (infected with network worms or other malware) OR the router is wireless and possibly not properly secured and then is left 'open' to war drivers or local neighbours or unwanted users.

    "What tries to communicate using UDP on port 52249 - several Google searches didn't throw up anything obvious?"
    Possibly the operating systems (newer used ports by Microsoft's Vista or Windows 7), supported or installed software, games, local sharing, the port 52249 could be used as alternative port for a 'well known' or 'registered' port, or possible alternative port for Peer to Peer file sharing, etc and maybe even malware.

    "Is there anyway to get ZA to ask which destination IPs are valid rather than just the application being allowed? (I would like to be asked which mail systems Outlook is allowed to communicate with rather than allow Outlook to connect anywhere)"
    In general, software firewalls do not verify or validate the destination IP. Either the IP or site or server does exist and does function or it does not. If you are inquiring as to whether the connections made to the mail server by the email client are correct, such as not being a malicious or spoofed server, then yes the firewall does not verify but instead will ask the user as to whether to allow the new connection to the newest (and possibly maliciously employed) email server. Further security for the email client to ensure only the correct and proper email servers are connected can be established by the 'Expert' rules, either in the Program Expert or in the Zones' Expert.


    Best regards.
    oldsod

  5. #5
    ceemjay Guest

    Default Re: What uses UDP on port 52249?

    Thanks for the lengthy reply and the links - I am aware of the private IP addressing, NAT etc and I think I have a reasonable grasp of IP networking but am certainly not an expert and always eager to learn more.

    I think I have been a bit confusing or maybe we are confusing each other! So here is the log file from the moment I first launched ZA...
    ZoneAlarm Logging Client v9.1.007.002
    Windows XP-5.1.2600-Service Pack 3-SP
    -- snip header --
    ACCESS,2010/01/15,10:15:02 +0:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.1.2:Port 8304).,N/A,N/A
    ACCESS,2010/01/15,10:15:12 +0:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.1.254:Port 13077).,N/A,N/A
    --- snip all lines between with consecutive port numbers 13078-13129 ----
    ACCESS,2010/01/15,10:15:16 +0:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.1.254:Port 13130).,N/A,N/A
    FWIN,2010/01/15,10:15:40 +0:00 GMT,217.35.123.177:49398,192.168.1.2:52249,TCP (flags:S)
    PE,2010/01/15,10:15:56 +0:00 GMT,Bonjour Service,C:\Program Files\Bonjour\mDNSResponder.exe,213.123.27.211:53, N/A
    PE,2010/01/15,10:15:56 +0:00 GMT,Bonjour Service,C:\Program Files\Bonjour\mDNSResponder.exe,213.123.27.211:53, N/A
    FWIN,2010/01/15,10:16:58 +0:00 GMT,86.26.149.188:38486,192.168.1.2:52249,UDP
    FWIN,2010/01/15,10:17:56 +0:00 GMT,93.96.107.237:16731,192.168.1.2:52249,UDP
    FWIN,2010/01/15,10:18:00 +0:00 GMT,212.159.143.63:30297,192.168.1.2:52249,UDP
    FWIN,2010/01/15,10:18:02 +0:00 GMT,86.155.55.62:33043,192.168.1.2:52249,UDP

    Does that help clarify my question? I am not aware of ZA asking me to allow any "unusual" program that would allow access to those IP addresses.

    These were all the source IP addresses sending data to port 52249:
    78.148.95.117
    81.105.17.92
    81.105.23.191
    81.86.22.105
    81.98.9.243
    82.30.185.123
    86.129.234.5 (public address of my router)
    86.143.158.102
    86.147.180.240
    86.155.55.62
    86.171.251.3
    86.26.149.188
    87.244.199.74
    88.106.170.213
    88.97.45.90
    89.242.147.32
    89.242.26.100
    92.239.85.82
    92.41.254.154
    93.96.107.237
    94.194.185.248
    128.135.212.247
    212.159.143.63
    217.171.129.65
    217.35.123.177
    217.39.6.16

    Many thanks for your interest
    Clive
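
The log excerpt above and oldsod's earlier explanation of RFC 1918 ranges and the IANA dynamic port range both come down to the same check: which side of each blocked packet is private, and what was targeted. The script below is an added example written for this thread, not ZoneAlarm's code or anything posted by its author. It parses FWIN records in the ZoneAlarm Logging Client format shown above (type, date, time, source ip:port, destination ip:port, protocol), classifies source and destination addresses as private or public with Python's `ipaddress` module, and tallies the same figures Clive worked out by hand. The sample lines are constructed for this example (they reuse addresses that appear in the thread, but the set of lines is made up).

```python
import ipaddress
from collections import Counter

# Constructed sample input in the ZoneAlarm Logging Client format quoted in
# post #5. FWIN = blocked inbound packet: src ip:port, dst ip:port, protocol.
# Addresses are ones mentioned in the thread; the line set itself is made up.
SAMPLE_LOG = """\
ZoneAlarm Logging Client v9.1.007.002
ACCESS,2010/01/15,10:15:02 +0:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.1.2:Port 8304).,N/A,N/A
FWIN,2010/01/15,10:15:40 +0:00 GMT,217.35.123.177:49398,192.168.1.2:52249,TCP (flags:S)
PE,2010/01/15,10:15:56 +0:00 GMT,Bonjour Service,C:\\Program Files\\Bonjour\\mDNSResponder.exe,213.123.27.211:53, N/A
FWIN,2010/01/15,10:16:58 +0:00 GMT,86.26.149.188:38486,192.168.1.2:52249,UDP
FWIN,2010/01/15,10:17:56 +0:00 GMT,93.96.107.237:16731,192.168.1.2:52249,UDP
FWIN,2010/01/15,10:18:00 +0:00 GMT,212.159.143.63:30297,192.168.1.2:52249,UDP
FWIN,2010/01/15,10:18:02 +0:00 GMT,86.155.55.62:33043,192.168.1.2:52249,UDP
FWIN,2010/01/15,10:18:05 +0:00 GMT,86.155.55.62:33044,192.168.1.2:52249,UDP
"""

# IANA "Dynamic and/or Private Ports" range quoted in post #4
DYNAMIC_PORTS = range(49152, 65536)


def split_endpoint(endpoint):
    """'1.2.3.4:5678' -> (IPv4Address, int port)."""
    ip, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(ip), int(port)


def parse_fwin(line):
    """Return a dict for an FWIN record; None for ACCESS, PE and header lines."""
    fields = line.rstrip("\n").split(",")
    if len(fields) < 6 or fields[0] != "FWIN":
        return None
    src_ip, src_port = split_endpoint(fields[3])
    dst_ip, dst_port = split_endpoint(fields[4])
    return {
        "time": fields[1] + " " + fields[2],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "proto": fields[5].split()[0],  # 'TCP (flags:S)' -> 'TCP'
    }


def summarize(log_text):
    """Aggregate blocked inbound records: who sent them, where they were aimed."""
    records = [r for r in map(parse_fwin, log_text.splitlines()) if r]
    public_src = {r["src_ip"] for r in records if not r["src_ip"].is_private}
    private_src = {r["src_ip"] for r in records if r["src_ip"].is_private}
    return {
        "fwin_records": len(records),
        "by_dst_port": Counter(r["dst_port"] for r in records),
        "by_proto": Counter(r["proto"] for r in records),
        "public_sources": sorted(str(ip) for ip in public_src),
        "private_sources": sorted(str(ip) for ip in private_src),
        # RFC 1918 destination = the packet was addressed to the LAN-side PC,
        # which is the second ip:port field, not the first
        "all_dst_private": all(r["dst_ip"].is_private for r in records),
        # targeted ports that fall in IANA's dynamic/private range
        "dynamic_dst_ports": sorted({r["dst_port"] for r in records
                                     if r["dst_port"] in DYNAMIC_PORTS}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real `ZALog.txt` by reading the file into `summarize()`. The point it makes for this thread is in the field order: in every FWIN line the public address sits in the source field and 192.168.1.2 in the destination field, so a summary that keys on the destination (as `all_dst_private` does) shows these as inbound packets to the PC rather than traffic from a LAN neighbour.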

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: What uses UDP on port 52249?

    I did originally suspect some device or computer also present on your lan could be responsible for the unexpected connection attempts, and after seeing two separate lan IP's, believing this now probably to be true. It is quite possible they are doing these connections, but these particular connections are appearing over your lan and are then seen as attempted connections to your own desktop.
    One 192.168.1.2 and another 192.168.1.254 seems to indicate two other lan devices - and assuming the router is more than likely seen as the usual 192.168.1.1.
    The only possible reason for the unwanted IP connections then could be either of two reasons: one of the other lan computers has initiated these connections and then there would have to be an open port in the firewall of the hardware router to allow these incoming connections (in which case these could be broadcast over the entire lan network) or there is some strange/unknown outgoing connection that has initiated the connections originating from your desktop. Someone or somebody on the lan could be doing some sort of file sharing or P2P or something else that involves the unusual port and diverse/different IPs (possibly some sort of networking).
    First I checked which registries two of the IPs belonged to using the IANA IPv4 Address Space listings.
    http://www.iana.org/assignments/ipv4-address-space/
    One, 128.135.212.247, belongs to ARIN (american registry) and another, 78.148.95.117, belongs to RIPE (european registry).
    Next, checked with the correct associated whois for these two IPs:
    http://ws.arin.net/whois/?queryinput=128.135.212.247
    http://www.db.ripe.net/whois?form_ty..._search=Search
    (further searches can be done using the default searches seen at these whois services, if you wish to do so yourself).
    After seeing one points to the University of Chicago, and even though the other selected result (78.148.95.117) is limited to Opal of Manchester, England, it does seem to indicate some sort of file sharing or unusual networking of some sort.
    There are contact email addresses at the whois results - it may be worth your time to contact the university and internet provider for more details/information or at least report these incidents to these people (in case there is something nefarious going on).
    Going back to the original question posted in the title of your first post, further information regarding UDP port 52249 can be found here:
    http://www.seifried.org/security/por...t_number=52249
    where UDP port 52249 is described as:
    "local clients ports for outgoing traffic on Linux"

    Checking with sans.org's own Internet Storm Center it does show an increased recent use of UDP port 52249 over the internet:
    http://isc.sans.org/port.html?port=52249
    However, the Sans graph or info does not necessarily indicate something nefarious or just acceptable traffic - it is just an indicator of seen port activity over the internet.
    The only sensible or practical advice I can give is first create an Expert rule in the ZA to block UDP port 52249 for both Source and Destination, and then login into the router to ensure the port 52249 is closed (along with any other).
    Best regards.
    oldsod
