UDP to port 1027


 I asked a related question in comp.security.misc. Now I see that the
UDP packet I keep on receiving is going to ports 1026 or 1027. It does
include an address to a page (www.patchupdate.info) that offers to
download a patch for some versions of Windows from a different page,
not a MS page.
  What is port 1027 used for? I don't find any mention of it being
used for anything in particular.

Please set follow-up to the most appropriate group.


PS: The ping from might have come from a compromised
computer not related to this packet.

Re: UDP to port 1027

In comp.security.misc "GEO" wrote:
For anything you're implementing. There is no close relationship between
port number and usage.

There only are _recommendations_ which ports to use for what.

Port UDP/1027 sometimes is used for ICQ. And usually client side
processes are using ports beyond 1024.

"If you want to play with a piece of windows software that makes you
click all over the place, there's always minesweeper."

                    Kyle Stedman about "Personal Firewalls" in c.s.f

Re: UDP to port 1027

"GEO" Me@home.here wrote:

On Windows machines the ports just above 1024 are usually used for
certain RPC implemented services like Task Scheduler and Netsend
Messaging. However, this only applies to TCP, so I guess those fools
have some misconception.

Eh, shouldn't you do that? But well, fup2csf

Re: UDP to port 1027

This is just Messenger spam.  It's extremely common and has been going
on for ages.  They are trying to get packets thru that pop up little ads
on your desktop via the Messenger service running on your machine.  Just
let your firewall block the incoming UDP packets and don't worry about
it.  It's pure noise.


Re: UDP to port 1027


  Thank you.  As I don't have Messenger on my Windows 3.1, I'll just
ignore them.

  This Messenger stuff reminds me of the idea of letting the fridge
call the store when I run out of milk.


Re: UDP to port 1027

On Sat, 17 Jun 2006, in the Usenet newsgroup comp.security.firewalls, in article

Which rock have you been hiding under for the past eight years?  That is
ordinary windoze messenger spam, because you haven't blocked it (we port
shift _outgoing_ UDP which is generally DNS queries, such that the source
port is not in the 1025 to ~1075 range, allowing our upstream to silently
discard incoming to that range). You should also disable this "feature"
in your windoze setup - I have no idea how, as I got rid of that crap in
1992.  Do a google search for 'messenger spam' and you'll find instructions
from microsoft on how to disable it, as well as Eleventy-Zillion programs
you can purchase for only $20 or so that claim to block it.

Don't bother trying to reject (ICMP Error) the packets. The last time I
bothered to look at these packets, it was QUITE OBVIOUS that the source
address was forged (TTLs wrong, and in about 4% of the cases, the claimed
source address had not been released by IANA, never mind assigned to some
entity by a Regional Internet Registry like ARIN, RIPE, or APNIC). The
forged source addresses seem to be generated by a poorly written random
number generator script.

The web pages were generally at newly registered domains, but actually
hosted by well-known spam service centers in the Portland (OR.us) to
Vancouver (BC.ca), Chicago, or New York City metropolitan areas.

Following the others - set to c.s.f

Not enough information.  Oh, wait - that's the posting where you are
"using Trumpet on Windows 3.1".  I guess that explains why you haven't
noticed messenger spam before, but it really is a "feature" that
microsoft adopted more than fifteen years after the UNIX version, and as
usual without bothering to look at the preceding experience and thus know
that it's a massive abuse problem waiting to happen.  Oh, and 'ping' is
not UDP, but rather a function in ICMP. Real pings have not been an exploit
since the "Ping of Death" that targeted the incompetently written network
stack in the first three versions of windoze-9x.

I suspect your use of the word "ping" here is incorrect, and you are
actually referring to the UDP messenger spam. That being the case, the
address is almost certainly forged.

        Old guy
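
Added example (not part of any post in this thread): a small log filter that separates unsolicited inbound UDP to the "1025 to ~1075" range from replies to the host's own outgoing queries, which is the distinction a stateful firewall makes when it drops Messenger spam. The log format, the addresses and the 30-second reply window are assumptions constructed for illustration; matching is on flow state rather than source address, since the thread notes the sources are forged.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts direction proto src sport dst dport")

# Constructed sample log (assumed format): epoch direction proto src:sport dst:dport
SAMPLE_LOG = """\
1000 OUT UDP 192.0.2.10:1030 198.51.100.53:53
1001 IN UDP 198.51.100.53:53 192.0.2.10:1030
1005 IN UDP 203.0.113.77:31337 192.0.2.10:1026
1006 IN UDP 203.0.113.78:4402 192.0.2.10:1027
1007 IN TCP 203.0.113.79:4500 192.0.2.10:1027
1100 IN UDP 198.51.100.53:53 192.0.2.10:1030
"""

SPAM_PORTS = range(1025, 1076)   # the "1025 to ~1075" range from the thread
WINDOW = 30                      # seconds a reply stays valid (assumed timeout)

def parse(line):
    """Split one constructed log line into a Pkt record."""
    ts, direction, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Pkt(int(ts), direction, proto, sip, int(sport), dip, int(dport))

def unsolicited_udp(log_text, window=WINDOW):
    """Return inbound UDP packets to SPAM_PORTS that answer no recent outbound packet."""
    pending = {}   # (local ip, local port, remote ip, remote port) -> last outbound ts
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        p = parse(line)
        if p.proto != "UDP":
            continue                      # Messenger spam in this thread is UDP only
        if p.direction == "OUT":
            pending[(p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        # An inbound packet is a reply only if it mirrors a recent outbound flow.
        last = pending.get((p.dst, p.dport, p.src, p.sport))
        is_reply = last is not None and p.ts - last <= window
        if p.dport in SPAM_PORTS and not is_reply:
            hits.append(p)
    return hits

if __name__ == "__main__":
    for p in unsolicited_udp(SAMPLE_LOG):
        print(f"{p.ts} drop unsolicited UDP {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The late packet at 1100 is flagged because it arrives after the reply window has closed, even though it mirrors an earlier outgoing query.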
