Odd tcpdump packet question

Discussion in 'Mac Basics and Help' started by tag, Jun 27, 2005.

#1 tag (macrumors 6502a, joined Apr 29, 2005, PA, US):
    Ok, I was wondering if anyone had any clue about this. I was searching through some packets via tcpdump, and I keep coming across these types of packets, which I can't explain. Not only do they keep coming when I'm not really running any apps, other than Terminal of course, but they are coming from different IPs. I can't find these messages anywhere on my iMac either, other than when I use tcpdump, so I'm not sure what program is requesting/sending this info. Does anyone know if there is a way to find out?

    I've added 3 snippets from a dump file below. Also to note, the domains listed below are all from different countries such as Sweden and Poland. It seems to be some type of scam to get you to download Windows software, no doubt virus/trojan infected, though I'm not sure how I'm receiving these through the Mac. Basically I'm not really worried or anything, just really bored today and curious about this.


    15:11:15.666234 IP (tos 0x0, ttl 116, id 57157, offset 0, flags [none], length: 821) 211.189.212.184.10849 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 793
    ...CUSTOMER....................Important Notice From MSOFT{Z........O...a.

    Buffer Overflow in Messenger Service Causes Unexpected Computer Shutdown,
    Virus Infection and Remote Code Execution

    Affected Software:

    Microsoft Windows NT Workstation
    Microsoft Windows NT Server 4.0
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Win98
    Microsoft Windows Server 2003

    Non Affected Software:

    Microsoft Windows Millennium Edition

    Your system IS affected, download the patch from the address below !
    FIRST TYPE THE URL BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK'


    WWW.WUPDATE.NET.
    15:11:15.666312 IP (tos 0x0, ttl 64, id 21437, offset 0, flags [none], length: 56) user216-178-76-164.netcarrier.net > 211.189.212.184: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 116, id 57157, offset 0, flags [none], length: 821) 211.189.212.184.10849 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 793
    15:12:13.764905 IP (tos 0x0, ttl 119, id 20578, offset 0, flags [none], length: 908) 205.232.60.138.15984 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 880
    ...!E...Pb..w..5..<...L.>p...x....(.......................{Z........O......#Bfz-....`..................... .................SECURITY MONITOR................WINDOWS USER....................Important Windows Security Bulletin
    ======================
    Buffer Overrun in Messenger Service Allows Remote Code Execution,
    Virus Infection and Unexpected Computer Shutdowns

    Affected Software:

    Microsoft Windows NT Workstation
    Microsoft Windows NT Server 4.0
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Win98
    Microsoft Windows Server 2003

    Non Affected Software:

    Microsoft Windows Millennium Edition

    Your system is affected, download the patch from the address below !
    FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK'.
    THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK 'OK'.

    www.updatepatch.info
    .
    15:12:13.764987 IP (tos 0x0, ttl 64, id 21462, offset 0, flags [none], length: 56) user216-178-76-164.netcarrier.net > 205.232.60.138: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 119, id 20578, offset 0, flags [none], length: 908) 205.232.60.138.15984 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 880
    15:15:45.271388 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], length: 492) 222.241.95.8.32801 > user216-178-76-164.netcarrier.net.cap: [udp sum ok] UDP, length: 464
    ...!E.....@.2....._...L..!....&5..(.......................{Z........O.... 0V...R ...S.]2....................................SYSTEM......................ALERT...........<.......<...STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

    Windows has found Critical Errors.

    To fix the errors please do the following:
    1. Download Registry Repair from: http://www.repairreg.com
    2. Install Registry Repair
    3. Run Registry Repair
    4. Reboot your computer
    FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

    .
    15:15:45.271471 IP (tos 0x0, ttl 64, id 21714, offset 0, flags [DF], length: 56) user216-178-76-164.netcarrier.net > 222.241.95.8: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], length: 492) 222.241.95.8.32801 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 464
     
#2 bankshot (macrumors 65816, joined Jan 23, 2003, Southern California):
    Several Windows machines on your subnet are running some sort of spyware, worm, or trojan which broadcasts these packets. When received by an unprotected Windows machine, the packet causes a Windows Messenger popup to display the message within. Presumably its purpose is to trick the user into going to that site and downloading their program. Of course the program is malware which not only sends out more of these packets to other machines, but also probably does some sort of damage. People who are naive will believe the popup message and willingly install the malware, further contributing to the problem!

    More info at http://www.lurhq.com/popup_spam.html or try this google search.

    Of course, it's nothing to worry about with the Mac. ;)
     
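What the three dumps above have in common is visible in the ASCII column: each UDP payload is a connectionless DCE/RPC request (version 4, packet type 0) addressed to the Windows Messenger service interface 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, whose little-endian wire form is the "{Z........O" fragment that appears in every packet, followed by the three NetrSendMessage arguments (sender, recipient, message text). "cap" is just tcpdump's service-name rendering of UDP port 1026, one of the ports (with 135 and 1027) these popup spammers sprayed; the ICMP "udp port cap unreachable" the iMac sends back is its kernel saying nothing is listening there, which is why no popup ever appears on the Mac. The following is an added example, not code from the thread or from either poster: it builds a constructed sample datagram in that format and decodes it, then applies the kind of match an IDS rule would use. The stub layout it assumes (each string as a 4-byte count, the bytes, then padding to a 4-byte boundary) is a simplification, and the sample packet is constructed, not captured.

```python
"""Decode and flag Windows Messenger-service popup spam in UDP payloads.

Added example, not from the forum thread.  Assumptions: NetrSendMessage's
three string arguments are encoded as a 4-byte count followed by the bytes,
padded to 4-byte alignment; the sample datagram below is constructed.
"""
import struct
import uuid

# Messenger service (msgsvc) RPC interface; NetrSendMessage is opnum 0.
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
CL_HEADER_LEN = 80                    # connectionless DCE/RPC header size
PTYPE_REQUEST = 0
MESSENGER_PORTS = {135, 1026, 1027}   # UDP ports the popup spammers targeted


def _pad4(n):
    return (n + 3) & ~3


def _read_ndr_string(buf, off, endian):
    """Assumed stub layout: 4-byte count, raw bytes, pad to a 4-byte boundary."""
    if off + 4 > len(buf):
        raise ValueError("truncated string count")
    (count,) = struct.unpack_from(endian + "I", buf, off)
    off += 4
    if off + count > len(buf):
        raise ValueError("truncated string body")
    data = buf[off:off + count]
    return data.rstrip(b"\x00").decode("ascii", "replace"), _pad4(off + count)


def decode_messenger_request(payload):
    """Return {'opnum','from','to','text'} for a Messenger RPC request,
    or None if the payload is not one (wrong version, type, interface, or
    a stub shorter than the header claims)."""
    if len(payload) < CL_HEADER_LEN:
        return None
    if payload[0] != 4 or payload[1] != PTYPE_REQUEST:
        return None
    # drep byte 0, high nibble: 0 = big-endian integers, 1 = little-endian.
    little = bool(payload[4] & 0x10)
    endian = "<" if little else ">"
    raw_if = payload[24:40]
    if_id = uuid.UUID(bytes_le=raw_if) if little else uuid.UUID(bytes=raw_if)
    if if_id != MSGSVC_IFACE:
        return None
    (opnum,) = struct.unpack_from(endian + "H", payload, 68)
    (body_len,) = struct.unpack_from(endian + "H", payload, 74)
    stub = payload[CL_HEADER_LEN:CL_HEADER_LEN + body_len]
    if len(stub) < body_len:
        return None
    try:
        off = 0
        sender, off = _read_ndr_string(stub, off, endian)
        recipient, off = _read_ndr_string(stub, off, endian)
        text, off = _read_ndr_string(stub, off, endian)
    except ValueError:
        return None
    return {"opnum": opnum, "from": sender, "to": recipient, "text": text}


def is_popup_spam(dport, payload):
    """IDS-style match: spammed port, Messenger NetrSendMessage, and a body
    that points the reader at a site to download something from."""
    if dport not in MESSENGER_PORTS:
        return False
    msg = decode_messenger_request(payload)
    if msg is None or msg["opnum"] != 0:
        return False
    text = msg["text"].lower()
    return "www." in text or "http://" in text


def _ndr_string(s):
    b = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(b)) + b + b"\x00" * (_pad4(len(b)) - len(b))


def build_sample_request(sender, recipient, text, iface=MSGSVC_IFACE):
    """Constructed sample datagram (not a capture) in the layout assumed above."""
    hdr = bytearray(CL_HEADER_LEN)
    hdr[0] = 4                            # rpc_vers
    hdr[1] = PTYPE_REQUEST                # ptype
    hdr[4] = 0x10                         # drep: little-endian ints, ASCII
    hdr[24:40] = iface.bytes_le           # if_id, little-endian wire form
    struct.pack_into("<I", hdr, 60, 1)    # if_vers
    struct.pack_into("<H", hdr, 68, 0)    # opnum 0 = NetrSendMessage
    stub = b"".join(_ndr_string(s) for s in (sender, recipient, text))
    struct.pack_into("<H", hdr, 74, len(stub))
    return bytes(hdr) + stub


SAMPLE_TEXT = ("Important Windows Security Bulletin\n"
               "Your system is affected, download the patch from the address below !\n"
               "www.updatepatch.info")
SAMPLE = build_sample_request("SECURITY MONITOR", "WINDOWS USER", SAMPLE_TEXT)
NOT_MSGSVC = build_sample_request("a", "b", "c", iface=uuid.UUID(int=0))

if __name__ == "__main__":
    print(decode_messenger_request(SAMPLE))
    print(is_popup_spam(1026, SAMPLE))
```

Running the block prints the decoded sender, recipient and text of the constructed packet and then True. The same "{Z" and "O" bytes the thread's dumps show sit at offsets 26 and 36 of the constructed datagram, since that is where the interface UUID lives in the header, which is what a byte-offset signature for this traffic keys on.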
#3 tag, thread starter (macrumors 6502a, joined Apr 29, 2005, PA, US):
    Thanks for filling me in, bankshot. I didn't think to Google for the ports and such. Thanks for the links, mate.
     