Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsWindows VistaWindows XPWindows MeWindows 98Windows 95Virtual PCInternet ExplorerOutlook ExpressWindows MediaSecurity
Related Topics
MS Server ProductsMS OfficePC HardwareMore Topics ...
Windows Forum / Windows Me / Internet / July 2005

Tip: Looking for answers? Try searching our database.

ports 1026/1027

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Rick T - 14 Jul 2005 06:07 GMT
For the past few months my router shows a constant influx on ports 1026
and 1027; all the IP's (quite a few) seem to be in China and all the
issuing ports are in the 5 digit range.

Thought it might be a Treewalk "feature" but I uninstalled that a couple
weeks ago.

Any thoughts ?

Rick
Reply to this Message
N. Miller - 14 Jul 2005 17:25 GMT
> For the past few months my router shows a constant influx on ports 1026
> and 1027; all the IP's (quite a few) seem to be in China and all the
[quoted text clipped - 4 lines]
>
> Any thoughts ?

Worm, or Messenger Service spam. I've seen it in the logs of two different
SBC customer router logs since, roughly mid-April, or so.

Signature

Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Reply to this Message
Rick T - 14 Jul 2005 18:32 GMT
>>For the past few months my router shows a constant influx on ports 1026
>>and 1027; all the IP's (quite a few) seem to be in China and all the
[quoted text clipped - 7 lines]
> Worm, or Messenger Service spam. I've seen it in the logs of two different
> SBC customer router logs since, roughly mid-April, or so.

thought it might be something like that, thanks... any real purpose for
those specific ports? (looking it up it's supposed to be DNS auxiliary
or something like that, but if they're never used I'm blocking them).

Rick
Reply to this Message
N. Miller - 15 Jul 2005 01:42 GMT
> thought it might be something like that, thanks... any real purpose for
> those specific ports? (looking it up it's supposed to be DNS auxiliary
> or something like that, but if they're never used I'm blocking them).

Access to the Messenger Service for Windows XP, 2K, and, maybe, NT. For
spam. I believe that unpatched systems are also vulnerable to a worm
attack; just don't recall which worm. Something to do with DCOM? RPSS?

You might have to block ports all the way up to 1030, or 1032.

Signature

Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Reply to this Message
Rick T - 15 Jul 2005 02:30 GMT
>>thought it might be something like that, thanks... any real purpose for
>>those specific ports? (looking it up it's supposed to be DNS auxiliary
[quoted text clipped - 5 lines]
>
> You might have to block ports all the way up to 1030, or 1032.

hmm, don't want to cut the kids messenger service off (and I'm already
blocking >5K)

Thanks,

Rick
Reply to this Message
Mike M - 15 Jul 2005 09:58 GMT
Rick,

The kids use Instant Messaging which is not the same as the Windows
Messenger Service and uses a different set of ports (Yahoo 5050, AIM 5190
MSN 1863).
Signature

Mike Maltby
mike.maltby@gmail.com

>>> thought it might be something like that, thanks... any real purpose
>>> for those specific ports? (looking it up it's supposed to be DNS
[quoted text clipped - 13 lines]
>
> Rick
Reply to this Message
N. Miller - 15 Jul 2005 16:20 GMT
>>>thought it might be something like that, thanks... any real purpose for
>>>those specific ports? (looking it up it's supposed to be DNS auxiliary
[quoted text clipped - 12 lines]
>
> Rick

There are three "Messengers", thanks to MSFT choosing to use a confusing
nomenclature.

Windows Messenger Service:

Only available with Windows 2K, Windows XP, and, maybe, Windows NT (very
old OS). Used by Windows network administrators for distributing notices to
system users. Uses port 135, and the lowest of the ephemeral ports
(beginning with port 1025). UDP packets. Also used by spammers, and RPC
worms, to try to reach users with unprotected systems on Internet
connection. Completely unrelated to any of the instant message services;
certainly can't access, or be accessed by, IM servers.

Windows Messenger 4.7(?):

Only available with Windows XP. Necessary for remote desktop sharing, or
whatever that application is. Can access, and be accessed by the MSN
Messenger servers.

MSN Messenger 7.0 (latest version):

Standalone IM product that runs under all versions of Windows except
Windows 95.

Restricting the functionality of the Windows Messenger Service will not
affect the use of the MSN Messenger service.

I expect some MVP will now clarify any errors I have made...

Signature

Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Reply to this Message
Rick T - 15 Jul 2005 17:36 GMT
ahh, I knew that (though not in that detail)...

blocked 1026&1027 since that's all I see; will this also block the first
couple Internet requests from when I boot up ?

Rick

>>>>thought it might be something like that, thanks... any real purpose for
>>>>those specific ports? (looking it up it's supposed to be DNS auxiliary
[quoted text clipped - 41 lines]
>
> I expect some MVP will now clarify any errors I have made...
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.