Anyone have any info on this?

isaidpilot

Does anyone have any information on the packet decoded below or any
comments please? (no, I don't have netmeeting or netmessenger installed)

Also, any info on domain 221.x.x.x?

-Pontius-

------------------------------------------------------------------


Frame 1 (499 bytes on wire, 499 bytes captured)
Frame is marked: False
Arrival Time: Dec 18, 2005 13:15:08.810603000
Time delta from previous packet: -145.991849000 seconds
Time since reference or first frame: 745.459385000 seconds
Frame Number: 1
Packet Length: 499 bytes
Capture Length: 499 bytes
Protocols in frame: eth:ip:udp:dcerpc
Ethernet II, Src: 20:53:52:43:00:00, Dst: 44:45:53:54:00:00
Destination: 44:45:53:54:00:00 (Microsof_54:00:00)
Source: 20:53:52:43:00:00 (20:53:52:43:00:00)
Source or Destination Address: 44:45:53:54:00:00 (Microsof_54:00:00)
Source or Destination Address: 20:53:52:43:00:00 (20:53:52:43:00:00)
Type: IP (0x0800)
Internet Protocol, Src Addr: 221.6.163.50 (221.6.163.50), Dst Addr:
216.37.208.8 (216.37.208.8)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 485
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 44
Protocol: UDP (0x11)
Header checksum: 0x2796 (correct)
Source: 221.6.163.50 (221.6.163.50)
Source or Destination Address: 221.6.163.50 (221.6.163.50)
Destination: 216.37.208.8 (216.37.208.8)
Source or Destination Address: 216.37.208.8 (216.37.208.8)
User Datagram Protocol, Src Port: 48181 (48181), Dst Port: 1027 (1027)
Source port: 48181 (48181)
Destination port: 1027 (1027)
Source or Destination Port: 48181
Source or Destination Port: 1027
Length: 465
Checksum: 0x4b90 (correct)
DCE RPC
Version: 4
Packet type: Request (0)
Flags1: 0x28
0... .... = Reserved: Not set
.0.. .... = Broadcast: Not set
..1. .... = Idempotent: Set
...0 .... = Maybe: Not set
.... 1... = No Fack: Set
.... .0.. = Fragment: Not set
.... ..0. = Last Fragment: Not set
.... ...0 = Reserved: Not set
Flags2: 0x00
0... .... = Reserved: Not set
.0.. .... = Reserved: Not set
..0. .... = Reserved: Not set
...0 .... = Reserved: Not set
.... 0... = Reserved: Not set
.... .0.. = Reserved: Not set
.... ..0. = Cancel Pending: Not set
.... ...0 = Reserved: Not set
Data Representation: 100000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Serial High: 0x00
Object UUID: 00000000-0000-0000-0000-000000000000
Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
Activity: 86cad260-5364-4cdb-d4af-0873dc51628e
Server boot time: Unknown (0)
Interface Ver: 1
Sequence num: 0
Opnum: 0
Interface Hint: 0xffff
Activity Hint: 0xffff
Fragment len: 377
Fragment num: 0
Auth proto: None (0)
Serial Low: 0x00
Microsoft Messenger Service, NetrSendMessage
Operation: NetrSendMessage (0)
Server
Max Count: 16
Offset: 0
Actual Count: 16
Server: FROM
Client
Max Count: 16
Offset: 0
Actual Count: 16
Client: TO
Message
Max Count: 309
Offset: 0
Actual Count: 309
Message: STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.\n\nWindows
has found 55 Critical System Errors.\n\nTo fix the errors please do the
following:\n\n1. Download Registry Update from: www.regfixit.com\n2.
Install Registry Update\n3. Run Re

0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 DEST.. SRC....E.
0010: 01 E5 00 00 40 00 2C 11 27 96 DD 06 A3 32 D5 30 ....@.,.'....2.0
0020: D0 08 BC 35 04 03 01 D1 4B 90 04 00 28 00 10 00 ...5....K...(...
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 ....{Z........O.
0050: E6 FC 60 D2 CA 86 64 53 DB 4C D4 AF 08 73 DC 51 ..`...dS.L...s.Q
0060: 62 8E 00 00 00 00 01 00 00 00 00 00 00 00 00 00 b...............
0070: FF FF FF FF 79 01 00 00 00 00 10 00 00 00 00 00 ....y...........
0080: 00 00 10 00 00 00 46 52 4F 4D 00 00 00 00 00 00 ......FROM......
0090: 00 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00 ................
00A0: 00 00 54 4F 00 00 00 00 00 00 00 00 00 00 00 00 ..TO............
00B0: 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5.......5...ST
00C0: 4F 50 21 20 57 49 4E 44 4F 57 53 20 52 45 51 55 OP! WINDOWS REQU
00D0: 49 52 45 53 20 49 4D 4D 45 44 49 41 54 45 20 41 IRES IMMEDIATE A
00E0: 54 54 45 4E 54 49 4F 4E 2E 0A 0A 57 69 6E 64 6F TTENTION...Windo
00F0: 77 73 20 68 61 73 20 66 6F 75 6E 64 20 35 35 20 ws has found 55
0100: 43 72 69 74 69 63 61 6C 20 53 79 73 74 65 6D 20 Critical System
0110: 45 72 72 6F 72 73 2E 0A 0A 54 6F 20 66 69 78 20 Errors...To fix
0120: 74 68 65 20 65 72 72 6F 72 73 20 70 6C 65 61 73 the errors pleas
0130: 65 20 64 6F 20 74 68 65 20 66 6F 6C 6C 6F 77 69 e do the followi
0140: 6E 67 3A 0A 0A 31 2E 20 44 6F 77 6E 6C 6F 61 64 ng:..1. Download
0150: 20 52 65 67 69 73 74 72 79 20 55 70 64 61 74 65 Registry Update
0160: 20 66 72 6F 6D 3A 20 77 77 77 2E 72 65 67 66 69 from: www.regfi
0170: 78 69 74 2E 63 6F 6D 0A 32 2E 20 49 6E 73 74 61 xit.com.2. Insta
0180: 6C 6C 20 52 65 67 69 73 74 72 79 20 55 70 64 61 ll Registry Upda
0190: 74 65 0A 33 2E 20 52 75 6E 20 52 65 67 69 73 74 te.3. Run Regist
01A0: 72 79 20 55 70 64 61 74 65 0A 34 2E 20 52 65 62 ry Update.4. Reb
01B0: 6F 6F 74 20 79 6F 75 72 20 63 6F 6D 70 75 74 65 oot your compute
01C0: 72 0A 0A 46 41 49 4C 55 52 45 20 54 4F 20 41 43 r..FAILURE TO AC
01D0: 54 20 4E 4F 57 20 4D 41 59 20 4C 45 41 44 20 54 T NOW MAY LEAD T
01E0: 4F 20 53 59 53 54 45 4D 20 46 41 49 4C 55 52 45 O SYSTEM FAILURE
01F0: 21 0A 00 !..
 
David H. Lipman

From: <[email protected]>

|
| Does anyone have any information on the packet decoded below or any
| comments please? (no, I don't have netmeeting or netmessenger installed)
|
| Also, any info on domain 221.x.x.x?
|
| -Pontius-
|
| ------------------------------------------------------------------

< snip >

| Message: STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.\n\nWindows
| has found 55 Critical System Errors.\n\nTo fix the errors please do the
| following:\n\n1. Download Registry Update from: www.regfixit.com\n2.
| Install Registry Update\n3. Run Re
|

Based upon the text it looks like a Windows "Messenger Service" pop-up. There have been
reports of it being sent via UDP.

To disable the Windows Messenger Service, you can open a Command Prompt and type the
following commands...

sc stop Messenger
sc config Messenger start= disabled

A Router such as the Linksys BEFSR41 will also block this at the WAN/LAN interface and such
messages won't be seen on a LAN PC.

221.6.163.50

inetnum: 221.6.163.0 - 221.6.163.63
netname: YZZXYH-COM
country: CN
descr: YZZXYH-COM,YANGZHOU,JIANGSU Province
admin-c: LL58-AP
tech-c: LL58-AP
status: ASSIGNED NON-PORTABLE
changed: **@jsnetcom.com 20040708
mnt-by: MAINT-CNCGROUP-JS
source: APNIC
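An added example, not code from any poster in this thread: it decodes the 80-byte connectionless DCE RPC v4 header and the three NDR strings of the NetrSendMessage stub exactly as they appear in the capture above, and flags a datagram as a Messenger Service pop-up only when the interface UUID and opnum match, which is the check a sniffer or IDS rule should make instead of keying on the message text. The sample PDU is constructed here from the capture's header values with a shortened message; the builder, parser and function names are my own.

```python
import struct
import uuid

# msgsvc NetrSendMessage interface UUID and opnum as decoded in the capture; CL_HDR is the 80-byte v4 header.
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
NETR_SEND_MESSAGE = 0
CL_HDR = "<BBBB3sB16s16s16sIIIHHHHHBB"  # little-endian, no struct padding

def ndr_string(s: str) -> bytes:
    """NDR conformant/varying string (max, offset, actual, data), NUL-padded to 4 bytes."""
    data = s.encode("ascii") + b"\x00"
    data += b"\x00" * (-len(data) % 4)
    return struct.pack("<III", len(data), 0, len(data)) + data

def build_cl_request(sender, recipient, message, iface=MSGSVC_IFACE) -> bytes:
    """Constructed sample PDU: header values copied from the capture around a short body."""
    stub = ndr_string(sender) + ndr_string(recipient) + ndr_string(message)
    activity = uuid.UUID("86cad260-5364-4cdb-d4af-0873dc51628e")
    hdr = struct.pack(CL_HDR, 4, 0, 0x28, 0, b"\x10\x00\x00", 0, bytes(16),
                      iface.bytes_le, activity.bytes_le, 0, 1, 0, NETR_SEND_MESSAGE,
                      0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    return hdr + stub

def parse_cl_header(udp_payload: bytes) -> dict:
    """Decode the header fields a detector needs; refuse non-v4 or big-endian PDUs."""
    if len(udp_payload) < 80 or udp_payload[0] != 4:
        raise ValueError("not a DCE RPC v4 (connectionless) PDU")
    f = struct.unpack_from(CL_HDR, udp_payload, 0)
    if f[4][0] >> 4 != 1:  # drep byte-order nibble: 1 = little-endian
        raise ValueError("big-endian data representation not handled here")
    return {"ptype": f[1], "iface": uuid.UUID(bytes_le=f[7]), "opnum": f[12], "frag_len": f[15]}

def read_ndr_string(buf: bytes, off: int):
    """Read one conformant/varying string at off; return (text, next 4-aligned offset)."""
    max_cnt, offset, actual = struct.unpack_from("<III", buf, off)
    start = off + 12
    if offset != 0 or actual > max_cnt or start + actual > len(buf):
        raise ValueError("malformed conformant/varying string")
    text = buf[start:start + actual].split(b"\x00", 1)[0].decode("ascii", "replace")
    return text, (start + actual + 3) & ~3

def inspect_messenger_pdu(udp_payload: bytes):
    """Return (sender, recipient, message) for a NetrSendMessage request, else None."""
    h = parse_cl_header(udp_payload)
    if h["ptype"] != 0 or h["iface"] != MSGSVC_IFACE or h["opnum"] != NETR_SEND_MESSAGE:
        return None
    stub = udp_payload[80:80 + h["frag_len"]]
    sender, off = read_ndr_string(stub, 0)
    recipient, off = read_ndr_string(stub, off)
    message, _ = read_ndr_string(stub, off)
    return sender, recipient, message

# Constructed samples: the capture's pop-up (shortened) and a request to another interface.
SAMPLE = build_cl_request("FROM", "TO", "STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.")
OTHER_SAMPLE = build_cl_request("FROM", "TO", "hello", iface=uuid.UUID(int=0x1234))
```

Fed the UDP payload of the frame above (everything after the 8-byte UDP header), the same parser walks the 16-byte FROM and TO fields and the 309-byte message without change, since the fragment length of 377 is exactly the stub size.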
 
Steve Pope

| Also, any info on domain 221.x.x.x?
|
| -Pontius-

inetnum: 221.6.163.0 - 221.6.163.63
netname: YZZXYH-COM
country: CN
descr: YZZXYH-COM,YANGZHOU,JIANGSU Province
admin-c: LL58-AP
tech-c: LL58-AP
status: ASSIGNED NON-PORTABLE
changed: (e-mail address removed) 20040708
mnt-by: MAINT-CNCGROUP-JS
source: APNIC

person: Lan Li
nic-hdl: LL58-AP
e-mail: (e-mail address removed)
address: No. 65 Beijing West Road,Nanjing,China
phone: +86257900060
fax-no: +86252900280
country: CN
changed: (e-mail address removed) 20031117
mnt-by: MAINT-NEW
source: APNIC
 
isaidpilot

| Based upon the text it looks like a Windows "Messenger Service" pop-up. There have been
| reports of it being sent via UDP.
|
| To disable the Windows Messenger Service, you can open a Command Prompt and type the
| following commands...


Thank you David, but the point is - as I said - I don't have messenger
services installed, much less running. In fact all its DLLs were manually
removed when the OS was installed. It isn't even vaguely safe to have
that stuff installed or running.

Nodes in 221.x.x.x have been flooding the net with these messages for some
weeks now, linking various web addresses, and as you identified they have
this week started using UDP also. Clearly this is not legitimate.

221.x.x.x is the only domain on the entire net I am seeing these from, and
since I'm on dialup with dynamic IP addressing they clearly are broadcast,
not targeted. (No, I don't ARP for them; I've checked, these are
entirely incoming and non-solicited.)

Clearly they are designed to get people to go to these web sites - and
also they appear to have hidden information in the TCP headers.
Given the country of origin "claimed" by the address, I think they should
be of concern.

Perhaps I've overestimated the knowledge in this newsgroup - sorry.


-Pontius-
 
David H. Lipman

From: <[email protected]>


| Thank you David, but the point is - as I said - I don't have messenger
| services installed, much less running. In fact all its DLLs were manually
| removed when the OS was installed. It isn't even vaguely safe to have
| that stuff installed or running.
|
| Nodes in 221.x.x.x have been flooding the net with these messages for some
| weeks now, linking various web addresses, and as you identified they have
| this week started using UDP also. Clearly this is not legitimate.
|
| 221.x.x.x is the only domain on the entire net I am seeing these from, and
| since I'm on dialup with dynamic IP addressing they clearly are broadcast,
| not targeted. (No, I don't ARP for them; I've checked, these are
| entirely incoming and non-solicited.)
|
| Clearly they are designed to get people to go to these web sites - and
| also they appear to have hidden information in the TCP headers.
| Given the country of origin "claimed" by the address, I think they should
| be of concern.
|
| Perhaps I've overestimated the knowledge in this newsgroup - sorry.
|
| -Pontius-

Don't confuse the Messenger program with the NT Messenger Service!

Like I said, use a Router and the PC will not even see this traffic.

You stated -- "...appear to have hidden information in the TCP headers"
It is a UDP broadcast. There is no connection. It was NOT TCP, "Protocol: UDP (0x11)".

You also stated -- "Perhaps I've overestimated the knowledge in this newsgroup - sorry."
I hate it when people bite the hand that feeds them.

/* Perhaps, you are overestimating your own knowledge. */
 
isaidpilot

From: <[email protected]>


| Thank you David, but the point is - as I said - I don't have messenger
| services installed, much less running. In fact all its DLLs were manually
| removed when the OS was installed. It isn't even vaguely safe to have
| that stuff installed or running.
|
| Nodes in 221.x.x.x have been flooding the net with these messages for some
| weeks now, linking various web addresses, and as you identified they have
| this week started using UDP also. Clearly this is not legitimate.
|
| 221.x.x.x is the only domain on the entire net I am seeing these from, and
| since I'm on dialup with dynamic IP addressing they clearly are broadcast,
| not targeted. (No, I don't ARP for them; I've checked, these are
| entirely incoming and non-solicited.)
|
| Clearly they are designed to get people to go to these web sites - and
| also they appear to have hidden information in the TCP headers.
| Given the country of origin "claimed" by the address, I think they should
| be of concern.
|
| Perhaps I've overestimated the knowledge in this newsgroup - sorry.
|
| -Pontius-

| Don't confuse the Messenger program with the NT Messenger Service!
|
| Like I said, use a Router and the PC will not even see this traffic.
|
| You stated -- "...appear to have hidden information in the TCP headers"
| It is a UDP broadcast. There is no connection. It was NOT TCP, "Protocol: UDP (0x11)".
|
| You also stated -- "Perhaps I've overestimated the knowledge in this newsgroup - sorry."
| I hate it when people bite the hand that feeds them.
|
| /* Perhaps, you are overestimating your own knowledge. */

Like I said they have been transmitting TCP and now have started using
UDP which prompted my interest in making knowledge of this wider - I did
not post the TCP version as I'm unwilling to spread the headers.

Burying your head in the sand - or in this case a router - does nothing to
make the network safer. Such an act indicates stupidity beyond belief.
Advising people to ignore these things is IMHO simply criminal.
I can only feel sorry for anyone following the links on your sig.

Your responses are either deliberate misdirection or simple ignorance.
As I also said - this group has clearly lost all competence.
I shan't trouble you again.

-Pontius-
 
Adam Piggott

| Like I said they have been transmitting TCP and now have started using
| UDP which prompted my interest in making knowledge of this wider - I did
| not post the TCP version as I'm unwilling to spread the headers.

"They" have been using UDP since these Messenger service spams first started.

| Burying your head in the sand - or in this case a router - does nothing to
| make the network safer.

Quoting David:
------
To disable the Windows Messenger Service, you can open a Command Prompt and
type the
following commands...

sc stop Messenger
sc config Messenger start= disabled
------

Hence disabling the service and completely blocking any possible
exploitation of it, the opposite of burying one's head in the sand. He has
given you a method which does not "patch" or "work around" the issue, but
solves it.
| Such an act indicates stupidity beyond belief.
| Advising people to ignore these things is IMHO simply criminal. I can
| only feel sorry for anyone following the links on your sig.
| Your responses are either deliberate misdirection or simple ignorance.
| As I also said - this group has clearly lost all competence. I shan't
| trouble you again.

OTOH you could spend all of your waking time sending abuse reports to
network administrators that don't care, don't have the time or networks
that ignore abuse reports.

I would advise that you stop throwing around offensive, personal statements
and give yourself five or six years of computer and Internet-related
experience before posting in Usenet again, on this subject. That way you
won't be regarded as ignorant or rude again.

Adam Piggott,
Proprietor,
Proactive Services (Computing)
http://www.proactiveservices.co.uk/
 
Art

On Mon, 19 Dec 2005 15:53:13 +0000, Adam Piggott

| OTOH you could spend all of your waking time sending abuse reports to
| network administrators that don't care, don't have the time or networks
| that ignore abuse reports.
|
| I would advise that you stop throwing around offensive, personal statements
| and give yourself five or six years of computer and Internet-related
| experience before posting in Usenet again, on this subject. That way you
| won't be regarded as ignorant or rude again.

I rarely post merely to say "good post", but rules are made to be
broken, I suppose. Very good response to this clueless jerk.

Art

http://home.epix.net/~artnpeg
 
