Do I need to be concerned about this?

  • Thread starter Thread starter Tim
  • Start date Start date
T

Tim

I have Norton Personal Firewall 2003 installed on my WinXP Pro system. The past
15 minutes, I've been getting reports of the SVCHOST receiving and inbound UDP
Packet on the following port numbers: 30110, 30111, 30112, and 32815.

It asks me if I want to block or permit the connection. I don't know if I am
running a program that's requesting that information (although I doubt it), or
if it is a well-known attack.

Is there a list anywhere of UDP/TCP ports with a cross-check between known
viruses or hacking attempts? That'd help save me from posting a question like
this in the future :-)

Thanks!

Tim
 
check out symantec.com to find resources on
viruses...sounds like a possible hacker? check it out and
see; I would block this attempt temporarily to I'll find
out where it was coming from.
 
Tim;
I know nothing about Norton. I use Zone Alarm. With ZA you can get more
info about any inbound or out bound traffic, right from ZA. I would think
Norton would have the same type options.
As an example:
"ZoneAlarm blocked traffic to port 1026 on your machine from port
32782 on a remote computer whose IP address is 61.172.3.23. This communication
attempt may have been a port scan, or simply one of the millions of unsolicited
commercial or network control messages that are routinely sent out over the
Internet. Such unsolicited messages are often called Internet background
noise."
If it's more serious, ZA tells you that too. I got this info for free.
What do you get with a paid for Norton outfit? If in doubt, block it. If it'
something you need, you'll know soon enough. This may be of some interest to
you:
http://www.symantec.com/techsupp/npf/
Some links to info on ports:
http://isc.incidents.org/

http://www.iss.net/security_center/advice/Exploits/Ports/groups/Microsoft/default.htm

http://www.iss.net/security_center/advice/Exploits/Ports/

http://www.portsdb.org/bin/portsdb.cgiportnumber=2132&protocol=ANY

Until someone smart comes along, I hope this helps. Let us know.
Wes
 
SVCHOST is a windows process I vaguely remember that it
has something to do with online DLL's, I checked
www.grc.org about the ports listed (no info). I subscribe
to a few newsletters and one of them has said to let
SVCHOST to do it's thing
Later
 
That is running 3times on my PC, 2 of them r connecting
to net with server permissions which means previoudly I
skd it out as OK. They've been running for 1yr so any
damage they were gonna do would have been done already.

HTH - Larry

On Mon, 13 Oct 2003 01:39:45 -0500, "Tim"

|I have Norton Personal Firewall 2003 installed on my WinXP Pro system. The past
|15 minutes, I've been getting reports of the SVCHOST receiving and inbound UDP
|Packet on the following port numbers: 30110, 30111, 30112, and 32815.
|
|It asks me if I want to block or permit the connection. I don't know if I am
|running a program that's requesting that information (although I doubt it), or
|if it is a well-known attack.
|
|Is there a list anywhere of UDP/TCP ports with a cross-check between known
|viruses or hacking attempts? That'd help save me from posting a question like
|this in the future :-)
|
|Thanks!
|
|Tim
|


Any advice given is my attempt to show appreciation for all
the excellent help I've received here but I'm no MVP so it
may only apply NUGS. Personal attacks, nitpicking & criticism
of anything but content will NOT be responded to. Those
posters should spend their time taking the test @
http://www.nimh.nih.gov/publicat/ocdtrt1.htm
 
Not finding the info on the ports in question on grc doesn't surprise me
seeing as that guy knows as much about PC security as I do about the inner
workings of the Space Shuttle :) See www.grcsucks.com for more
information... :) They also have link there for REAL security related
sites...

Lorne
 
Tim said:
I have Norton Personal Firewall 2003 installed on
my WinXP Pro system. The past 15 minutes, I've
been getting reports of the SVCHOST receiving
and inbound UDP Packet on the following port
numbers: 30110, 30111, 30112, and 32815.

It asks me if I want to block or permit the connection.
I don't know if I am running a program that's requesting
that information (although I doubt it), or if it is a
well-known attack.


You can find "svchost.exe" running in your Task Manager while you're
online (often several copies). It is part of Windows. UDP packets are most
often generated by the Internet Connection Sharing client, which is part of
the UPNP (Universal Plug & Play) service. If you have the Internet
Connection Sharing client installed, it may be sending these requests.
However, before permitting the connection, make sure you have the following
patch from Microsoft installed first (recent versions of XP have it
installed and earlier versions should have it installed if the user is
keeping up with critical updates).

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp

On the other hand, here are a few other things to keep in mind. UPNP
traffic is rarely moved across the internet and fake UDP packets are a very
common way for hackers to gain control of other computers. By sending fake
UDP packets, an attacker can force XP to connect to a specified IP address
and pass on HTTP/S requests (mainly used to perform Unicode and random CGI
attacks). Even with the above patch available, hackers continue to try this
type of attack because it is occasionally successful and very effective when
it is successful. Because of this, I would recommend denying all such
connection requests (refuse UDP packets). Others recommend completely
uninstalling the Internet Connection Sharing client (it is often installed
by OEM companies).

If you would like to know more, search for "UDP Packet" on the internet.


Dwight Stewart (W5NET)

http://www.qsl.net/w5net/
 
Dwight;
Thanks for your reply. Visited your site. I've got an old copy of "The
Radio Amateur's Handbook" by ARRL in one of the bookcases. Radio has always
fascinated me. I am an amateur AM BCB DXer. A little SW also.
Been doing it off and on since I built a crystal radio when I was a kid. I
could pick up one station, about a mile and a half from our house. :o) And
Nikola Tesla invented Radio. I belonged to the International Tesla Society
until it went bust.
;-)
Wes (J. E., CO #9180)
 
Dwight;
Thanks for your reply. Visited your site. I've got an old copy of "The
Radio Amateur's Handbook" by ARRL in one of the bookcases. Radio has always
fascinated me. I am an amateur AM BCB DXer. A little SW also.
Been doing it off and on since I built a crystal radio when I was a kid. I
could pick up one station, about a mile and a half from our house. And
Nikola Tesla invented Radio. I belonged to the International Tesla Society
until it went bust.

Wes (J. E., CO #9180)
 
Wesley VogelX said:
Thanks for your reply. Visited your site. I've got
an old copy of "The Radio Amateur's Handbook" by
ARRL in one of the bookcases. Radio has always
fascinated me. I am an amateur AM BCB DXer. A
little SW also.
Been doing it off and on since I built a crystal radio
when I was a kid. I could pick up one station, about a
mile and a half from our house. :o) And Nikola Tesla
invented Radio. I belonged to the International Tesla
Society until it went bust. ;-)


Nice to meet you, Wes. And thanks for visiting my web site. My interest
in radio also dates back to my youth. And, like most radio enthusiasts, I'm
also interested in shortwave (SW), scanners, and so on. I don't tend to
build as much radio equipment as I once did. Instead, I spend more time on
computers, interfacing, programming, and robotics.

Have you checked out Ham Radio recently? There are massive, and somewhat
controversial, changes now taking place, from several recent license changes
to a sharp reduction in the code test requirement for all license classes to
a serious move to eliminate code testing entirely (the ITU voted to end the
international requirement, prompting the FCC to now officially consider a
similar change - many countries have already done so).

Well, I suppose if we want to talk more about any of this, we should do so
by email. Feel free to do so by simply removing "NO" and "SPAM" from my
email address. Otherwise, if you have nothing else to say, take care and
nice talking with you.


Dwight Stewart (W5NET)

http://www.qsl.net/w5net/
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Back
Top