Windows Exploit Faked Update Connection Attempt.

Discussion in 'Windows XP Security' started by willisharps, Jun 14, 2004.

  1. willisharps

    willisharps Guest

    Hello,

    Getting connection attempts from someone pretending to be
    a Microsoft update.
    - Bright minds wasted on hacking.

    Here is my connection log.

    File Version : 5.1.2600.0 (xpclient.010817-1148)
    File Description : Generic Host Process for Win32
    Services (svchost.exe)
    File Path : C:\WINDOWS\system32\svchost.exe
    Process ID : 0x5A4 (Heximal) 1444 (Decimal)

    Connection origin : remote initiated
    Protocol : UDP
    Local Address : 24.30.191.253
    Local Port : 1029
    Remote Name :
    Remote Address : 206.255.15.20
    Remote Port : 12576

    Ethernet packet details:
    Ethernet II (Packet Length: 851)
    Destination: 00-40-2b-70-9f-db
    Source: 00-03-6c-4a-18-a8
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 112
    Protocol: 0x11 (UDP - User Datagram Protocol)
    Header checksum: 0xa349 (Correct)
    Source: 206.255.15.20
    Destination: 24.30.191.253
    User Datagram Protocol
    Source port: 12576
    Destination port: 1029
    Length: 8
    Checksum: 0x0 (Correct)
    Data (817 Bytes)

    Binary dump of the packet:
    0000: 00 40 2B 70 9F DB 00 03 : 6C 4A 18 A8 08 00 45 00 | .@+p....lJ....E.
    0010: 03 45 47 D6 00 00 70 11 : 49 A3 CE FF 0F 14 18 1E | .EG...p.I.......
    0020: BF FD 31 20 04 05 03 31 : 00 00 04 00 28 00 10 00 | ..1 ...1....(...
    0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
    0040: 00 00 F8 91 7B 5A 00 FF : D0 11 A9 B2 00 C0 4F B6 | ....{Z........O.
    0050: E6 FC CC 43 77 C7 C1 67 : 9D E9 73 5B 18 10 7D E2 | ...Cw..g..s[..}.
    0060: FA 5B 00 00 00 00 01 00 : 00 00 00 00 00 00 00 00 | .[..............
    0070: FF FF FF FF D9 02 00 00 : 00 00 13 00 00 00 00 00 | ................
    0080: 00 00 13 00 00 00 4D 49 : 43 52 4F 53 4F 46 54 20 | ......MICROSOFT
    0090: 4E 45 54 57 4F 52 4B 53 : 00 00 13 00 00 00 00 00 | NETWORKS........
    00A0: 00 00 13 00 00 00 57 49 : 4E 44 4F 57 53 20 55 53 | ......WINDOWS US
    00B0: 45 52 00 00 00 00 00 00 : 00 00 8D 02 00 00 00 00 | ER..............
    00C0: 00 00 8D 02 00 00 4D 69 : 63 72 6F 73 6F 66 74 20 | ......Microsoft
    00D0: 53 65 63 75 72 69 74 79 : 20 42 75 6C 6C 65 74 69 | Security Bulleti
    00E0: 6E 20 4D 53 30 33 2D 30 : 34 33 0D 0A 0D 0A 42 75 | n MS03-043....Bu
    00F0: 66 66 65 72 20 4F 76 65 : 72 72 75 6E 20 69 6E 20 | ffer Overrun in
    0100: 4D 65 73 73 65 6E 67 65 : 72 20 53 65 72 76 69 63 | Messenger Servic
    0110: 65 20 43 6F 75 6C 64 20 : 41 6C 6C 6F 77 20 43 6F | e Could Allow Co
    0120: 64 65 20 45 78 65 63 75 : 74 69 6F 6E 20 28 38 32 | de Execution (82
    0130: 38 30 33 35 29 0D 0A 0D : 0A 41 66 66 65 63 74 65 | 8035)....Affecte
    0140: 64 20 53 6F 66 74 77 61 : 72 65 3A 20 0D 0A 0D 0A | d Software: ....
    0150: 4D 69 63 72 6F 73 6F 66 : 74 20 57 69 6E 64 6F 77 | Microsoft Window
    0160: 73 20 4E 54 20 57 6F 72 : 6B 73 74 61 74 69 6F 6E | s NT Workstation
    0170: 20 0D 0A 4D 69 63 72 6F : 73 6F 66 74 20 57 69 6E | ..Microsoft Win
    0180: 64 6F 77 73 20 4E 54 20 : 53 65 72 76 65 72 20 34 | dows NT Server 4
    0190: 2E 30 20 0D 0A 4D 69 63 : 72 6F 73 6F 66 74 20 57 | .0 ..Microsoft W
    01A0: 69 6E 64 6F 77 73 20 32 : 30 30 30 20 20 20 0D 0A | indows 2000 ..
    01B0: 4D 69 63 72 6F 73 6F 66 : 74 20 57 69 6E 64 6F 77 | Microsoft Window
    01C0: 73 20 58 50 20 20 0D 0A : 4D 69 63 72 6F 73 6F 66 | s XP ..Microsof
    01D0: 74 20 57 69 6E 64 6F 77 : 73 20 57 69 6E 39 38 20 | t Windows Win98
    01E0: 20 20 0D 0A 4D 69 63 72 : 6F 73 6F 66 74 20 57 69 | ..Microsoft Wi
    01F0: 6E 64 6F 77 73 20 53 65 : 72 76 65 72 20 32 30 30 | ndows Server 200
    0200: 33 0D 0A 0D 0A 4E 6F 6E : 20 41 66 66 65 63 74 65 | 3....Non Affecte
    0210: 64 20 53 6F 66 74 77 61 : 72 65 3A 20 0D 0A 0D 0A | d Software: ....
    0220: 4D 69 63 72 6F 73 6F 66 : 74 20 57 69 6E 64 6F 77 | Microsoft Window
    0230: 73 20 4D 69 6C 6C 65 6E : 6E 69 75 6D 20 45 64 69 | s Millennium Edi
    0240: 74 69 6F 6E 0D 0A 0D 0A : 59 6F 75 72 20 73 79 73 | tion....Your sys
    0250: 74 65 6D 20 69 73 20 61 : 66 66 65 63 74 65 64 2C | tem is affected,
    0260: 20 64 6F 77 6E 6C 6F 61 : 64 20 74 68 65 20 70 61 | download the pa
    0270: 74 63 68 20 66 72 6F 6D : 20 74 68 65 20 61 64 64 | tch from the add
    0280: 72 65 73 73 20 62 65 6C : 6F 77 20 21 20 0D 0A 46 | ress below ! ..F
    0290: 49 52 53 54 20 54 59 50 : 45 20 54 48 45 20 41 44 | IRST TYPE THE AD
    02A0: 44 52 45 53 53 20 42 45 : 4C 4F 57 20 49 4E 54 4F | DRESS BELOW INTO
    02B0: 20 59 4F 55 52 20 49 4E : 54 45 52 4E 45 54 20 42 | YOUR INTERNET B
    02C0: 52 4F 57 53 45 52 2C 20 : 54 48 45 4E 20 43 4C 49 | ROWSER, THEN CLI
    02D0: 43 4B 20 27 4F 4B 27 2E : 0D 0A 54 48 45 20 41 44 | CK 'OK'...THE AD
    02E0: 44 52 45 53 53 20 57 49 : 4C 4C 20 44 49 53 41 50 | DRESS WILL DISAP
    02F0: 50 45 41 52 20 4F 4E 43 : 45 20 59 4F 55 20 48 49 | PEAR ONCE YOU HI
    0300: 54 20 27 4F 4B 27 2E 0D : 0A 0D 0A 20 20 20 20 20 | T 'OK'.....
    0310: 20 20 20 20 20 20 20 20 : 20 20 20 20 20 20 20 20 |
    0320: 20 20 20 20 20 20 20 20 : 20 20 20 20 20 20 20 20 |
    0330: 20 20 20 20 20 20 20 20 : 20 20 20 77 77 77 2E 77 | www.w
    0340: 69 6E 64 6F 77 73 70 61 : 74 63 68 2E 69 6E 66 6F | indowspatch.info
    0350: 0D 0A 00 : | ...
     
    willisharps, Jun 14, 2004
    #1
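What the dump above actually carries is a DCE/RPC connectionless (datagram) request: the interface UUID at offset 0x42 is 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, the Messenger service's RPC interface, and the opnum is 0 (NetrSendMessage), i.e. a "net send" pop-up delivered to svchost.exe on UDP 1029. The three NDR strings that follow are the sender ("MICROSOFT NETWORKS"), the recipient ("WINDOWS USER") and the message text, which quotes a real bulletin number and then tells the user to type a non-Microsoft hostname into a browser. The Python below is an added example, not code from this thread: it rebuilds the UDP payload offline (the 80-byte header is copied verbatim from the dump, the body is re-encoded from the three strings the dump shows) and decodes it the way a host firewall or IDS would, checking interface and opnum, walking the NDR strings with bounds checks, and pulling out the bulletin IDs and hostnames for triage. The function names and the `lure_indicators` heuristic are this example's own.

```python
"""Decode the Messenger-service (msgsvc) RPC datagram from the dump above.
Added example, not code from the thread: CL header bytes are copied from
the dump (offsets 0x2A-0x79); the body is re-encoded from the dump's strings."""
import re
import struct
import uuid

# Interface UUID carried in the dump: the Messenger service's RPC interface.
# Opnum 0 on it is NetrSendMessage, the call behind "net send" pop-ups.
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
NETR_SEND_MESSAGE = 0
CL_HEADER_LEN = 80  # DCE/RPC connectionless (datagram) request header

CL_HEADER = bytes.fromhex(
    "04 00 28 00 10 00 00 00"                           # vers 4, request, flags, drep=LE
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"   # object UUID (nil)
    "F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC"   # interface UUID (little-endian)
    "CC 43 77 C7 C1 67 9D E9 73 5B 18 10 7D E2 FA 5B"   # activity UUID
    "00 00 00 00 01 00 00 00 00 00 00 00 00 00"         # boot time, if_vers 1, seqnum, opnum 0
    "FF FF FF FF D9 02 00 00 00 00"                     # ihint, ahint, body len 0x2D9, frag, auth, serial
)

# Message text exactly as the dump carries it (offsets 0xC6-0x352).
MESSAGE = (
    "Microsoft Security Bulletin MS03-043\r\n\r\n"
    "Buffer Overrun in Messenger Service Could Allow Code Execution (828035)\r\n\r\n"
    "Affected Software: \r\n\r\n"
    "Microsoft Windows NT Workstation \r\n"
    "Microsoft Windows NT Server 4.0 \r\n"
    "Microsoft Windows 2000   \r\n"
    "Microsoft Windows XP  \r\n"
    "Microsoft Windows Win98   \r\n"
    "Microsoft Windows Server 2003\r\n\r\n"
    "Non Affected Software: \r\n\r\n"
    "Microsoft Windows Millennium Edition\r\n\r\n"
    "Your system is affected, download the patch from the address below ! \r\n"
    "FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK'.\r\n"
    "THE ADDRESS WILL DISAPPEAR ONCE YOU HIT 'OK'.\r\n\r\n"
    + " " * 48 + "www.windowspatch.info\r\n\0"
)

def ndr_string(data: bytes) -> bytes:
    """NDR conformant+varying char array: max count, offset, actual count, bytes."""
    return struct.pack("<III", len(data), 0, len(data)) + data

def align4(buf: bytes) -> bytes:
    return buf + b"\0" * (-len(buf) % 4)

# NetrSendMessage(from, to, text); each argument is 4-byte aligned in the body.
BODY = align4(ndr_string(b"MICROSOFT NETWORKS\0"))
BODY = align4(BODY + ndr_string(b"WINDOWS USER\0".ljust(19, b"\0")))  # 19 bytes on the wire
BODY += ndr_string(MESSAGE.encode("ascii"))
PAYLOAD = CL_HEADER + BODY  # 809 bytes: the 817-byte UDP datagram minus its 8-byte header

def read_ndr_strings(body: bytes, count: int) -> list:
    """Walk `count` NDR char arrays, refusing counts that overrun the buffer."""
    out, pos = [], 0
    for _ in range(count):
        pos += -pos % 4                               # the three counts are 4-byte aligned
        if pos + 12 > len(body):
            raise ValueError("truncated NDR string header")
        max_count, offset, actual = struct.unpack_from("<III", body, pos)
        pos += 12
        if offset + actual > max_count or pos + actual > len(body):
            raise ValueError("NDR string counts exceed buffer")
        out.append(body[pos:pos + actual])
        pos += actual
    return out

def decode_msgsvc(payload: bytes) -> dict:
    """Parse a DCE/RPC CL request; if it targets msgsvc, extract the pop-up fields."""
    if len(payload) < CL_HEADER_LEN or payload[0] != 4 or payload[1] != 0:
        raise ValueError("not a DCE/RPC CL request PDU")
    if not payload[4] & 0x10:
        raise ValueError("big-endian drep not handled")
    iface = uuid.UUID(bytes_le=payload[24:40])
    opnum, = struct.unpack_from("<H", payload, 68)
    body_len, = struct.unpack_from("<H", payload, 74)
    body = payload[CL_HEADER_LEN:]
    if body_len != len(body):
        raise ValueError(f"header says {body_len} body bytes, {len(body)} present")
    info = {"interface": str(iface), "opnum": opnum,
            "is_messenger_popup": iface == MSGSVC_IFACE and opnum == NETR_SEND_MESSAGE}
    if info["is_messenger_popup"]:
        sender, recipient, text = (s.rstrip(b"\0").decode("ascii", "replace")
                                   for s in read_ndr_strings(body, 3))
        info.update(sender=sender, recipient=recipient, message=text)
    return info

def lure_indicators(message: str) -> dict:
    """Triage heuristic (this example's own): bulletin IDs quoted for authority,
    plus every hostname the text asks the user to type in."""
    bulletins = re.findall(r"\bMS\d{2}-\d{3}\b", message)
    hosts = re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", message, re.I)
    off_site = [h for h in hosts if not h.lower().endswith("microsoft.com")]
    return {"bulletins": bulletins, "hosts": hosts, "off_microsoft": off_site}
```

Calling `decode_msgsvc(PAYLOAD)` returns the interface, opnum and the three NetrSendMessage arguments; `lure_indicators()` on the message yields MS03-043 and www.windowspatch.info, which is the triage signal here: a genuine bulletin number is quoted to lend authority to a host that is not Microsoft's. The parser checks every NDR count against the buffer before touching the data and rejects the datagram otherwise; a length field a remote sender controls is exactly the input a datagram RPC parser must refuse to trust.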

  2. Make sure your firewall is enabled. You cannot prevent a hacker
    from attempting to connect to your computer, but your firewall
    can prevent the connection from actually occurring. If you are
    using a third-party firewall program, then you need to disable
    Windows XP's firewall.

    HOW TO: Enable or Disable Internet Connection Firewall in Windows XP
    http://support.microsoft.com/default.aspx?scid=kb;en-us;283673&Product=winxp

    Special note if you use AOL:

    America Online installs its own connection settings that override
    the ones that come with Windows XP. America Online's
    connection settings don't include a way to turn on Windows XP's
    built-in firewall.

    Visit the following web site for instructions on downloading
    a FREE firewall program for your computer.

    Ref: http://www.updatexp.com/free.html

    --
    Carey Frisch
    Microsoft MVP
    Windows XP - Shell/User

    Be Smart! Protect your PC!
    http://www.microsoft.com/security/protect/

    Carey Frisch [MVP], Jun 14, 2004
    #2
