Windows Exploit Faked Update Connection Attempt.

willisharps

Hello,

Getting connection attempts from someone pretending to be
a Microsoft update.
- Bright minds wasted on hacking.

Here is my connection log.

File Version : 5.1.2600.0 (xpclient.010817-1148)
File Description : Generic Host Process for Win32
Services (svchost.exe)
File Path : C:\WINDOWS\system32\svchost.exe
Process ID : 0x5A4 (Heximal) 1444 (Decimal)

Connection origin : remote initiated
Protocol : UDP
Local Address : 24.30.191.253
Local Port : 1029
Remote Name :
Remote Address : 206.255.15.20
Remote Port : 12576

Ethernet packet details:
Ethernet II (Packet Length: 851)
Destination: 00-40-2b-70-9f-db
Source: 00-03-6c-4a-18-a8
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 112
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0xa349 (Correct)
Source: 206.255.15.20
Destination: 24.30.191.253
User Datagram Protocol
Source port: 12576
Destination port: 1029
Length: 8
Checksum: 0x0 (Correct)
Data (817 Bytes)

Binary dump of the packet:
0000: 00 40 2B 70 9F DB 00 03 : 6C 4A 18 A8 08 00 45 00 | .@+p....lJ....E.
0010: 03 45 47 D6 00 00 70 11 : 49 A3 CE FF 0F 14 18 1E | .EG...p.I.......
0020: BF FD 31 20 04 05 03 31 : 00 00 04 00 28 00 10 00 | ..1 ...1....(...
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 F8 91 7B 5A 00 FF : D0 11 A9 B2 00 C0 4F B6 | ....{Z........O.
0050: E6 FC CC 43 77 C7 C1 67 : 9D E9 73 5B 18 10 7D E2 | ...Cw..g..s[..}.
0060: FA 5B 00 00 00 00 01 00 : 00 00 00 00 00 00 00 00 | .[..............
0070: FF FF FF FF D9 02 00 00 : 00 00 13 00 00 00 00 00 | ................
0080: 00 00 13 00 00 00 4D 49 : 43 52 4F 53 4F 46 54 20 | ......MICROSOFT
0090: 4E 45 54 57 4F 52 4B 53 : 00 00 13 00 00 00 00 00 | NETWORKS........
00A0: 00 00 13 00 00 00 57 49 : 4E 44 4F 57 53 20 55 53 | ......WINDOWS US
00B0: 45 52 00 00 00 00 00 00 : 00 00 8D 02 00 00 00 00 | ER..............
00C0: 00 00 8D 02 00 00 4D 69 : 63 72 6F 73 6F 66 74 20 | ......Microsoft
00D0: 53 65 63 75 72 69 74 79 : 20 42 75 6C 6C 65 74 69 | Security Bulleti
00E0: 6E 20 4D 53 30 33 2D 30 : 34 33 0D 0A 0D 0A 42 75 | n MS03-043....Bu
00F0: 66 66 65 72 20 4F 76 65 : 72 72 75 6E 20 69 6E 20 | ffer Overrun in
0100: 4D 65 73 73 65 6E 67 65 : 72 20 53 65 72 76 69 63 | Messenger Servic
0110: 65 20 43 6F 75 6C 64 20 : 41 6C 6C 6F 77 20 43 6F | e Could Allow Co
0120: 64 65 20 45 78 65 63 75 : 74 69 6F 6E 20 28 38 32 | de Execution (82
0130: 38 30 33 35 29 0D 0A 0D : 0A 41 66 66 65 63 74 65 | 8035)....Affecte
0140: 64 20 53 6F 66 74 77 61 : 72 65 3A 20 0D 0A 0D 0A | d Software: ....
0150: 4D 69 63 72 6F 73 6F 66 : 74 20 57 69 6E 64 6F 77 | Microsoft Window
0160: 73 20 4E 54 20 57 6F 72 : 6B 73 74 61 74 69 6F 6E | s NT Workstation
0170: 20 0D 0A 4D 69 63 72 6F : 73 6F 66 74 20 57 69 6E | ..Microsoft Win
0180: 64 6F 77 73 20 4E 54 20 : 53 65 72 76 65 72 20 34 | dows NT Server 4
0190: 2E 30 20 0D 0A 4D 69 63 : 72 6F 73 6F 66 74 20 57 | .0 ..Microsoft W
01A0: 69 6E 64 6F 77 73 20 32 : 30 30 30 20 20 20 0D 0A | indows 2000 ..
01B0: 4D 69 63 72 6F 73 6F 66 : 74 20 57 69 6E 64 6F 77 | Microsoft Window
01C0: 73 20 58 50 20 20 0D 0A : 4D 69 63 72 6F 73 6F 66 | s XP ..Microsof
01D0: 74 20 57 69 6E 64 6F 77 : 73 20 57 69 6E 39 38 20 | t Windows Win98
01E0: 20 20 0D 0A 4D 69 63 72 : 6F 73 6F 66 74 20 57 69 | ..Microsoft Wi
01F0: 6E 64 6F 77 73 20 53 65 : 72 76 65 72 20 32 30 30 | ndows Server 200
0200: 33 0D 0A 0D 0A 4E 6F 6E : 20 41 66 66 65 63 74 65 | 3....Non Affecte
0210: 64 20 53 6F 66 74 77 61 : 72 65 3A 20 0D 0A 0D 0A | d Software: ....
0220: 4D 69 63 72 6F 73 6F 66 : 74 20 57 69 6E 64 6F 77 | Microsoft Window
0230: 73 20 4D 69 6C 6C 65 6E : 6E 69 75 6D 20 45 64 69 | s Millennium Edi
0240: 74 69 6F 6E 0D 0A 0D 0A : 59 6F 75 72 20 73 79 73 | tion....Your sys
0250: 74 65 6D 20 69 73 20 61 : 66 66 65 63 74 65 64 2C | tem is affected,
0260: 20 64 6F 77 6E 6C 6F 61 : 64 20 74 68 65 20 70 61 | download the pa
0270: 74 63 68 20 66 72 6F 6D : 20 74 68 65 20 61 64 64 | tch from the add
0280: 72 65 73 73 20 62 65 6C : 6F 77 20 21 20 0D 0A 46 | ress below ! ..F
0290: 49 52 53 54 20 54 59 50 : 45 20 54 48 45 20 41 44 | IRST TYPE THE AD
02A0: 44 52 45 53 53 20 42 45 : 4C 4F 57 20 49 4E 54 4F | DRESS BELOW INTO
02B0: 20 59 4F 55 52 20 49 4E : 54 45 52 4E 45 54 20 42 | YOUR INTERNET B
02C0: 52 4F 57 53 45 52 2C 20 : 54 48 45 4E 20 43 4C 49 | ROWSER, THEN CLI
02D0: 43 4B 20 27 4F 4B 27 2E : 0D 0A 54 48 45 20 41 44 | CK 'OK'...THE AD
02E0: 44 52 45 53 53 20 57 49 : 4C 4C 20 44 49 53 41 50 | DRESS WILL DISAP
02F0: 50 45 41 52 20 4F 4E 43 : 45 20 59 4F 55 20 48 49 | PEAR ONCE YOU HI
0300: 54 20 27 4F 4B 27 2E 0D : 0A 0D 0A 20 20 20 20 20 | T 'OK'.....
0310: 20 20 20 20 20 20 20 20 : 20 20 20 20 20 20 20 20 |
0320: 20 20 20 20 20 20 20 20 : 20 20 20 20 20 20 20 20 |
0330: 20 20 20 20 20 20 20 20 : 20 20 20 77 77 77 2E 77 | www.w
0340: 69 6E 64 6F 77 73 70 61 : 74 63 68 2E 69 6E 66 6F | indowspatch.info
0350: 0D 0A 00 : | ...
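As an added example (not code from the post or from the firewall that produced the log), here is a Python decoder for the packet above: it rebuilds the bytes from the log's own dump format, recomputes the IPv4 header checksum, walks the connectionless DCE RPC header and the three NDR strings of the Messenger service call, and returns the spoofed sender, the recipient and the pop-up text. It embeds the first 198 bytes verbatim from the dump and the 653-byte body as the ASCII column spells it, so every length field and the checksum are checked against the real packet. One thing it turns up: the checksum on the wire is 0x49A3, which the firewall printed byte-swapped as 0xa349.

```python
import re, struct, uuid

# Constructed input: bytes 0x00-0xC5 copied from the post's dump in the log's own format, then the 653-byte body its ASCII column spells out.
DUMP_HEAD = """0000: 00 40 2B 70 9F DB 00 03 : 6C 4A 18 A8 08 00 45 00
0010: 03 45 47 D6 00 00 70 11 : 49 A3 CE FF 0F 14 18 1E
0020: BF FD 31 20 04 05 03 31 : 00 00 04 00 28 00 10 00
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00
0040: 00 00 F8 91 7B 5A 00 FF : D0 11 A9 B2 00 C0 4F B6
0050: E6 FC CC 43 77 C7 C1 67 : 9D E9 73 5B 18 10 7D E2
0060: FA 5B 00 00 00 00 01 00 : 00 00 00 00 00 00 00 00
0070: FF FF FF FF D9 02 00 00 : 00 00 13 00 00 00 00 00
0080: 00 00 13 00 00 00 4D 49 : 43 52 4F 53 4F 46 54 20
0090: 4E 45 54 57 4F 52 4B 53 : 00 00 13 00 00 00 00 00
00A0: 00 00 13 00 00 00 57 49 : 4E 44 4F 57 53 20 55 53
00B0: 45 52 00 00 00 00 00 00 : 00 00 8D 02 00 00 00 00
00C0: 00 00 8D 02 00 00"""
BODY = (b"Microsoft Security Bulletin MS03-043\r\n\r\nBuffer Overrun in Messenger Service Could Allow "
        b"Code Execution (828035)\r\n\r\nAffected Software: \r\n\r\nMicrosoft Windows NT Workstation \r\n"
        b"Microsoft Windows NT Server 4.0 \r\nMicrosoft Windows 2000   \r\nMicrosoft Windows XP  \r\n"
        b"Microsoft Windows Win98   \r\nMicrosoft Windows Server 2003\r\n\r\nNon Affected Software: \r\n\r\n"
        b"Microsoft Windows Millennium Edition\r\n\r\nYour system is affected, download the patch from "
        b"the address below ! \r\nFIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK "
        b"'OK'.\r\nTHE ADDRESS WILL DISAPPEAR ONCE YOU HIT 'OK'.\r\n\r\n" + b" " * 48 + b"www.windowspatch.info\r\n\x00")

def parse_dump(text):
    """Rebuild bytes from the log's 'OFFS: xx .. : xx .. | ascii' lines; any other line is ignored."""
    parts = re.findall(r"^\s*[0-9A-Fa-f]+:([0-9A-Fa-f :]*)", text, re.M)
    return bytes.fromhex(" ".join(parts).replace(":", " "))

def ip_checksum(hdr):  # RFC 1071 one's-complement sum over the IPv4 header with its checksum field zeroed
    s = sum(struct.unpack("!10H", hdr[:10] + b"\0\0" + hdr[12:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ndr_string(stub, pos):  # one NDR conformant char array: max count, offset, actual count, then chars
    pos = (pos + 3) & ~3                        # 4-byte aligned relative to the stub start
    _maxc, _off, actual = struct.unpack_from("<3I", stub, pos)
    return stub[pos + 12:pos + 12 + actual].split(b"\0", 1)[0].decode("latin-1"), pos + 12 + actual

def analyze(pkt):  # Ethernet > IPv4 > UDP > DCE RPC v4 (connectionless) > Messenger stub (3 strings)
    ip, (sport, dport, ulen, _), rpc = pkt[14:34], struct.unpack("!4H", pkt[34:42]), pkt[42:]
    stored = struct.unpack("!H", ip[10:12])[0]  # wire order 0x49A3; the firewall log printed it byte-swapped
    stub = rpc[80:]                             # the CL header is 80 bytes; its length field must cover the stub
    sender, p = ndr_string(stub, 0)
    recipient, p = ndr_string(stub, p)
    body, _ = ndr_string(stub, p)
    return {"ip_len": struct.unpack("!H", ip[2:4])[0], "ip_csum": stored, "ip_csum_ok": ip_checksum(ip) == stored,
            "udp": (sport, dport, ulen), "if_uuid": str(uuid.UUID(bytes_le=rpc[24:40])),
            "opnum": struct.unpack_from("<H", rpc, 68)[0], "frag_ok": struct.unpack_from("<H", rpc, 74)[0] == len(stub),
            "sender": sender, "recipient": recipient, "body": body}
```

The interface UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc with opnum 0 is the Messenger service's send-message call, so what the firewall caught is a net send style pop-up carrying a fake patch notice and a URL to type in, not a Windows Update connection.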
 
Carey Frisch [MVP]

Make sure your firewall is enabled. You cannot prevent a hacker
from attempting to connect to your computer, but your firewall
can prevent the connection from actually occurring. If you are
using a third-party firewall program, then you need to disable
Windows XP's firewall.

HOW TO: Enable or Disable Internet Connection Firewall in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;283673&Product=winxp

Special note if you use AOL:

America Online installs its own connection settings that override
the ones that come with Windows XP. America Online's
connection settings don't include a way to turn on Windows XP's
built-in firewall.

Visit the following web site for instructions on downloading
a FREE firewall program for your computer.

Ref: http://www.updatexp.com/free.html

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/
