
tag (Original poster), Apr 29, 2005
Ok, I was wondering if anyone had any clue about this. I was searching through some packets via tcpdump, and I keep coming across these types of packets which I can't explain. Not only do they keep coming when I'm not really running any apps, other than Terminal of course, but they are coming from different IPs. I can't find these messages anywhere on my iMac either, other than when I use tcpdump, so I'm not sure what program is requesting/sending this info. Does anyone know if there is a way to find out?

I've added 3 snippets from a dump file below. Also to note, the domains listed below are all from different countries such as Sweden and Poland. It seems to be some type of scam to get you to download Windows software, no doubt virus/trojan infected, though I'm not sure how I'm receiving these through the Mac. Basically I'm not really worried or anything, just really bored today and curious about this.


15:11:15.666234 IP (tos 0x0, ttl 116, id 57157, offset 0, flags [none], length: 821) 211.189.212.184.10849 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 793
...CUSTOMER....................Important Notice From MSOFT{Z........O...a.

Buffer Overflow in Messenger Service Causes Unexpected Computer Shutdown,
Virus Infection and Remote Code Execution

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Non Affected Software:

Microsoft Windows Millennium Edition

Your system IS affected, download the patch from the address below !
FIRST TYPE THE URL BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK'


WWW.WUPDATE.NET.
15:11:15.666312 IP (tos 0x0, ttl 64, id 21437, offset 0, flags [none], length: 56) user216-178-76-164.netcarrier.net > 211.189.212.184: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 116, id 57157, offset 0, flags [none], length: 821) 211.189.212.184.10849 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 793
15:12:13.764905 IP (tos 0x0, ttl 119, id 20578, offset 0, flags [none], length: 908) 205.232.60.138.15984 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 880
...!E...Pb..w..5..<...L.>p...x....(.......................{Z........O......#Bfz-....`..................... .................SECURITY MONITOR................WINDOWS USER....................Important Windows Security Bulletin
======================
Buffer Overrun in Messenger Service Allows Remote Code Execution,
Virus Infection and Unexpected Computer Shutdowns

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Non Affected Software:

Microsoft Windows Millennium Edition

Your system is affected, download the patch from the address below !
FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK'.
THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK 'OK'.

www.updatepatch.info
.
15:12:13.764987 IP (tos 0x0, ttl 64, id 21462, offset 0, flags [none], length: 56) user216-178-76-164.netcarrier.net > 205.232.60.138: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 119, id 20578, offset 0, flags [none], length: 908) 205.232.60.138.15984 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 880
15:15:45.271388 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], length: 492) 222.241.95.8.32801 > user216-178-76-164.netcarrier.net.cap: [udp sum ok] UDP, length: 464
...!E.....@.2....._...L..!....&5..(.......................{Z........O.... 0V...R ...S.]2....................................SYSTEM......................ALERT...........<.......<...STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found Critical Errors.

To fix the errors please do the following:
1. Download Registry Repair from: http://www.repairreg.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

.
15:15:45.271471 IP (tos 0x0, ttl 64, id 21714, offset 0, flags [DF], length: 56) user216-178-76-164.netcarrier.net > 222.241.95.8: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], length: 492) 222.241.95.8.32801 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 464
 
Several Windows machines on your subnet are running some sort of spyware, worm, or trojan which broadcasts these packets. When received by an unprotected Windows machine, the packet causes a Windows Messenger popup to display the message within. Presumably its purpose is to trick the user into going to that site and downloading their program. Of course the program is malware which not only sends out more of these packets to other machines, but also probably does some sort of damage. People who are naive will believe the popup message and willingly install the malware, further contributing to the problem!

More info at http://www.lurhq.com/popup_spam.html or try this Google search.

Of course, it's nothing to worry about with the Mac. ;)
 
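To make the explanation above concrete (and to answer the original question of whether anything on the Mac is asking for this traffic), here is an added Python script. It is not code from this thread, from tcpdump, or from the lurhq write-up; it parses tcpdump's text output in the format posted above (destination ports printed by their /etc/services name, which is why UDP 1026 shows up as "cap"), flags the Messenger Service pop-up spam by the phrases in its payload, and pairs each inbound datagram with the ICMP "port unreachable" the host sent back. A host only sends that reply when nothing is listening on the port, so a capture where every spam datagram draws one shows the packets are simply being sprayed at the address, not requested by a local program. The sample is built from the header lines in the thread with the payloads trimmed; the function names and the port list are mine.

```python
"""Check a tcpdump text capture for Messenger Service pop-up spam and whether
the local host had anything listening for it (ICMP port unreachable = no).

Added example; it assumes tcpdump's 2005-era text format as posted in the
thread, with ports shown by /etc/services name (UDP 1026 prints as "cap").
"""
import re

# Constructed sample: header lines copied from the thread's dump, payloads trimmed.
SAMPLE_DUMP = """\
15:11:15.666234 IP (tos 0x0, ttl 116, id 57157, offset 0, flags [none], length: 821) 211.189.212.184.10849 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 793
Buffer Overflow in Messenger Service Causes Unexpected Computer Shutdown,
WWW.WUPDATE.NET.
15:11:15.666312 IP (tos 0x0, ttl 64, id 21437, offset 0, flags [none], length: 56) user216-178-76-164.netcarrier.net > 211.189.212.184: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 116, id 57157, offset 0, flags [none], length: 821) 211.189.212.184.10849 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 793
15:12:13.764905 IP (tos 0x0, ttl 119, id 20578, offset 0, flags [none], length: 908) 205.232.60.138.15984 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 880
Buffer Overrun in Messenger Service Allows Remote Code Execution,
www.updatepatch.info
15:12:13.764987 IP (tos 0x0, ttl 64, id 21462, offset 0, flags [none], length: 56) user216-178-76-164.netcarrier.net > 205.232.60.138: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 119, id 20578, offset 0, flags [none], length: 908) 205.232.60.138.15984 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 880
15:15:45.271388 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], length: 492) 222.241.95.8.32801 > user216-178-76-164.netcarrier.net.cap: [udp sum ok] UDP, length: 464
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
1. Download Registry Repair from: http://www.repairreg.com
15:15:45.271471 IP (tos 0x0, ttl 64, id 21714, offset 0, flags [DF], length: 56) user216-178-76-164.netcarrier.net > 222.241.95.8: icmp 36: user216-178-76-164.netcarrier.net udp port cap unreachable for IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], length: 492) 222.241.95.8.32801 > user216-178-76-164.netcarrier.net.cap: [no cksum] UDP, length: 464
"""

_TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)"
_HDR = r"\([^)]*\)"  # the "(tos 0x0, ttl ..., length: N)" block; never contains ")"

# "HH:MM:SS.uuuuuu IP (...) src.sport > dst.dport: [cksum note] UDP, length: N"
UDP_RE = re.compile(
    _TS + r" IP " + _HDR + r" (?P<src>[\w.\-]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\w.\-]+)\.(?P<dport>\w+): \[[^\]]*\] UDP, length: (?P<plen>\d+)$")

# "... IP (...) host > remote: icmp N: host udp port P unreachable for IP (...) remote.sport > "
ICMP_UNREACH_RE = re.compile(
    _TS + r" IP " + _HDR + r" (?P<src>[\w.\-]+) > (?P<dst>[\w.\-]+): icmp \d+: "
    r"\S+ udp port (?P<port>\w+) unreachable for IP " + _HDR +
    r" (?P<osrc>[\w.\-]+)\.(?P<osport>\w+) > ")

# UDP ports the Messenger Service spammers aimed at (135 and the 1026-1029 RPC
# range); tcpdump prints 1026 as "cap". Extend if your /etc/services differs.
MESSENGER_PORTS = {"135", "1026", "1027", "1028", "1029", "cap"}
# Phrases taken from the lures in the thread, matched against the lower-cased payload.
SPAM_MARKERS = ("messenger service", "download the patch",
                "windows requires immediate attention", "registry repair")
LURE_RE = re.compile(r"www\.[\w\-]+(?:\.[\w\-]+)+", re.I)


def parse_dump(text):
    """Split the capture into UDP datagrams (each with its payload lines) and
    the ICMP port-unreachable messages; ICMP is tested first because its tail
    quotes the offending UDP header."""
    datagrams, unreachables, current = [], [], None
    for line in text.splitlines():
        m = ICMP_UNREACH_RE.match(line)
        if m:
            unreachables.append(m.groupdict())
            current = None
            continue
        m = UDP_RE.match(line)
        if m:
            current = m.groupdict()
            current["payload"] = []
            datagrams.append(current)
            continue
        if current is not None:  # hex/ASCII dump lines follow their UDP header
            current["payload"].append(line)
    return datagrams, unreachables


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def was_rejected(datagram, unreachables, window=1.0):
    """True if the host answered this exact datagram (same peer, ports) with
    ICMP port unreachable within `window` seconds: nothing was listening."""
    for u in unreachables:
        if (u["src"] == datagram["dst"] and u["dst"] == datagram["src"]
                and u["osrc"] == datagram["src"] and u["osport"] == datagram["sport"]
                and u["port"] == datagram["dport"]
                and 0 <= _seconds(u["ts"]) - _seconds(datagram["ts"]) <= window):
            return True
    return False


def is_messenger_spam(datagram):
    text = " ".join(datagram["payload"]).lower()
    return datagram["dport"] in MESSENGER_PORTS and any(k in text for k in SPAM_MARKERS)


def lure_domains(datagram):
    """Sites the pop-up text tells the victim to visit (lower-cased, de-duplicated)."""
    return sorted({m.group(0).lower() for m in LURE_RE.finditer(" ".join(datagram["payload"]))})


def analyse(text):
    datagrams, unreachables = parse_dump(text)
    return [{"ts": d["ts"], "src": d["src"], "dport": d["dport"],
             "spam": is_messenger_spam(d), "lures": lure_domains(d),
             "rejected_by_local_host": was_rejected(d, unreachables)} for d in datagrams]


def summarize(report):
    spam = [r for r in report if r["spam"]]
    return {"datagrams": len(report), "messenger_spam": len(spam),
            "distinct_sources": len({r["src"] for r in spam}),
            "lure_domains": sorted({dom for r in spam for dom in r["lures"]}),
            # any spam datagram that drew no port-unreachable deserves a look at
            # what is bound to that port (lsof -i UDP, netstat)
            "local_listener_suspected": any(not r["rejected_by_local_host"] for r in spam)}


if __name__ == "__main__":
    rep = analyse(SAMPLE_DUMP)
    for r in rep:
        print(r)
    print(summarize(rep))
```

Run against the three snippets it reports three spam datagrams from three distinct sources, three lure domains, and every datagram rejected by the host, which is the "no local listener" result the reply above predicts. The same script run over a longer capture from the Mac would show the "local_listener_suspected" flag flipping to true only if a datagram arrived and no ICMP unreachable followed, which is the case worth investigating.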
Thanks for filling me in, bankshot. I didn't think to Google for the ports and such. Thanks for the links mate.
 