1 Rookie
45 Posts
Norton internet worm
I am getting this security alert all the time from Norton:
path c:\windows\system32\svchost.exe
file name microsoft generic host process for win32 s...
direction inbound
local address all local networks
local port 1026
remote address 61.152.158.111
remote port 48222
protocol udp
I have an option to block or permit. If I block it, it comes up again a bit later.
What is it?
Bill Snyder
266 Posts
June 25th, 2005 21:00
speedstep
9 Legend
47K Posts
June 25th, 2005 23:00
It may be legit, but unless you are in China, then it's Chinese hackers that are trying to take over your system. The posting telling you that it's nothing to worry about is probably from the hacker that has remote control of your system. LOL.
Port 1026: BDDT, Dark IRC, DataSpy Network X, Delta Remote Access, Dosh, Duddie, IRC Contact, Remote Explorer 2000, RUX The TIc.K
Port 1026 (UDP): Remote Explorer 2000
Remote Explorer 2000
--------------------------------------------------------------------
Name: Remote Explorer 2000
Aliases: RE2K, Backdoor.RE2K,
Ports: 1026, 1026 (UDP), 2000, 2000 (UDP)
Files:
Remoteexplorer2000.zip - 764,865 bytes
Remoteexplorer2000server.zip - 17,709 bytes
Remote explorer 2000.exe - 845,242 bytes
Realserver.exe - 21,504 bytes
Win128.exe -
Created: Sep 1999
Requires: Mswinsck.ocx - is required to run the trojan.
Actions: Remote Access / Steals passwords
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Notes: Works on Windows.
Country:
Program:
I would always block this and then scan to find out what trojan is on the system.
This UDP port is known to be used by trojan horses like BackDoor-G, SubSeven Apocalypse and Tiles. Refer to http://www.simovits.com for a list of well known trojans and their preferred ports.
http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
I would scan the system with trend micro housecall.
http://housecall.trendmicro.com/housecall/start_corp.asp
Name: SubSeven
Aliases: Sub 7, BackDoor.G, Pinkworm, SubStealth, BackDoor-G2, Backdoor.SubSeven, .LOG,
Ports: 1243, 1999, 2772, 2773, 2774, 6667, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, 54283 (various ports are used for different versions)
Files:
Subseven.exe - 308,224 bytes
Subseven.exe - 312,320 bytes
Subseven.exe - 381,440 bytes
Subseven.exe - 388,096 bytes
Subseven.exe - 428,469 bytes
Subseven.exe - 623,104 bytes
Subseven.exe - 624,128 bytes
Sub7.exe - 468,992 bytes
Sub7.exe - 479,232 bytes
Sub7.exe - 491,520 bytes
Sub7.exe - 493,056 bytes
Sub7.exe - 519,680 bytes
Server.exe - 250,368 bytes
Server.exe - 251,904 bytes
Server.exe - 333,547 bytes
Server.exe - 335,237 bytes
Server.exe - 335,799 bytes
Server.exe - 336,867 bytes
Server.exe - 336,934 bytes
Server.exe - 342,042 bytes
Server.exe - 352,287 bytes
Server.exe - 380,835 bytes
Server.exe - 381,347 bytes
Server.exe - 382,371 bytes
Server.exe - 385,858 bytes
Server.exe - 867,840 bytes
Editserver.exe - 186,368 bytes
Editserver.exe - 195,584 bytes
Editserver.exe - 221,184 bytes
Editserver.exe - 303,802 bytes
Editserver.exe - 404,992 bytes
Editserver.exe - 484,352 bytes
Systrayicon.exe - 768 bytes
Systray.exe - 33,280 bytes
Icqmapi.dll - 58,368 bytes
Icqmapi.dll - 58,880 bytes
Kerne1.exe -
Kernel16.dl -
Kernel32.dl -
Explore.exe -
Msrexe.exe - 399,267 bytes
Mueexe.exe -
Fueovs.exe -
Uabmruua.exe -
Windos.exe -
Win32.exe -
Nodll.exe - 32,768 bytes
Nodll.exe - 33,230 bytes
Subseven.ini -
Skin.ini - 454 bytes
Skin.ini - 464 bytes
Skin.ini - 468 bytes
Skin.ini - 481 bytes
Rundll1.exe -
Rundll16.exe -
S7undetec.exe - 321,476 bytes
Subpas1.cab - 1,312,768 bytes
Subpas2.cab - 145,273 bytes
Setup.exe - 140,800 bytes
Ssetup.exe - 140,800 bytes
Setup.lst - 3,656 bytes
Ssetup.lst - 3,656 bytes
Task_bar.exe -
Mvokh_32.dll -
Favpnmcfee.dll -
Watching.dll -
Run.exe - 11,371 bytes
Sub7bonus.exe -
Wandows.com -
Message Edited by SpeedStep on 06-25-2005 08:39 PM
tstormx
39 Posts
June 26th, 2005 15:00
voodoo12
1 Rookie
45 Posts
June 26th, 2005 16:00
Bill Snyder
266 Posts
June 26th, 2005 17:00
jwatt
4.4K Posts
June 27th, 2005 21:00
There seems to be some confusion about the direction of that traffic.
I interpret your original report...
direction inbound
local address all local networks
local port 1026
remote address 61.152.158.111
remote port 48222
protocol udp
as showing that the traffic came from IP address 61.152.158.111 and was headed for UDP port 1026 on your system.
In addition to the uses of that port cited by speedstep, an extremely common one is delivery of what's called "Messenger Spam", as described here.
If that's indeed what happened, there's a system in China that's trying to send your system spamvertising using the "Messenger Service". If the traffic's being blocked by your firewall, either locally or because your machine is behind a router, you'll not be annoyed... except perhaps by the messages being logged by your firewall software. So far today, our automated reporting system has sent thirty-five log messages of 1026/udp traffic to MyNetWatchman.
MyNetWatchman is reporting a growing list of problems originating from 61.152.158.111, most of which are very recent and are "messenger spam".
Jim
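The point Jim makes about reading the alert's direction, plus SpeedStep's port-to-trojan lookup, can be turned into a small triage script. The following is an added example, not code from this thread or from Norton: it parses the alert text quoted at the top of the thread (embedded here as sample input, together with a constructed outbound DNS alert for contrast), works out which side initiated the traffic and which port was the target, flags the inbound-UDP-to-a-Messenger-port pattern, and tallies alerts per source so a repeat sender like 61.152.158.111 stands out. The 1026/udp pairing with Remote Explorer 2000 is taken from SpeedStep's post; the Messenger Service port set (UDP 135 and the RPC endpoint ports 1026-1029) is an assumption about what the Windows 2000/XP Messenger service typically listened on, and the field names are those shown in the alert.

```python
"""Triage Norton-style firewall alerts by who initiated the traffic.

Added example for this thread, not Norton's or the forum's code.
"""
import re
from collections import Counter

# Assumed Messenger Service ports: UDP 135 plus RPC endpoint ports 1026-1029.
MESSENGER_PORTS = {135, 1026, 1027, 1028, 1029}
# Documented trojan on 1026/udp, taken from SpeedStep's post above.
TROJAN_PORTS_UDP = {1026: "Remote Explorer 2000"}

# Norton prints one "<field> <value>" per line; keep the fields we need.
_FIELD_RE = re.compile(
    r"^(path|file name|direction|local address|local port|"
    r"remote address|remote port|protocol)\s+(.+)$",
    re.IGNORECASE,
)

# The alert quoted at the top of the thread, embedded as sample input.
THREAD_ALERT = r"""
path c:\windows\system32\svchost.exe
file name microsoft generic host process for win32 s...
direction inbound
local address all local networks
local port 1026
remote address 61.152.158.111
remote port 48222
protocol udp
"""

# Constructed for contrast: an outbound DNS query from the same host.
OUTBOUND_DNS = r"""
direction outbound
local address 192.168.1.10
local port 1033
remote address 192.168.1.1
remote port 53
protocol udp
"""


def parse_alert(text):
    """Turn one alert into a dict keyed by lower-cased field name."""
    fields = {}
    for raw in text.splitlines():
        m = _FIELD_RE.match(raw.strip())
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    needed = {"direction", "local port", "remote address", "remote port", "protocol"}
    missing = needed - fields.keys()
    if missing:
        raise ValueError("alert is missing fields: %s" % sorted(missing))
    fields["local port"] = int(fields["local port"])
    fields["remote port"] = int(fields["remote port"])
    fields["direction"] = fields["direction"].lower()
    fields["protocol"] = fields["protocol"].lower()
    return fields


def classify(alert):
    """Work out who initiated the traffic and what the target port suggests."""
    inbound = alert["direction"] == "inbound"
    # Inbound: the remote host initiated and the *local* port is the target.
    # Outbound: this host initiated and the *remote* port is the target.
    source = alert["remote address"] if inbound else alert.get("local address", "this host")
    target_port = alert["local port"] if inbound else alert["remote port"]
    source_port = alert["remote port"] if inbound else alert["local port"]
    udp = alert["protocol"] == "udp"

    # Messenger spam: unsolicited UDP from an ephemeral port to a Messenger/RPC port.
    messenger_spam = inbound and udp and target_port in MESSENGER_PORTS and source_port >= 1024
    trojan = TROJAN_PORTS_UDP.get(target_port) if inbound and udp else None

    if messenger_spam:
        advice = "block; stop the Messenger service and keep the port filtered at the firewall or router"
    elif trojan:
        advice = "block and scan the system; %s is documented on this port" % trojan
    elif inbound:
        advice = "block unless you knowingly run a service on this port"
    else:
        advice = "outbound traffic from this host; check which program started it"

    return {
        "initiator": "remote" if inbound else "local",
        "source": source,
        "target_port": target_port,
        "messenger_spam": messenger_spam,
        "trojan_port": trojan,
        "advice": advice,
    }


def summarize(alerts):
    """Count alerts per (source, target port, protocol) so repeat senders stand out."""
    counts = Counter()
    for alert in alerts:
        c = classify(alert)
        counts[(c["source"], c["target_port"], alert["protocol"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for sample in (THREAD_ALERT, OUTBOUND_DNS):
        print(classify(parse_alert(sample)))
    print(summarize([parse_alert(THREAD_ALERT)] * 2 + [parse_alert(OUTBOUND_DNS)]))
```

Paste additional alerts into the list passed to `summarize` to see which remote addresses keep coming back. On the Windows box itself, `netstat -ano -p udp` shows which process ID owns local UDP port 1026; if it is the svchost.exe hosting the Messenger service, the alert is the spam pattern Jim describes rather than a trojan listener, and disabling that service removes the target.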