Just curious - port 1133

Discussion in 'other security issues & news' started by Marianna, Jun 13, 2003.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi :D

    This morning - it's 9.20 am here (PDT) - I found over 500 alert records for port 1133.

    The "only" info I found regarding this port is:

    Name: SweetHeart
    Aliases: Backdoor.Zhang, Zhang,
    Ports: 600, 1133, 1183, 1183 (UDP), 2101, 2222, 2222 (UDP), 6711, 8311
    Files: Zhang.zip - Aboutagirl.exe - Girl.exe - Iloveyou.exe -
    Created:
    Requires:
    Actions: Remote Access
    Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CLASSES_ROOT\txtfile\shell\open\command
    Notes: Works on Windows.
    Country: written in China
    Program: Written in Delphi.

    http://www.simovits.com/nyheter9902.html

    Anyone know what is going on??

    Thanks :D
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Portsdb.org and the Neohapsis port list didn't list anything for those ports (wasn't sure if you meant UDP or TCP)

    Did the activity happen over a defined period or is it continuing?

    I enabled full packet capture on those ports on my firewall to see what it might catch but nothing yet.
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Ooo, also, what was the situation with the source?

    All from single host?

    From static port or incremental?
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Agreed, without posting a portion of the firewall log there isn't much we can say about this. (If you can post some of the log here, you can just obscure your own IP address if you'd like to keep that from public view.)

    If you don't have a tool to capture packets yourself Marianna, you can use this freeware tool. It's not a packet sniffer, it just listens on a port and captures the packets so you can look at them. >> Freeware Port Listener Released
     
  5. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Thanks guys,

    I was in a hurry this morning - just came back. Here is a portion:

    http://members.shaw.ca/schmudlach/ZoneLog13.06.2003a.jpg

    The "alerts" are all different from almost all over the world. Sure also more port 80 in now -

    At the moment I have 778 "alerts" ....

    Thought "something" was running "wild" in the internet ??
     
  6. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    1214 points to Kazaa. Seems to me that 1133 is a P2P client port too. Since the number of hits is large, a P2P connection is to be assumed :rolleyes:
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Okay, I think the "telling" point here is the source port of 1214 which is used for Kazaa, Morpheus and Grokster. It almost seems as if you had a similar app that had been sending or listening on 1133. Is that possible?
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    oops, meneer beat me to it (I was rambling to myself)
     
  9. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Nope, never had Kazaa, nor Grokster nor Morpheus.

    It started this morning - I'm on cable.
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Yeah, very often when I get hit with a large number of connection attempts, from a wide range of IP addresses, they invariably turn out to be related to some file sharing application. I generally confirm this by catching a few of the packets with Port Peeker.

    >> Nope, never had KaZaa neither Grokster nor Morpheus.

    Capture a few of the packets and see.
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Marianna, do you have a static IP or is it leased by the provider? If the latter, was the IP recently changed during a lease renewal?
     
  12. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    And I bet it dies down in a few hours/days :)
     
  13. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Yes, I have a static IP - I'm not worried for my computer - have nothing to hide :D - thought there was something "brewing" in the internet.

    But if you guys don't "see" this "knocking" yet - well, maybe you get it Father's Day?? :rolleyes:
     
  14. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Here is the trend map for port 1214 (the one for 1133 was negligible). Note that the 1214 scans were most significant when viewed on the source port side.

    http://isc.incidents.org/port_details.html?port=1214
     
  15. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Thanks, Dan !

    I appreciate it !
     
  16. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    I had another look this morning - well, I guess, I can't really look for port "1214" - destination port is still 1133 and it is coming from:

    1214, 1332, 1391, 1824, 62698, 1749, 3323, 11680, 1886 etc.

    plus this morning a LOT more on port 80.

    So "something" is "strange" :D
     
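An added example, not code from the thread or from any tool named in it, of the triage the replies describe: group the firewall alerts on one destination port by source address and source port, and check whether the sources are many and whether they use 1214, the port the posters tie to Kazaa, Morpheus and Grokster. The log layout loosely follows the ZoneAlarm text-log format (type,date,time,src:port,dst:port,proto) and every address in it is constructed.

```python
from collections import Counter

# Constructed sample, not a real capture: a few lines in a ZoneAlarm-style
# layout (type,date,time,src:port,dst:port,proto) with made-up addresses.
SAMPLE_LOG = """\
FWIN,2003/06/13,09:20:01 -7:00 GMT,24.10.1.5:1214,10.0.0.2:1133,UDP
FWIN,2003/06/13,09:20:03 -7:00 GMT,62.11.4.9:1332,10.0.0.2:1133,UDP
FWIN,2003/06/13,09:20:04 -7:00 GMT,203.5.7.1:1214,10.0.0.2:1133,UDP
FWIN,2003/06/13,09:20:07 -7:00 GMT,81.3.9.2:1391,10.0.0.2:1133,TCP
FWIN,2003/06/13,09:20:09 -7:00 GMT,24.10.1.5:1214,10.0.0.2:1133,UDP
FWIN,2003/06/13,09:20:11 -7:00 GMT,66.8.8.4:62698,10.0.0.2:1133,UDP
FWIN,2003/06/13,09:20:12 -7:00 GMT,198.2.2.2:1824,10.0.0.2:80,TCP
FWIN,2003/06/13,09:20:15 -7:00 GMT,200.1.1.7:1214,10.0.0.2:1133,UDP
"""

# Source port the thread associates with FastTrack clients (Kazaa, Morpheus, Grokster).
P2P_SOURCE_PORTS = {1214}

def parse(line):
    """Split one log line into its source/destination address and port fields."""
    _kind, _date, _time, src, dst, proto = line.split(",")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"src": sip, "sport": int(sport), "dst": dip, "dport": int(dport), "proto": proto}

def triage(log_text, dst_port):
    """Summarise inbound alerts to dst_port: how many distinct sources, which
    source port dominates, protocol split, and the share of hits that came from
    a known P2P source port. The verdict thresholds are an assumption, chosen
    to separate 'one host probing' from 'many peers still expecting this IP'."""
    recs = [parse(l) for l in log_text.splitlines() if l.strip()]
    hits = [r for r in recs if r["dport"] == dst_port]
    srcs = Counter(r["src"] for r in hits)
    sports = Counter(r["sport"] for r in hits)
    protos = Counter(r["proto"] for r in hits)
    p2p_share = sum(c for p, c in sports.items() if p in P2P_SOURCE_PORTS) / max(len(hits), 1)
    if len(srcs) <= 1:
        verdict = "single source: targeted probe or one misconfigured peer"
    elif p2p_share >= 0.4 and len(srcs) >= 3:
        verdict = "many sources, P2P source ports: likely stale peer list for this IP"
    else:
        verdict = "many sources, mixed ports: inconclusive, capture payloads"
    return {"hits": len(hits), "sources": len(srcs),
            "top_sport": sports.most_common(1)[0][0] if hits else None,
            "protos": dict(protos), "p2p_share": round(p2p_share, 2),
            "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, 1133))
```

With a real log, the same summary answers the questions asked above: one host or many, a static source port or a spread of them, and UDP versus TCP.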
  17. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Well, it appears that the 1133 activity is fairly unique to your system/network

    http://isc.incidents.org/port_details.html?port=1133

    Have you tried the PortPeeker app that LowWaterMark mentioned earlier in the thread? If you have, did you notice any typical packet payload?

    And you're sure that you have nothing listening on 1133 and have had your public IP for a significant amount of time?

    o_O
     
  18. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    thanks Dan,

    didn't have time yesterday to download the program, I just did - will be "in" and "out" today again, will install it now - I believe I have had the same IP since I started with cable and that was over 2 years ago. Checked all the ports and they show ALL stealth. I'm only running ZoneAlarm free as I want to know what wants to go out of my computer.

    I have WinMe - is there "something" I have to know about running PortPeeker??

    Thanks so much ;)
     
  19. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey,

    Actually I hadn't heard of the PortPeeker program until it was mentioned in the thread and I haven't tried it myself, but the interface seems pretty nice and the developer is reputable.

    I was curious about the IP change as that is the simplest reason for the activity (the previous user of that IP was a heavy user of Kazaa) but that only fits if your IP changed recently. Also, it is quite uncommon for cable providers to issue static IPs (as they tend to have frequent network topology changes to redistribute load, etc)
     
  20. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI again, Dan ;)

    will give it a try - will give "smoke signals" if I don't "understand" :D

    Maybe the cable companies in Canada are different?? As far as I know, it is still the same IP I have. Ah well, I still guess, "something" is "brewing" in the internet. I'm still "curious" what these many hits are all about.

    It's 10.51 am (PDT) and I already have 321 hits ..... meaning it did NOT slow down.

    Ah well, thanks again :)
     
  21. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Yes, definitely let us know if there is something you need help with.

    I REALLY think it was an IP change. If something was brewing on the Internet there would be signs elsewhere and doing a little research I found on your ISP's homepage (I changed the ISP's name in the quote to "<ISP>" )

    "To ensure reliable service to all customers, <ISP>'s Residential Internet network does not currently support Static IP's. Since <ISP> is designed for the average home Internet user, Static IP's provided little or no benefit while making network management difficult. Dynamic IP brings a higher level of customer service, and many find that a long term IP is usually assigned. Using Dynamic IP, customers do not experience connection loss during network upgrades, while Static IP's can result in a temporary loss of service."

    Hope this helps,

    Dan
     
  22. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Interesting what you found ! I must say, I am having problems in the time they "update" or "maintain". Have just written them an e-mail - hope I'll get an answer "soon" :) Maybe they can explain WHY I always "see" the same IP ??

    Have installed PortPeeker - this is weird - until now I got the most "hits" on UDP 1133 - now it has changed to TCP 1133 ?? Am I "dreaming" or what :rolleyes:
     
  23. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Are you sure you set PortPeeker to listen on UDP 1133? It sounds as if it might be set to TCP 1133
     
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    FYI - You can run as many copies of Port Peeker as you'd like, so run two and have one collect from 1133/UDP and another from 1133/TCP.
     
  25. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Thanks - have to leave now - will make some copies - so I can see "MORE" .

    BTW I just got a reply from my cable company:

    "Unless you are subscribed to one of our Business Internet packages, and are specifically paying for a static IP address, then you would have a dynamic one. Though they are considered dynamic, they don't tend to change too often; they usually only change when we conduct an upgrade in the area which requires the addition of new IP addresses for new customers."

    Well, this "says" it all - there was NO upgrade in our area - and that's why I still "see" the same IP. Good to know -

    Will catch up later....... have to run !

    In the meantime big THANKS :D
     