Constant stream of UDP packets from same four addresses...

I need some help with the following...

My router has been blocking a steady stream of UDP packets from the
same four IP addresses. This has been going on for several days now.

Here is an extract from the router's log. This same sequence repeats
itself "ad infinitum" ;-)

[INFO] Sun Apr 20 15:25:11 2008 Blocked incoming UDP packet from
207.118.109.219:50197 to 76.xxx.xxx.xxx:38043
[INFO] Sun Apr 20 15:25:05 2008 Blocked incoming UDP packet from
75.167.206.47:29547 to 76.xxx.xxx.xxx:38043
[INFO] Sun Apr 20 15:24:53 2008 Blocked incoming UDP packet from
71.54.69.146:14853 to 76.xxx.xxx.xxx:38043
[INFO] Sun Apr 20 15:24:51 2008 Blocked incoming UDP packet from
189.47.157.200:60611 to 76.xxx.xxx.xxx:38043

Just in case, I rebooted the router and the computer... same results.
I also checked SANS to see if there was any new activity and none was
noted in relation to these ports.

Comments?

______________________

The Traveller
Carlsbad, California

Consider installing a good antivirus program, such as Windows OneCare.
You can try it absolutely FREE for 90 days.
http://onecare.live.com/standard/en-us/default.htm

--
Carey Frisch
Microsoft MVP
Windows Desktop Experience -
Windows System & Performance

---------------------------------------------------------------

"The Traveller" wrote:

I need some help with the following...

My router has been blocking a steady stream of UDP packets from the
same four IP addresses. This has been going on for several days now.

Here is an extract from the router's log. This same sequence repeats
itself "ad infinitum" ;-)

[INFO] Sun Apr 20 15:25:11 2008 Blocked incoming UDP packet from
207.118.109.219:50197 to 76.xxx.xxx.xxx:38043
[INFO] Sun Apr 20 15:25:05 2008 Blocked incoming UDP packet from
75.167.206.47:29547 to 76.xxx.xxx.xxx:38043
[INFO] Sun Apr 20 15:24:53 2008 Blocked incoming UDP packet from
71.54.69.146:14853 to 76.xxx.xxx.xxx:38043
[INFO] Sun Apr 20 15:24:51 2008 Blocked incoming UDP packet from
189.47.157.200:60611 to 76.xxx.xxx.xxx:38043

Just in case, I rebooted the router and the computer... same results.
I also checked SANS to see if there was any new activity and none was
noted in relation to these ports.

Comments?

______________________

The Traveller
Carlsbad, California

On Sun, 20 Apr 2008 21:18:09 -0500, "Carey Frisch [MVP]"
<cnfrisch@nospamgamil.com> wrote:

>Consider installing a good antivirus program, such as Windows OneCare.
>You can try it absolutely FREE for 90 days.
>http://onecare.live.com/standard/en-us/default.htm

Hmm... thanks, but I fail to see the relevance?

I am using AVG Security Suite 8.x on this computer, Norton 360 on my
wife's system, and the router has its own firewall. Remember that
those UDP packets are INBOUND and that they are being stopped by the
router. No unusual OUTBOUND traffic is being monitored (I even used
WIRESHARK to monitor all traffic).

______________________

The Traveller
Carlsbad, California

You "might" have something on your computer that is trying to download more
garbage to infect your computer.

Try scanning with Spybot S & D, and then leave Spywareblaster running in the
background.

http://www.safer-networking.org/en/index.html

For Spyware removal, use the above link to “Spybot Search & Destroy 1.5.2�
Download it, install it, update it, immunize your system and scan your
System with it.

http://www.javacoolsoftware.com/

For a non-scanning, but running in the background, Program to STOP Spyware
being downloaded to your Computer, use SpywareBlaster 4, available at the
above link.


Mick Murphy - Qld - Australia


"The Traveller" wrote:

> On Sun, 20 Apr 2008 21:18:09 -0500, "Carey Frisch [MVP]"
> <cnfrisch@nospamgamil.com> wrote:
>
> >Consider installing a good antivirus program, such as Windows OneCare.
> >You can try it absolutely FREE for 90 days.
> >http://onecare.live.com/standard/en-us/default.htm
>
> Hmm... thanks, but I fail to see the relevance?
>
> I am using AVG Security Suite 8.x on this computer, Norton 360 on my
> wife's system, and the router has its own firewall. Remember that
> those UDP packets are INBOUND and that they are being stopped by the
> router. No unusual OUTBOUND traffic is being monitored (I even used
> WIRESHARK to monitor all traffic).
>
> ______________________
>
> The Traveller
> Carlsbad, California
>

On Mon, 21 Apr 2008 12:43:01 -0700, Mick Murphy
<MickMurphy@discussions.microsoft.com> wrote:

>You "might" have something on your computer that is trying to download more
>garbage to infect your computer.
>
>Try scanning with Spybot S & D, and then leave Spywareblaster running in the
>background.

Nope... scanned using emergency CD to no avail. Used AVG's emergency
disk and Ad-Aware. WIRESHARK shows no outgoing activity. I will run
SPYBOT S&D and report back.

However, 3/5 UPD sources have stopped pinging me.

To my surprise, ISPs "do" respond to problems.

I traced each of the five offenders. Some were in Brazil and in Europe
while the others were in the USA. I then sent polite E-mail messages
to the security administrators for each ISP. The first to respond was
COMCAST (pre-canned message). However, it did not stop there.
COMCAST took action. I can see in my log when another IP from COMCAST
probed my system (TCP & UDP), then killed the offending IP address.
(i.e. multiple probes, then the offending IP disappeared).

Next was the ISP from Brazil. Very similar logs... they probe my
system then kill the IP. The same occurred for another one in Europe.

Now only two remain and one of the ISPs responded that the
administrator was out until Wednesday (sic)

There is hope ;-)

______________________

The Traveller
Carlsbad, California