Gentoo Archives: gentoo-user

From: Dale <dalek@××××××××××.net>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Strange traffic says I am using windoze and have a bug.
Date: Mon, 26 Dec 2005 05:15:38
Message-Id: 43AF7B37.10807@exceedtech.net
Hi guys, and Holly, :D

I'm on dial-up and try to watch my traffic and every once in a while I
see a little blip on gkrellm. I fired up Ethereal and started to sniff
around. Pardon the pun there. LOL This is what it says though which
is strange. It's really the last two lines that matter but I am putting
the whole thing here just in case. Sorry so long.
8
> No.  Time      Source           Destination      Protocol   Info
> 1    0.000000  215.146.157.191  205.208.159.31   Messenger  NetrSendMessage request
>
> Frame 1 (710 bytes on wire, 710 bytes captured)
>     Arrival Time: Dec 25, 2005 22:50:19.101533000
>     Time delta from previous packet: 0.000000000 seconds
>     Time since reference or first frame: 0.000000000 seconds
>     Frame Number: 1
>     Packet Length: 710 bytes
>     Capture Length: 710 bytes
>     Protocols in frame: sll:ip:udp:dcerpc
> Linux cooked capture
>     Packet type: Unicast to us (0)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
> Internet Protocol, Src: 215.146.157.191 (215.146.157.191), Dst: 205.208.159.31 (205.208.159.31)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 694
>     Identification: 0x7411 (29713)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 53
>     Protocol: UDP (0x11)
>     Header checksum: 0x2ce4 [correct]
>         Good: True
>         Bad : False
>     Source: 215.146.157.191 (215.146.157.191)
>     Destination: 205.208.159.31 (205.208.159.31)
> User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
>     Source port: 44356 (44356)
>     Destination port: 1026 (1026)
>     Length: 674
>     Checksum: 0x0000 (none)
> DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 583
>     Version: 4
>     Packet type: Request (0)
>     Flags1: 0x78 "Broadcast" "Idempotent" "Maybe" "No Fack"
>         0... .... = Reserved: Not set
>         .1.. .... = Broadcast: Set
>         ..1. .... = Idempotent: Set
>         ...1 .... = Maybe: Set
>         .... 1... = No Fack: Set
>         .... .0.. = Fragment: Not set
>         .... ..0. = Last Fragment: Not set
>         .... ...0 = Reserved: Not set
>     Flags2: 0x00
>         0... .... = Reserved: Not set
>         .0.. .... = Reserved: Not set
>         ..0. .... = Reserved: Not set
>         ...0 .... = Reserved: Not set
>         .... 0... = Reserved: Not set
>         .... .0.. = Reserved: Not set
>         .... ..0. = Cancel Pending: Not set
>         .... ...0 = Reserved: Not set
>     Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE)
>         Byte order: Little-endian (1)
>         Character: ASCII (0)
>         Floating-point: IEEE (0)
>     Serial High: 0x00
>     Object UUID: 00000000-0000-0000-0000-000000000000
>     Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
>     Activity: 00000000-0000-0000-0000-000000000000
>     Server boot time: Unknown (0)
>     Interface Ver: 1
>     Sequence num: 0
>     Opnum: 0
>     Interface Hint: 0xffff
>     Activity Hint: 0xffff
>     Fragment len: 583
>     Fragment num: 0
>     Auth proto: None (0)
>     Serial Low: 0x00
>     Authentication verifier
> Microsoft Messenger Service, NetrSendMessage
>     Operation: NetrSendMessage (0)
>     Server
>         Max Count: 10
>         Offset: 0
>         Actual Count: 10
>         Server: Microsoft
>     Client
>         Max Count: 35
>         Offset: 0
>         Actual Count: 35
>         Client: inform you about a virus detection
>     Message
>         Max Count: 497
>         Offset: 0
>         Actual Count: 497
>         Message [truncated]: Windows has detected a virus on your system. In order to remove it
>         please follow this steps:\n\n1. Start Microsoft Internet Explorer or your default web
>         browser.\n2. Type into the navigation bar: http://www.cleanmyreg.


What is this? Is this some spam and it pops up a window if I were using
windoze? I went to the site and it looks like they want to sell
something, which I ain't buying by the way. ;-) How can I tell them
to stop this? Oh, only my main rig does this. My three servers which
have no GUI stuff or browsers installed do not get this, that I can see
anyway.

Another thing a bit off topic. I noticed earlier that there was a post
in some foreign language, looked like Japanese or Chinese and looked
like spam to me. Later I got one in my personal email. Can someone get
my email address from this list? I have got a few emails from people,
which is OK as long as it is not spam. Just curious. I like the list
but I didn't know my private email would become public, if this is true.

Thanks for any light you can shed on this.

Dale
:-)

--
To err is human, I'm most certainly human.

I have four rigs:

1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 128MBs of ram and a 2.5GB drive.
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.

--
gentoo-user@g.o mailing list
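What the capture above shows is a connectionless (version 4) DCE RPC request addressed to the Microsoft Messenger service interface (5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc), opnum 0 = NetrSendMessage, the call behind the "net send" pop-up windows that were widely abused for unsolicited advertising in that period. A Linux host runs no Messenger service, so the datagram is simply discarded. The following Python is an added example, not code from Dale's post or from the list: it decodes the 80-byte connectionless DCE RPC header and the three NDR conformant-varying strings (server, client, message) that NetrSendMessage carries, and flags the payload so it can be recognised in a capture or a UDP log. The sample packet is constructed to mirror the field values Ethereal displayed (interface UUID, opnum 0, flags1 0x78, little-endian data representation, the "Microsoft" / "inform you about a virus detection" strings) and is not a byte-for-byte copy of the capture; the message text is a constructed, shortened stand-in for the truncated one on the page.

```python
"""Recognise Microsoft Messenger NetrSendMessage pop-ups in a UDP payload.

Added example, not part of the mailing-list post. The sample packet is
constructed to mirror the header values Ethereal showed for this capture.
"""
import struct
import uuid

# Interface UUID of the Messenger service, as shown in the capture.
MESSENGER_IF = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
NETRSENDMESSAGE_OPNUM = 0      # "Operation: NetrSendMessage (0)"
PTYPE_REQUEST = 0              # "Packet type: Request (0)"
CL_HEADER_LEN = 80             # fixed size of the connectionless PDU header


def parse_cl_header(payload: bytes) -> dict:
    """Decode the 80-byte connectionless header; raise ValueError if it is not one."""
    if len(payload) < CL_HEADER_LEN:
        raise ValueError("shorter than a CL header")
    vers, ptype, flags1, flags2 = struct.unpack_from("<4B", payload, 0)
    if vers != 4:
        raise ValueError("rpc_vers %d is not connectionless DCE RPC" % vers)
    drep = payload[4:7]
    little = (drep[0] >> 4) == 1           # high nibble 1 = little-endian integers
    end = "<" if little else ">"

    def as_uuid(raw: bytes) -> uuid.UUID:
        # UUID fields follow the integer byte order announced in drep.
        return uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)

    server_boot, if_vers, seqnum = struct.unpack_from(end + "III", payload, 56)
    opnum, ihint, ahint, frag_len, fragnum = struct.unpack_from(end + "5H", payload, 68)
    return {
        "ptype": ptype, "flags1": flags1, "flags2": flags2, "end": end,
        "object": as_uuid(payload[8:24]),
        "interface": as_uuid(payload[24:40]),
        "activity": as_uuid(payload[40:56]),
        "server_boot": server_boot, "if_vers": if_vers, "seqnum": seqnum,
        "opnum": opnum, "frag_len": frag_len, "fragnum": fragnum,
        "auth_proto": payload[78],
    }


def _read_ndr_string(stub: bytes, off: int, end: str) -> tuple:
    """Read one NDR conformant varying char array: max, offset, actual, chars."""
    off = (off + 3) & ~3                  # the three counts are 4-byte aligned
    if off + 12 > len(stub):
        raise ValueError("stub truncated before string header")
    max_count, offset, actual = struct.unpack_from(end + "III", stub, off)
    off += 12
    raw = stub[off:off + actual]          # shorter than 'actual' if the capture was cut
    text = raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return text, off + actual, len(raw) < actual


def classify(payload: bytes) -> dict:
    """Return a verdict dict for one UDP payload."""
    try:
        hdr = parse_cl_header(payload)
    except ValueError as exc:
        return {"verdict": "not-dcerpc-cl", "reason": str(exc)}
    if hdr["interface"] != MESSENGER_IF:
        return {"verdict": "dcerpc-other", "interface": str(hdr["interface"])}
    if hdr["ptype"] != PTYPE_REQUEST or hdr["opnum"] != NETRSENDMESSAGE_OPNUM:
        return {"verdict": "messenger-other", "opnum": hdr["opnum"]}
    stub = payload[CL_HEADER_LEN:CL_HEADER_LEN + hdr["frag_len"]]
    out = {"verdict": "messenger-popup", "broadcast": bool(hdr["flags1"] & 0x40)}
    off, truncated = 0, False
    for name in ("server", "client", "message"):
        try:
            out[name], off, short = _read_ndr_string(stub, off, hdr["end"])
        except ValueError:
            out[name], short = "", True
        truncated = truncated or short
    out["truncated"] = truncated
    return out


def _ndr_string(text: str) -> bytes:
    data = text.encode("ascii") + b"\x00"
    return struct.pack("<III", len(data), 0, len(data)) + data


def build_sample_packet(server: str, client: str, message: str) -> bytes:
    """Constructed NetrSendMessage request using the header values from the capture."""
    stub = b""
    for text in (server, client, message):
        stub += b"\x00" * (-len(stub) % 4)   # NDR alignment before each count triple
        stub += _ndr_string(text)
    header = struct.pack("<BBBB3sB", 4, PTYPE_REQUEST, 0x78, 0x00, b"\x10\x00\x00", 0)
    header += bytes(16) + MESSENGER_IF.bytes_le + bytes(16)   # object, interface, activity
    header += struct.pack("<III", 0, 1, 0)          # server boot 0, if_vers 1, seqnum 0
    header += struct.pack("<5H", NETRSENDMESSAGE_OPNUM, 0xFFFF, 0xFFFF, len(stub), 0)
    header += bytes([0, 0])                          # auth_proto None, serial_lo
    return header + stub


# Constructed samples: a pop-up like the one in the post, and an unrelated payload.
SAMPLE_POPUP = build_sample_packet(
    "Microsoft",
    "inform you about a virus detection",
    "Windows has detected a virus on your system. In order to remove it ...")
SAMPLE_OTHER = b"\x12\x34\x01\x00\x00\x01" + bytes(74)   # not a version-4 PDU

if __name__ == "__main__":
    for pkt in (SAMPLE_POPUP, SAMPLE_OTHER):
        print(classify(pkt))
```

The message is a single UDP datagram with no prior exchange, so the receiving side never has to answer it; on a Linux box with nothing listening on port 1026 the kernel drops it, and a host firewall rule that discards unsolicited inbound UDP keeps it out of the capture altogether. The `truncated` flag in the verdict covers the case Ethereal marked with `[truncated]` above: the string header promises more bytes than the captured stub holds, and the parser reports that rather than failing.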

Replies

Subject Author
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug. Holly Bostick <motub@××××××.nl>
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug. Walter Dnes <waltdnes@××××××××.org>