Hi guys, and Holly,  :D

I'm on dial-up and try to watch my traffic, and every once in a while I see a little blip on gkrellm. I fired up Ethereal and started to sniff around. Pardon the pun there. LOL. This is what it says, though, which is strange. It's really the last two lines that matter but I am putting the whole thing here just in case. Sorry so long.

No.  Time      Source           Destination     Protocol   Info
1    0.000000  215.146.157.191  205.208.159.31  Messenger  NetrSendMessage request

Frame 1 (710 bytes on wire, 710 bytes captured)
    Arrival Time: Dec 25, 2005 22:50:19.101533000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 710 bytes
    Capture Length: 710 bytes
    Protocols in frame: sll:ip:udp:dcerpc
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src: 215.146.157.191 (215.146.157.191), Dst: 205.208.159.31 (205.208.159.31)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 694
    Identification: 0x7411 (29713)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: UDP (0x11)
    Header checksum: 0x2ce4 [correct]
        Good: True
        Bad : False
    Source: 215.146.157.191 (215.146.157.191)
    Destination: 205.208.159.31 (205.208.159.31)
User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
    Source port: 44356 (44356)
    Destination port: 1026 (1026)
    Length: 674
    Checksum: 0x0000 (none)
DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 583
    Version: 4
    Packet type: Request (0)
    Flags1: 0x78 "Broadcast" "Idempotent" "Maybe" "No Fack"
        0... .... = Reserved: Not set
        .1.. .... = Broadcast: Set
        ..1. .... = Idempotent: Set
        ...1 .... = Maybe: Set
        .... 1... = No Fack: Set
        .... .0.. = Fragment: Not set
        .... ..0. = Last Fragment: Not set
        .... ...0 = Reserved: Not set
    Flags2: 0x00
        0... .... = Reserved: Not set
        .0.. .... = Reserved: Not set
        ..0. .... = Reserved: Not set
        ...0 .... = Reserved: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Reserved: Not set
        .... ..0. = Cancel Pending: Not set
        .... ...0 = Reserved: Not set
    Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Serial High: 0x00
    Object UUID: 00000000-0000-0000-0000-000000000000
    Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
    Activity: 00000000-0000-0000-0000-000000000000
    Server boot time: Unknown (0)
    Interface Ver: 1
    Sequence num: 0
    Opnum: 0
    Interface Hint: 0xffff
    Activity Hint: 0xffff
    Fragment len: 583
    Fragment num: 0
    Auth proto: None (0)
    Serial Low: 0x00
    Authentication verifier
Microsoft Messenger Service, NetrSendMessage
    Operation: NetrSendMessage (0)
    Server
        Max Count: 10
        Offset: 0
        Actual Count: 10
        Server: Microsoft
    Client
        Max Count: 35
        Offset: 0
        Actual Count: 35
        Client: inform you about a virus detection
    Message
        Max Count: 497
        Offset: 0
        Actual Count: 497
        Message [truncated]: Windows has detected a virus on your system. In order to remove it please follow this steps:\n\n1. Start Microsoft Internet Explorer or your default web browser.\n2. Type into the navigation bar: http://www.cleanmyreg.


What is this? Is this some spam and it pops up a window if I were using windoze? I went to the site and it looks like they want to sell something, which I ain't buying by the way. ;-) How can I tell them to stop this? Oh, only my main rig does this. My three servers which have no GUI stuff or browsers installed do not get this, that I can see anyway.

Another thing, a bit off topic. I noticed earlier that there was a post in some foreign language, looked like Japanese or Chinese, and looked like spam to me. Later I got one in my personal email. Can someone get my email address from this list? I have got a few emails from people, which is OK as long as it is not spam. Just curious. I like the list but I didn't know my private email would become public, if this is true.

Thanks for any light you can shed on this.

Dale
:-)

--
To err is human, I'm most certainly human.

I have four rigs:

1:  Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives.
2:  Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive.
3:  Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 128MBs of ram and a 2.5GB drive.
4:  Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive.

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.
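
Added example, not part of the original post: a small check that reads the connectionless DCE RPC (version 4) header fields listed in the dump above from a UDP payload and flags requests addressed to the Messenger interface UUID with opnum 0. The function names and the `build_sample` test datagram are assumptions made for this illustration; the sample bytes are constructed, not taken from the capture.

```python
import struct
import uuid

# Interface UUID and opnum exactly as shown in the dump above.
MESSENGER_IF = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
NETR_SEND_MESSAGE = 0
HDR_LEN = 80  # fixed size of the connectionless (version 4) DCE RPC header


def parse_cl_header(payload: bytes):
    """Parse a connectionless DCE RPC header from a UDP payload, or return None."""
    if len(payload) < HDR_LEN or payload[0] != 4:
        return None
    little = (payload[4] >> 4) == 1  # first data-representation byte: 1 = little-endian
    end = "<" if little else ">"
    if_raw = payload[24:40]
    if_id = uuid.UUID(bytes_le=if_raw) if little else uuid.UUID(bytes=if_raw)
    # opnum, interface hint, activity hint, fragment length, fragment number
    opnum, _ihint, _ahint, frag_len, frag_num = struct.unpack_from(end + "5H", payload, 68)
    return {
        "ptype": payload[1],
        "flags1": payload[2],
        "interface": if_id,
        "opnum": opnum,
        "frag_len": frag_len,
        "frag_num": frag_num,
        "auth_proto": payload[78],
        # True when the datagram carries fewer body bytes than the header claims
        "truncated": len(payload) - HDR_LEN < frag_len,
    }


def is_messenger_popup(payload: bytes) -> bool:
    """True for a NetrSendMessage request to the Messenger interface, as in the dump."""
    h = parse_cl_header(payload)
    return bool(h and h["ptype"] == 0 and h["interface"] == MESSENGER_IF
                and h["opnum"] == NETR_SEND_MESSAGE)


def build_sample(if_id: uuid.UUID, opnum: int, body: bytes) -> bytes:
    """Constructed test datagram: header values mirror the dump, body is a placeholder."""
    hdr = bytes([4, 0, 0x78, 0, 0x10, 0, 0, 0])    # version, ptype, flags1, flags2, drep, serial high
    hdr += bytes(16) + if_id.bytes_le + bytes(16)  # object, interface, activity UUIDs
    hdr += struct.pack("<IIIHHHHHBB", 0, 1, 0, opnum, 0xFFFF, 0xFFFF, len(body), 0, 0, 0)
    return hdr + body
```

The input is the UDP payload only (the bytes after the UDP header), such as the datagram to destination port 1026 in the capture.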