strange network activity on port 123 / 1230

I am experiencing some very strange network activity. Some of the
PC on my network are sending a UDP packet from port UDP
123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.

Any suggestion?

Thank you.

Malke
Thu Nov 10 07:37:07 CST 2005

Daniele GB wrote:

> I am experiencing some very strange network activity. Some of the
> PC on my network are sending a UDP packet from port UDP
> 123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.
>
> Any suggestion?
>
> Thank you.

That would be a private IP address. Do you have a networked printer?
Webserver/firewall-type piece of hardware on the network?

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

DanieleGB
Thu Nov 10 08:06:08 CST 2005

I have several networked printer.
Is a printer the problem?

"Malke" wrote:

> Daniele GB wrote:
>
> > I am experiencing some very strange network activity. Some of the
> > PC on my network are sending a UDP packet from port UDP
> > 123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.
> >
> > Any suggestion?
> >
> > Thank you.
>
> That would be a private IP address. Do you have a networked printer?
> Webserver/firewall-type piece of hardware on the network?
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

Malke
Thu Nov 10 08:32:34 CST 2005

Daniele GB wrote:

> I have several networked printer.
> Is a printer the problem?
>
> "Malke" wrote:
>
>> Daniele GB wrote:
>>
>> > I am experiencing some very strange network activity. Some of the
>> > PC on my network are sending a UDP packet from port UDP
>> > 123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.
>> >

Now, without seeing your computers and knowing what printers you have,
how could I possibly answer that? Make a note of your printers' names
and models and go to their respective mftr.'s websites for tech support
contact. Then contact tech support for the printers and ask the
question there.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

DanieleGB
Thu Nov 10 08:55:03 CST 2005

Sorry but I don't understand.
Why you say "That would be a private IP address. Do you have a networked
printer?
Webserver/firewall-type piece of hardware on the network?" ?

I answer that I have networked printer and I would like know why if I have a
networked printer I see this activity on port 123.

Sorry for my bad English, I hope you understand.

Thank you.


"Malke" wrote:

> Daniele GB wrote:
>
> > I have several networked printer.
> > Is a printer the problem?
> >
> > "Malke" wrote:
> >
> >> Daniele GB wrote:
> >>
> >> > I am experiencing some very strange network activity. Some of the
> >> > PC on my network are sending a UDP packet from port UDP
> >> > 123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.
> >> >
>
> Now, without seeing your computers and knowing what printers you have,
> how could I possibly answer that? Make a note of your printers' names
> and models and go to their respective mftr.'s websites for tech support
> contact. Then contact tech support for the printers and ask the
> question there.
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

Mister
Thu Nov 10 09:28:07 CST 2005


"Daniele GB" <DanieleGB@discussions.microsoft.com> wrote in message
news:FD4B802E-A6C6-42B0-B3BF-926D54DB0381@microsoft.com...
> I am experiencing some very strange network activity. Some of the
> PC on my network are sending a UDP packet from port UDP
> 123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.
>
> Any suggestion?
>
> Thank you.


http://www.iss.net/security_center/advice/Exploits/Ports/123/default.htm

http://isc.sans.org/port_details.php?port=1230



Do you have a Pocket PC?
http://snipurl.com/jqcd


--
M K

Malke
Thu Nov 10 10:28:09 CST 2005

Daniele GB wrote:

> Sorry but I don't understand.
> Why you say "That would be a private IP address. Do you have a
> networked printer?
> Webserver/firewall-type piece of hardware on the network?" ?
>
> I answer that I have networked printer and I would like know why if I
> have a networked printer I see this activity on port 123.
>
I asked you what devices you have on your network because the 192.*
subnet is a private subnet, not one that leads to the Internet.
Therefore if you are getting network activity going to a 192.* address,
that activity is not directed at the outside world. Malware would want
to get to the outside world. Only you know what devices you have on
your network.

Also see the answer you got from Mister Kurtz.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

bill
Thu Nov 10 19:20:01 CST 2005

that address 192.0.0.192 is the default address that an hp jetdirect print
server defaults to if it hasn't been given one. hope that helps.

"Daniele GB" wrote:

> I am experiencing some very strange network activity. Some of the
> PC on my network are sending a UDP packet from port UDP
> 123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.
>
> Any suggestion?
>
> Thank you.

Malke
Thu Nov 10 19:37:37 CST 2005

bill wrote:

> that address 192.0.0.192 is the default address that an hp jetdirect
> print server defaults to if it hasn't been given one. hope that helps.
>
> "Daniele GB" wrote:
>
>> I am experiencing some very strange network activity. Some of the
>> PC on my network are sending a UDP packet from port UDP
>> 123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.
>>
>> Any suggestion?
>>
>> Thank you.

Awesome, Bill. I hope the OP comes back for the info, but in any case
I'm glad to have it. Thanks!

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Imhotep
Thu Nov 10 19:54:55 CST 2005

Daniele GB wrote:

> I am experiencing some very strange network activity. Some of the
> PC on my network are sending a UDP packet from port UDP
> 123 outbound to IP 192.0.0.192 port 1230 every 17 seconds.
>
> Any suggestion?
>
> Thank you.

Port 123 is ntp (network time protocol) port. It is used to keep your
computer's time accurate. Not sure what 1230 is registered to. Google it.

Imhotep

DanieleGB
Fri Nov 11 10:33:02 CST 2005



"Malke" wrote:

> Daniele GB wrote:
>
> > Sorry but I don't understand.
> > Why you say "That would be a private IP address. Do you have a
> > networked printer?
> > Webserver/firewall-type piece of hardware on the network?" ?
> >
> > I answer that I have networked printer and I would like know why if I
> > have a networked printer I see this activity on port 123.
> >
> I asked you what devices you have on your network because the 192.*
> subnet is a private subnet, not one that leads to the Internet.
> Therefore if you are getting network activity going to a 192.* address,
> that activity is not directed at the outside world. Malware would want
> to get to the outside world. Only you know what devices you have on
> your network.
>
> Also see the answer you got from Mister Kurtz.
>
> Malke
> --


Ok, the 192.0.0.192 is a private address. But I find strange that 20 PC make
a UDP activity at the same time to this address.
I have a Firewall that block this activity.
I have installed ZoneAlarm Firewall too, and say that the application
svchost.exe try to connect to ip 192.0.0.192:1230

Is possible a virus?

Malke
Fri Nov 11 12:57:45 CST 2005

Daniele GB wrote:

>
> Ok, the 192.0.0.192 is a private address. But I find strange that 20
> PC make a UDP activity at the same time to this address.
> I have a Firewall that block this activity.
> I have installed ZoneAlarm Firewall too, and say that the application
> svchost.exe try to connect to ip 192.0.0.192:1230
>
> Is possible a virus?

Didn't you read your other responses? Someone named Bill says this is
the address that an HP Jet Direct print server defaults to unless
otherwise assigned. You should probably have your IT Dept. come in and
make sure everything is set up correctly. If you are the IT Dept. hire
an outside pro as a one-time event.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User