Linksys WPC11 Instant Wireless Configuration Utility version 1.5 sends data over TCP Port 13 - [ Daytime ]

 
 
Stimpson J. Cat

 
      08-21-2003, 03:07 PM
I just sent this mailing to Linksys after two, separate (frustrating!)
calls to Linksys technical support.

I thought that this might be of interest:


- - - - -


We have noticed that the newer version of the Linksys WPC11 Instant
Wireless Configuration Utility that comes bundled with the Linksys
drivers sends packets to various Internet IP addresses via TCP Port 13 -
[ Daytime ]. This aforementioned suspicious packet activity can be
replicated and viewed quite easily using a Windows 2000 or Windows XP
computer:


-1- Download and install the latest WPC11 version 3 drivers from the
Linksys FTP site:

ftp://ftp.linksys.com/pub/network/wp...ity_053003.exe


-2- Download and install TCPView from the following Website:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml


-3- Start TCPView.

-4- Start the Linksys Wireless Configuration Utility version 1.5 and
configure the WPC11 version 3. Almost immediately, packets will be sent
to various Internet IP Addresses via TCP Port 13 and the suspicious Port
13 activity will appear in the TCPView listing of current network
activity.

-5- Exiting out of the Instant Wireless Configuration Utility will
immediately suspend the suspicious Port 13 activity.


Listed below is a SMALL sampling of the suspicious TCP Port 13 activity
as captured by our firewall logfiles:


- - - - - B E G I N F I R E W A L L L O G - - - - -


Sending TCP Reset as port (13) not allowed. Original packet
(192.168.10.185->81.52.249.54: Protocol=TCP[SYN] Port 1028->13) received
on interface 192.168.10.83

Sending TCP Reset as port (13) not allowed. Original packet
(192.168.10.185->209.246.46.51: Protocol=TCP[SYN] Port 1028->13) received
on interface 192.168.10.83

Sending TCP Reset as port (13) not allowed. Original packet
(192.168.10.185->81.52.249.71: Protocol=TCP[SYN] Port 1028->13) received
on interface 192.168.10.83

Sending TCP Reset as port (13) not allowed. Original packet
(192.168.10.185->81.52.249.95: Protocol=TCP[SYN] Port 1028->13) received
on interface 192.168.10.83


- - - - - E N D F I R E W A L L L O G - - - - -


This aforementioned behavior is also seen using version 1.4 of the
Instant Wireless Configuration Utility for the WPC11 version 3.


- - - - -


meatjamesgracedotcom

 
 
 
 
 
TC

 
      08-21-2003, 03:17 PM
"Stimpson J. Cat" <(E-Mail Removed)> wrote in
news:Xns93DE7153CF30Cstimpsonjcatorg@140.99.99.130 :

> I just sent this mailing to Linksys after two, separate (frustrating!)
> calls to Linksys technical support.
>
> I thought that this might be of interest:
>
>
> - - - - -
>
>
> We have noticed that the newer version of the Linksys WPC11 Instant
> Wireless Configuration Utility that comes bundled with the Linksys
> drivers sends packets to various Internet IP addresses via TCP Port 13
> - [ Daytime ]. This aforementioned suspicious packet activity can be
> replicated and viewed quite easily using a Windows 2000 or Windows XP
> computer:
>
>
> -1- Download and install the latest WPC11 version 3 drivers from the
> Linksys FTP site:
>
> ftp://ftp.linksys.com/pub/network/wp...ity_053003.exe
>
>
> -2- Download and install TCPView from the following Website:
>
> http://www.sysinternals.com/ntw2k/source/tcpview.shtml
>
>
> -3- Start TCPView.
>
> -4- Start the Linksys Wireless Configuration Utility version 1.5 and
> configure the WPC11 version 3. Almost immediately, packets will be
> sent to various Internet IP Addresses via TCP Port 13 and the
> suspicious Port 13 activity will appear in the TCPView listing of
> current network activity.
>
> -5- Exiting out of the Instant Wireless Configuration Utility will
> immediately suspend the suspicious Port 13 activity.
>
>
> Listed below is a SMALL sampling of the suspicious TCP Port 13
> activity as captured by our firewall logfiles:
>
>
> - - - - - B E G I N F I R E W A L L L O G - - - - -
>
>
> Sending TCP Reset as port (13) not allowed. Original packet
> (192.168.10.185->81.52.249.54: Protocol=TCP[SYN] Port 1028->13)
> received on interface 192.168.10.83
>
> Sending TCP Reset as port (13) not allowed. Original packet
> (192.168.10.185->209.246.46.51: Protocol=TCP[SYN] Port 1028->13)
> received on interface 192.168.10.83
>
> Sending TCP Reset as port (13) not allowed. Original packet
> (192.168.10.185->81.52.249.71: Protocol=TCP[SYN] Port 1028->13)
> received on interface 192.168.10.83
>
> Sending TCP Reset as port (13) not allowed. Original packet
> (192.168.10.185->81.52.249.95: Protocol=TCP[SYN] Port 1028->13)
> received on interface 192.168.10.83
>
>
> - - - - - E N D F I R E W A L L L O G - - - - -
>
>
> This aforementioned behavior is also seen using version 1.4 of the
> Instant Wireless Configuration Utility for the WPC11 version 3.
>
>
> - - - - -
>
>
> meatjamesgracedotcom
>


/\/\/\/\
It is just updating its clock. Port 13 is time/clock service. Earlier
versions used FM (fu...king magic) to set their clocks but newer routers
have resorted to communicating with time servers (via UDP/TCP port 13
?!??!?).
campbell
 
 
Stimpson J. Cat

 
      08-21-2003, 05:13 PM
I know what TCP Port 13 is!

-1- It isn't sending the data to [ Daytime ] servers and it is making
HUNDREDS of attempts to send data to various Internet IP addresses...

-2- Why would a Wireless NIC configuration utility be attempting to set my
computer's clock using Daytime instead of using NTP?


This is also being discussed in:

alt.privacy.spyware




TC <(E-Mail Removed)> wrote in news:Xns93DE54614DF81Campbell@
207.225.159.8:

> /\/\/\/\
> It is just updating its clock. Port 13 is time/clock service. Earlier
> versions used FM (fu...king magic) to set their clocks but newer routers
> have resorted to communicating with time servers (via UDP/TCP port 13
> ?!??!?).
> campbell
>


 
 
TC

 
      08-21-2003, 06:49 PM
"Stimpson J. Cat" <(E-Mail Removed)> wrote in message
news:Xns93DE86C3CAD6stimpsonjcatorg@140.99.99.130. ..
> I know what TCP Port 13 is!
>
> -1- It isn't sending the data to [ Daytime ] servers and it is making
> HUNDREDS of attempts to send data to various Internet IP addresses...
>
> -2- Why would a Wireless NIC configuration utility be attempting to set my
> computer's clock using Daytime instead of using NTP?
>
>
> This is also being discussed in:
>
> alt.privacy.spyware
>
>
>
>
> TC <(E-Mail Removed)> wrote in news:Xns93DE54614DF81Campbell@
> 207.225.159.8:
>
> > /\/\/\/\
> > It is just updating its clock. Port 13 is time/clock service. Earlier
> > versions used FM (fu...king magic) to set their clocks but newer routers
> > have resorted to communicating with time servers (via UDP/TCP port 13
> > ?!??!?).
> > campbell
> >


/\/\/\/\/\
Well ... you're absolutely correct ... and this is probably a terrible plot
being executed.
However ... the "two" sites previously posted as being continually contacted
and rejecting a port 13 inquiry ...

- from previously posted log -
> Sending TCP Reset as port (13) not allowed. Original packet
> (192.168.10.185->81.52.249.54: Protocol=TCP[SYN] Port 1028->13)
> received on interface 192.168.10.83
>
> Sending TCP Reset as port (13) not allowed. Original packet
> (192.168.10.185->209.246.46.51: Protocol=TCP[SYN] Port 1028->13)
> received on interface 192.168.10.83


81.52.249.54
and
209.246.46.51

both are time servers.

I just tested them and they both reject a port 13 (daytime) inquiry (they
also reject port 37/time) but respond very nicely to an SNTP/NTP (port 123)
inquiry.

One of the errant port 13 packets should be captured and the contents
examined to reveal the secret information the software is attempting to
offload to the time servers.

IMHO as always ...
campbell
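
The firewall excerpt posted in this thread can be reduced to a per-host summary of blocked port 13 attempts. The following is an added example, not part of any poster's message; the names `parse_entries` and `summarize` are hypothetical, and the log format is assumed to be exactly the one shown in the excerpt.

```python
import re
from collections import defaultdict

# The four entries from the firewall excerpt in the thread, wrapped as posted.
SAMPLE_LOG = """
Sending TCP Reset as port (13) not allowed. Original packet
(192.168.10.185->81.52.249.54: Protocol=TCP[SYN] Port 1028->13) received
on interface 192.168.10.83
Sending TCP Reset as port (13) not allowed. Original packet
(192.168.10.185->209.246.46.51: Protocol=TCP[SYN] Port 1028->13) received
on interface 192.168.10.83
Sending TCP Reset as port (13) not allowed. Original packet
(192.168.10.185->81.52.249.71: Protocol=TCP[SYN] Port 1028->13) received
on interface 192.168.10.83
Sending TCP Reset as port (13) not allowed. Original packet
(192.168.10.185->81.52.249.95: Protocol=TCP[SYN] Port 1028->13) received
on interface 192.168.10.83
"""

ENTRY = re.compile(
    r"Original packet \((?P<src>[\d.]+)->(?P<dst>[\d.]+): "
    r"Protocol=(?P<proto>\w+)\[(?P<flags>[A-Z,]+)\] "
    r"Port (?P<sport>\d+)->(?P<dport>\d+)\)"
)

def parse_entries(text):
    """Return one dict per logged packet; entries may wrap across lines."""
    flat = " ".join(text.split())  # undo mail-style line wrapping
    entries = []
    for m in ENTRY.finditer(flat):
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries

def summarize(entries, dport=13):
    """Per source host: distinct destinations, attempts, all-bare-SYN flag."""
    report = defaultdict(lambda: {"destinations": set(), "attempts": 0, "syn_only": True})
    for e in entries:
        if e["proto"] == "TCP" and e["dport"] == dport:
            row = report[e["src"]]
            row["destinations"].add(e["dst"])
            row["attempts"] += 1
            row["syn_only"] = row["syn_only"] and e["flags"] == "SYN"
    return dict(report)

if __name__ == "__main__":
    for src, row in summarize(parse_entries(SAMPLE_LOG)).items():
        print(src, row["attempts"], sorted(row["destinations"]), row["syn_only"])
```

Every entry in the excerpt is a bare SYN that the firewall reset, so the log records connection attempts only and says nothing about payload. With TCP Daytime (RFC 867) the server sends the time string once the connection opens and the client sends no request.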


 