This is not that. They do not have source ports of 6666 - they are dynamically assigned source ports in "normal" ranges (1024+). They do not contain a meaningful payload. Here is the ASCII cap of a few of them:
802.1Q vlan#604 P0 137.99.175.80.3233 > 192.189.8.166.1026: [udp sum ok] udp 2 (ttl 126, id 28390, len 30)
  0x0000  025c 0800 4500 001e 6ee6 0000 7e11 cbd1  .\..E...n...~...
  0x0010  8963 af50 c0bd 08a6 0ca1 0402 000a ed1f  .c.P............
  0x0020  0000 ffff ffff ffff ffff ffff ffff ffff  ................
  0x0030  ffff                                     ..
802.1Q vlan#604 P0 137.99.175.80.3234 > 192.189.8.166.1030: [udp sum ok] udp 2 (ttl 126, id 28391, len 30)
  0x0000  025c 0800 4500 001e 6ee7 0000 7e11 cbd0  .\..E...n...~...
  0x0010  8963 af50 c0bd 08a6 0ca2 0406 000a ed1a  .c.P............
  0x0020  0000 ffff ffff ffff ffff ffff ffff ffff  ................
  0x0030  ffff                                     ..
802.1Q vlan#604 P0 137.99.175.80.3233 > 171.75.168.173.1026: [udp sum ok] udp 2 (ttl 126, id 28392, len 30)
  0x0000  025c 0800 4500 001e 6ee8 0000 7e11 413a  .\..E...n...~.A:
  0x0010  8963 af50 ab4b a8ad 0ca1 0402 000a 628a  .c.P.K........b.
  0x0020  0000 ffff ffff ffff ffff ffff ffff ffff  ................
  0x0030  ffff                                     ..
802.1Q vlan#604 P0 137.99.175.80.3234 > 171.75.168.173.1030: [udp sum ok] udp 2 (ttl 126, id 28393, len 30)
  0x0000  025c 0800 4500 001e 6ee9 0000 7e11 4139  .\..E...n...~.A9
  0x0010  8963 af50 ab4b a8ad 0ca2 0406 000a 6285  .c.P.K........b.
  0x0020  0000 ffff ffff ffff ffff ffff ffff ffff  ................
  0x0030  ffff                                     ..

On Tue, 2003-12-02 at 04:16, Nicob wrote:
> On Tue, 2003-12-02 at 03:10, Rodrigues, Philip wrote:
> > I'm sitting in front of two Class B's. We saw a steady increase in the unique
> > external IPs scanning us for UDP 1026, 1030 today since 0700 EST. This chart
> > shows the number of unique external IPs with incoming UDP 1026 traffic per hour
> > since noon.
>
> This was discussed this month on some French security related
> newsgroups, and it seems that most of the scans have a source port of
> 666/UDP.
>
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.
>
> F*cking spammers ...

-- 
=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut
email: [EMAIL PROTECTED]
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
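Decoding the first frame of the capture in the message above, as an added example that is not part of the original post: it parses the dumped bytes (which start at the 802.1Q TCI) and separates the 2-byte UDP payload from the ff bytes that lie past the IP total length, i.e. link-layer padding. The function and field names are this example's own.

```python
import socket
import struct

# Hex column of the first packet in the post, copied from the dump.
FRAME = bytes.fromhex("".join("""
    025c 0800 4500 001e 6ee6 0000 7e11 cbd1
    8963 af50 c0bd 08a6 0ca1 0402 000a ed1f
    0000 ffff ffff ffff ffff ffff ffff ffff
    ffff
""".split()))

def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(frame: bytes) -> dict:
    """Decode a dump that starts at the VLAN TCI: TCI, EtherType, IPv4, UDP."""
    tci, ethertype = struct.unpack("!HH", frame[:4])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[4:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:
        raise ValueError("not UDP or truncated")
    (total_len,) = struct.unpack("!H", ip[2:4])
    sport, dport, udp_len = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return {
        "vlan": tci & 0x0FFF,
        "ttl": ip[8],
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "ip_checksum_ok": ip_checksum_ok(ip[:ihl]),
        # UDP length counts the 8-byte header, so payload = udp_len - 8 bytes.
        "payload": ip[ihl + 8:ihl + udp_len],
        # Anything past the IP total length is not part of the datagram.
        "padding": ip[total_len:],
    }

if __name__ == "__main__":
    for key, value in decode(FRAME).items():
        print(f"{key:15} {value!r}")
```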
