[Intrusions] Port 1026 and 1027
Hillery
rhillery at hawksi.org
Thu Jun 3 00:37:28 GMT 2004
Peter,
That would be spam hitting boxes with the ms messenger service open by
default on those ports (kind of a GUI net send). Creates a pop-up box
(that code's already in the ms OS, a DLL I think) with the text as the
content centered in the box. Clicking OK just makes the pop-up go away,
& doesn't actually send you to a link.
That's why spammers use this -- the UDP is light-weight & often open in
FW rules, and an amazing number of people write down the info & visit
the sites.
You may be able to stop the messenger service completely without breaking any apps (ymmv). You should certainly block this traffic at the firewall.
Bob Hillery, CISSP, GCIA
IntelGuardians, LLC
"Quis custodiet ipsos custodes?"
(Juvenal)
Peter Stewart wrote:
>Morning all,
>
>I seem to be seeing a lot of traffic on dst port 1026 and 1027 today. Is
>anyone seeing the same thing, or have any ideas? After looking at the data
>of the packet I am sure I know what this is; I just do not know why it is
>on ports 1026 and 1027.
>
>Sorry for the lack of detail, I was half asleep when I fired up tcpdump
>and forgot the "-vv". My logs indicate that the below packets are the only
>ones received from the src hosts.
>
>08:34:32.325771 218.39.89.244.4418 > 192.168.100.10.1026: udp 529
>0x0000 4500 022d 2fc4 0000 6b11 c52d da27 59f4 E..-/...k..-.'Y.
>0x0010 c0a8 640a 1142 0402 0219 b0e4 0400 2800 ..d..B........(.
>0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
>0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
>0x0040 4fb6 e6fc 9633 f2ac 3133 3132 3030 3032 O....3..13120002
>0x0050 3230 3130 0000 0000 0100 0000 0000 0000 2010............
>0x0060 0000 ffff ffff c101 0000 0000 1300 0000 ................
>0x0070 0000 0000 1300 0000 2020 2020 2020 204c ...............L
>0x0080 4542 5a20 2020 2020 2020 0000 1300 0000 EBZ.............
>0x0090 0000 0000 1300 0000 2020 2020 2020 2020 ................
>0x00a0 596f 7520 2020 2020 2020 0000 7501 0000 You.........u...
>0x00b0 0000 0000 7501 0000 0a0a 544f 524f 4e54 ....u.....TORONT
>0x00c0 4f20 5048 4152 4d41 4345 5554 4943 414c O.PHARMACEUTICAL
>0x00d0 530a 0a54 4f50 204d 4544 533a 2056 4941 S..TOP.MEDS:.VIA
>0x00e0 4752 412c 2043 4941 4c49 532c 2058 414e GRA,.CIALIS,.XAN
>0x00f0 4158 2c20 5641 4c49 554d 2c20 414d 4249 AX,.VALIUM,.AMBI
>0x0100 454e 202e 2e2e 2e0a 0a4f 7572 2067 656e EN.......Our.gen
>0x0110 6572 6963 7320 6172 6520 7468 6520 6578 erics.are.the.ex
>0x0120 6163 7420 7361 6d65 2066 6f72 6d75 6c61 act.same.formula
>0x0130 2061 7320 7468 6520 6e61 6d65 2062 7261 .as.the.name.bra
>0x0140 6e64 732c 206f 6e6c 7920 6d75 6368 2063 nds,.only.much.c
>0x0150 6865 6170 6572 2e0a 4e6f 7720 796f 7520 heaper..Now.you.
>0x0160 6361 6e20 7361 7665 206d 6f6e 6579 2061 can.save.money.a
>0x0170 6e64 2072 6563 6569 7665 2074 6865 2073 nd.receive.the.s
>0x0180 616d 6520 7472 6561 746d 656e 7420 796f ame.treatment.yo
>0x0190 7520 6e65 6564 210a 0a4e 4f20 7072 696f u.need!..NO.prio
>0x01a0 7220 7072 6573 6372 6970 7469 6f6e 206e r.prescription.n
>0x01b0 6565 6465 6421 0a4f 7264 6572 2054 6f72 eeded!.Order.Tor
>0x01c0 6f6e 746f 2074 6f20 6765 7420 7468 6520 onto.to.get.the.
>0x01d0 6269 6767 6573 7420 6469 7363 6f75 6e74 biggest.discount
>0x01e0 7321 0a0a 5479 7065 2074 6865 2066 6f6c s!..Type.the.fol
>0x01f0 6c6f 7769 6e67 2057 4542 2061 6464 7265 lowing.WEB.addre
>0x0200 7373 2069 6e20 796f 7572 2062 726f 7773 ss.in.your.brows
>0x0210 6572 3a0a 0a57 2057 2057 202e 204c 2052 er:..W.W.W...L.R
>0x0220 2042 205a 202e 2055 2053 0a0a 00 .B.Z...U.S...
>08:34:32.381539 218.39.89.244.4598 > 192.168.100.10.1027: udp 529
>0x0000 4500 022d 3058 0000 6b11 c499 da27 59f4 E..-0X..k....'Y.
>0x0010 c0a8 640a 11f6 0403 0219 719b 0400 2800 ..d.......q...(.
>0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
>0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
>0x0040 4fb6 e6fc 3551 9223 3133 3132 3030 3032 O...5Q.#13120002
>0x0050 3230 3130 0000 0000 0100 0000 0000 0000 2010............
>0x0060 0000 ffff ffff c101 0000 0000 1300 0000 ................
>0x0070 0000 0000 1300 0000 2020 2020 2020 204c ...............L
>0x0080 4542 5a20 2020 2020 2020 0000 1300 0000 EBZ.............
>0x0090 0000 0000 1300 0000 2020 2020 2020 2020 ................
>0x00a0 596f 7520 2020 2020 2020 0000 7501 0000 You.........u...
>0x00b0 0000 0000 7501 0000 0a0a 544f 524f 4e54 ....u.....TORONT
>0x00c0 4f20 5048 4152 4d41 4345 5554 4943 414c O.PHARMACEUTICAL
>0x00d0 530a 0a54 4f50 204d 4544 533a 2056 4941 S..TOP.MEDS:.VIA
>0x00e0 4752 412c 2043 4941 4c49 532c 2058 414e GRA,.CIALIS,.XAN
>0x00f0 4158 2c20 5641 4c49 554d 2c20 414d 4249 AX,.VALIUM,.AMBI
>0x0100 454e 202e 2e2e 2e0a 0a4f 7572 2067 656e EN.......Our.gen
>0x0110 6572 6963 7320 6172 6520 7468 6520 6578 erics.are.the.ex
>0x0120 6163 7420 7361 6d65 2066 6f72 6d75 6c61 act.same.formula
>0x0130 2061 7320 7468 6520 6e61 6d65 2062 7261 .as.the.name.bra
>0x0140 6e64 732c 206f 6e6c 7920 6d75 6368 2063 nds,.only.much.c
>0x0150 6865 6170 6572 2e0a 4e6f 7720 796f 7520 heaper..Now.you.
>0x0160 6361 6e20 7361 7665 206d 6f6e 6579 2061 can.save.money.a
>0x0170 6e64 2072 6563 6569 7665 2074 6865 2073 nd.receive.the.s
>0x0180 616d 6520 7472 6561 746d 656e 7420 796f ame.treatment.yo
>0x0190 7520 6e65 6564 210a 0a4e 4f20 7072 696f u.need!..NO.prio
>0x01a0 7220 7072 6573 6372 6970 7469 6f6e 206e r.prescription.n
>0x01b0 6565 6465 6421 0a4f 7264 6572 2054 6f72 eeded!.Order.Tor
>0x01c0 6f6e 746f 2074 6f20 6765 7420 7468 6520 onto.to.get.the.
>0x01d0 6269 6767 6573 7420 6469 7363 6f75 6e74 biggest.discount
>0x01e0 7321 0a0a 5479 7065 2074 6865 2066 6f6c s!..Type.the.fol
>0x01f0 6c6f 7769 6e67 2057 4542 2061 6464 7265 lowing.WEB.addre
>0x0200 7373 2069 6e20 796f 7572 2062 726f 7773 ss.in.your.brows
>0x0210 6572 3a0a 0a57 2057 2057 202e 204c 2052 er:..W.W.W...L.R
>0x0220 2042 205a 202e 2055 2053 0a0a 00 .B.Z...U.S...
>
>Just got this packet; this time I had the "-vv" in tcpdump.
>
>08:56:45.790477 202.106.191.122.24396 > 192.168.100.10.1028: [no cksum] udp 809 (ttl 108, id 35592, len 837)
>0x0000 4500 0345 8b08 0000 6c11 1208 ca6a bf7a E..E....l....j.z
>0x0010 c0a8 640a 5f4c 0404 0331 0000 0400 2800 ..d._L...1....(.
>0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
>0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
>0x0040 4fb6 e6fc 8573 5300 c3de 84b5 3c48 0d5c O....sS.....<H.\
>0x0050 f2d7 8fb0 0000 0000 0100 0000 0000 0000 ................
>0x0060 0000 ffff ffff d902 0000 0000 1300 0000 ................
>0x0070 0000 0000 1300 0000 4d49 4352 4f53 4f46 ........MICROSOF
>0x0080 5420 4e45 5457 4f52 4b53 0000 1300 0000 T.NETWORKS......
>0x0090 0000 0000 1300 0000 5749 4e44 4f57 5320 ........WINDOWS.
>0x00a0 5553 4552 0000 0000 0000 0000 8d02 0000 USER............
>0x00b0 0000 0000 8d02 0000 4d69 6372 6f73 6f66 ........Microsof
>0x00c0 7420 5365 6375 7269 7479 2042 756c 6c65 t.Security.Bulle
>0x00d0 7469 6e20 4d53 3033 2d30 3433 0d0a 0d0a tin.MS03-043....
>0x00e0 4275 6666 6572 204f 7665 7272 756e 2069 Buffer.Overrun.i
>0x00f0 6e20 4d65 7373 656e 6765 7220 5365 7276 n.Messenger.Serv
>0x0100 6963 6520 436f 756c 6420 416c 6c6f 7720 ice.Could.Allow.
>0x0110 436f 6465 2045 7865 6375 7469 6f6e 2028 Code.Execution.(
>0x0120 3832 3830 3335 290d 0a0d 0a41 6666 6563 828035)....Affec
>0x0130 7465 6420 536f 6674 7761 7265 3a20 0d0a ted.Software:...
>0x0140 0d0a 4d69 6372 6f73 6f66 7420 5769 6e64 ..Microsoft.Wind
>0x0150 6f77 7320 4e54 2057 6f72 6b73 7461 7469 ows.NT.Workstati
>0x0160 6f6e 200d 0a4d 6963 726f 736f 6674 2057 on...Microsoft.W
>0x0170 696e 646f 7773 204e 5420 5365 7276 6572 indows.NT.Server
>0x0180 2034 2e30 200d 0a4d 6963 726f 736f 6674 .4.0...Microsoft
>0x0190 2057 696e 646f 7773 2032 3030 3020 2020 .Windows.2000...
>0x01a0 0d0a 4d69 6372 6f73 6f66 7420 5769 6e64 ..Microsoft.Wind
>0x01b0 6f77 7320 5850 2020 0d0a 4d69 6372 6f73 ows.XP....Micros
>0x01c0 6f66 7420 5769 6e64 6f77 7320 5769 6e39 oft.Windows.Win9
>0x01d0 3820 2020 0d0a 4d69 6372 6f73 6f66 7420 8.....Microsoft.
>0x01e0 5769 6e64 6f77 7320 5365 7276 6572 2032 Windows.Server.2
>0x01f0 3030 330d 0a0d 0a4e 6f6e 2041 6666 6563 003....Non.Affec
>0x0200 7465 6420 536f 6674 7761 7265 3a20 0d0a ted.Software:...
>0x0210 0d0a 4d69 6372 6f73 6f66 7420 5769 6e64 ..Microsoft.Wind
>0x0220 6f77 7320 4d69 6c6c 656e 6e69 756d 2045 ows.Millennium.E
>0x0230 6469 7469 6f6e 0d0a 0d0a 596f 7572 2073 dition....Your.s
>0x0240 7973 7465 6d20 6973 2061 6666 6563 7465 ystem.is.affecte
>0x0250 642c 2064 6f77 6e6c 6f61 6420 7468 6520 d,.download.the.
>0x0260 7061 7463 6820 6672 6f6d 2074 6865 2061 patch.from.the.a
>0x0270 6464 7265 7373 2062 656c 6f77 2021 200d ddress.below.!..
>0x0280 0a46 4952 5354 2054 5950 4520 5448 4520 .FIRST.TYPE.THE.
>0x0290 4144 4452 4553 5320 4245 4c4f 5720 494e ADDRESS.BELOW.IN
>0x02a0 544f 2059 4f55 5220 494e 5445 524e 4554 TO.YOUR.INTERNET
>0x02b0 2042 524f 5753 4552 2c20 5448 454e 2043 .BROWSER,.THEN.C
>0x02c0 4c49 434b 2027 4f4b 272e 0d0a 5448 4520 LICK.'OK'...THE.
>0x02d0 4144 4452 4553 5320 5749 4c4c 2044 4953 ADDRESS.WILL.DIS
>0x02e0 4150 5045 4152 204f 4e43 4520 594f 5520 APPEAR.ONCE.YOU.
>0x02f0 4849 5420 274f 4b27 2e0d 0a0d 0a20 2020 HIT.'OK'........
>0x0300 2020 2020 2020 2020 2020 2020 2020 2020 ................
>0x0310 2020 2020 2020 2020 2020 2020 2020 2020 ................
>0x0320 2020 2020 2020 2020 2020 2020 2077 7777 .............www
>0x0330 2e77 696e 646f 7773 7061 7463 682e 696e .windowspatch.in
>0x0340 666f 0d0a 00 fo...
>
>_______________________________________________
>Intrusions mailing list
>Intrusions at lists.sans.org
>http://www.dshield.org/mailman/listinfo/intrusions
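Editor's worked example (added here; not code from the list posting, from Microsoft, or from any spam tool): an encoder and decoder for the packets in the thread. Every dump above carries the same 16-byte run f891 7b5a 00ff d011 a9b2 00c0 4fb6 e6fc right after the all-zero object UUID; read as a little-endian UUID that is 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, the Messenger service's msgsvcsend RPC interface, and opnum 0 is NetrSendMessage, the "GUI net send" Bob describes. The layout is the standard 80-byte DCE/RPC connectionless header followed by three NUL-terminated NDR strings (from, to, text). The activity UUID and the three strings are transcribed from the first capture so that the encoder reproduces its 529-byte UDP payload; all function names and the "lure URL" extractor are this example's own. The extractor collapses the spaced-out "W W W . L R B Z . U S" from the first two packets and also picks up the www.windowspatch.info address from the third, which dresses the same pop-up up as Microsoft bulletin MS03-043 (itself a Messenger-service buffer-overrun fix), so the decoder checks every length before using it.

```python
"""DCE/RPC CL (UDP) request carrying a Messenger-service NetrSendMessage call.

Added example; not code from the list posting, from Microsoft, or from any
tool.  Layout: the 80-byte DCE/RPC connectionless header, then the NDR stub
of NetrSendMessage = three NUL-terminated conformant/varying char arrays
(from, to, text).  The activity UUID and the three strings are transcribed
from the first capture in the thread; every name here is the example's own.
"""
import re
import struct
import uuid

# DCE/RPC CL header (little-endian): rpc_vers, ptype, flags1, flags2, drep[3],
# serial_hi, object UUID, interface UUID, activity UUID, server boot time,
# interface version, seqnum, opnum, ihint, ahint, stub length, fragnum,
# auth_proto, serial_lo.  80 bytes in total.
CL_HDR = struct.Struct("<BBBB3sB16s16s16sIIIHHHHHBB")
PTYPE_REQUEST = 0

# msgsvcsend v1.0, the Messenger service RPC interface; opnum 0 = NetrSendMessage.
# On the wire this is the f8917b5a 00ff d011 ... run seen in every dump above.
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
NETR_SEND_MESSAGE = 0

# Activity UUID exactly as sent in the first capture (the spam tool stuffed the
# ASCII digits "13120002 2010" into it).
CAPTURED_ACT_UUID = bytes.fromhex("9633f2ac313331323030303232303130")

# Strings transcribed from the first capture (218.39.89.244 -> port 1026).
SPAM_FROM = " " * 7 + "LEBZ" + " " * 7
SPAM_TO = " " * 8 + "You" + " " * 7
SPAM_TEXT = (
    "\n\nTORONTO PHARMACEUTICALS\n\nTOP MEDS: VIAGRA, CIALIS, XANAX, VALIUM, "
    "AMBIEN ....\n\nOur generics are the exact same formula as the name brands, "
    "only much cheaper.\nNow you can save money and receive the same treatment "
    "you need!\n\nNO prior prescription needed!\nOrder Toronto to get the "
    "biggest discounts!\n\nType the following WEB address in your browser:"
    "\n\nW W W . L R B Z . U S\n\n"
)


def _ndr_string(s: str) -> bytes:
    """One NUL-terminated conformant/varying char array: max, offset, actual, bytes."""
    data = s.encode("ascii") + b"\x00"
    return struct.pack("<III", len(data), 0, len(data)) + data


def build_send_message(sender, recipient, text, act_uuid=CAPTURED_ACT_UUID):
    """UDP payload of a NetrSendMessage request, i.e. what the spammer emits."""
    stub = b""
    for s in (sender, recipient, text):
        if len(stub) % 4:                       # NDR 4-byte alignment between arrays
            stub += b"\x00" * (4 - len(stub) % 4)
        stub += _ndr_string(s)
    hdr = CL_HDR.pack(4, PTYPE_REQUEST, 0x28, 0, b"\x10\x00\x00", 0,
                      bytes(16), MSGSVC_UUID.bytes_le, act_uuid,
                      0, 1, 0, NETR_SEND_MESSAGE, 0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    return hdr + stub


def parse_send_message(payload: bytes) -> dict:
    """Decode a msgsvcsend/NetrSendMessage CL request; ValueError for anything else.

    Every length is checked before use, so a truncated or hostile packet cannot
    make the decoder itself fall over."""
    if len(payload) < CL_HDR.size:
        raise ValueError("short DCE/RPC CL header")
    (vers, ptype, _f1, _f2, drep, _sh, _obj, if_uuid, act, _boot, if_vers,
     seq, opnum, _ih, _ah, length, fragnum, _auth, _sl) = CL_HDR.unpack_from(payload)
    if vers != 4 or ptype != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC CL request")
    if (drep[0] & 0xF0) != 0x10:
        raise ValueError("big-endian NDR not handled by this example")
    if uuid.UUID(bytes_le=if_uuid) != MSGSVC_UUID or opnum != NETR_SEND_MESSAGE:
        raise ValueError("not msgsvcsend.NetrSendMessage")
    stub = payload[CL_HDR.size:CL_HDR.size + length]
    if len(stub) != length:
        raise ValueError("stub truncated")
    fields, pos = [], 0
    for _ in range(3):
        pos += (-pos) % 4                         # realign after the previous array
        if pos + 12 > len(stub):
            raise ValueError("stub truncated")
        max_cnt, offset, actual = struct.unpack_from("<III", stub, pos)
        pos += 12
        if offset != 0 or actual > max_cnt or pos + actual > len(stub):
            raise ValueError("bad array bounds")
        raw = stub[pos:pos + actual]
        pos += actual
        # Keep only up to the first NUL: the third capture pads "WINDOWS USER"
        # with NULs out to its declared count of 19.
        fields.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return {"from": fields[0], "to": fields[1], "text": fields[2],
            "activity": uuid.UUID(bytes_le=act), "if_vers": if_vers,
            "seqnum": seq, "fragnum": fragnum}


SPACED_LINE = re.compile(r"^(?:\S )+\S$")


def extract_lure_urls(text: str) -> list:
    """Web addresses in the pop-up body, including ones spelled out letter by
    letter ("W W W . L R B Z . U S"), which a naive substring match would miss."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if SPACED_LINE.match(line):
            line = line.replace(" ", "")
        urls += [m.group(0).lower() for m in re.finditer(r"(?i)\bwww\.[a-z0-9.-]+", line)]
    return urls


if __name__ == "__main__":
    pkt = build_send_message(SPAM_FROM, SPAM_TO, SPAM_TEXT)
    print(len(pkt), "byte UDP payload")           # 529, matching "udp 529" above
    msg = parse_send_message(pkt)
    print(repr(msg["from"]), "->", repr(msg["to"]), extract_lure_urls(msg["text"]))
```

Feeding the decoder a UDP payload captured at the perimeter (for example, the 529 data bytes after the 28-byte IP/UDP headers in the first dump) gives the from/to/text triple and the activity UUID; any NetrSendMessage request arriving from outside is unsolicited by definition, which is the check to pair with Bob's firewall advice. The encoder is included so the layout can be verified byte for byte against the dump rather than taken on trust.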