[Intrusions] Port Scanning on 1026 & 1027
nick at virus-l.demon.co.uk
Fri Jul 29 01:32:28 GMT 2005
Earnhart, Benjamin J wrote:
> So I concur with you that they're becoming very popular, and look
> forward to somebody giving a decent explanation as to why this is

Without captures, or any other details than the initial terribly vague
"I have noticed a tremendous amount of scanning on ports 1026 and 1027"
(what exactly was meant by "scanning"? Repeated attempts to connect to
that port on each machine? A sweep across his address space for those
ports? Other?), it's difficult to say anything much useful...

As has already been suggested, in many similar past cases where more
details have been available, unexpected traffic to ports in the 1025
thru 1026/7 range has been Windows Messenger (not MSN Messenger or
other IM) spam that directly targets the ports Messenger most commonly
gets bound to on "standard" config Windows boxes. Given most Windows
machines exposing this service do so across a very small range of ports,
the Messenger spambots are generally much faster if they spew a few UDP
packets at these ports than "doing the right thing" and asking the
endpoint mapper for the actual port then sending their spam to just
that port (they also get to machines where the service has not been
stopped or blocked, but the endpoint mapper has).
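
The distinction raised in the message above (a sweep across an address space versus repeated attempts against one machine, and UDP sent to several candidate ports per host) can be checked from firewall logs. The following is an added example, not part of the original post: the log format, the sample lines, the thresholds and the `messenger_spam_like` heuristic are all assumptions, and confirming Messenger spam would still need packet captures.

```python
from collections import defaultdict

# Constructed sample log lines (not real traffic): "epoch proto src dst dport"
SAMPLE_LOG = """\
1122600000 udp 198.51.100.7 192.0.2.10 1026
1122600000 udp 198.51.100.7 192.0.2.10 1027
1122600001 udp 198.51.100.7 192.0.2.11 1026
1122600001 udp 198.51.100.7 192.0.2.11 1027
1122600002 udp 198.51.100.7 192.0.2.12 1026
1122600002 udp 198.51.100.7 192.0.2.12 1027
1122600010 tcp 203.0.113.9 192.0.2.10 1026
1122600011 tcp 203.0.113.9 192.0.2.10 1026
1122600012 tcp 203.0.113.9 192.0.2.10 1026
1122600013 tcp 203.0.113.9 192.0.2.10 1026
1122600020 udp 203.0.113.50 192.0.2.10 53
"""

WATCHED_PORTS = {1025, 1026, 1027}  # range named in the message
SWEEP_MIN_HOSTS = 3                 # assumed threshold
REPEAT_MIN_PACKETS = 4              # assumed threshold

def classify(log_text):
    """Return {src: summary} for every source that hit a watched port."""
    per_src = defaultdict(
        lambda: {"protos": set(), "packets": 0, "hits": defaultdict(set)})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines
        _, proto, src, dst, dport = fields
        if int(dport) not in WATCHED_PORTS:
            continue
        rec = per_src[src]
        rec["protos"].add(proto.lower())
        rec["packets"] += 1
        rec["hits"][dst].add(int(dport))
    report = {}
    for src, rec in per_src.items():
        hosts = len(rec["hits"])
        if hosts >= SWEEP_MIN_HOSTS:
            pattern = "sweep"       # one source, many destinations
        elif rec["packets"] >= REPEAT_MIN_PACKETS:
            pattern = "repeated"    # one source hammering few hosts
        else:
            pattern = "sporadic"
        # UDP-only source trying several candidate ports on the same host
        guessing = any(len(ports) > 1 for ports in rec["hits"].values())
        report[src] = {"pattern": pattern, "hosts": hosts,
                       "packets": rec["packets"],
                       "messenger_spam_like": rec["protos"] == {"udp"} and guessing}
    return report
```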