[Intrusions] Port Scanning on 1026 & 1027

Nick FitzGerald nick at virus-l.demon.co.uk
Fri Jul 29 01:32:28 GMT 2005

Earnhart, Benjamin J wrote:

> So I concur with you that they're becoming very popular, and look
> forward to somebody giving a decent explanation as to why this is
> happening.

Without captures, or any other details than the initial terribly vague 
"I have noticed a tremendous amount of scanning on ports 1026 and 1027" 
(what exactly was meant by "scanning"?  Repeated attempts to connect to 
that port on each machine?  A sweep across his address space for those 
ports?  Other?), it's difficult to say anything much useful...

As has already been suggested, in many similar past cases where more 
details have been available, unexpected traffic to ports in the 1025 
thru 1026/7 range has been Windows Messenger (not MSN Messenger ot 
other IM)) spam that directly targets the ports Messenger most commonly 
gets bound to on "standard" config Windows boxes.  Given most Windows 
machines exposing this service do so across a very smal range of ports, 
the Messenger spambots are generally much faster if they spew a few UDP 
packets at these ports than "doing the right thing" and asking the 
endpoint mapper for the actual port then sending their spam to just 
that port (they also get to machines where the service has not been 
stopped or blocked, but the endpoint mapper has).


Nick FitzGerald

More information about the Intrusions mailing list