[Dshield] Increased activity

Rick Klinge rick at jaray.net
Sun Aug 17 17:44:43 GMT 2003


Yes we are experiencing a rather high influx of UDP 1026 activity too.
Question to the masses:  What other ports will the spammers use to ingest
windows messenger pop ups?  Also.. we run Cisco devices exclusively and I am
wondering if there is a way to automatically add IP ranges or blocks to the
ACL list.  Would NBAR be useful in this?

TIA,

~Rick


There is a pronounced increase in port 1026 traffic.
It is expected that popup spammers moved to this port
to bypass port 135 blocks.

On Sun, 2003-08-17 at 09:49, Synergy wrote:
> Hullo - I'm seeing somewhat increased activity here (cox.net, in RI)
> starting last night, and to a lesser extent on Comcast systems in Kittery
> ME and Seattle WA.  There are three patterns -- one is scanning from
> within
> the local class-B space, but not to port 135, rather a number of ports in
> the 1000-2000 range.  Here at least these seem to come from remote port
> 1025.  Second is bursts of scans from port 80 to ports in the 1145-1150
> range, from IPs that Smartwhois says belong to Akamai.  Third is scans
> alleging to come from 127.0.0.1, from port 80 to a number of ports in
> 1000-2000 range.  There are also a couple of French IPs banging on port
> 1026...total altogether (here in RI) is maybe 150 or so starting last
> night.
>
> regds,
> david
>
> --
