[Dshield] Increased activity
rick at jaray.net
Sun Aug 17 17:44:43 GMT 2003
Yes, we are experiencing a rather high influx of UDP 1026 activity too.
Question to the masses: What other ports will the spammers use to ingest
Windows Messenger pop-ups? Also, we run Cisco devices exclusively and I am
wondering if there is a way to automatically add IP ranges or blocks to the
ACL list. Would NBAR be useful in this?
There is a pronounced increase in port 1026 traffic.
It is expected that popup spammers moved to this port
to bypass port 135 blocks.
On Sun, 2003-08-17 at 09:49, Synergy wrote:
> Hullo - I'm seeing somewhat increased activity here (cox.net, in RI)
> starting last night, and to a lesser extent on Comcast systems in Kittery
> ME and Seattle WA. There are three patterns -- one is scanning from
> the local class-B space, but not to port 135, rather a number of ports in
> the 1000-2000 range. Here at least these seem to come from remote port
> 1025. Second is bursts of scans from port 80 to ports in the 1145-1150
> range, from IPs that Smartwhois says belong to Akamai. Third is scans
> alleging to come from 127.0.0.1, from port 80 to a number of ports in
> the 1000-2000 range. There are also a couple of French IPs banging on port
> 1026...total altogether (here in RI) is maybe 150 or so starting last