[Dshield] popups to UDP:1026

John Sage jsage at finchhaven.com
Tue Aug 19 14:52:30 GMT 2003


Jeff:

On Mon, Aug 18, 2003 at 10:27:08PM -0400, Jeff Kell wrote:
> John Sage wrote:
> 
> >Doesn't take 'em long, does it :-/
> >
> >
> >input: snort.log.1061144222
> >filter: ip and ( dst host 12.82.158.246 and dst port 1026 )
> 
> Were these preceded by a portmapper call (udp/135)?

All that I have seen have not; all have been from 210.5.22.10,
starting with this at 2003/08/13 04:51:07, the very first one.

Today (08/19) I have seen some from 64.174.34.21, and 210.5.22.10
seems to have gone quiet :-/ but again, nothing preceding to UDP:135


input: snort.log-Aug.13.18:26
filter: ip and ( dst port 1026 and src host 210.5.22.10 )
#
U 2003/08/13 04:51:07.944428 210.5.22.10:32770 -> 12.82.157.216:1026
  04 00 28 00 10 00 00 00    00 00 00 00 00 00 00 00    ..(.............
  00 00 00 00 00 00 00 00    f8 91 7b 5a 00 ff d0 11    ..........{Z....
  a9 b2 00 c0 4f b6 e6 fc    20 96 3f 5b a6 e5 a3 52    ....O... .?[...R
  88 66 9a 0c 00 cf a9 4a    00 00 00 00 01 00 00 00    .f.....J........
  00 00 00 00 00 00 ff ff    ff ff b7 01 00 00 00 00    ................
  0d 00 00 00 00 00 00 00    0d 00 00 00 53 59 53 54    ............SYST
  45 4d 20 41 4c 45 52 54    00 00 00 00 0e 00 00 00    EM ALERT........
  00 00 00 00 0e 00 00 00    43 4f 4d 50 55 54 45 52    ........COMPUTER
  20 55 53 45 52 00 00 00    73 01 00 00 00 00 00 00     USER...s.......
  73 01 00 00 0a 20 20 20    20 20 20 20 20 20 20 20    s....
  20 20 20 20 2a 2a 2a 53    45 43 55 52 49 54 59 20        ***SECURITY
  57 41 52 4e 49 4e 47 2a    2a 2a 0a 0a 54 68 65 20    WARNING***..The
  72 65 63 65 69 70 74 20    6f 66 20 74 68 69 73 20    receipt of this
  6d 65 73 73 61 67 65 20    63 6f 6e 66 69 72 6d 73    message confirms
  20 61 20 70 6f 73 73 69    62 6c 65 20 2a 53 65 63     a possible *Sec
  75 72 69 74 79 20 52 69    73 6b 2a 20 6f 6e 20 79    urity Risk* on y
<snip>


- John
-- 
"Warning: time of day goes back, taking countermeasures."
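
The payload quoted in this post is a connectionless DCE/RPC (version 4) request whose interface UUID is that of the Windows Messenger service. As an added example, not part of the original post, the Python below decodes that header and the leading strings from the bytes shown, so that such packets can be flagged in a capture. The function names are hypothetical, and the sample stops where the page's dump is snipped, so the message text itself is not decoded.

```python
import struct
import uuid

# Messenger service RPC interface, as it appears at offset 24 of the dump.
MESSENGER_IF = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")

# First 136 payload bytes of the 04:51:07 packet, retyped from the dump above.
SAMPLE = bytes.fromhex(
    "04002800100000000000000000000000"
    "0000000000000000f8917b5a00ffd011"
    "a9b200c04fb6e6fc20963f5ba6e5a352"
    "88669a0c00cfa94a0000000001000000"
    "000000000000ffffffffb70100000000"
    "0d000000000000000d00000053595354"
    "454d20414c455254000000000e000000"
    "000000000e000000434f4d5055544552"
    "2055534552000000"
)

def read_ndr_string(buf, off):
    """Read one little-endian NDR conformant varying string; return (text, next_off)."""
    if off + 12 > len(buf):
        raise ValueError("truncated NDR string header")
    max_count, first, actual = struct.unpack_from("<III", buf, off)
    end = off + 12 + actual
    if first != 0 or actual > max_count or end > len(buf):
        raise ValueError("malformed or truncated NDR string")
    text = buf[off + 12:end].split(b"\x00", 1)[0].decode("ascii", "replace")
    return text, (end + 3) & ~3  # following item is 4-byte aligned

def parse_popup(payload):
    """Return header fields and leading strings of a Messenger request, else None."""
    if len(payload) < 80 or payload[0] != 4 or payload[1] != 0:
        return None  # not a connectionless DCE/RPC (version 4) request PDU
    if payload[4] >> 4 != 1:
        return None  # only little-endian data representation is handled here
    if_id = uuid.UUID(bytes_le=payload[24:40])
    if if_id != MESSENGER_IF:
        return None
    opnum, _ihint, _ahint, body_len = struct.unpack_from("<HHHH", payload, 68)
    strings, off = [], 80
    for _ in range(3):  # stop early if the capture was cut short (snaplen, <snip>)
        try:
            text, off = read_ndr_string(payload, off)
        except ValueError:
            break
        strings.append(text)
    return {"if_id": str(if_id), "opnum": opnum, "body_len": body_len, "strings": strings}

if __name__ == "__main__":
    print(parse_popup(SAMPLE))
```

The decoded body length (439 bytes) equals the three string headers plus their padded contents, which is a cheap consistency check when matching on full-length captures.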



