[Dshield] What kind of !#@$%! Is this?!?

Ben Robson ben at robson.ph
Sun Aug 24 13:42:08 GMT 2003


This looks like one of those ads you get at the top of websites.  The 
ones that are made to look like a Windows dialog box with the "OK" 
button on them.

Does anyone know if these ads stick to port 80, or do they use other 
ports as well?

BenR.

Ronnie & Stacy Clark wrote:

>While watching traffic on my home network, I get this packet:
>
>00:23:39.112665 64.174.34.21.32781 > aaa.bbb.ccc.xxx.1026: udp 552
>0x0000   4500 0244 77ed 0000 f211 4a35 40ae 2215        E..Dw.....J5@.".
>0x0010   aabb ccxx 800d 0402 0230 ba3c 0400 2800        .........0.<..(.
>0x0020   1000 0000 0000 0000 0000 0000 0000 0000        ................
>0x0030   0000 0000 f891 7b5a 00ff d011 a9b2 00c0        ......{Z........
>0x0040   4fb6 e6fc 1e1b 2dcc 9968 d2e0 fbcb cc8f        O.....-..h......
>0x0050   ad4a 1fef 0000 0000 0100 0000 0000 0000        .J..............
>0x0060   0000 ffff ffff d801 0000 0000 0e00 0000        ................
>0x0070   0000 0000 0e00 0000 414c 4552 5420 5345        ........ALERT.SE
>0x0080   5256 4943 4500 0000 0400 0000 0000 0000        RVICE...........
>0x0090   0400 0000 594f 5500 a001 0000 0000 0000        ....YOU.........
>0x00a0   a001 0000 2020 2020 2020 2020 2057 4152        .............WAR
>0x00b0   4e49 4e47 3a20 594f 5552 2043 4f4d 5055        NING:.YOUR.COMPU
>0x00c0   5445 5220 4953 204f 5045 4e20 544f 2041        TER.IS.OPEN.TO.A
>0x00d0   5454 4143 4b53 210a 0a59 6f75 7220 636f        TTACKS!..Your.co
>0x00e0   6d70 7574 6572 2068 6173 2062 6565 6e20        mputer.has.been.
>0x00f0   6465 7465 6374 6564 2074 6f20 6265 206f        detected.to.be.o
>0x0100   7065 6e20 746f 2048 6163 6b65 7273 2077        pen.to.Hackers.w
>0x0110   686f 2063 616e 2073 7465 616c 2079 6f75        ho.can.steal.you
>0x0120   720a 7072 6976 6174 6520 696e 666f 726d        r.private.inform
>0x0130   6174 696f 6e20 616e 6420 696e 7661 6465        ation.and.invade
>0x0140   2079 6f75 7220 636f 6d70 7574 6572 2077        .your.computer.w
>0x0150   6974 6820 4d65 7373 656e 6765 7220 506f        ith.Messenger.Po
>0x0160   7055 7073 0a6c 696b 6520 7468 6973 210a        pUps.like.this!.
>0x0170   0a47 6f20 746f 2077 7777 2e45 4e44 4144        .Go.to.www.ENDAD
>0x0180   532e 636f 6d20 746f 2070 726f 7465 6374        S.com.to.protect
>0x0190   2079 6f75 7273 656c 6620 616e 6420 7374        .yourself.and.st
>0x01a0   6f70 2074 6865 7365 2061 6473 2069 6e20        op.these.ads.in.
>0x01b0   6d69 6e75 7465 732e 0a0a 5072 6573 7369        minutes...Pressi
>0x01c0   6e67 204f 4b20 7769 6c6c 206e 6f74 2074        ng.OK.will.not.t
>0x01d0   616b 6520 796f 7520 746f 2077 7777 2e45        ake.you.to.www.E
>0x01e0   4e44 4144 532e 636f 6d20 736f 200a 7772        NDADS.com.so..wr
>0x01f0   6974 6520 646f 776e 2074 6865 2077 6562        ite.down.the.web
>0x0200   7369 7465 2062 6566 6f72 6520 7072 6573        site.before.pres
>0x0210   7369 6e67 204f 4b2e 0a0a 2020 2020 2020        sing.OK.........
>0x0220   2020 2020 2020 2020 2020 2020 2020 2020        ................
>0x0230   2077 7777 2e44 4553 5452 4f59 4144 532e        .www.DESTROYADS.
>0x0240   636f 6d00
>
>What kind of junk is this?!?. At least my FW dropped it. 
>
>Ron Clark
>
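
Added example, not part of either post above: a Python sketch that rebuilds a tcpdump hex dump like the quoted one, decodes the IPv4/UDP header and pulls out the readable strings, which is a quick way to triage an unknown packet. The sample lines are constructed from the dump with the masked destination bytes replaced by 192.0.2.10 (an assumption), and the function names are hypothetical.

```python
import re
import socket
import struct

# Constructed sample: lines from the quoted dump, with the poster's masked
# destination bytes (aabb ccxx) replaced by 192.0.2.10 (c000 020a).
SAMPLE = """\
>0x0000   4500 0244 77ed 0000 f211 4a35 40ae 2215        E..Dw.....J5@.".
>0x0010   c000 020a 800d 0402 0230 ba3c 0400 2800        .........0.<..(.
>0x0070   0000 0000 0e00 0000 414c 4552 5420 5345        ........ALERT.SE
>0x0080   5256 4943 4500 0000 0400 0000 0000 0000        RVICE...........
"""

# Optional quote marks, the offset, then hex groups separated by single spaces.
LINE = re.compile(r"^[>\s]*0x([0-9a-f]{4})[:\s]+((?:[0-9a-f]{2,4}(?: |$))+)", re.I)


def load_dump(text):
    """Rebuild packet bytes from tcpdump -x/-X lines; gaps are zero-filled."""
    buf = bytearray()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        buf.extend(bytes(max(0, off - len(buf))))
        buf[off:off + len(data)] = data
    return bytes(buf)


def parse_ipv4_udp(pkt):
    """Decode the fields needed to say who sent what to which port."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 17 or len(pkt) < ihl + 8:
        raise ValueError("not a complete IPv4/UDP header")
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "payload_len": ulen - 8,
            "payload": pkt[ihl + 8:]}


def printable_strings(data, min_len=4):
    """Return runs of printable ASCII, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
```

Calling parse_ipv4_udp(load_dump(SAMPLE)) gives the same source address, ports and 552-byte UDP length that tcpdump printed on the summary line, and printable_strings() on the payload returns the embedded text.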
