[Dshield] What kind of !#@$%! Is this?!?

John Sage jsage at finchhaven.com
Sun Aug 24 15:31:23 GMT 2003


On Sun, Aug 24, 2003 at 08:24:03AM -0500, Doug White wrote:
> That is one of the pop-up messages directed to those who have
> messaging running
> 
<snip advertisement...>
> 
> ----- Original Message ----- 
> From: "Ronnie & Stacy Clark" <rsclark at kingwoodcable.net>
> To: "General DShield Discussion List" <list at dshield.org>
> Sent: Sunday, August 24, 2003 12:30 AM
> Subject: [Dshield] What kind of !#@$%! Is this?!?
> 
> 
> | While watching traffic on my home network, I get this packet:
> |
> | 00:23:39.112665 64.174.34.21.32781 > aaa.bbb.ccc.xxx.1026: udp 552
<more snippage>

64.174.34.21 (domain name pointer
adsl-64-174-34-21.dsl.snfc21.pacbell.net.) has been almost the single
source of popup spam I've seen in the last week or so...

I emailed:


To: trouble at pbi.net
Cc: abuse at pbi.net
Subject: DSL customer sending UDP:1026 popups
User-Agent: Mutt/1.4.1i

A DSL customer of yours seems to have made a quick transition to
sending popup spam to UDP:1026, now that UDP:135 is being blocked...

ngrep_host: src host 64.174.34.21 in snort.log.1061218705
Generated 09:18:39 (TZ -07:00) 08/18/2003

input: snort.log.1061218705
filter: ip and ( src host 64.174.34.21 )
#
U 2003/08/18 08:20:07.837427 64.174.34.21:32772 -> 12.82.157.157:1026
  04 00 28 00 10 00 00 00    00 00 00 00 00 00 00 00    ..(.............
  00 00 00 00 00 00 00 00    f8 91 7b 5a 00 ff d0 11    ..........{Z....
  a9 b2 00 c0 4f b6 e6 fc    6d 2e bb 10 aa 7a cc 97    ....O...m....z..
  ce ad e1 06 f1 1b f0 bf    00 00 00 00 01 00 00 00    ................
  00 00 00 00 00 00 ff ff    ff ff ea 00 00 00 00 00    ................
  0e 00 00 00 00 00 00 00    0e 00 00 00 55 52 47 45    ............URGE
  4e 54 20 4e 4f 54 49 43    45 00 00 00 04 00 00 00    NT NOTICE.......
  00 00 00 00 04 00 00 00    59 4f 55 00 b2 00 00 00    ........YOU.....
<snip>

The customer may be associated with this domain name:
[jsage at sparky /etc/snort] $ whois endads.com
BW whois 3.4 by Bill Weinman (http://whois.bw.org/)

Request: endads.com
whois server for *.com is whois.crsnic.net ...
connected to whois.crsnic.net [198.41.3.54:43] ...
connected to whois.opensrs.net [216.40.33.170:43] ...

Registrant:
 ByeByeAds
 PO BOX 22271
 San Diego, Ca 92192
 US

 Domain name: ENDADS.COM
<snip email>


back on August 18, and haven't heard a peep. 


- John
-- 
"Warning: time of day goes back, taking countermeasures."
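For anyone who wants to check what a dump like the one above actually carries, here is a small decoder, added to this archive page and not part of John's post or anything he sent to PacBell. The UDP payload is a connectionless (ncadg_ip_udp) DCE/RPC request: 80-byte header, then NDR stub data. The interface UUID at offset 24 is 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, the Windows Messenger service, and opnum 0 is NetrSendMessage(from, to, text), which is why the strings "URGENT NOTICE" and "YOU" show up in the stub. The sample bytes are transcribed from the hex column of the ngrep dump as far as the post shows them; the dump is cut at "<snip>", so the message body is missing and the decoder reports the truncation instead of failing on it.

```python
"""Decode a connectionless (ncadg_ip_udp) DCE/RPC request and, when it is
aimed at the Windows Messenger service, pull out the NetrSendMessage string
arguments that end up in the popup.

Added example for this thread; not code from the original post. The sample
bytes are transcribed from the ngrep dump in the post, which is cut off at
"<snip>", so the message body is missing and the decoder has to report the
truncation rather than choke on it.
"""
import struct
import uuid

# Interface UUID of the Windows Messenger service (msgsvc). Its opnum 0 is
# NetrSendMessage(from, to, text), the call behind "net send" style popups.
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
CL_HEADER_LEN = 80   # fixed size of the connectionless PDU header
PTYPE_REQUEST = 0

# UDP payload from the post's dump (hex column only), up to the <snip>.
SAMPLE_HEX = """
04 00 28 00 10 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 f8 91 7b 5a 00 ff d0 11
a9 b2 00 c0 4f b6 e6 fc 6d 2e bb 10 aa 7a cc 97
ce ad e1 06 f1 1b f0 bf 00 00 00 00 01 00 00 00
00 00 00 00 00 00 ff ff ff ff ea 00 00 00 00 00
0e 00 00 00 00 00 00 00 0e 00 00 00 55 52 47 45
4e 54 20 4e 4f 54 49 43 45 00 00 00 04 00 00 00
00 00 00 00 04 00 00 00 59 4f 55 00 b2 00 00 00
"""
SAMPLE = bytes.fromhex("".join(SAMPLE_HEX.split()))


def parse_cl_header(payload: bytes) -> dict:
    """Parse the 80-byte connectionless DCE/RPC header (DCE 1.1 RPC spec, CL PDU)."""
    if len(payload) < CL_HEADER_LEN:
        raise ValueError("payload shorter than a CL DCE/RPC header")
    rpc_vers, ptype, flags1, flags2 = payload[0:4]
    if rpc_vers != 4:
        raise ValueError("not a connectionless DCE/RPC PDU (rpc_vers != 4)")
    little = (payload[4] >> 4) == 1      # drep[0] high nibble: 1 = little-endian ints
    e = "<" if little else ">"

    def ndr_uuid(raw: bytes) -> uuid.UUID:
        # NDR writes the first three UUID fields in the sender's byte order.
        return uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)

    (boot, if_vers, seqnum, opnum, ihint, ahint,
     frag_len, fragnum, auth_proto, serial_lo) = struct.unpack(e + "IIIHHHHHBB", payload[56:80])
    return {
        "ptype": ptype, "flags1": flags1, "little_endian": little,
        "object": ndr_uuid(payload[8:24]), "interface": ndr_uuid(payload[24:40]),
        "activity": ndr_uuid(payload[40:56]), "if_vers": if_vers, "seqnum": seqnum,
        "opnum": opnum, "frag_len": frag_len, "stub": payload[CL_HEADER_LEN:],
    }


def read_ndr_string(stub: bytes, pos: int, little: bool):
    """Read one NDR conformant+varying char array (max, offset, actual, bytes).
    Returns (text or None, next_pos, truncated)."""
    e = "<" if little else ">"
    if pos + 12 > len(stub):                 # not even the three counts are present
        return None, len(stub), True
    max_count, offset, actual = struct.unpack_from(e + "III", stub, pos)
    pos += 12
    data = stub[pos:pos + actual]
    truncated = len(data) < actual
    text = data.split(b"\0", 1)[0].decode("latin-1")
    pos = (pos + actual + 3) & ~3            # NDR aligns the next field to 4 bytes
    return text, pos, truncated


def decode_messenger_popup(payload: bytes) -> dict:
    """Summarise the header and, for msgsvc NetrSendMessage requests, extract
    from/to/text. Strings the capture does not contain stay None."""
    hdr = parse_cl_header(payload)
    result = {
        "interface": str(hdr["interface"]),
        "is_messenger": hdr["interface"] == MSGSVC_UUID,
        "is_request": hdr["ptype"] == PTYPE_REQUEST,
        "opnum": hdr["opnum"],
        "stub_declared": hdr["frag_len"],    # fragment length claimed in the header
        "stub_present": len(hdr["stub"]),    # what the dump actually shows
        "from": None, "to": None, "text": None,
        "truncated": len(hdr["stub"]) < hdr["frag_len"],
    }
    if not (result["is_messenger"] and result["is_request"] and hdr["opnum"] == 0):
        return result
    pos = 0
    for field in ("from", "to", "text"):
        value, pos, cut = read_ndr_string(hdr["stub"], pos, hdr["little_endian"])
        result[field] = value
        if cut:
            result["truncated"] = True
            break
    return result


if __name__ == "__main__":
    for key, value in decode_messenger_popup(SAMPLE).items():
        print(f"{key:14} {value}")
```

Run against the dump above it reports the Messenger interface, opnum 0, from "URGENT NOTICE", to "YOU", a declared fragment length of 234 bytes of which only 48 survive the snip, and therefore no message body. Feed it the payload of a UDP:1026 (or UDP:135) datagram from a live capture and the third string is the popup text.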
