[Dshield] port 1026-1031 update

Bill McCarty bmccarty at pt-net.net
Mon Dec 1 22:26:17 GMT 2003

Hi all,

Until about five hours ago, the UDP 1026-31 traffic I've been monitoring 
has all been directed to a single host within my Class C. Within an 
interval of about one hour following that time, I began receiving the 
traffic on several other hosts. I am now seeing the traffic, which has an 
unvarying 0x0000 payload, incoming to at least seven of my hosts, none of 
which seems to have responded to these probes in an encouraging manner. 
Indeed, the majority of the targeted hosts are Red Hat Linux honeypots, 
which respond with an ICMP Port Unreachable message.

The new traffic differs from the old in one notable respect. It targets 
only ports 1026 and 1030, rather than every port in the range 1026-31.

Has anyone else noticed changes in the UDP 1026-31 traffic they've been 
monitoring? My speculative suspicion that this activity is the scan phase 
of one or more Windows Messenger worms is growing....


Bill McCarty
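One way to pull the pattern described above out of a packet log, as an added example that is not part of the original post: it keeps only UDP datagrams to 1026-1031 whose payload is all zero bytes, then reports per source how many of the monitored hosts were hit, which ports were used overall, and which ports appeared in the last hour (to catch the narrowing to 1026 and 1030). The log line format, addresses and timestamps are constructed for illustration.

```python
"""Summarise zero-payload UDP 1026-1031 probe sweeps from a simple packet log."""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample log (not from the original post).
# Format: <epoch> <src:sport> -> <dst:dport> <proto> <payload_hex>
SAMPLE_LOG = """\
1070316001 10.9.8.7:1026 -> 192.0.2.10:1026 UDP 0000
1070316002 10.9.8.7:1026 -> 192.0.2.10:1027 UDP 0000
1070316003 10.9.8.7:1026 -> 192.0.2.10:1031 UDP 0000
1070334010 10.9.8.7:1026 -> 192.0.2.21:1026 UDP 0000
1070334011 10.9.8.7:1026 -> 192.0.2.21:1030 UDP 0000
1070334012 10.9.8.7:1026 -> 192.0.2.35:1026 UDP 0000
1070334013 10.9.8.7:1026 -> 192.0.2.35:1030 UDP 0000
1070334014 10.9.8.7:1026 -> 192.0.2.44:1030 UDP 0000
1070334020 198.51.100.5:53 -> 192.0.2.10:1029 UDP 3a1f0081
1070334021 198.51.100.9:4000 -> 192.0.2.10:1026 TCP 1603
"""

PROBE_PORTS = range(1026, 1032)   # 1026-1031 inclusive
RECENT_WINDOW = 3600              # seconds; "last hour" per source

class Probe(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int

def parse_probes(text: str) -> List[Probe]:
    """Keep UDP datagrams to 1026-1031 whose payload is entirely zero bytes."""
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, proto, payload = line.split()
        dport = int(dst.rsplit(":", 1)[1])
        if proto != "UDP" or dport not in PROBE_PORTS:
            continue
        if not payload or set(payload) != {"0"}:   # 0x0000... payload only
            continue
        probes.append(Probe(int(ts), src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0], dport))
    return probes

def sweep_summary(probes: List[Probe], min_hosts: int = 3) -> Dict[str, dict]:
    """Per source: distinct targets, ports overall, ports in the last hour, sweep flag."""
    hosts, ports, latest = defaultdict(set), defaultdict(set), {}
    for p in probes:
        hosts[p.src].add(p.dst)
        ports[p.src].add(p.dport)
        latest[p.src] = max(latest.get(p.src, 0), p.ts)
    out = {}
    for src in hosts:
        recent = {p.dport for p in probes if p.src == src and p.ts >= latest[src] - RECENT_WINDOW}
        out[src] = {"hosts": len(hosts[src]), "ports": sorted(ports[src]),
                    "recent_ports": sorted(recent), "sweep": len(hosts[src]) >= min_hosts}
    return out
```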

