[Dshield] port 1026-1031 update

Chris Brenton cbrenton at chrisbrenton.org
Tue Dec 2 01:33:02 GMT 2003


Howdy Bill,

On Mon, 2003-12-01 at 19:41, Bill McCarty wrote:
> 
> the rate 
> of increase seems exponential at the moment: In the ensuing couple of hours 
> since my earlier message, the number of targets in my own network has 
> almost doubled, increasing from 7 to 12.

Oh joy. Sounds like we have (yet another) RPC/DCOM/etc. exploit running
around. It could be pop-up ad stuff, but it just does not feel that way.
Did I hear you correctly in that the initial packets had no payload? If
so, we have two possibles:

1) Probe that will be followed by a real attack if no response is
returned

2) Weirdness in the header info

I've set up a honeypot to try and capture some data, but given I've seen
very little of this traffic so far, I'm not sure how long it will take.

HTH,
C






