[Dshield] port 1026-1031 update

Jeff Kell jeff-kell at utc.edu
Tue Dec 2 01:48:54 GMT 2003

Bill McCarty wrote:

> Until about five hours ago, the UDP 1026-31 traffic I've been monitoring 
> has all been directed to a single host within my Class C. Within an 
> interval of about one hour following that time, I began receiving the 
> traffic on several other hosts. I am now seeing the traffic, which has 
> an unvarying 0x0000 payload, incoming to at least seven of my hosts, 
> none of which seems to have responded to these probes in an encouraging 
> manner. Indeed, the majority of the targeted hosts are Red Hat Linux 
> honeypots, which respond with an ICMP Port Unreachable message.
> The new traffic differs from the old in one notable respect. It targets 
> only ports 1026 and 1030, rather than every port in the range 1026-31.

Could be pop-up messenger spam, although that should be a dying art 
given the ease of blocking 139 (RPC portmapper), and the previous 
Blaster, Nachi, and friends shoring up the 135-139 and 445 ranges.
The pop-up "shortcut" is to "guess" which port the messenger service is 
running on, and presto, almost all the time it will be in the range of 
1026-1031/udp.  Sounds like they've settled on 1026 and 1030 (which may 
correspond to particular Windows builds).


More information about the list mailing list