[Dshield] port 1026-1031 update
jeff-kell at utc.edu
Tue Dec 2 01:48:54 GMT 2003
Bill McCarty wrote:
> Until about five hours ago, the UDP 1026-31 traffic I've been monitoring
> has all been directed to a single host within my Class C. Within an
> interval of about one hour following that time, I began receiving the
> traffic on several other hosts. I am now seeing the traffic, which has
> an unvarying 0x0000 payload, incoming to at least seven of my hosts,
> none of which seems to have responded to these probes in an encouraging
> manner. Indeed, the majority of the targeted hosts are Red Hat Linux
> honeypots, which respond with an ICMP Port Unreachable message.
> The new traffic differs from the old in one notable respect. It targets
> only ports 1026 and 1030, rather than every port in the range 1026-31.

Could be pop-up messenger spam, although that should be a dying art
given the ease of blocking 139 (RPC portmapper), and the previous
Blaster, Nachi, and friends shoring up the 135-139 and 445 ranges.
The pop-up "shortcut" is to "guess" which port the messenger service is
running on, and presto, almost all the time it will be in the range of
1026-1031/udp. Sounds like they've settled on 1026 and 1030 (which may
correspond to particular Windows builds).
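A defender-side way to check for the pattern the thread describes (UDP to 1026-1031 with an all-zero payload, first to one host and later sprayed across several hosts on only 1026 and 1030) is to scan a connection log for exactly that signature and summarize per source. The script below is an added example, not code from the original post or from DShield; the log format, the sample lines and the IP addresses (RFC 5737 documentation ranges) are all constructed for the example, and the "spray" threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not from the original post). Format assumed for
# this example:  "<ts> <src>:<sport> > <dst>:<dport> <proto> <payload-hex>".
# 192.0.2.0/24 plays the monitored Class C; 198.51.100.7 walks the whole
# 1026-1031 range against one host, 203.0.113.5 later hits 1026/1030 on
# three hosts. The last three lines are non-matching noise.
SAMPLE_LOG = """\
2003-12-01T15:00:01 198.51.100.7:3001 > 192.0.2.10:1026 udp 0000
2003-12-01T15:00:01 198.51.100.7:3001 > 192.0.2.10:1027 udp 0000
2003-12-01T15:00:01 198.51.100.7:3001 > 192.0.2.10:1028 udp 0000
2003-12-01T15:00:01 198.51.100.7:3001 > 192.0.2.10:1029 udp 0000
2003-12-01T15:00:01 198.51.100.7:3001 > 192.0.2.10:1030 udp 0000
2003-12-01T15:00:01 198.51.100.7:3001 > 192.0.2.10:1031 udp 0000
2003-12-01T20:10:44 203.0.113.5:1026 > 192.0.2.10:1026 udp 0000
2003-12-01T20:10:44 203.0.113.5:1026 > 192.0.2.10:1030 udp 0000
2003-12-01T20:11:02 203.0.113.5:1026 > 192.0.2.11:1026 udp 0000
2003-12-01T20:11:02 203.0.113.5:1026 > 192.0.2.11:1030 udp 0000
2003-12-01T20:11:30 203.0.113.5:1026 > 192.0.2.12:1026 udp 0000
2003-12-01T20:11:30 203.0.113.5:1026 > 192.0.2.12:1030 udp 0000
2003-12-01T20:12:00 203.0.113.9:2222 > 192.0.2.20:1026 tcp 474554
2003-12-01T20:12:05 203.0.113.9:2222 > 192.0.2.20:1026 udp 04000000
2003-12-01T20:12:07 203.0.113.9:53000 > 192.0.2.20:53 udp 0000
"""

MESSENGER_PORTS = range(1026, 1032)  # 1026-1031 inclusive, as in the thread

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<payload>[0-9a-fA-F]*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    payload: str  # hex string, may be empty


def parse_line(line: str):
    """Parse one log line into a Packet; return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["src"], m["dst"], int(m["dport"]),
                  m["proto"].lower(), m["payload"].lower())


def is_zero_payload(hex_payload: str) -> bool:
    """True for a non-empty payload made only of 0x00 bytes (e.g. '0000')."""
    return len(hex_payload) > 0 and set(hex_payload) <= {"0"}


def find_messenger_probes(log_text: str) -> dict:
    """Group UDP/1026-1031 zero-payload packets by source.

    Returns {src_ip: {"hosts": set(dst_ip), "ports": set(dport)}}.
    """
    probes = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt.proto != "udp":
            continue
        if pkt.dport not in MESSENGER_PORTS or not is_zero_payload(pkt.payload):
            continue
        probes[pkt.src]["hosts"].add(pkt.dst)
        probes[pkt.src]["ports"].add(pkt.dport)
    return dict(probes)


def classify(probes: dict, spray_threshold: int = 3) -> list:
    """Label each source: 'full-range' if it walked all of 1026-1031, else
    'subset'; and 'spray' if it touched >= spray_threshold distinct hosts
    (threshold is an assumed tuning value for this example)."""
    report = []
    for src, info in sorted(probes.items()):
        coverage = "full-range" if set(MESSENGER_PORTS) <= info["ports"] else "subset"
        report.append({
            "src": src,
            "hosts": len(info["hosts"]),
            "ports": sorted(info["ports"]),
            "coverage": coverage,
            "spray": len(info["hosts"]) >= spray_threshold,
        })
    return report


if __name__ == "__main__":
    for row in classify(find_messenger_probes(SAMPLE_LOG)):
        print(row)
```

The first source shows up as a single-host walk of the full range, the second as a 1026/1030-only subset sprayed across three hosts, which is the shift Bill described; the TCP packet, the non-zero UDP payload and the DNS packet are all ignored. Swap `SAMPLE_LOG` for your own export in the same format, or adapt `LINE_RE` to whatever your sensor emits.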