[Dshield] UPD Spam

jayjwa jayjwa at atr2.ath.cx
Thu Apr 15 18:40:04 GMT 2004



Hello List,

Today I was looking through my logs, and I noticed a lot of connection
attempts to ports 1026/1027. (More than usual.) A quick check of the
search engines showed that this port is frequently used for WinPopUp. I decided
to sniff a bit; not more than 5 minutes into it, I captured packets
of 795-byte blocks of pornographic spam. I had IpTraf running as well:

Thu Apr 15 13:12:25 2004; ******** IP traffic monitor started ********

Thu Apr 15 13:15:25 2004; UDP; ppp0; 795 bytes; from 129.170.66.12:2872 to ppp160.tc-1.syr-ch.ny.localnet.com:1026
Thu Apr 15 13:15:25 2004; UDP; ppp0; 795 bytes; from 129.170.66.12:2957 to ppp160.tc-1.syr-ch.ny.localnet.com:1027

Thu Apr 15 13:27:09 2004; UDP; ppp0; 795 bytes; from 204.212.234.144:dbstar to ppp160.tc-1.syr-ch.ny.localnet.com:1026
Thu Apr 15 13:27:09 2004; UDP; ppp0; 795 bytes; from 204.212.234.144:novell-lu6 to ppp160.tc-1.syr-ch.ny.localnet.com:1027

Thu Apr 15 13:32:28 2004; ******** IP traffic monitor stopped ********


The first IP (frame #2) came back as a machine at Dartmouth.edu, possibly
compromised. There were several different sources sending these. Some were
slightly smaller, around 600+ bytes. Here's a sample from the packet
capture:



Frame 1 (396 bytes on wire, 396 bytes captured)
    Arrival Time: Apr 15, 2004 13:14:47.169388000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 396 bytes
    Capture Length: 396 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 21.223.195.4 (21.223.195.4), Dst Addr: 64.179.12.160 (64.179.12.160)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 380
    Identification: 0xd807 (55303)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 203
    Protocol: UDP (0x11)
    Header checksum: 0xb032 (correct)
    Source: 21.223.195.4 (21.223.195.4)
    Destination: 64.179.12.160 (64.179.12.160)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1026 (1026)
    Source port: domain (53)
    Destination port: 1026 (1026)
    Length: 360
    Checksum: 0xd976 (correct)
Domain Name System (response)
    Transaction ID: 0x0400
    Flags: 0xa880 (Dynamic update response, No error)
        1... .... .... .... = Response: Message is a response
        .010 1... .... .... = Opcode: Dynamic update (5)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 4097
    Answer RRs: 43
    Authority RRs: 43
    Additional RRs: 43
    Zone
        <Root>: type unused, class unknown
            Name: <Root>
            Type: unused
            Class: unknown
        <Root>: type unused, class unknown
            Name: <Root>
            Type: unused
            Class: unknown
        <Root>: type unknown, class unknown
            Name: <Root>
            Type: Unknown RR type (248)
            Class: unknown
        <Unknown extended label>: type ANY, class unknown
            Name: <Unknown extended label>
            Type: Request for all records
            Class: unknown
[Malformed Packet: DNS]

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 01 7c d8 07 40 00 cb 11 b0 32 15 df c3 04   E..|..@....2....
0020  40 b3 0c a0 00 35 04 02 01 68 d9 76 04 00 a8 80   @....5...h.v....
0030  10 01 00 2b 00 2b 00 2b 00 00 00 00 00 00 00 00   ...+.+.+........
0040  00 00 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0   ......{Z........
0050  4f b6 e6 fc ae 39 87 c3 c7 f8 5f 34 d0 17 a3 cc   O....9...._4....
0060  0b 98 d0 70 00 00 00 00 01 00 00 00 00 00 00 00   ...p............
0070  00 00 ff ff ff ff 10 01 00 00 00 00 0c 00 00 00   ................
0080  00 00 00 00 0c 00 00 00 52 65 61 6c 20 57 6f 6d   ........Real Wom
0090  65 6e 00 00 04 00 00 00 00 00 00 00 04 00 00 00   en..............
00a0  59 6f 75 00 dc 00 00 00 00 00 00 00 dc 00 00 00   You.............
00b0  2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 57 41 4e 54   **********..WANT
00c0  20 53 45 58 3f 0d 0a 0d 0a 54 69 72 65 64 20 6f    SEX?....Tired o
00d0  66 20 61 6c 6c 20 74 68 65 20 27 77 6f 6d 65 6e   f all the 'women
00e0  27 20 6f 6e 20 74 68 65 20 64 61 74 69 6e 67 20   ' on the dating
00f0  73 69 74 65 73 20 77 68 6f 20 77 61 6e 74 20 27   sites who want '
0100  72 6f 6d 61 6e 63 65 27 20 20 3f 0d 0a 0d 0a 42   romance'  ?....B
0110  65 6c 69 65 76 65 20 69 74 20 6f 72 20 6e 6f 74   elieve it or not
0120  2c 20 74 68 65 72 65 20 61 72 65 20 4d 41 4e 59   , there are MANY
0130  20 77 6f 6d 65 6e 20 77 68 6f 20 77 61 6e 74 20    women who want
0140  48 4f 54 20 70 61 73 73 69 6f 6e 61 74 65 20 73   HOT passionate s
0150  65 78 20 4e 4f 57 21 21 21 21 21 0d 0a 2a 2a 2a   ex NOW!!!!!..***
0160  2a 2a 2a 2a 2a 2a 2a 0d 0a 0d 0a 46 49 4e 44 20   *******....FIND
0170  55 53 20 41 54 3a 0d 0a 0d 0a 09 77 77 77 2e 68   US AT:.....www.h
0180  6f 73 74 31 30 31 2e 55 53 0d 0a 00               ost101.US...

Frame 2 (811 bytes on wire, 811 bytes captured)
    Arrival Time: Apr 15, 2004 13:15:25.519423000
    Time delta from previous packet: 38.350035000 seconds
    Time since reference or first frame: 38.350035000 seconds
    Frame Number: 2
    Packet Length: 811 bytes
    Capture Length: 811 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 129.170.66.12 (129.170.66.12), Dst Addr: 64.179.12.160 (64.179.12.160)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 795
    Identification: 0xa094 (41108)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 105
    Protocol: UDP (0x11)
    Header checksum: 0x9d34 (correct)
    Source: 129.170.66.12 (129.170.66.12)
    Destination: 64.179.12.160 (64.179.12.160)
User Datagram Protocol, Src Port: 2872 (2872), Dst Port: 1026 (1026)
    Source port: 2872 (2872)
    Destination port: 1026 (1026)
    Length: 775
    Checksum: 0x2535 (correct)
DCE RPC
    Version: 4
    Packet type: Request (0)
    Flags1: 0x28
        0... .... = Reserved: Not set
        .0.. .... = Broadcast: Not set
        ..1. .... = Idempotent: Set
        ...0 .... = Maybe: Not set
        .... 1... = No Fack: Set
        .... .0.. = Fragment: Not set
        .... ..0. = Last Fragment: Not set
        .... ...0 = Reserved: Not set
    Flags2: 0x00
        0... .... = Reserved: Not set
        .0.. .... = Reserved: Not set
        ..0. .... = Reserved: Not set
        ...0 .... = Reserved: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Reserved: Not set
        .... ..0. = Cancel Pending: Not set
        .... ...0 = Reserved: Not set
    Data Representation: 100000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Serial High: 0x00
    Object UUID: 00000000-0000-0000-0000-000000000000
    Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
    Activity: 2657fced-3331-3231-3030-303232303130
    Server boot time: 0x00000000
    Interface Ver: 1
    Sequence num: 0
    Opnum: 0
    Interface Hint: 0xffff
    Activity Hint: 0xffff
    Fragment len: 687
    Fragment num: 0
    Auth proto: None (0)
    Serial Low: 0x00
Microsoft Messenger Service
    Operation: NetrSendMessage (0)
    Server
        Max Count: 19
        Offset: 0
        Actual Count: 19
        Server:  WWW.BIGBONER.BIZ
    Client
        Max Count: 19
        Offset: 0
        Actual Count: 19
        Client:    Current User
    Message
        Max Count: 611
        Offset: 0
        Actual Count: 611
        Message: \nStay Longer! Go HARDER! BE BIGGER!\nEnjoy the most intense orgasms of your life! Become immensely confident.\n\n*- Increased circulation and ENLARGE your girth and size up to 3 inches or even larger\n*- Increased semen and sperm

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 03 1b a0 94 00 00 69 11 9d 34 81 aa 42 0c   E.......i..4..B.
0020  40 b3 0c a0 0b 38 04 02 03 07 25 35 04 00 28 00   @....8....%5..(.
0030  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0   ......{Z........
0050  4f b6 e6 fc ed fc 57 26 31 33 31 32 30 30 30 32   O.....W&13120002
0060  32 30 31 30 00 00 00 00 01 00 00 00 00 00 00 00   2010............
0070  00 00 ff ff ff ff af 02 00 00 00 00 13 00 00 00   ................
0080  00 00 00 00 13 00 00 00 20 57 57 57 2e 42 49 47   ........ WWW.BIG
0090  42 4f 4e 45 52 2e 42 49 5a 20 00 00 13 00 00 00   BONER.BIZ ......
00a0  00 00 00 00 13 00 00 00 20 20 20 43 75 72 72 65   ........   Curre
00b0  6e 74 20 55 73 65 72 20 20 20 00 00 63 02 00 00   nt User   ..c...
00c0  00 00 00 00 63 02 00 00 0a 53 74 61 79 20 4c 6f   ....c....Stay Lo
00d0  6e 67 65 72 21 20 47 6f 20 48 41 52 44 45 52 21   nger! Go HARDER!
00e0  20 42 45 20 42 49 47 47 45 52 21 0a 45 6e 6a 6f    BE BIGGER!.Enjo
00f0  79 20 74 68 65 20 6d 6f 73 74 20 69 6e 74 65 6e   y the most inten
0100  73 65 20 6f 72 67 61 73 6d 73 20 6f 66 20 79 6f   se orgasms of yo
0110  75 72 20 6c 69 66 65 21 20 42 65 63 6f 6d 65 20   ur life! Become
0120  69 6d 6d 65 6e 73 65 6c 79 20 63 6f 6e 66 69 64   immensely confid
0130  65 6e 74 2e 0a 0a 2a 2d 20 49 6e 63 72 65 61 73   ent...*- Increas
0140  65 64 20 63 69 72 63 75 6c 61 74 69 6f 6e 20 61   ed circulation a
0150  6e 64 20 45 4e 4c 41 52 47 45 20 79 6f 75 72 20   nd ENLARGE your
0160  67 69 72 74 68 20 61 6e 64 20 73 69 7a 65 20 75   girth and size u
0170  70 20 74 6f 20 33 20 69 6e 63 68 65 73 20 6f 72   p to 3 inches or
0180  20 65 76 65 6e 20 6c 61 72 67 65 72 0a 2a 2d 20    even larger.*-
0190  49 6e 63 72 65 61 73 65 64 20 73 65 6d 65 6e 20   Increased semen
01a0  61 6e 64 20 73 70 65 72 6d 20 70 72 6f 64 75 63   and sperm produc
01b0  74 69 6f 6e 20 75 70 20 74 6f 20 36 30 30 20 70   tion up to 600 p
01c0  65 72 63 65 6e 74 0a 2a 2d 20 49 6e 63 72 65 61   ercent.*- Increa
01d0  73 65 64 20 74 65 73 74 6f 73 74 65 72 6f 6e 65   sed testosterone
01e0  20 75 70 20 74 6f 20 35 30 30 20 70 65 72 63 65    up to 500 perce
01f0  6e 74 0a 2a 2d 20 4f 62 74 61 69 6e 20 47 49 41   nt.*- Obtain GIA
0200  4e 54 20 72 6f 63 6b 2d 73 6f 6c 69 64 20 6d 6f   NT rock-solid mo
0210  72 65 20 70 6f 77 65 72 66 75 6c 20 65 72 65 63   re powerful erec
0220  74 69 6f 6e 73 0a 2a 2d 20 48 61 76 65 20 4c 4f   tions.*- Have LO
0230  4e 47 45 52 20 4c 41 53 54 49 4e 47 20 65 72 65   NGER LASTING ere
0240  63 74 69 6f 6e 73 0a 2a 2d 20 49 6e 63 72 65 61   ctions.*- Increa
0250  73 65 64 20 6c 69 62 69 64 6f 20 61 6e 64 20 76   sed libido and v
0260  69 74 61 6c 69 74 79 2c 20 68 61 76 65 20 6d 6f   itality, have mo
0270  72 65 20 65 6e 65 72 67 79 20 66 6f 72 20 76 69   re energy for vi
0280  67 6f 72 6f 75 73 20 61 63 74 69 76 69 74 79 0a   gorous activity.
0290  0a 4e 65 77 20 59 4f 48 49 4d 42 45 2d 46 52 45   .New YOHIMBE-FRE
02a0  45 20 41 64 76 61 6e 63 65 64 20 46 6f 72 6d 75   E Advanced Formu
02b0  6c 61 20 39 2e 30 20 41 76 61 69 6c 61 62 6c 65   la 9.0 Available
02c0  20 4e 6f 77 21 0a 0a 42 65 73 74 20 6f 66 20 61    Now!..Best of a
02d0  6c 6c 2c 20 52 65 63 6f 6d 6d 65 6e 64 65 64 20   ll, Recommended
02e0  62 79 20 72 65 61 6c 20 64 6f 63 74 6f 72 73 21   by real doctors!
02f0  0a 0a 4f 6e 20 53 61 6c 65 2c 20 4c 69 6d 69 74   ..On Sale, Limit
0300  65 64 20 54 69 6d 65 20 4f 6e 6c 79 21 0a 0a 56   ed Time Only!..V
0310  49 53 49 54 20 57 57 57 2e 42 49 47 42 4f 4e 45   ISIT WWW.BIGBONE
0320  52 2e 42 49 5a 20 4e 4f 57 21 00                  R.BIZ NOW!.



It's been a long time since I ran Windows, so maybe someone on this list
who does has seen this frequently. It shocked me; I expect email spam, but
not this. What if it were a child who saw this pop up in front of them?

-jayjwa
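Added example (editor's code, not part of jayjwa's post): a small Python parser that walks the captured frame from the Linux cooked header through IPv4 and UDP to the DCE RPC connectionless header, compares the interface UUID with the Messenger Service UUID shown in frame 2 (5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc), and unpacks the three NDR strings of a NetrSendMessage call (sender, recipient, message). It is run over frame 1's hex dump, copied from the post with the ASCII column dropped. Wireshark dissected that frame as a malformed DNS response because its source port is 53, but the same Messenger interface UUID sits at offset 0x44 of the dump, so keying the check on the UUID and opnum rather than on port numbers classifies it correctly. The 80-byte header layout and the NDR conformant varying string encoding (max count, offset, actual count, bytes, then padding to a 4-byte boundary) are standard DCE RPC; that padding is visible in frame 2 between the 19-byte server string and the next count field. Function names and the dict layout are mine.

```python
import struct
import uuid

# Interface UUID of the Microsoft Messenger Service, from frame 2's
# "Interface:" line in the post.  NetrSendMessage is opnum 0 on it.
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")

# Frame 1 from the post, hex columns only (ASCII column dropped).  Wireshark
# called it DNS because the source port is 53; the bytes at 0x44 say otherwise.
FRAME1_HEXDUMP = """\
0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00
0010  45 00 01 7c d8 07 40 00 cb 11 b0 32 15 df c3 04
0020  40 b3 0c a0 00 35 04 02 01 68 d9 76 04 00 a8 80
0030  10 01 00 2b 00 2b 00 2b 00 00 00 00 00 00 00 00
0040  00 00 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0
0050  4f b6 e6 fc ae 39 87 c3 c7 f8 5f 34 d0 17 a3 cc
0060  0b 98 d0 70 00 00 00 00 01 00 00 00 00 00 00 00
0070  00 00 ff ff ff ff 10 01 00 00 00 00 0c 00 00 00
0080  00 00 00 00 0c 00 00 00 52 65 61 6c 20 57 6f 6d
0090  65 6e 00 00 04 00 00 00 00 00 00 00 04 00 00 00
00a0  59 6f 75 00 dc 00 00 00 00 00 00 00 dc 00 00 00
00b0  2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 57 41 4e 54
00c0  20 53 45 58 3f 0d 0a 0d 0a 54 69 72 65 64 20 6f
00d0  66 20 61 6c 6c 20 74 68 65 20 27 77 6f 6d 65 6e
00e0  27 20 6f 6e 20 74 68 65 20 64 61 74 69 6e 67 20
00f0  73 69 74 65 73 20 77 68 6f 20 77 61 6e 74 20 27
0100  72 6f 6d 61 6e 63 65 27 20 20 3f 0d 0a 0d 0a 42
0110  65 6c 69 65 76 65 20 69 74 20 6f 72 20 6e 6f 74
0120  2c 20 74 68 65 72 65 20 61 72 65 20 4d 41 4e 59
0130  20 77 6f 6d 65 6e 20 77 68 6f 20 77 61 6e 74 20
0140  48 4f 54 20 70 61 73 73 69 6f 6e 61 74 65 20 73
0150  65 78 20 4e 4f 57 21 21 21 21 21 0d 0a 2a 2a 2a
0160  2a 2a 2a 2a 2a 2a 2a 0d 0a 0d 0a 46 49 4e 44 20
0170  55 53 20 41 54 3a 0d 0a 0d 0a 09 77 77 77 2e 68
0180  6f 73 74 31 30 31 2e 55 53 0d 0a 00
"""


def hexdump_to_bytes(text: str) -> bytes:
    """Turn 'offset  xx xx ...' lines into bytes; the offset column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        if line.strip():
            out += bytes.fromhex(line.split(None, 1)[1])
    return bytes(out)


def ndr_string(stub: bytes, off: int, endian: str):
    """Read one NDR conformant varying char array; return (text, next_off).
    Wire form: max_count, offset, actual_count (uint32 each), actual_count
    bytes, then padding to the next 4-byte boundary."""
    max_count, offset, actual = struct.unpack_from(endian + "III", stub, off)
    off += 12
    if offset > actual or actual > max_count or off + actual > len(stub):
        raise ValueError("NDR string counts out of bounds")
    raw = stub[off:off + actual]
    off = (off + actual + 3) & ~3           # NDR 4-byte alignment
    return raw.split(b"\0", 1)[0].decode("ascii", "replace"), off


def parse_messenger_datagram(frame: bytes, linklayer_len: int = 16) -> dict:
    """Walk link layer -> IPv4 -> UDP -> DCE RPC CL header -> NDR stub.
    linklayer_len=16 is the Linux cooked capture header used in the post."""
    ip = frame[linklayer_len:]
    if ip[0] >> 4 != 4 or ip[9] != 17:
        raise ValueError("not IPv4/UDP")
    udp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    rpc = udp[8:ulen]
    if len(rpc) < 80 or rpc[0] != 4:
        raise ValueError("not a DCE RPC connectionless (version 4) PDU")
    endian = "<" if rpc[4] >> 4 == 1 else ">"        # drep: 1 = little-endian
    iface = (uuid.UUID(bytes_le=rpc[24:40]) if endian == "<"
             else uuid.UUID(bytes=rpc[24:40]))
    opnum = struct.unpack_from(endian + "H", rpc, 68)[0]
    frag_len = struct.unpack_from(endian + "H", rpc, 74)[0]
    info = {"src_ip": ".".join(str(b) for b in ip[12:16]), "sport": sport,
            "dport": dport, "ptype": rpc[1], "interface": iface,
            "opnum": opnum, "frag_len": frag_len,
            # Key on the interface, not the port: 1026/1027 and a source
            # port of 53 are the sender's choice, the UUID is not.
            "is_messenger": iface == MSGSVC_UUID and rpc[1] == 0 and opnum == 0}
    if info["is_messenger"]:
        stub, off = rpc[80:80 + frag_len], 0
        for field in ("server", "client", "message"):  # NetrSendMessage args
            info[field], off = ndr_string(stub, off, endian)
    return info


if __name__ == "__main__":
    info = parse_messenger_datagram(hexdump_to_bytes(FRAME1_HEXDUMP))
    print(f"{info['src_ip']}:{info['sport']} -> udp/{info['dport']} "
          f"iface={info['interface']} opnum={info['opnum']} "
          f"messenger={info['is_messenger']}")
    if info["is_messenger"]:
        print(f"from {info['server']!r} to {info['client']!r}:")
        print(info["message"])
```

Run as-is it prints the source address and ports of frame 1, the Messenger interface UUID, and the decoded text ("Real Women" to "You", followed by the message body). Because the classification keys on the interface UUID and opnum, the same function would flag these datagrams whatever destination port they were aimed at and whatever source port was picked to slip past a port-based filter.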
