Re: [Dshield] Dramatic increase in port 1026 probes...

jayjwa jayjwa at atr2.ath.cx
Fri Jan 7 04:42:38 GMT 2005


On Thu, 6 Jan 2005, Zyzio wrote:

+ 
+ > Does anyone have an idea why there has been such a
+ > dramatic increase in the number of probes to port 1026?
+ > I have also noticed that the vast majority, if not all,
+ > of the offending source IP addresses originate in Asia...
+ Could you give more details about this traffic?
+ 
+ > Any educated theories welcome. :-)
+ If this is UDP traffic this could be SPAM using Windows Messenger.
+ If this is TCP traffic these probes may look for services which are
+ started at Windows start (as a third program that uses ports. First
+ program listens on 1024, second at 1025 etc ...)


For a few months now I've seen a dramatic increase in UDP MS Messenger 
Spam, the vast majority is from swbell and genuity (or appears that way). 
I've captured packets, tracked the spam, found the sites, and found the 
scams. One was a site in Korea called "www.updatenow.org", pretending to 
be Microsoft-affiliated, wanted people to buy a patch.


Packets supposedly from 70.240.0.0/16 are the most common:

Internet Protocol, Src Addr: 70.240.169.254 (70.240.169.254)
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 809
     Identification: 0xec78 (60536)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 108
     Protocol: UDP (0x11)
     Header checksum: 0x1fc6 (correct)
     Source: 70.240.169.254 (70.240.169.254)
     Destination: 64.179.13.228 (64.179.13.228)
User Datagram Protocol, Src Port: 8310 (8310), Dst Port: 1026 (1026)
     Source port: 8310 (8310)
     Destination port: 1026 (1026)
     Length: 789
     Checksum: 0x0000 (none)

0080  00 00 00 00 0a 00 00 00 55 50 44 41 54 45 4e 4f   ........UPDATENO
0090  57 00 00 00 0a 00 00 00 00 00 00 00 0a 00 00 00   W...............
00a0  57 49 4e 44 4f 57 53 00 00 00 00 00 81 02 00 00   WINDOWS.........
00b0  00 00 00 00 81 02 00 00 49 6d 70 6f 72 74 61 6e   ........Importan
00c0  74 20 4e 6f 74 69 63 65 20 46 72 6f 6d 20 4d 53   t Notice From MS
00d0  4f 46 54 0d 0a 0d 0a 42 75 66 66 65 72 20 4f 76   OFT....Buffer Ov
00e0  65 72 66 6c 6f 77 20 69 6e 20 4d 65 73 73 65 6e   erflow in Messen
00f0  67 65 72 20 53 65 72 76 69 63 65 20 41 6c 6c 6f   ger Service Allo
0100  77 73 20 55 6e 65 78 70 65 63 74 65 64 20 43 6f   ws Unexpected Co
0110  6d 70 75 74 65 72 20 53 68 75 74 64 6f 77 6e 2c   mputer Shutdown,
0120  0d 0a 56 69 72 75 73 20 49 6e 66 65 63 74 69 6f   ..Virus Infectio
0130  6e 20 61 6e 64 20 52 65 6d 6f 74 65 20 43 6f 64   n and Remote Cod
0140  65 20 45 78 65 63 75 74 69 6f 6e 0d 0a 0d 0a 41   e Execution....A
0150  66 66 65 63 74 65 64 20 53 6f 66 74 77 61 72 65   ffected Software
0160  3a 20 0d 0a 0d 0a 4d 69 63 72 6f 73 6f 66 74 20   : ....Microsoft
0170  57 69 6e 64 6f 77 73 20 4e 54 20 57 6f 72 6b 73   Windows NT Works
0180  74 61 74 69 6f 6e 20 0d 0a 4d 69 63 72 6f 73 6f   tation ..Microso
0190  66 74 20 57 69 6e 64 6f 77 73 20 4e 54 20 53 65   ft Windows NT Se
01a0  72 76 65 72 20 34 2e 30 20 0d 0a 4d 69 63 72 6f   rver 4.0 ..Micro
01b0  73 6f 66 74 20 57 69 6e 64 6f 77 73 20 32 30 30   soft Windows 200
01c0  30 20 20 20 0d 0a 4d 69 63 72 6f 73 6f 66 74 20   0   ..Microsoft
01d0  57 69 6e 64 6f 77 73 20 58 50 20 20 0d 0a 4d 69   Windows XP  ..Mi
01e0  63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20   crosoft Windows
01f0  57 69 6e 39 38 20 20 20 0d 0a 4d 69 63 72 6f 73   Win98   ..Micros
0200  6f 66 74 20 57 69 6e 64 6f 77 73 20 53 65 72 76   oft Windows Serv
0210  65 72 20 32 30 30 33 0d 0a 0d 0a 4e 6f 6e 20 41   er 2003....Non A
0220  66 66 65 63 74 65 64 20 53 6f 66 74 77 61 72 65   ffected Software
0230  3a 20 0d 0a 0d 0a 4d 69 63 72 6f 73 6f 66 74 20   : ....Microsoft
0240  57 69 6e 64 6f 77 73 20 4d 69 6c 6c 65 6e 6e 69   Windows Millenni
0250  75 6d 20 45 64 69 74 69 6f 6e 0d 0a 0d 0a 59 6f   um Edition....Yo
0260  75 72 20 73 79 73 74 65 6d 20 49 53 20 61 66 66   ur system IS aff
0270  65 63 74 65 64 2c 20 64 6f 77 6e 6c 6f 61 64 20   ected, download
0280  74 68 65 20 70 61 74 63 68 20 66 72 6f 6d 20 74   the patch from t
0290  68 65 20 61 64 64 72 65 73 73 20 62 65 6c 6f 77   he address below
02a0  20 21 20 0d 0a 46 49 52 53 54 20 54 59 50 45 20    ! ..FIRST TYPE
02b0  54 48 45 20 55 52 4c 20 42 45 4c 4f 57 20 49 4e   THE URL BELOW IN
02c0  54 4f 20 59 4f 55 52 20 49 4e 54 45 52 4e 45 54   TO YOUR INTERNET
02d0  20 42 52 4f 57 53 45 52 2c 20 54 48 45 4e 20 43    BROWSER, THEN C
02e0  4c 49 43 4b 20 27 4f 4b 27 20 0d 0a 20 20 20 20   LICK 'OK' ..

I sent a total of 17 messages between them over the months without a 
single response, so I just gave up. They're little more than an annoyance 
to me, knowing that they are there, because I have to actively sniff for 
them in order to see them.

There are a few known exploits around too, but I see much, much more spam 
on those ports than exploit packets.


--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
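As an added example (not part of jayjwa's post), the decoder below parses the hex dump above and pulls out the three strings the Messenger service's send-message call carries: sender, recipient and message text, each encoded as an NDR conformant-varying string (uint32 max_count, uint32 offset, uint32 actual_count, then the bytes, padded to a 4-byte boundary). It assumes that layout, and it assumes from the dump that the capture begins four bytes into the first string's header (the max_count field would sit at 0x7c, which the post does not show). Only the first eight dump lines are embedded, so the example also exercises the truncated-capture case: the text advertises 641 bytes but far fewer are present. The `LURE_PHRASES` list is a constructed set of indicators a defender might alert on.

```python
"""Decode the Messenger-service spam payload from the capture above.

The message is carried as three NDR conformant-varying strings
(from, to, text), each encoded as:
    uint32 max_count, uint32 offset, uint32 actual_count, actual_count bytes,
with the next field padded to a 4-byte boundary.  The decoder parses the
post's hex dump, extracts the strings, reports how much of the advertised
text the capture holds, and flags lure phrases worth alerting on.
"""
import re
import struct

# First eight lines of the hex dump from the post.  The capture begins at
# frame offset 0x80, four bytes into the first string's header (assumption:
# the max_count field sits at 0x7c and is not in the post), and stops long
# before the advertised end of the message text.
CAPTURE = """\
0080  00 00 00 00 0a 00 00 00 55 50 44 41 54 45 4e 4f   ........UPDATENO
0090  57 00 00 00 0a 00 00 00 00 00 00 00 0a 00 00 00   W...............
00a0  57 49 4e 44 4f 57 53 00 00 00 00 00 81 02 00 00   WINDOWS.........
00b0  00 00 00 00 81 02 00 00 49 6d 70 6f 72 74 61 6e   ........Importan
00c0  74 20 4e 6f 74 69 63 65 20 46 72 6f 6d 20 4d 53   t Notice From MS
00d0  4f 46 54 0d 0a 0d 0a 42 75 66 66 65 72 20 4f 76   OFT....Buffer Ov
00e0  65 72 66 6c 6f 77 20 69 6e 20 4d 65 73 73 65 6e   erflow in Messen
00f0  67 65 72 20 53 65 72 76 69 63 65 20 41 6c 6c 6f   ger Service Allo
"""

# Constructed indicator list: phrases typical of fake vendor alerts.
LURE_PHRASES = (
    "buffer overflow",
    "your system is affected",
    "download the patch",
    "type the url",
    "notice from msoft",
)


def parse_hexdump(dump):
    """Turn '0080  00 00 ... gutter' lines into (base_offset, bytes).

    The ASCII gutter is separated from the hex bytes by at least two
    spaces, so splitting on runs of two or more spaces isolates the bytes.
    Lines must be contiguous; a missing line would shift every field.
    """
    base = None
    buf = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        parts = re.split(r"\s{2,}", line.strip())
        offset = int(parts[0], 16)
        if base is None:
            base = offset
        if offset != base + len(buf):
            raise ValueError(f"non-contiguous dump at offset {offset:#x}")
        buf += bytes.fromhex(parts[1])
    return base, bytes(buf)


def read_ndr_string(buf, pos, has_max_count=True):
    """Read one conformant-varying string starting at buf[pos].

    Returns (text, next_pos, missing), where missing is the number of
    advertised bytes the buffer does not contain (0 for a complete string).
    """
    if has_max_count:
        max_count, offset, actual = struct.unpack_from("<III", buf, pos)
        if actual > max_count:
            raise ValueError("actual_count exceeds max_count")
        pos += 12
    else:
        # First string of this capture: max_count lies before the dump.
        offset, actual = struct.unpack_from("<II", buf, pos)
        pos += 8
    if offset != 0:
        raise ValueError("unexpected non-zero string offset")
    data = buf[pos:pos + actual]
    missing = actual - len(data)
    text = data.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    end = pos + actual
    end += (-end) % 4  # NDR pads every field to a 4-byte boundary
    return text, end, missing


def decode_messenger_payload(dump):
    """Decode the three strings and summarise what a defender cares about."""
    _base, buf = parse_hexdump(dump)
    sender, pos, _ = read_ndr_string(buf, 0, has_max_count=False)
    recipient, pos, _ = read_ndr_string(buf, pos)
    text, _, missing = read_ndr_string(buf, pos)
    lowered = text.lower()
    return {
        "from": sender,
        "to": recipient,
        "text": text,
        "captured_text_bytes": len(text),
        "missing_text_bytes": missing,
        "lures": [p for p in LURE_PHRASES if p in lowered],
    }


if __name__ == "__main__":
    for key, value in decode_messenger_payload(CAPTURE).items():
        print(f"{key}: {value!r}")
```

Run against the embedded lines it reports sender `UPDATENOW`, recipient `WINDOWS`, 72 captured text bytes with 569 still advertised, and two lure phrases. The contiguity check in `parse_hexdump` matters more than it looks: dropping one dump line would misalign the 4-byte headers and every subsequent string would decode as garbage, so it is better to fail loudly. A sanity check worth adding when the full datagram is available is that `actual_count` of the text fits inside the IP total length (809 bytes here); an advertised length that overruns the datagram is itself a sign of a malformed request rather than ordinary spam.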


