[Dshield] What is the fun of this? Daily 70 packets to 1026 and 1027
Johannes B. Ullrich
jullrich at sans.org
Mon Mar 28 15:14:15 GMT 2005
> I wonder why anybody keeps "pounding" my IP-address so consistently and
> what the fun is of this type of "attack".
This is popup spam, directed at the Windows Messaging Service (not to be
confused with 'Microsoft Instant Messenger').

Typically, this service is used via RPC-DCOM. The sender should send a
packet to port 135, and the RPC service will pass the data to the
Messaging service which will listen on some higher port.

However, many ISPs block port 135 (for good reason. RPC-DCOM has quite a
few "issues"... ). So the popup spammers figured out that the Windows
Messaging service is usually listening on port 1025 and 1027. While it
could listen on any high port, it just picks the first available one.

If you don't have a firewall, you would see a popup that looks very much
like a Windows system message. The Windows Messaging Service is usually
used to notify users about print jobs that have completed, or if a
remote administrator is about to shut down the system. So it's a valid
service, but there is no need to expose it to the Internet.

Johannes Ullrich jullrich at sans.org
SANS Internet Storm Center (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS
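
Added example, not part of the original post: one way to measure this traffic from a firewall log, tallying dropped packets to the Messenger-related ports per day and per source. It assumes netfilter LOG-style lines and that the popups arrive over UDP; the sample log, its addresses and the port set (135 plus the 1025-1027 ports named in the post and its subject line) are constructed for illustration.

```python
import re
from collections import Counter

# Ports taken from the post and its subject line: 135 (RPC) and the first
# high ports the Messaging service tends to pick. Adjust to your own logs.
POPUP_PORTS = {135, 1025, 1026, 1027}
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs in a LOG line

# Constructed sample in netfilter LOG format (documentation address ranges).
SAMPLE_LOG = """\
Mar 28 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=32770 DPT=1026 LEN=465
Mar 28 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=32770 DPT=1027 LEN=465
Mar 28 09:40:17 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1044 DPT=1026 LEN=512
Mar 28 09:41:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=4110 DPT=1025 SYN
Mar 28 09:45:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1044 DPT=53 LEN=60
Mar 29 04:00:00 fw kernel: device eth0 entered promiscuous mode
Mar 29 04:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=32771 DPT=1027 LEN=465
"""

def parse(line):
    """Return (day, src, proto, dport), or None if the line is not a packet record."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "PROTO", "DPT"} <= fields.keys():
        return None
    if not fields["DPT"].isdigit():
        return None
    day = " ".join(line.split()[:2])  # syslog "Mon DD" prefix
    return day, fields["SRC"], fields["PROTO"], int(fields["DPT"])

def summarize(log_text):
    """Count UDP packets to POPUP_PORTS by (day, port) and by source address."""
    by_day_port, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        day, src, proto, dport = rec
        # Assumption: popup spam is UDP; TCP hits on these ports are ignored here.
        if proto == "UDP" and dport in POPUP_PORTS:
            by_day_port[(day, dport)] += 1
            by_source[src] += 1
    return by_day_port, by_source

if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LOG)
    for (day, port), n in sorted(ports.items()):
        print(f"{day}  udp/{port}: {n} packets")
    for src, n in sources.most_common():
        print(f"{src}: {n} packets")
```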