[Dshield] What is the fun of this? Daily 70 packets to 1026 and 1027

Johannes B. Ullrich jullrich at sans.org
Mon Mar 28 15:14:15 GMT 2005


> I wonder why anybody keeps "pounding" my IP-address so consistently and 
> what the fun is of this type of "attack".

This is popup spam, directed at the Windows Messaging Service (not to be 
confused with 'Microsoft Instant Messenger').

Typically, this service is used via RPC-DCOM. The sender should send a 
packet to port 135, and the RPC service will pass the data to the 
Messaging service which will listen on some higher port.

However, many ISPs block port 135 (for good reason. RPC-DCOM has quite a 
few "issues"... ). So the popup spammers figured out that the Windows 
Messaging service is usually listening on port 1025 and 1027. While it 
could listen on any high port, it just picks the first available one.

If you don't have a firewall, you would see a popup that looks very much 
like a Windows system message. The Windows Messaging Service is usually 
used to notify users about print jobs that have completed, or if a 
remote administrator is about to shut down the system. So it's a valid 
service, but there is no need to expose it to the Internet.



-- 
---------
Johannes Ullrich                        jullrich at sans.org
SANS Internet Storm Center                 (617) 639 5000
http://isc.sans.org
PGP Key: https://secure.dshield.org/PGPKEYS
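
As an added example (not part of the original message): a small Python script that tallies this kind of traffic in a firewall log and flags any destination where such a packet was accepted rather than dropped. The log format, sample lines and addresses are constructed, and filtering on UDP is an assumption, since the post does not name the protocol.

```python
import re
from collections import Counter, defaultdict

# Ports from the post and its subject line: 135 (RPC) plus the first
# high ports the Messaging service tends to bind.
POPUP_PORTS = {135, 1025, 1026, 1027}

# Constructed sample in a hypothetical log format (documentation addresses).
SAMPLE_LOG = """\
2005-03-27 02:11:09 DROP UDP 198.51.100.7:32770 -> 192.0.2.10:1026 len=485
2005-03-27 02:11:09 DROP UDP 198.51.100.7:32770 -> 192.0.2.10:1027 len=485
2005-03-27 09:40:51 DROP TCP 203.0.113.4:4411 -> 192.0.2.10:445 len=48
2005-03-28 04:02:33 DROP UDP 203.0.113.99:1044 -> 192.0.2.10:1026 len=512
2005-03-28 04:02:34 ACCEPT UDP 203.0.113.99:1044 -> 192.0.2.11:1027 len=512
2005-03-28 11:15:00 DROP UDP 198.51.100.7:32771 -> 192.0.2.10:135 len=92
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<action>[A-Z]+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)\b"
)

def summarize(log_text):
    """Count popup-spam probes per day and list hosts the firewall let them reach."""
    per_day = defaultdict(Counter)   # date -> Counter of destination ports
    sources = Counter()              # source address -> packets sent
    exposed = set()                  # (dst, port) pairs where a probe was ACCEPTed
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip lines in another format
        port = int(m["dport"])
        if m["proto"] != "UDP" or port not in POPUP_PORTS:  # UDP is an assumption
            continue
        per_day[m["date"]][port] += 1
        sources[m["src"]] += 1
        if m["action"] == "ACCEPT":
            exposed.add((m["dst"], port))
    return per_day, sources, exposed

if __name__ == "__main__":
    per_day, sources, exposed = summarize(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, dict(per_day[day]))
    print("top sources:", sources.most_common(3))
    print("reachable from outside:", sorted(exposed))
```

Any entry in the last list is a host where the service port is reachable from the Internet and should be filtered.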