[Dshield] Bizarre Activity Spurt...

Brian Dessent brian at dessent.net
Fri Oct 14 08:05:26 GMT 2005


Robert Nelson wrote:

> I just had 232 hits on ports 1025 and 1026, all udp, in 42 seconds. All had
> the source port of 7568. All but the first IP listed hit 8 times, port 1025
> then 1026, in a one-second burst each. One IP hit 8 times, then the next IP
> hit 8 times... Each 1025-1026 pair was at the same time, the next pair from
> that IP was 12-15 ms later.

Windows messenger spam.
<http://www.wired.com/news/technology/0,1282,55795,00.html>

> The following are the source IPs

The source address of these packets was probably spoofed and is
meaningless.

> Anybody ever seen anything quite like this?

Frankly, I'd be surprised if it was possible to connect to the internet
these days and *not* receive this.

Brian


More information about the list mailing list