[Dshield] Bizarre Activity Spurt...

David Taylor ltr at isc.upenn.edu
Fri Oct 14 13:40:47 GMT 2005


I guess it could always be a Bot network sending out popup spam.


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org

irc.freenode.net #dshielders
http://freenode.net/



-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Robert Nelson
Sent: Friday, October 14, 2005 6:25 AM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] Bizarre Activity Spurt...


I'm used to seeing the messenger spam - but I've never seen it arrive in a
burst like this before.

It happened again at just after midnight my time and again at 4:46 AM CDT...

Robert

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Brian Dessent
Sent: October 14, 2005 3:05 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Bizarre Activity Spurt...


Robert Nelson wrote:

> I just had 232 hits on ports 1025 and 1026, all udp, in 42 seconds. 
> All had the source port of 7568. All but the first IP listed hit 8 
> times, port 1025 then 1026, in a one-second burst each. One IP hit 8 
> times, then the next IP hit 8 times... Each 1025-1026 pair was at the 
> same time, the next pair from that IP was 12-15 ms later.

Windows messenger spam.
<http://www.wired.com/news/technology/0,1282,55795,00.html>

> The following are the source IPs

The source address of these packets was probably spoofed and is meaningless.

> Anybody ever seen anything quite like this?

Frankly, I'd be surprised if it was possible to connect to the internet
these days and *not* receive this.

Brian
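
An added example, not part of the original thread: one way to flag the pattern Robert describes (UDP hits on ports 1025 and 1026 that share a single source port across several source addresses) in firewall logs. The log line format, the thresholds and the sample addresses are assumptions constructed for illustration; only the ports and the source port 7568 come from the report above.

```python
from collections import defaultdict

MESSENGER_PORTS = {1025, 1026}  # UDP destination ports named in the report

# Constructed sample: "<epoch seconds> <src ip> <src port> <dst port> <proto>"
def make_sample():
    lines, t = [], 1129270000.0
    for i in range(3):  # three sources, 8 hits each, 1025 then 1026
        ip = f"192.0.2.{10 + i}"
        for pair in range(4):
            for dport in (1025, 1026):
                lines.append(f"{t:.3f} {ip} 7568 {dport} udp")
            t += 0.013
        t += 1.0
    # Unrelated traffic that must not be flagged
    lines.append(f"{t + 5:.3f} 198.51.100.7 53211 1026 udp")
    lines.append(f"{t + 6:.3f} 198.51.100.8 7568 1025 tcp")
    return lines

def find_bursts(lines, max_gap=5.0, min_hits=16, min_sources=2):
    """Group UDP 1025/1026 hits by source port and split on idle gaps."""
    by_sport = defaultdict(list)
    for line in lines:
        try:
            ts, ip, sport, dport, proto = line.split()
            ts, sport, dport = float(ts), int(sport), int(dport)
        except ValueError:
            continue  # skip malformed lines
        if proto.lower() == "udp" and dport in MESSENGER_PORTS:
            by_sport[sport].append((ts, ip))
    bursts = []
    for sport, events in by_sport.items():
        events.sort()
        cluster = [events[0]]
        for ev in events[1:] + [None]:  # None flushes the final cluster
            if ev is not None and ev[0] - cluster[-1][0] <= max_gap:
                cluster.append(ev)
                continue
            sources = {ip for _, ip in cluster}
            if len(cluster) >= min_hits and len(sources) >= min_sources:
                bursts.append({"src_port": sport, "hits": len(cluster),
                               "sources": len(sources),
                               "seconds": round(cluster[-1][0] - cluster[0][0], 3)})
            cluster = [ev] if ev is not None else []
    return bursts

if __name__ == "__main__":
    for b in find_bursts(make_sample()):
        print(b)
```

Grouping on the shared source port rather than the source address keeps the check useful even if, as Brian notes, the source addresses are spoofed.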

