[unisog] Windows Messaging Spam

Mike Iglesias iglesias at draco.acs.uci.edu
Fri Oct 11 16:24:09 GMT 2002


We started seeing this yesterday.  Here's what transpired against
one system on campus:

10 Oct 02 17:49:15    udp  207.44.137.241.2192   ->   aaa.bbb.ccc.ddd.135 
10 Oct 02 17:48:21    udp  207.44.137.241.1115  <->   aaa.bbb.ccc.ddd.135 
10 Oct 02 17:48:53   icmp  207.44.137.241       <->   aaa.bbb.ccc.ddd     
10 Oct 02 17:48:53    udp  207.44.137.241.137   <->   aaa.bbb.ccc.ddd.137 
10 Oct 02 17:49:15    udp aaa.bbb.ccc.ddd.2955  <->    207.44.137.241.2192
10 Oct 02 17:49:15    udp aaa.bbb.ccc.ddd.1028  <->    207.44.137.241.2192
10 Oct 02 17:51:22    udp 140.128.179.240.1026  <->   aaa.bbb.ccc.ddd.137 

207.44.137.241 (registered to Everyone's Internet) started probing
random campus IP addresses around 12:45 yesterday afternoon, and continued
until about 11pm last night.

One thing I noticed about the IP addresses they were poking at:  The
last octet of the IP had a pattern to it.  First they started poking at

  aaa.bbb.ccc.11
  aaa.bbb.ccc.71
  aaa.bbb.ccc.131
  aaa.bbb.ccc.196

Then:

  aaa.bbb.ccc.12
  aaa.bbb.ccc.72
  aaa.bbb.ccc.132
  aaa.bbb.ccc.197

They kept incrementing the last octet by one until they stopped at

  aaa.bbb.ccc.37
  aaa.bbb.ccc.97
  aaa.bbb.ccc.152
  aaa.bbb.ccc.222

They're all 26 more than the starting IP except the one ending in 152.


Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069
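
An added example, not part of the original post: one way to pull an interleaved sweep like the one described above out of flow records in the layout shown, reporting each run's first octet, last octet and span. The function names, the addresses 198.51.100.7 and 192.0.2.0/24, and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout used in the post: date time proto src[.port] direction dst[.port]
FLOW_RE = re.compile(
    r"^(\d+ \w+ \d+ [\d:]+)\s+(\w+)\s+([\d.]+)\s+(<?->)\s+([\d.]+)\s*$")

def split_endpoint(endpoint, proto):
    """Return (ip, port); ICMP records carry no port."""
    parts = endpoint.split(".")
    if proto != "icmp" and len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None

def sweep_lanes(lines, port=135, proto="udp"):
    """Per source, group probed last octets into runs that step by one."""
    lanes = defaultdict(list)  # source IP -> [[start, end], ...]
    for line in lines:
        m = FLOW_RE.match(line)
        if not m or m.group(2) != proto:
            continue
        src, _ = split_endpoint(m.group(3), proto)
        dst, dport = split_endpoint(m.group(5), proto)
        if dport != port:
            continue
        octet = int(dst.rsplit(".", 1)[1])
        for lane in lanes[src]:
            if lane[1] + 1 == octet:  # continues an existing run
                lane[1] = octet
                break
        else:
            # Not a continuation: open a new run unless it is a repeat probe.
            if not any(a <= octet <= b for a, b in lanes[src]):
                lanes[src].append([octet, octet])
    return {s: [(a, b, b - a) for a, b in runs] for s, runs in lanes.items()}

def constructed_flows():
    """Constructed records (documentation addresses), not data from the post."""
    ranges = [(11, 37), (71, 97), (131, 152), (196, 222)]
    out = ["10 Oct 02 12:44:59   icmp  198.51.100.7       <->   192.0.2.11     "]
    for step in range(27):
        for start, end in ranges:
            if start + step <= end:
                out.append(f"10 Oct 02 12:45:{step:02d}    udp  198.51.100.7.2192"
                           f"   ->   192.0.2.{start + step}.135 ")
    return out

if __name__ == "__main__":
    for src, runs in sweep_lanes(constructed_flows()).items():
        print(src, runs)
```

Records whose addresses are masked (such as `aaa.bbb.ccc.ddd`) do not match the pattern and are skipped, so the function needs unredacted flow data.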


