[unisog] Windows Messaging Spam

Peter Van Epp vanepp at sfu.ca
Fri Oct 11 16:50:27 GMT 2002


	Yep, someone here that isn't running Windows in quiet/secure mode
(rather oddly named as "Power Off" :-)) as I do got one this morning. The 
source looks to be changing source addresses because just after hitting the 
machine (and before I managed to get a tcpdump of it) he stopped, presumably 
to move to a new IP address.

11 Oct 02 08:53:28    udp  218.150.206.80.1026  <->      aaa.bb.c.ddd.137   1        1         92           325         ACC
11 Oct 02 08:53:29    tcp  218.150.206.80.2444   ->      aaa.bb.c.ddd.139   6        4         484          273         FIN

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


> 
> We started seeing this yesterday.  Here's what transpired against
> one system on campus:
> 
> 10 Oct 02 17:49:15    udp  207.44.137.241.2192   ->   aaa.bbb.ccc.ddd.135 
> 10 Oct 02 17:48:21    udp  207.44.137.241.1115  <->   aaa.bbb.ccc.ddd.135 
> 10 Oct 02 17:48:53   icmp  207.44.137.241       <->   aaa.bbb.ccc.ddd     
> 10 Oct 02 17:48:53    udp  207.44.137.241.137   <->   aaa.bbb.ccc.ddd.137 
> 10 Oct 02 17:49:15    udp aaa.bbb.ccc.ddd.2955  <->    207.44.137.241.2192
> 10 Oct 02 17:49:15    udp aaa.bbb.ccc.ddd.1028  <->    207.44.137.241.2192
> 10 Oct 02 17:51:22    udp 140.128.179.240.1026  <->   aaa.bbb.ccc.ddd.137 
> 
> 207.44.137.241 (registered to Everyone's Internet) started probing
> random campus IP addresses around 12:45 yesterday afternoon, and continued
> until about 11pm last night.
> 
> One thing I noticed about the IP addresses they were poking at:  The
> last octet of the IP had a pattern to it.  First they started poking at
> 
>   aaa.bbb.ccc.11
>   aaa.bbb.ccc.71
>   aaa.bbb.ccc.131
>   aaa.bbb.ccc.196
> 
> Then:
> 
>   aaa.bbb.ccc.12
>   aaa.bbb.ccc.72
>   aaa.bbb.ccc.132
>   aaa.bbb.ccc.197
> 
> They kept incrementing the last octet by one until they stopped at
> 
>   aaa.bbb.ccc.37
>   aaa.bbb.ccc.97
>   aaa.bbb.ccc.152
>   aaa.bbb.ccc.222
> 
> They're all 26 more than the starting IP except the one ending in 152.
> 
> 
> Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069
> 
> 
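A small detector for the kind of flow records quoted in this thread, added here as an example; it is not part of either post. It assumes the argus-style column layout shown in the records above (date, time, proto, source, direction, destination, then optional counters and state), works on constructed sample records using RFC 5737 documentation address ranges, and treats the probed port set and the consecutive-octet threshold as assumptions to tune for your own network.

```python
"""Flag Messenger-service probes and incrementing-octet scans in flow logs.

Added example, not from the unisog thread. Column layout is assumed from
the records quoted in the thread: date(3 tokens) time proto src[.port]
direction dst[.port] [counters... state].
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# UDP destination ports seen probed in the thread: 135 (RPC endpoint
# mapper) and 137 (NetBIOS name service). Assumption: adjust as needed.
MESSENGER_PORTS = {135, 137}

# Constructed sample records (documentation ranges, not real hosts).
SAMPLE_LOG = """\
10 Oct 02 17:48:21    udp  203.0.113.5.1115     <->   192.0.2.11.135
10 Oct 02 17:48:53   icmp  203.0.113.5          <->   192.0.2.11
10 Oct 02 17:49:15    udp  203.0.113.5.2192      ->   192.0.2.12.135
10 Oct 02 17:50:02    udp  203.0.113.5.2192      ->   192.0.2.13.135
10 Oct 02 17:50:40    udp  203.0.113.5.2192      ->   192.0.2.14.135
10 Oct 02 17:51:22    udp  203.0.113.9.1026     <->   192.0.2.44.137   1   1   92   325   ACC
11 Oct 02 08:53:29    tcp  203.0.113.9.2444      ->   192.0.2.44.139   6   4   484  273   FIN
"""


@dataclass
class Flow:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str


def split_endpoint(token):
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare 'a.b.c.d' (icmp) -> (addr, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_flows(text):
    """Parse records in the assumed layout; lines with too few fields are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        src, sport = split_endpoint(f[5])
        dst, dport = split_endpoint(f[7])
        flows.append(Flow(f[4].lower(), src, sport, dst, dport, f[6]))
    return flows


def messenger_probes(flows, local_prefix):
    """UDP flows from outside local_prefix to the Messenger-service ports."""
    return [fl for fl in flows
            if fl.proto == "udp"
            and fl.dport in MESSENGER_PORTS
            and fl.dst.startswith(local_prefix)
            and not fl.src.startswith(local_prefix)]


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers among values."""
    best = run = 0
    prev = None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best


def sequential_scanners(flows, local_prefix, min_run=3):
    """Sources whose probed targets walk the last octet one step at a time,
    the pattern described in the quoted post. Returns {src: run_length}."""
    octets = defaultdict(list)
    for fl in messenger_probes(flows, local_prefix):
        octets[fl.src].append(int(fl.dst.rsplit(".", 1)[1]))
    runs = {src: longest_consecutive_run(o) for src, o in octets.items()}
    return {src: n for src, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for fl in messenger_probes(flows, "192.0.2."):
        print(f"probe  {fl.src}:{fl.sport} -> {fl.dst}:{fl.dport}")
    for src, n in sequential_scanners(flows, "192.0.2.").items():
        print(f"scanner {src}: {n} consecutive last octets")
```

The probe filter alone catches single hits like the one in the top post; the run check picks out the systematic walk through the last octet that the quoted post describes, which a per-flow rule would miss.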