[unisog] anyone else seeing lots of popup spam/malware?

Peter Van Epp vanepp at sfu.ca
Wed Oct 26 16:24:45 GMT 2005


On Wed, Oct 26, 2005 at 10:18:44AM -0500, John Rowan Littell wrote:
> 
> Lo, Russell Fulton and the teakettle whistled in unison:
> 
> > Over the last couple of weeks we have noticed an increasing amount of
> > UDP traffic with a source port of 0 and destination port of 102x (
> > x=5,6) packets are always a variation of this:
> [snip]
> 
> Upon looking at our Argus logs, I do see a number of these.  I can't
> confirm the payload, since I have Argus set to ignore that, but all
> the other characteristics match.
> 

	Me too, although it looks to be entirely unsuccessful at getting 
replies here.

25 Oct 05 00:01:35           udp   72.164.71.228.0      ->     142.58.xx.xx.1025  1        0         532          0           INT
...
25 Oct 05 00:01:35           udp   72.164.71.228.0      ->    142.58.xx.xx.1026  1        0         532          0           INT

(here someone new joins, indicating it probably isn't spoofed source addresses)

25 Oct 05 00:01:35           udp   219.72.53.217.0      ->    142.58.xx.xx.1025  1        0         532          0           INT
25 Oct 05 00:01:35           udp   72.164.71.228.0      ->     142.58.xx.xx.1025  1        0         532          0           INT
...

(72.164.71.228 fades out here leaving the new one)

25 Oct 05 00:01:35           udp   72.164.71.228.0      ->    142.58.xx.xx.1026  1        0         532          0           INT
25 Oct 05 00:01:35           udp   219.72.53.217.0      ->    142.58.xx.xx.1025  1        0         532          0           INT
...
(and a new one starts up ...)
25 Oct 05 00:01:35           udp   219.72.53.217.0      ->    142.58.xx.xx.1025  1        0         532          0           INT
25 Oct 05 00:03:06     I     udp   74.153.31.120.0      ->    142.58.xxx.x.1025  1        0         532          0           INT
...
(then abruptly switches)
25 Oct 05 00:03:06           udp   74.153.31.120.0      ->  142.58.xxx.xxx.1026  1        0         532          0           INT
25 Oct 05 00:03:45           udp      3.3.50.120.0      ->     142.58.xx.xx.1026  1        0         536          0           INT
...

	Blocking UDP inbound with a source port of 0 sounds to me like a good
bet (I don't see anything else using it in a quick scan through the Argus
logs).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
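As an added illustration that is not part of this post or of the Argus tool itself: a small Python parser for the ra-style flow lines shown above, which groups UDP flows with source port 0 by sender, records the destination ports hit, and notes whether the targeted host ever answered (dpkts > 0). The sample lines, the RFC 5737 addresses in them and the function names are constructed for this example.

```python
from collections import defaultdict

# Constructed sample records in the Argus "ra" layout quoted in the post:
# date, time, optional flag column, proto, src.port -> dst.port,
# spkts, dpkts, sbytes, dbytes, state. Addresses are documentation ranges,
# not the ones seen on the list. The last two lines are benign controls.
SAMPLE_LOG = """\
25 Oct 05 00:01:35           udp   198.51.100.7.0       ->     192.0.2.15.1025   1        0         532          0           INT
25 Oct 05 00:01:35           udp   198.51.100.7.0       ->     192.0.2.15.1026   1        0         532          0           INT
25 Oct 05 00:03:06     I     udp   203.0.113.9.0        ->     192.0.2.21.1025   1        0         532          0           INT
25 Oct 05 00:03:45           udp   203.0.113.9.0        ->     192.0.2.21.1026   1        0         536          0           INT
25 Oct 05 00:04:02           udp   192.0.2.53.53        ->     192.0.2.15.1025   1        1         80           120         CON
25 Oct 05 00:04:10           tcp   203.0.113.9.0        ->     192.0.2.21.80     3        2         200          150         EST
"""

def parse_argus_line(line):
    """Return the fields we need from one ra flow line, or None if it is not a flow record."""
    tokens = line.split()
    if "->" not in tokens:
        return None
    i = tokens.index("->")          # anchor on the arrow so the optional flag column does not matter
    try:
        src_addr, src_port = tokens[i - 1].rsplit(".", 1)   # "a.b.c.d.port" -> ("a.b.c.d", "port")
        dst_addr, dst_port = tokens[i + 1].rsplit(".", 1)
        return {
            "proto": tokens[i - 2],
            "src_addr": src_addr, "src_port": int(src_port),
            "dst_addr": dst_addr, "dst_port": int(dst_port),
            "spkts": int(tokens[i + 2]), "dpkts": int(tokens[i + 3]),
            "sbytes": int(tokens[i + 4]), "dbytes": int(tokens[i + 5]),
            "state": tokens[i + 6],
        }
    except (ValueError, IndexError):
        return None

def find_udp_srcport0(log_text):
    """Group UDP flows with source port 0 by sender; track ports hit and whether any reply came back."""
    hits = defaultdict(lambda: {"flows": 0, "dst_ports": set(), "replied": False})
    for line in log_text.splitlines():
        rec = parse_argus_line(line)
        if rec is None or rec["proto"] != "udp" or rec["src_port"] != 0:
            continue
        entry = hits[rec["src_addr"]]
        entry["flows"] += 1
        entry["dst_ports"].add(rec["dst_port"])
        if rec["dpkts"] > 0:        # a reply would mean the target actually answered the probe
            entry["replied"] = True
    return dict(hits)

if __name__ == "__main__":
    for src, info in find_udp_srcport0(SAMPLE_LOG).items():
        print(src, info["flows"], sorted(info["dst_ports"]), "replied" if info["replied"] else "no reply")
```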

