Re: udp and dst port 1026
From: Bill McCarty (bmccarty_at_pt-net.net)
Date: 12/02/03
- Previous message: Jens Hektor: "udp and dst port 1026"
- In reply to: Jens Hektor: "udp and dst port 1026"
- Next in thread: Cedric Foll: "Re: udp and dst port 1026"
- Reply: Cedric Foll: "Re: udp and dst port 1026"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 01 Dec 2003 19:54:55 -0800 To: Jens Hektor <hektor@rz.rwth-aachen.de>, incidents@securityfocus.com
Hi Hektor and all,
--On Tuesday, December 02, 2003 12:20 AM +0100 Jens Hektor
<hektor@rz.rwth-aachen.de> wrote:
> starting around Nov 22 and increasing from Nov 24
> until today I see packets floating around from
> various sources to almost any IP of our networks.
> Payload are two bytes with value zero.
> Any idea what this could be?
I've been tracking apparently identical traffic for several days and
there's been discussion of it on the DShield email list. In particular, I'm
seeing 0x0000 payloads delivered to UDP 135 and UDP 1026-1031. The same
sources sometimes also send a standard, 50-byte NetBIOS probe to UDP 137.
Over each of the last several days, I've seen scans by several hundred
hosts of one host on my Class C. That host, a Red Hat Linux honeypot, has
provided little encouragement to the scanners, since it responds with ICMP
Port Unreachable to all the related traffic. About midday today, additional
hosts on my network were targeted and the scans began to strongly favor UDP
1026 and UDP 1030, whereas they'd earlier generally included all ports in
the UDP 1026-1031 range. DShield graphs of the number of UDP 1026 and UDP
1030 targets went vertical today, so this is apparently an Internet-wide
phenomenon.
I still see no payloads other than 0x0000. I speculate that I'm monitoring
the scanning phase of a soon-to-be worm or worms, and that some more
interesting payload will soon arrive. My guess is that the payload will
target the Windows Messenger service, which is generally available on the
ports being probed.
One participant on the DShield list has a pair of local hosts that today
began emitting UDP 1026-1031 traffic from his .edu network. He plans to
obtain and analyze them tomorrow. Perhaps his efforts will shed light on
the traffic.
Cheers,
---------------------------------------------------
Bill McCarty
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: Jens Hektor: "udp and dst port 1026"
- In reply to: Jens Hektor: "udp and dst port 1026"
- Next in thread: Cedric Foll: "Re: udp and dst port 1026"
- Reply: Cedric Foll: "Re: udp and dst port 1026"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
