Re: udp and dst port 1026

From: Cedric Foll (cedric.foll_at_ac-rouen.fr)
Date: 12/02/03

    To: Bill McCarty <bmccarty@pt-net.net>
    Date: 02 Dec 2003 17:03:08 +0100

    > I still see no payloads other than 0x0000. I speculate that I'm monitoring
    > the scanning phase of a soon-to-be worm or worms, and that some more
    > interesting payload will soon arrive. My guess is that the payload will
    > target the Windows Messenger service, which is generally available on the
    > ports being probed.

    I think that it's just spam.
    I've written a script on a server behind our firewall.

    When it sees a UDP packet to 1026 (I use libpcap) with 0x0000, I respond
    with hping (I spoof the IP and send the usual response of a Windows
    station which receives 0x0000 on port 1026).

    This is what I get:
    U 2003/12/02 16:11:30.339601 80.39.177.73:1133 -> 194.167.110.64:1026
      00 00 ..
    #
    U 2003/12/02 16:11:30.359611 194.167.110.64:1026 -> 80.39.177.73:1133
      04 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      00 00 00 00 00 00 00 00 59 b8 c3 3f 00 00 00 00 ........Y..?....
      00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 ................
      08 00 00 1c ....
    #
    U 2003/12/02 16:11:31.443237 80.39.177.73:1147 -> 194.167.110.64:1026
      04 00 08 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
      00 00 00 00 00 00 00 00 f8 91 7b 5a 00 ff d0 11 ..........{Z....
      a9 b2 00 c0 4f b6 e6 fc b4 38 d5 70 74 61 66 e1 ....O....8.ptaf.
      f9 7d 41 07 b5 15 5e 42 00 00 00 00 01 00 00 00 .}A...^B........
      00 00 00 00 00 00 ff ff ff ff b7 01 00 00 00 00 ................
      14 00 00 00 00 00 00 00 14 00 00 00 57 57 57 2e ............WWW.
      50 4f 50 41 44 53 54 4f 50 2e 43 4f 4d 00 00 00 POPADSTOP.COM...
      14 00 00 00 00 00 00 00 14 00 00 00 55 4e 53 45 ............UNSE
      43 55 52 45 44 20 43 4f 4d 50 55 54 45 52 00 00 CURED COMPUTER..
      6b 01 00 00 00 00 00 00 6b 01 00 00 50 55 42 4c k.......k...PUBL
      49 43 20 53 45 52 56 49 43 45 20 41 4e 4e 4f 55 IC SERVICE ANNOU
      4e 43 45 4d 45 4e 54 3a 0d 0a 0d 0a 0d 0a 59 4f NCEMENT:......YO
      55 52 20 43 4f 4d 50 55 54 45 52 20 49 53 20 4e UR COMPUTER IS N
      4f 54 20 53 45 43 55 52 45 44 20 41 47 41 49 4e OT SECURED AGAIN
      53 54 20 50 4f 50 2d 55 50 53 21 21 21 0d 0a 0d ST POP-UPS!!!...
      0a 0d 0a 44 4f 4e 27 54 20 53 50 45 4e 44 20 41 ...DON'T SPEND A
      4e 59 20 4d 4f 4e 45 59 20 46 4f 52 20 41 4e 59 NY MONEY FOR ANY
      20 50 4f 50 2d 55 50 20 42 4c 4f 43 4b 45 52 21 POP-UP BLOCKER!
      0d 0a 0d 0a 47 65 74 20 6f 75 72 73 20 66 6f 72 ....Get ours for
      20 46 52 45 45 21 21 21 0d 0a 0d 0a 59 65 73 20 FREE!!!....Yes
      74 68 61 74 27 73 20 72 69 67 68 74 2c 20 53 54 that's right, ST
      4f 50 20 50 6f 70 2d 55 70 20 61 64 73 20 66 6f OP Pop-Up ads fo
      72 20 46 52 45 45 21 21 21 0d 0a 0d 0a 0d 0a 0d r FREE!!!.......
      0a 20 20 20 20 20 20 20 20 20 20 20 20 20 2a 20 . *
      2a 20 2a 20 20 20 20 20 44 4f 20 4e 4f 54 20 43 * * DO NOT C
      4c 49 43 4b 20 22 4f 4b 22 20 42 45 46 4f 52 45 LICK "OK" BEFORE
      20 47 4f 49 4e 47 20 54 4f 20 4f 55 52 20 57 45 GOING TO OUR WE
      42 53 49 54 45 20 20 20 20 20 2a 20 2a 20 2a 0d BSITE * * *.
      0a 0d 0a 4f 6e 20 79 6f 75 72 20 77 65 62 20 62 ...On your web b
      72 6f 77 73 65 72 27 73 20 61 64 64 72 65 73 73 rowser's address
      20 62 61 72 2c 20 54 59 50 45 20 49 4e 3a 20 20 bar, TYPE IN:
      20 20 20 77 77 77 2e 50 6f 70 41 64 53 74 6f 70 www.PopAdStop
      2e 63 6f 6d 0d 0a 00 .com...
    #

    So I think that this 0x0000 is just a kind of 'ping'.

    -- 
    ==================
    Cedric Foll
    Network engineer, Rectorat de Rouen
    email: cedric.foll@ac-rouen.fr
    tel: 02 35 14 77 51
    "Pride has a larger share than kindness
    in the reproaches we address to
    those who commit faults; and we
    reprove them not so much to
    correct them as to persuade them that
    we are free of such faults."
    La Rochefoucauld
    ===================