Re: Lots of incoming traffic on UDP 1026 and UDP 1027?

JGrimshaw_at_ASAP.com
Date: 12/28/04

Next message: Joe Hood: "Re: bridge detection"

Previous message: JGrimshaw_at_ASAP.com: "Re: Lots of incoming traffic on UDP 1026 and UDP 1027?"
In reply to: FocusHacks: "Lots of incoming traffic on UDP 1026 and UDP 1027?"
Next in thread: Paul Duffany: "RE: Lots of incoming traffic on UDP 1026 and UDP 1027?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: webmaster@focushacks.com
Date: Tue, 28 Dec 2004 11:39:04 -0600

I believe it's windows messenger traffic, most likely spam.

Search google for udp port 1026 and you'll get a lot of links regarding
it. Activity to the windows messenger port seems to have been on the
upswing since early December.

I know that ICQ (a chat program) used udp port 1027. That could be spam
coming in, too.

FocusHacks <focushacks@gmail.com>
12/27/2004 12:34 PM
Please respond to
webmaster@focushacks.com

To
security-basics@securityfocus.com
cc

Subject
Lots of incoming traffic on UDP 1026 and UDP 1027?

I searched the archives at SecurityFocus and couldn't come up with
anything useful other than someone with Zone Alarm obviously saw the
same activity and people were trying to tell him to look for listening
ports on his machine, which is not the case.

I'm getting literally hammered by tons of various IP's on UDP 1026 and UDP
1027

I've attached a CSV log, modified a bit, from my NetScreen 5. I only
showed the last 15 bytes of the Source IP:Port so the first octet,
give or take a few bytes, is cut off. I left a few columns out as
well.

Let me know, this has been going on for quite a while, and all my
searches are ending in vain. Any ideas?

-- 
http://www.FocusHacks.com - The Ford Focus Modification Site!

application/octet-stream attachment: 1026-1027.csv

Next message: Joe Hood: "Re: bridge detection"

Previous message: JGrimshaw_at_ASAP.com: "Re: Lots of incoming traffic on UDP 1026 and UDP 1027?"
In reply to: FocusHacks: "Lots of incoming traffic on UDP 1026 and UDP 1027?"
Next in thread: Paul Duffany: "RE: Lots of incoming traffic on UDP 1026 and UDP 1027?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Cisco VPN client
... The UDP port 10000 configuration reference is proprietary to the Cisco VPN ... transit between the VPN client and the concentrator. ...
(Security-Basics)
Re: bind() udp behavior 2.6.8.1
... > clearing out a UDP connection in a firewall coming from a high port is ... Allowing a high numbered udp port to remain ... I think the current OpenAFS ...
(Linux-Kernel)
Re: Easy RRAS VPN question
... L2TP traffic at the UDP port of 1701. ... the security layer encountered a processing error during initial ... Jarryd ...
(microsoft.public.windows.server.networking)
Re: tcludp - bug when closing 1-of-2 listening ports
... It is indeed linked with zero-sized UDP packets. ... Listening on udp port: 1300 ... recv at 1300: 4 ...
(comp.lang.tcl)
Re: Auditing
... I still see scanners looking for UDP port 22 every once in a while ... (script kiddies looking for poorly configured PC-Anywhere instances). ... So, this could be unrelated to your incident, and just be some random ...
(FreeBSD-Security)