Re: false portscan alarm



On Wed, 18 Oct 2006 14:49:35 -0500, ibuprofin@xxxxxxxxxxxxxxxxxxxxxx
(Moe Trin) wrote:

I should have re-posted the explanation you gave me a few weeks
(months?) ago. :)

..... Today I have received UDP packets from 204.16.208.74.

Destination port?

1026, 1027, the usual.

The usual problem is windoze messenger spam sent to port 1025-1035, and
usually consists of a single packet of 400 to 1200 octets, with a bogus
message claiming to come from your system and reporting registry
corruption or similar. It has a URL to some idiot's web site unrelated
to microsoft, though the name may include the character strings 'window'
and/or 'registry'. There's an article cross-posted to comp.security.misc
and alt.computer.security yesterday that is complaining about this very
problem. Invariably, the source IP address is faked (a real address
isn't needed for this service, as one-way delivery of the spam is all
that is desired). If you look at the actual packet headers, there
are several obvious clues that the packet source is faked, especially if
you compare other similar packets received in the same general timeframe.
Such things as TTL, sequence numbers, and source port numbers often give
it away, as do source IP addresses that haven't even been delegated by
IANA, and therefore can't exist.

Either the explanation that ' wwwbaytest5.microsoft.com has some
malware hunting for more exploitable systems' is correct, or they have
managed to spoof the IP address.

Spoofing UDP is _very_ common.


Geo

.
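The clues Moe lists (UDP to 1025-1035, a single packet of roughly 400 to 1200 octets, TTL values that do not fit a single real sender, and source addresses that were never delegated) can be turned into defensive triage logic. The following Python is an added example, not code from this thread or from either poster: the packet records are constructed, the TTL spread threshold is an assumption, and the "never delegated by IANA" test is approximated with the standard library's `ipaddress` module, which flags reserved and otherwise non-globally-routable space.

```python
"""Heuristic triage of inbound UDP records for Messenger-service spam
carrying spoofed source addresses (added example, not from the thread)."""
from collections import defaultdict
from ipaddress import ip_address

# Windows Messenger-service popup spam: UDP to 1025-1035, usually one
# packet of about 400-1200 octets, as described in the thread.
MESSENGER_PORTS = range(1025, 1036)   # 1025..1035 inclusive
MIN_LEN, MAX_LEN = 400, 1200
TTL_SPREAD_LIMIT = 8   # assumption: a real host's TTL should not swing more than this

# Constructed sample records (not real captures): claimed source, source port,
# destination port, observed TTL, UDP payload length in octets.
SAMPLE_PACKETS = [
    {"src": "204.16.208.74", "sport": 4099, "dport": 1026,  "ttl": 118, "len": 812},
    {"src": "204.16.208.74", "sport": 4099, "dport": 1027,  "ttl": 51,  "len": 812},
    {"src": "240.1.2.3",     "sport": 1234, "dport": 1026,  "ttl": 64,  "len": 640},
    {"src": "8.8.8.8",       "sport": 53,   "dport": 34567, "ttl": 56,  "len": 120},
]


def is_messenger_spam_candidate(pkt):
    """Destination port and size match the Messenger spam pattern."""
    return pkt["dport"] in MESSENGER_PORTS and MIN_LEN <= pkt["len"] <= MAX_LEN


def spoofing_clues(src, pkts):
    """Return human-readable hints that the claimed source address is faked."""
    clues = []
    addr = ip_address(src)
    # Reserved or non-routable space cannot be a genuine Internet sender.
    if addr.is_reserved or not addr.is_global:
        clues.append(f"{src} is not globally routable (reserved/unallocated/private)")
    # One real host reaches us over a stable path, so its TTL barely varies;
    # spam tools that randomise TTL per packet give themselves away.
    ttls = sorted(p["ttl"] for p in pkts)
    if ttls[-1] - ttls[0] > TTL_SPREAD_LIMIT:
        clues.append(f"ttl varies {ttls[0]}..{ttls[-1]} across {len(pkts)} packets")
    return clues


def triage(packets):
    """Group packets by claimed source; report sources that sent spam-like
    packets together with any spoofing clues gathered across all their packets."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    report = {}
    for src, pkts in by_src.items():
        candidates = [p for p in pkts if is_messenger_spam_candidate(p)]
        if not candidates:
            continue   # ordinary traffic such as a DNS reply is ignored
        report[src] = {
            "spam_candidates": len(candidates),
            "clues": spoofing_clues(src, pkts),
        }
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_PACKETS).items():
        print(src, info)
```

Run over the constructed records, the two packets "from" 204.16.208.74 are reported with a TTL-spread clue, the packet from reserved space is reported as non-routable, and the DNS reply from 8.8.8.8 is not reported at all. In practice the records would come from a firewall log or a pcap, and the TTL threshold should be tuned to what the real sender population looks like.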


