Re: false portscan alarm
- From: "GEO" Me@xxxxxxxxx
- Date: Thu, 19 Oct 2006 03:56:18 GMT
On Wed, 18 Oct 2006 14:49:35 -0500, ibuprofin@xxxxxxxxxxxxxxxxxxxxxx
(Moe Trin) wrote:
I should have re-posted the explanation you gave me a few weeks
(months?) ago. :)
..... Today I have received UDP packets from 220.127.116.11.
1026, 1027, the usual.
The usual problem is windoze messenger spam sent to port 1025-1035, and
usually consists of a single packet of 400 to 1200 octets, with a bogus
message claiming to come from your system and reporting registry
corruption or similar. It has a URL to some idiot's web site unrelated
to microsoft, though the name may include the character strings 'window'
and/or 'registry'. There's an article cross-posted to comp.security.misc
and alt.computer.security yesterday that is complaining about this very
problem. Invariably, the source IP address is faked (a real address
isn't needed for this service, as one-way delivery of the spam is all
that is desired). If you look at the actual packet headers, there
are several obvious clues that the packet source is faked, especially if
you compare other similar packets received in the same general timeframe.
Such things as TTL, sequence numbers, and source port numbers often give
it away, as does source IP addresses that haven't even been delegated by
IANA, and therefore can't exist.
Either the explanation that ' wwwbaytest5.microsoft.com has some
malware hunting for more exploitable systems' is correct, or they have
managed to spoof the IP address.
Spoofing UDP is _very_ common.
- Prev by Date: Re: false portscan alarm
- Next by Date: Re: Privacy/Security: How to change my IP address daily or weekly on DSL
- Previous by thread: Re: false portscan alarm
- Next by thread: false portscan alarm