This is not that. They do not have source ports of 6666 - they are
dynamically assigned source ports in "normal" ranges (1024+). They do
not contain a meaningful payload. Here is the ASCII cap of a few of
them:
802.1Q vlan#604 P0 137.99.175.80.3233 > 192.189.8.166.1026: [udp sum ok] udp 2 (ttl 126, id 28390, len 30)
0x0000   025c 0800 4500 001e 6ee6 0000 7e11 cbd1   .\..E...n...~...
0x0010   8963 af50 c0bd 08a6 0ca1 0402 000a ed1f   .c.P............
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff   ................
0x0030   ffff                                      ..

802.1Q vlan#604 P0 137.99.175.80.3234 > 192.189.8.166.1030: [udp sum ok] udp 2 (ttl 126, id 28391, len 30)
0x0000   025c 0800 4500 001e 6ee7 0000 7e11 cbd0   .\..E...n...~...
0x0010   8963 af50 c0bd 08a6 0ca2 0406 000a ed1a   .c.P............
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff   ................
0x0030   ffff                                      ..

802.1Q vlan#604 P0 137.99.175.80.3233 > 171.75.168.173.1026: [udp sum ok] udp 2 (ttl 126, id 28392, len 30)
0x0000   025c 0800 4500 001e 6ee8 0000 7e11 413a   .\..E...n...~.A:
0x0010   8963 af50 ab4b a8ad 0ca1 0402 000a 628a   .c.P.K........b.
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff   ................
0x0030   ffff                                      ..

802.1Q vlan#604 P0 137.99.175.80.3234 > 171.75.168.173.1030: [udp sum ok] udp 2 (ttl 126, id 28393, len 30)
0x0000   025c 0800 4500 001e 6ee9 0000 7e11 4139   .\..E...n...~.A9
0x0010   8963 af50 ab4b a8ad 0ca2 0406 000a 6285   .c.P.K........b.
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff   ................
0x0030   ffff                                      ..
On Tue, 2003-12-02 at 04:16, Nicob wrote:
> On Tue, 2003-12-02 at 03:10, Rodrigues, Philip wrote:
> > I'm sitting in front of two Class B's. We saw a steady increase in the unique
> > external IPs scanning us for UDP 1026, 1030 today since 0700 EST. This chart
> > shows the number of unique external IPs with incoming UDP 1026 traffic per hour
> > since noon.
>
> This was discussed this month on some french security related
> newsgroups, and it seems that most of the scans have a source port of
> 666/UDP.
>
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.
>
> F*cking spammers ...
--
=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut
email: phil.rodrigues@uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Received on Tue Dec 02 13:47:30 2003
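Added example (not part of the original message): a decoder for the first hex dump in the capture above, which checks the IP and UDP checksums and separates the 2-byte UDP payload from the trailing 0xff bytes. It assumes the dump starts with the 802.1Q TCI and EtherType, as the "vlan#604" line suggests (0x025c = 604); the function names are the example's own.

```python
import socket
import struct

# Hex columns of the first packet in the capture above (ASCII column dropped).
PACKET_HEX = """
025c 0800 4500 001e 6ee6 0000 7e11 cbd1
8963 af50 c0bd 08a6 0ca1 0402 000a ed1f
0000 ffff ffff ffff ffff ffff ffff ffff
ffff
"""

def csum16(data: bytes) -> int:
    """RFC 1071 ones'-complement sum folded to 16 bits (0xFFFF means valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode(hex_dump: str) -> dict:
    raw = bytes.fromhex("".join(hex_dump.split()))
    # Assumption: bytes 0-3 are the rest of the 802.1Q tag (TCI, EtherType).
    tci, ethertype = struct.unpack("!HH", raw[:4])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = raw[4:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    # UDP checksum covers a pseudo-header: src, dst, zero, protocol, UDP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, ulen)
    return {
        "vlan": tci & 0x0FFF,
        "src": f"{socket.inet_ntoa(ip[12:16])}:{sport}",
        "dst": f"{socket.inet_ntoa(ip[16:20])}:{dport}",
        "ttl": ttl,
        "ip_checksum_ok": csum16(ip[:ihl]) == 0xFFFF,
        "udp_checksum_ok": csum16(pseudo + udp[:ulen]) == 0xFFFF,
        "payload": udp[8:ulen],     # data actually carried in the datagram
        "trailer": ip[total_len:],  # bytes past the IP total length, not UDP data
    }

if __name__ == "__main__":
    for key, value in decode(PACKET_HEX).items():
        print(f"{key:16} {value}")
```

The payload comes back as two zero bytes and the sixteen 0xff bytes fall outside the IP total length, so they are frame trailer rather than datagram content.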
This archive was generated by hypermail 2.1.8 : Tue Dec 02 2003 - 14:01:00 CST