Handler on Duty: Didier Stevens
Threat Level: green
| Related diaries |
|---|
| Port 1026-1031 increase |
| Nachia Decline; Increased Activity on Port 1026 |
| Beagle Exploit, SSL NULL encryption (update), port 12345 and 1026 |
| Submitted By | Date | Comment |
|---|---|---|
| alerter | 2009-10-04 18:45:22 | The vast majority of these probes on UDP 1026, post-MS-RPC-DCOM exploit ("MS Blaster"), are Windows Messaging Service using alternate ports (UDP 1025-1027) to transmit/blast WMS Desktop Pop-up SPAM. This is because several ISP-s have blocked and/or continue to block UDP 135 post-MS-Blaster. A few offensive and ongoing UDP 1026 WMS SPAMmer source IP-s are: 203.197.199.183 (VSNL-IN), 61.143.182.138 (CHINANET-GD), 200.210.170.10 (LACNIC-ARIN BR), 202.131.221.61 (EAGLE-CN), whose respective ISP-s have been entirely unresponsive and unreactive to ongoing net abuse complaints (check incidents logged with DeepSight Security Analyzer and DShield). |
| | 2009-10-04 18:45:22 | I wonder if it is related to "new attack vectors for rpc vulnerabilities" http://www2.corest.com/common/showdoc.php?idx=393&idxseccion=10 |
| Ken Hollis | 2004-01-30 19:53:56 | UDP Port 1026 (and AFAIK ports 1027, 1028 and 1029) are the ports for Windows Messenger Popup Spam. See: http://www.lurhq.com/popup_spam.html |
| Ken Hollis | 2003-12-23 21:09:04 | Greetings and Salutations: Since this is UDP, the spammers forge the source IP address to some unsuspecting party. Do not trust the source address; the packets would have to be traced hop by hop to actually find the perpetrator. Ken |
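The comments above make two defender-relevant points: Messenger pop-up spam moved from UDP 135 to UDP 1026-1029 once ISPs filtered 135, and because it is UDP the claimed source address proves nothing. The script below is an added example, not part of this port page or of any commenter's post. It parses a simplified one-line-per-packet firewall log (an assumed format, with constructed sample lines using documentation addresses), keeps only UDP datagrams to the Messenger ports, and reports how many datagrams and how many distinct internal hosts each claimed source hit, so the output sizes the blast rather than naming a perpetrator.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Ports the Messenger service was seen using once UDP 135 got filtered
# upstream (per the comments above): 135 itself plus 1026-1029, all UDP.
MESSENGER_UDP_PORTS = {135, 1026, 1027, 1028, 1029}


@dataclass(frozen=True)
class Hit:
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """Parse one log line in the assumed format
    '<date> <time> <src>:<sport> -> <dst>:<dport> <PROTO>'.
    Returns None for anything that does not fit, so junk lines never
    abort a batch."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    src, _, _sport = parts[2].rpartition(":")
    dst, _, dport = parts[4].rpartition(":")
    try:
        ip_address(src)
        ip_address(dst)
        return Hit(src, dst, int(dport), parts[5].upper())
    except ValueError:
        return None


def is_messenger_candidate(hit):
    """Messenger pop-up spam is UDP to 135 or 1026-1029. TCP to the same
    port numbers is ordinary ephemeral-port traffic and is ignored."""
    return hit.proto == "UDP" and hit.dport in MESSENGER_UDP_PORTS


def find_messenger_spam(lines, min_packets=3):
    """Return {src: (datagram_count, distinct_targets)} for each claimed
    source that sent at least min_packets Messenger-port UDP datagrams.
    UDP sources are trivially forged, so treat 'src' as a label for the
    blast, not as evidence of who sent it."""
    packets = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit is None or not is_messenger_candidate(hit):
            continue
        packets[hit.src] += 1
        targets[hit.src].add(hit.dst)
    return {
        src: (count, len(targets[src]))
        for src, count in packets.items()
        if count >= min_packets
    }


# Constructed sample log: one source blasting four internal hosts, one lone
# datagram, a TCP connection to port 1026 (not Messenger), web traffic, junk.
SAMPLE_LOG = """\
2009-10-04 18:40:01 192.0.2.10:1026 -> 198.51.100.5:1026 UDP
2009-10-04 18:40:01 192.0.2.10:1026 -> 198.51.100.6:1026 UDP
2009-10-04 18:40:02 192.0.2.10:1026 -> 198.51.100.7:1027 UDP
2009-10-04 18:40:02 192.0.2.10:1026 -> 198.51.100.8:1026 UDP
2009-10-04 18:40:05 192.0.2.44:53211 -> 198.51.100.5:1026 UDP
2009-10-04 18:40:09 192.0.2.77:4321 -> 198.51.100.5:1026 TCP
2009-10-04 18:40:10 192.0.2.90:3388 -> 198.51.100.5:80 TCP
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for src, (count, n_targets) in find_messenger_spam(SAMPLE_LOG).items():
        print(f"{src}: {count} Messenger-port datagrams to {n_targets} hosts "
              "(claimed source; UDP, may be spoofed)")
```

Because the source is untrustworthy, the useful mitigation this points at is filtering inbound UDP to 135 and 1026-1029 at the perimeter (or disabling the Messenger service on hosts), not per-source blocks, which would only punish whoever's address was forged.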