Port Information
Protocol | Service | Name
udp | win-rpc | Windows RPC
tcp | cap | Calendar Access Protocol, [Doug_Royer], 2010-12-09
udp | cap | Calendar Access Protocol, [Doug_Royer], 2010-12-09
tcp | nterm | remote_login network_terminal
Port diary mentions
Port 1026-1031 increase
Nachia Decline; Increased Activity on Port 1026
Beagle Exploit, SSL NULL encryption (update), port 12345 and 1026
User Comments
Submitted By Date
alerter 2009-10-04 18:45:22
The vast majority of these probes on UDP 1026, post-MS-RPC-DCOM exploit ("MS Blaster"), are Windows Messaging Service using alternate ports (UDP 1025-1027) to transmit/blast WMS Desktop Pop-up SPAM. This is because several ISPs have blocked and/or continue to block UDP 135 post-MS-Blaster. A few offensive and ongoing UDP 1026 WMS SPAMmer source IPs are: (VSNL-IN), (CHINANET-GD), (LACNIC-ARIN BR), (EAGLE-CN), whose respective ISPs have been entirely unresponsive and unreactive to ongoing net abuse complaints (check incidents logged with DeepSight Security Analyzer and DShield).
2009-10-04 18:45:22
I wonder if it is related to "new attack vectors for rpc vulnerabilities" http://www2.corest.com/common/showdoc.php?idx=393&idxseccion=10
Ken Hollis 2004-01-30 19:53:56
UDP Port 1026 (and, AFAIK, ports 1027, 1028 and 1029) are the ports for Windows Messenger Popup Spam. See: http://www.lurhq.com/popup_spam.html
Ken Hollis 2003-12-23 21:09:04
Greetings and Salutations: Since this is UDP, the spammers forge the source IP address to some unsuspecting party. Do not trust the source address; the packets would have to be traced hop by hop to actually find the perpetrator. Ken