Port 1026-1031 increase

Published: 2003-11-25
Last Updated: 2003-11-26 03:14:29 UTC
by Handlers (Version: 1)
0 comment(s)

The number of sources scanning for port 1026-1031 is increasing over the last few days. See:

http://www.dshield.org/port_report.php?port=1026

http://www.dshield.org/port_report.php?port=1031

We are currenlty looking for more data to investigtate this issue. One important hint is the change in source ports. As of Nov. 21st, most port 135 reports came
from a source port of 666 or 4177, indicating that they where crafted. However,
more recently (e.g. Nov. 25th), more reports originate from the default source
ports (1024 and up). This is illustracted in this graphic:

http://isc.sans.org/images/1026spdistribution.gif

Not shown in the graphic is a second peak for the Nov. 25th data around source
port 60,000. This data may be associated with hosts behind NAT devices.
Current possibilities:

(1) Popup Spam:

It is possible to reach the Windows Messenger service via these ports. This
bypasses UDP 135, which is frequently blocked by firewalls.

However, most popup spam originates from a small number of sources

(2) Windows Messenger Worm/Bot

On October 15th, Microsoft released Bulletin MS03-043. This bulletin warns of a
buffer overflow for the Microsoft Messenger Service

http://www.microsoft.com/technet/security/bulletin/MS03-043.asp

This vulnerability could be used to gain access to a system, or to launch self replicating code. The malware comunity is actively working on related exploits.

RECOMMENDATIONS

Conintinue to be vigilant and please report related incidents. Note: MS03-043 was revised earlier this week regarding patching conflicts. If you put off patching
due to this conflict, please reevaluate.

Keywords:
0 comment(s)

Comments


Diary Archives