Security Incidents mailing list archives
Re: udp and dst port 1026
From: Bill McCarty <bmccarty () pt-net net>
Date: Mon, 01 Dec 2003 19:54:55 -0800
Hi Hektor and all,

--On Tuesday, December 02, 2003 12:20 AM +0100 Jens Hektor <hektor () rz rwth-aachen de> wrote:

> starting around Nov 22 and increasing from Nov 24 until today I see packets floating around from various sources to almost any IP of our networks. The payload is two bytes with value zero. Any idea what this could be?
I've been tracking apparently identical traffic for several days and there's been discussion of it on the DShield email list. In particular, I'm seeing 0x0000 payloads delivered to UDP 135 and UDP 1026-1031. The same sources sometimes also send a standard, 50-byte NetBIOS probe to UDP 137.
Over each of the last several days, I've seen scans by several hundred hosts of one host on my Class C. That host, a Red Hat Linux honeypot, has provided little encouragement to the scanners, since it responds with ICMP Port Unreachable to all the related traffic. About midday today, additional hosts on my network were targeted and the scans began to strongly favor UDP 1026 and UDP 1030, whereas they'd earlier generally included all ports in the UDP 1026-1031 range. DShield graphs of the number of UDP 1026 and UDP 1030 targets went vertical today, so this is apparently an Internet-wide phenomenon.
I still see no payloads other than 0x0000. I speculate that I'm monitoring the scanning phase of a soon-to-be worm or worms, and that some more interesting payload will soon arrive. My guess is that the payload will target the Windows Messenger service, which is generally available on the ports being probed.
One participant on the DShield list has a pair of local hosts that today began emitting UDP 1026-1031 traffic from his .edu network. He plans to obtain and analyze them tomorrow. Perhaps his efforts will shed light on the traffic.
Cheers,

Bill McCarty
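As an added example (not code from Bill's message or the DShield list), a small Python detector that picks the two-zero-byte probes to UDP 135 and 1026-1031 out of tcpdump-style records and summarises them per source, noting whether the same source also sent the 50-byte NetBIOS probe to UDP 137. The record format, the addresses and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Ports the message reports being probed: UDP 135 and 1026-1031 (Windows Messenger service).
MESSENGER_PORTS = {135} | set(range(1026, 1032))

# Constructed tcpdump-style record format (not real capture output):
#   <time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n> [payload <hex>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)(?: payload (?P<payload>[0-9a-f]*))?$"
)

def parse_udp_line(line):
    # Returns (src, dst, dport, length, payload_hex), or None for non-matching lines.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), int(m["length"]), m["payload"] or ""

def is_null_probe(dport, length, payload):
    # Two zero bytes to UDP 135 or 1026-1031: the pattern the message describes.
    return dport in MESSENGER_PORTS and length == 2 and payload == "0000"

def scan_report(log_text):
    # Per source: null-probe count, targeted hosts and ports, and whether the same source
    # also sent the 50-byte NetBIOS probe to UDP 137. Sources without null probes are dropped.
    report = defaultdict(lambda: {"null_probes": 0, "targets": set(), "ports": set(), "netbios": False})
    netbios_sources = set()
    for line in log_text.splitlines():
        rec = parse_udp_line(line)
        if rec is None:
            continue
        src, dst, dport, length, payload = rec
        if is_null_probe(dport, length, payload):
            report[src]["null_probes"] += 1
            report[src]["targets"].add(dst)
            report[src]["ports"].add(dport)
        elif dport == 137 and length == 50:
            netbios_sources.add(src)
    for src in report:
        report[src]["netbios"] = src in netbios_sources
    return dict(report)

# Constructed sample: one scanner hitting 1026 and 1030 plus NetBIOS, one hitting 135, one benign DNS reply.
SAMPLE_LOG = """\
19:10:01.000 IP 198.51.100.7.1034 > 203.0.113.5.1026: UDP, length 2 payload 0000
19:10:01.010 IP 198.51.100.7.1034 > 203.0.113.5.1030: UDP, length 2 payload 0000
19:10:01.020 IP 198.51.100.7.1035 > 203.0.113.5.137: UDP, length 50
19:10:02.000 IP 198.51.100.9.4100 > 203.0.113.6.135: UDP, length 2 payload 0000
19:10:03.000 IP 192.0.2.44.53 > 203.0.113.5.53: UDP, length 61 payload 8180000100010000
"""
```

Run `scan_report(SAMPLE_LOG)` to get the per-source summary; a source that sweeps several hosts across the 1026-1031 range is the scanning behaviour the thread is tracking.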