Full Disclosure mailing list archives

Re: Increase probe on UDP port 1026


From: <srenna () vdbmusic com>
Date: Tue, 02 Dec 2003 00:18:49 -0500

Have you also seen an increase in UDP port 1030 scans
coupled with the 1026 scan?

I've been seeing a good deal of it and notice that scans
are originating from Universities in the US, broadband
connections and some external to the US.

Interesting traffic to say the least.



On Mon, 1 Dec 2003 16:40:29 -0700 Irwan Hadi <irwanhadi () phxby com> wrote:
During the last few hours, I've seen a huge jump in traffic to UDP port 1026 (Windows Messaging).
I know that the exploit for MS03-043 was released around 2 weeks ago, but that exploit, as far as I know, only works by using UDP port 135.
One interesting pattern that I found out from the packets that Snort captured are:
1. One attacker host only sends one packet to the target host.
2. The attackers come from all over the world (which indicates a rapid infection).
3. The packet always contains (00 00 00 00 00) for the message part.

Below is the Snort rule that I put in my IDS box:
alert udp !$USU_NET any -> any 1026 (msg:"MS03-043 PROBE??"; classtype:bad-unknown;)

And these are some of the packets that Snort captured:

[**] MS03-043 PROBE?? [**]
12/01-15:45:08.986417 0:D0:4:F2:4C:A -> 0:B0:D0:29:D5:40 type:0x800 len:0x3C
200.176.192.151:1042 -> 129.123.x.x:1026 UDP TTL:111 TOS:0x0 ID:33601 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00  ...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B  ...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00  .~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-14:01:19.788400 0:D0:4:F2:4C:A -> 0:2:B3:C9:36:64 type:0x800 len:0x3C
81.74.106.18:26246 -> 129.123.x.x:1026 UDP TTL:106 TOS:0x0 ID:7877 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00  ....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B  ......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00  ,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-09:28:06.146677 0:D0:4:F2:4C:A -> 0:2:B3:E7:49:84 type:0x800 len:0x3C
62.243.125.82:1194 -> 129.123.x.x:1026 UDP TTL:114 TOS:0x0 ID:6633 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 E7 49 84 00 D0 04 F2 4C 0A 08 00 45 00  ....I.....L...E.
0x0010: 00 1E 19 E9 00 00 72 11 DD 95 3E F3 7D 52 81 7B  ......r...>.}R.{
0x0020: 13 90 04 AA 04 02 00 0A A5 DD 00 00 00 00 00 00  ................
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-15:47:16.721798 0:D0:4:F2:4C:A -> 0:8:A1:21:91:D8 type:0x800 len:0x3C
140.228.112.8:1478 -> 129.123.x.x:1026 UDP TTL:118 TOS:0x0 ID:43359 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 21 91 D8 00 D0 04 F2 4C 0A 08 00 45 00  ...!......L...E.
0x0010: 00 1E A9 5F 00 00 76 11 09 69 8C E4 70 08 81 7B  ..._..v..i..p..{
0x0020: 13 9F 05 C6 04 02 00 0A 64 0B 00 00 00 00 00 00  ........d.......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-13:46:34.522088 0:D0:4:F2:4C:A -> 0:8:A1:B:6F:6A type:0x800 len:0x3C
24.157.247.137:1076 -> 129.123.x.x:1026 UDP TTL:109 TOS:0x0 ID:30415 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 0B 6F 6A 00 D0 04 F2 4C 0A 08 00 45 00  ....oj....L...E.
0x0010: 00 1E 76 CF 00 00 6D 11 31 80 18 9D F7 89 81 7B  ..v...m.1......{
0x0020: 13 DE 04 34 04 02 00 0A 52 24 00 00 00 00 00 00  ...4....R$......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Any idea?

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html
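The captures quoted above all share one shape: a 30-byte IPv4 datagram to UDP/1026 whose UDP length field is 10, i.e. an 8-byte UDP header plus 2 bytes of payload. The following is an added example (written for this archive page, not code from either poster): a small Python parser for Snort's ASCII packet dumps that decodes the Ethernet/IPv4/UDP headers, trims the frame to the IP total length so Ethernet minimum-frame padding is not mistaken for payload, flags the all-zero probe pattern, and emits a tightened version of the Snort rule from the post using `dsize` and `content` (the rule message, the `sid` value and the `$USU_NET` variable name are assumptions for illustration; the two records embedded as sample input are copied from the captures above).

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Sample input: two of the Snort alert records quoted in the post above.
SAMPLE_DUMP = """
[**] MS03-043 PROBE?? [**]
12/01-15:45:08.986417 0:D0:4:F2:4C:A -> 0:B0:D0:29:D5:40 type:0x800 len:0x3C
200.176.192.151:1042 -> 129.123.x.x:1026 UDP TTL:111 TOS:0x0 ID:33601 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00  ...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B  ...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00  .~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-14:01:19.788400 0:D0:4:F2:4C:A -> 0:2:B3:C9:36:64 type:0x800 len:0x3C
81.74.106.18:26246 -> 129.123.x.x:1026 UDP TTL:106 TOS:0x0 ID:7877 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00  ....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B  ......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00  ,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

ALERT_LINE = re.compile(r"^\[\*\*\]\s+(.*?)\s+\[\*\*\]$")
# Hex bytes follow "0xNNNN:" one per token; the ASCII column is separated by two spaces.
HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]{4}:((?:\s[0-9A-Fa-f]{2})+)")


@dataclass
class Probe:
    rule_msg: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    payload: bytes


def decode_frame(rule_msg: str, frame: bytes) -> Probe:
    """Decode Ethernet II / IPv4 / UDP and return the UDP payload only."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet/IPv4/UDP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if (ver_ihl >> 4) != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ver_ihl & 0x0F) * 4
    # Trim to the IP total length: anything beyond it is Ethernet padding, not data.
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen]
    return Probe(rule_msg, str(IPv4Address(src)), sport, str(IPv4Address(dst)), dport, ttl, payload)


def parse_snort_dump(text: str) -> list[Probe]:
    """Split a Snort ASCII dump into records and decode each frame."""
    probes: list[Probe] = []
    msg = None
    raw = bytearray()
    for line in text.splitlines():
        line = line.strip()
        m = ALERT_LINE.match(line)
        if m:
            if msg is not None and raw:
                probes.append(decode_frame(msg, bytes(raw)))
            msg, raw = m.group(1), bytearray()
            continue
        h = HEX_LINE.match(line)
        if h and msg is not None:
            # At most 16 bytes per dump line, so a stray " 4B" in the ASCII column cannot leak in.
            raw.extend(bytes.fromhex("".join(h.group(1).split()[:16])))
    if msg is not None and raw:
        probes.append(decode_frame(msg, bytes(raw)))
    return probes


def is_zero_probe(p: Probe) -> bool:
    """The pattern from the post: UDP/1026 with a non-empty, all-zero payload."""
    return p.dport == 1026 and len(p.payload) > 0 and not any(p.payload)


def summarize(probes: list[Probe]) -> dict:
    hits = [p for p in probes if is_zero_probe(p)]
    return {
        "records": len(probes),
        "zero_probes": len(hits),
        "sources": sorted({p.src for p in hits}),
        "payload_lengths": sorted({len(p.payload) for p in hits}),
    }


def suggested_rule(home_net: str = "$USU_NET", sid: int = 1000001) -> str:
    """Tightened form of the post's rule (assumed msg/sid): match only the 2-byte zero datagram."""
    return (f'alert udp !{home_net} any -> {home_net} 1026 '
            f'(msg:"Messenger zero-payload probe"; dsize:2; content:"|00 00|"; '
            f'classtype:bad-unknown; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    parsed = parse_snort_dump(SAMPLE_DUMP)
    for p in parsed:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} ttl={p.ttl} payload={p.payload.hex()} zero={is_zero_probe(p)}")
    print(summarize(parsed))
    print(suggested_rule())
```

Run over the two embedded records, the decoder reports a 2-byte `00 00` payload for each, not the longer run of zeros visible in the hex dump: the UDP length field says 10, and the remaining zeros are padding added to reach the 60-byte Ethernet minimum. That is why the tightened rule uses `dsize:2` rather than matching on five zero bytes.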

