Honeypots mailing list archives

Re: ports 1025 and 1026


From: Mike Dundas <mike () dundas org>
Date: Mon, 24 Apr 2006 23:28:37 -0400

In my experience, it is typically 1025/udp, 1026/udp, 1027/udp, 1028/udp and 1029/udp. If you look at a tracefile of it, it is typically pop-up spam, sent by, as someone indicated, the Windows Messenger Service. When Windows boots, the messenger service tries to bind to those ports in that order: 1025, 1026, 1027, 1028, 1029. It used to be you'd only see 1025/udp, then 1026/udp; now we are starting to see 1027 - 1029. Typically someone sending the pop-up spam appears on all these ports when we do an aggregate match at several points around the globe.

Regards
--mike.


Sushant Sinha wrote:
Must be Windows Messenger Service.

I think it should be UDP.

-Sushant.

mat wrote:

the most flows the destination ports has been to 1025 and 1026, but I can't figure out what that is all about. Has anyone else seen this? Or know of what these ports do? /etc/services says blackjack and calendar.... There are no Snort alerts, just seems to be lots of activity to those ports...

thanks
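
The aggregate match described in the reply above can be sketched as follows. This is an added example, not code from the thread: the flow-record layout (sensor, source, destination, protocol, destination port), the sample records and the thresholds are all assumptions made for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# UDP ports named in the message above.
MESSENGER_PORTS = {1025, 1026, 1027, 1028, 1029}

# Constructed sample flow records (not captured traffic):
# sensor,src,dst,proto,dport
SAMPLE_FLOWS = """\
sensor-a,203.0.113.7,192.0.2.10,udp,1025
sensor-a,203.0.113.7,192.0.2.10,udp,1026
sensor-b,203.0.113.7,198.51.100.4,udp,1027
sensor-b,203.0.113.7,198.51.100.4,udp,1028
sensor-c,203.0.113.7,198.51.100.9,udp,1029
sensor-a,203.0.113.50,192.0.2.10,tcp,1025
sensor-a,203.0.113.50,192.0.2.10,udp,53
sensor-b,203.0.113.99,198.51.100.4,udp,1026
"""

def aggregate(flow_csv):
    """Map each source to the 1025-1029/udp ports and sensors it touched."""
    seen = defaultdict(lambda: {"ports": set(), "sensors": set()})
    for row in csv.reader(StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        sensor, src, _dst, proto, dport = row
        # TCP traffic to the same port numbers is a different service.
        if proto.lower() != "udp" or not dport.isdigit():
            continue
        port = int(dport)
        if port in MESSENGER_PORTS:
            seen[src]["ports"].add(port)
            seen[src]["sensors"].add(sensor)
    return seen

def likely_popup_spammers(flow_csv, min_ports=3, min_sensors=2):
    """Sources seen on several of the ports at several sensors.

    The thresholds are illustrative assumptions, not values from the thread.
    """
    return sorted(
        src for src, v in aggregate(flow_csv).items()
        if len(v["ports"]) >= min_ports and len(v["sensors"]) >= min_sensors
    )

if __name__ == "__main__":
    for src in likely_popup_spammers(SAMPLE_FLOWS):
        print(src)
```
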



