Security Incidents mailing list archives
Re: udp and dst port 1026
From: Cedric Foll <cedric.foll () ac-rouen fr>
Date: 02 Dec 2003 17:03:08 +0100
> I still see no payloads other than 0x0000. I speculate that I'm monitoring the scanning phase of a soon-to-be worm or worms, and that some more interesting payload will soon arrive. My guess is that the payload will target the Windows Messenger service, which is generally available on the ports being probed.
I think that it's just SPAM. I've written a script on a server behind our firewall. When it sees a UDP packet to 1026 (I use libpcap) with 0x0000, I respond with hping (I spoof the IP and send the usual response of a Windows station which receives 0x0000 on port 1026). This is what I get:

U 2003/12/02 16:11:30.339601 80.39.177.73:1133 -> 194.167.110.64:1026
  00 00                                              ..
#
U 2003/12/02 16:11:30.359611 194.167.110.64:1026 -> 80.39.177.73:1133
  04 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00 59 b8 c3 3f 00 00 00 00    ........Y..?....
  00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00    ................
  08 00 00 1c                                        ....
#
U 2003/12/02 16:11:31.443237 80.39.177.73:1147 -> 194.167.110.64:1026
  04 00 08 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00 f8 91 7b 5a 00 ff d0 11    ..........{Z....
  a9 b2 00 c0 4f b6 e6 fc b4 38 d5 70 74 61 66 e1    ....O....8.ptaf.
  f9 7d 41 07 b5 15 5e 42 00 00 00 00 01 00 00 00    .}A...^B........
  00 00 00 00 00 00 ff ff ff ff b7 01 00 00 00 00    ................
  14 00 00 00 00 00 00 00 14 00 00 00 57 57 57 2e    ............WWW.
  50 4f 50 41 44 53 54 4f 50 2e 43 4f 4d 00 00 00    POPADSTOP.COM...
  14 00 00 00 00 00 00 00 14 00 00 00 55 4e 53 45    ............UNSE
  43 55 52 45 44 20 43 4f 4d 50 55 54 45 52 00 00    CURED COMPUTER..
  6b 01 00 00 00 00 00 00 6b 01 00 00 50 55 42 4c    k.......k...PUBL
  49 43 20 53 45 52 56 49 43 45 20 41 4e 4e 4f 55    IC SERVICE ANNOU
  4e 43 45 4d 45 4e 54 3a 0d 0a 0d 0a 0d 0a 59 4f    NCEMENT:......YO
  55 52 20 43 4f 4d 50 55 54 45 52 20 49 53 20 4e    UR COMPUTER IS N
  4f 54 20 53 45 43 55 52 45 44 20 41 47 41 49 4e    OT SECURED AGAIN
  53 54 20 50 4f 50 2d 55 50 53 21 21 21 0d 0a 0d    ST POP-UPS!!!...
  0a 0d 0a 44 4f 4e 27 54 20 53 50 45 4e 44 20 41    ...DON'T SPEND A
  4e 59 20 4d 4f 4e 45 59 20 46 4f 52 20 41 4e 59    NY MONEY FOR ANY
  20 50 4f 50 2d 55 50 20 42 4c 4f 43 4b 45 52 21     POP-UP BLOCKER!
  0d 0a 0d 0a 47 65 74 20 6f 75 72 73 20 66 6f 72    ....Get ours for
  20 46 52 45 45 21 21 21 0d 0a 0d 0a 59 65 73 20     FREE!!!....Yes 
  74 68 61 74 27 73 20 72 69 67 68 74 2c 20 53 54    that's right, ST
  4f 50 20 50 6f 70 2d 55 70 20 61 64 73 20 66 6f    OP Pop-Up ads fo
  72 20 46 52 45 45 21 21 21 0d 0a 0d 0a 0d 0a 0d    r FREE!!!.......
  0a 20 20 20 20 20 20 20 20 20 20 20 20 20 2a 20    .             * 
  2a 20 2a 20 20 20 20 20 44 4f 20 4e 4f 54 20 43    * *     DO NOT C
  4c 49 43 4b 20 22 4f 4b 22 20 42 45 46 4f 52 45    LICK "OK" BEFORE
  20 47 4f 49 4e 47 20 54 4f 20 4f 55 52 20 57 45     GOING TO OUR WE
  42 53 49 54 45 20 20 20 20 20 2a 20 2a 20 2a 0d    BSITE     * * *.
  0a 0d 0a 4f 6e 20 79 6f 75 72 20 77 65 62 20 62    ...On your web b
  72 6f 77 73 65 72 27 73 20 61 64 64 72 65 73 73    rowser's address
  20 62 61 72 2c 20 54 59 50 45 20 49 4e 3a 20 20     bar, TYPE IN:  
  20 20 20 77 77 77 2e 50 6f 70 41 64 53 74 6f 70       www.PopAdStop
  2e 63 6f 6d 0d 0a 00                               .com...
#

So I think that this 0x0000 is just a kind of 'ping'.

--
==================
Cedric Foll
Network engineer, Rectorat de Rouen
email: cedric.foll () ac-rouen fr
tel: 02 35 14 77 51
"Pride has a greater share than kindness in the reprimands we give to those who commit faults; and we reprove them not so much to correct them as to persuade them that we ourselves are free of such faults."
La Rochefoucauld
==================
Attachment:
signature.asc
Description: This is a digitally signed message part
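A classifier for the three datagram kinds seen in the capture above, written as an added example for this thread and not code from Cedric's script: it separates the two-byte 0x0000 probe, the DCE/RPC connectionless reject the Windows side answers with, and the Messenger-service request, from which it pulls the sender, recipient and message text for logging. The header layout, the interface UUID and the activity UUID are taken from the dump; the sample datagram the builder produces is constructed for testing and carries a shortened message.

```python
import struct
import uuid

# DCE/RPC connectionless (version 4) header is a fixed 80 bytes; the interface UUID sits at bytes 24..39.
CL_HDR_LEN = 80
# Interface UUID carried by the captured request (f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc, little-endian).
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
PTYPE_REQUEST, PTYPE_REJECT = 0, 6


def ndr_string(s: str) -> bytes:
    """NDR conformant-varying char array: max count, offset, actual count, bytes, padded to 4."""
    data = s.encode("ascii") + b"\x00"
    return struct.pack("<III", len(data), 0, len(data)) + data + b"\x00" * (-len(data) % 4)


def build_sample_request(sender: str, recipient: str, message: str) -> bytes:
    """Constructed test datagram with the same header layout as the request in the capture."""
    body = ndr_string(sender) + ndr_string(recipient) + ndr_string(message)
    hdr = struct.pack("<BBBB3sB", 4, PTYPE_REQUEST, 0x08, 0, b"\x10\x00\x00", 0)  # vers, ptype, flags, drep
    hdr += bytes(16)                                    # object UUID (nil)
    hdr += MSGSVC_IFACE.bytes_le                        # interface UUID
    hdr += bytes.fromhex("b438d570746166e1f97d4107b5155e42")  # activity UUID copied from the capture
    # server boot, if_vers, seqnum, opnum, ihint, ahint, body length, fragnum, auth_proto, serial_lo
    hdr += struct.pack("<IIIHHHHHBB", 0, 1, 0, 0, 0xFFFF, 0xFFFF, len(body), 0, 0, 0)
    return hdr + body


def parse_udp1026(payload: bytes) -> dict:
    """Classify one UDP/1026 datagram and pull out the fields worth logging."""
    if payload == b"\x00\x00":
        return {"kind": "probe"}                        # the two-byte 'ping' discussed in the thread
    if len(payload) < CL_HDR_LEN or payload[0] != 4:
        return {"kind": "unknown"}
    ptype = payload[1]
    iface = uuid.UUID(bytes_le=payload[24:40])
    opnum, _ihint, _ahint, body_len = struct.unpack_from("<HHHH", payload, 68)
    if ptype == PTYPE_REJECT:
        return {"kind": "reject", "body_len": body_len}
    if ptype != PTYPE_REQUEST or iface != MSGSVC_IFACE:
        return {"kind": "other-rpc", "ptype": ptype, "interface": str(iface)}
    body, pos, fields = payload[CL_HDR_LEN:CL_HDR_LEN + body_len], 0, []
    for _ in range(3):                                  # sender, recipient, message text
        _maxc, _off, actual = struct.unpack_from("<III", body, pos)
        pos += 12
        fields.append(body[pos:pos + actual].split(b"\x00", 1)[0].decode("ascii", "replace"))
        pos += (actual + 3) & ~3                        # each string is padded to a 4-byte boundary
    return {"kind": "messenger", "opnum": opnum, "from": fields[0], "to": fields[1], "message": fields[2]}
```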
Current thread:
- udp and dst port 1026 Jens Hektor (Dec 01)
- Re: udp and dst port 1026 Bill McCarty (Dec 01)
- Re: udp and dst port 1026 Cedric Foll (Dec 02)
- Re: udp and dst port 1026 Bill McCarty (Dec 02)
- Re: udp and dst port 1026 Bill McCarty (Dec 02)
- Re: udp and dst port 1026 Thomas Preissler (Dec 03)
- Re: udp and dst port 1026 Ockey (Dec 03)
- RE: udp and dst port 1026 Lawrence Baldwin (Dec 04)
- RE: udp and dst port 1026 Jeff Bryner (Dec 05)
- RE: udp and dst port 1026 jamesworld (Dec 07)
- Re: udp and dst port 1026 Cedric Foll (Dec 02)
- Re: udp and dst port 1026 Bill McCarty (Dec 01)