Security Incidents mailing list archives

Re: udp and dst port 1026


From: Cedric Foll <cedric.foll () ac-rouen fr>
Date: 02 Dec 2003 17:03:08 +0100


I still see no payloads other than 0x0000. I speculate that I'm monitoring 
the scanning phase of a soon-to-be worm or worms, and that some more 
interesting payload will soon arrive. My guess is that the payload will 
target the Windows Messenger service, which is generally available on the 
ports being probed.

I think that it's just SPAM.
I've written a script on a server behind our firewall.

When it sees a UDP packet to 1026 (I use libpcap) with 0x0000, I respond
with hping (I spoof the IP and send the usual response of a Windows
station which receives 0x0000 on port 1026).

This is what I get:
U 2003/12/02 16:11:30.339601 80.39.177.73:1133 -> 194.167.110.64:1026
  00 00                                                 ..
#
U 2003/12/02 16:11:30.359611 194.167.110.64:1026 -> 80.39.177.73:1133
  04 06 00 00 10 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    59 b8 c3 3f 00 00 00 00    ........Y..?....
  00 00 00 00 00 00 00 00    00 00 04 00 00 00 00 00    ................
  08 00 00 1c                                           ....
#
U 2003/12/02 16:11:31.443237 80.39.177.73:1147 -> 194.167.110.64:1026
  04 00 08 00 10 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    f8 91 7b 5a 00 ff d0 11    ..........{Z....
  a9 b2 00 c0 4f b6 e6 fc    b4 38 d5 70 74 61 66 e1    ....O....8.ptaf.
  f9 7d 41 07 b5 15 5e 42    00 00 00 00 01 00 00 00    .}A...^B........
  00 00 00 00 00 00 ff ff    ff ff b7 01 00 00 00 00    ................
  14 00 00 00 00 00 00 00    14 00 00 00 57 57 57 2e    ............WWW.
  50 4f 50 41 44 53 54 4f    50 2e 43 4f 4d 00 00 00    POPADSTOP.COM...
  14 00 00 00 00 00 00 00    14 00 00 00 55 4e 53 45    ............UNSE
  43 55 52 45 44 20 43 4f    4d 50 55 54 45 52 00 00    CURED COMPUTER..
  6b 01 00 00 00 00 00 00    6b 01 00 00 50 55 42 4c    k.......k...PUBL
  49 43 20 53 45 52 56 49    43 45 20 41 4e 4e 4f 55    IC SERVICE ANNOU
  4e 43 45 4d 45 4e 54 3a    0d 0a 0d 0a 0d 0a 59 4f    NCEMENT:......YO
  55 52 20 43 4f 4d 50 55    54 45 52 20 49 53 20 4e    UR COMPUTER IS N
  4f 54 20 53 45 43 55 52    45 44 20 41 47 41 49 4e    OT SECURED AGAIN
  53 54 20 50 4f 50 2d 55    50 53 21 21 21 0d 0a 0d    ST POP-UPS!!!...
  0a 0d 0a 44 4f 4e 27 54    20 53 50 45 4e 44 20 41    ...DON'T SPEND A
  4e 59 20 4d 4f 4e 45 59    20 46 4f 52 20 41 4e 59    NY MONEY FOR ANY
  20 50 4f 50 2d 55 50 20    42 4c 4f 43 4b 45 52 21     POP-UP BLOCKER!
  0d 0a 0d 0a 47 65 74 20    6f 75 72 73 20 66 6f 72    ....Get ours for
  20 46 52 45 45 21 21 21    0d 0a 0d 0a 59 65 73 20     FREE!!!....Yes
  74 68 61 74 27 73 20 72    69 67 68 74 2c 20 53 54    that's right, ST
  4f 50 20 50 6f 70 2d 55    70 20 61 64 73 20 66 6f    OP Pop-Up ads fo
  72 20 46 52 45 45 21 21    21 0d 0a 0d 0a 0d 0a 0d    r FREE!!!.......
  0a 20 20 20 20 20 20 20    20 20 20 20 20 20 2a 20    .             *
  2a 20 2a 20 20 20 20 20    44 4f 20 4e 4f 54 20 43    * *     DO NOT C
  4c 49 43 4b 20 22 4f 4b    22 20 42 45 46 4f 52 45    LICK "OK" BEFORE
  20 47 4f 49 4e 47 20 54    4f 20 4f 55 52 20 57 45     GOING TO OUR WE
  42 53 49 54 45 20 20 20    20 20 2a 20 2a 20 2a 0d    BSITE     * * *.
  0a 0d 0a 4f 6e 20 79 6f    75 72 20 77 65 62 20 62    ...On your web b
  72 6f 77 73 65 72 27 73    20 61 64 64 72 65 73 73    rowser's address
  20 62 61 72 2c 20 54 59    50 45 20 49 4e 3a 20 20     bar, TYPE IN:
  20 20 20 77 77 77 2e 50    6f 70 41 64 53 74 6f 70       www.PopAdStop
  2e 63 6f 6d 0d 0a 00                                  .com...
#

So I think that this 0x0000 is just a kind of 'ping'.


-- 
==================
Cedric Foll
Network engineer, Rectorat de Rouen
email: cedric.foll () ac-rouen fr
tel: 02 35 14 77 51

"Pride has a greater share than kindness
in the reproaches we address to those
who commit faults; and we reprove them
not so much to correct them as to
persuade them that we ourselves are
free of such faults."
La Rochefoucauld
===================

Attachment: signature.asc
Description: This is a digitally signed message part
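The dumps above can be decoded mechanically rather than read off the ASCII column. The following is an added Python example, not code from the original post: it parses the connectionless DCE RPC header that the Messenger service uses over UDP, classifies the three packets in the dump (the two-byte probe, the reject that the spoofed reply sends back, and the Messenger request carrying the advertisement), and pulls the sender, recipient and message text out of the NDR strings in the request. The probe, the reject and the 80-byte request header are taken byte for byte from the dump; the request body is rebuilt with a shorter constructed message, so its length field is recomputed. The header layout, packet-type names and msgsvc interface UUID come from the DCE RPC specification and Windows documentation, not from the post.

```python
import struct
import uuid

# Packet types of the connectionless (CL) DCE RPC protocol (header byte 1).
PTYPES = {0: "request", 1: "ping", 2: "response", 3: "fault", 4: "working",
          5: "nocall", 6: "reject", 7: "ack", 8: "cl_cancel", 9: "fack",
          10: "cancel_ack"}
# Interface UUID of the Windows Messenger service (msgsvc); opnum 0 delivers a message.
MSGSVC_UUID = "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"
# vers, ptype, flags1, flags2, drep, serial_hi, object/interface/activity UUIDs,
# server_boot, if_vers, seq_num, opnum, ihint, ahint, len, fragnum, auth_proto, serial_lo
CL_HEADER = struct.Struct("<BBBB3sB16s16s16sIIIHHHHHBB")   # 80 bytes

def parse_cl_header(pkt):
    """Decode the 80-byte CL DCE RPC header; None if the payload is not one."""
    if len(pkt) < CL_HEADER.size or pkt[0] != 4:
        return None
    f = CL_HEADER.unpack_from(pkt)
    return {
        "ptype": PTYPES.get(f[1], "unknown"),
        "interface": str(uuid.UUID(bytes_le=f[7])),   # UUIDs are stored little-endian
        "activity": str(uuid.UUID(bytes_le=f[8])),
        "opnum": f[12],
        "frag_len": f[15],
        "stub": pkt[CL_HEADER.size:CL_HEADER.size + f[15]],
    }

def read_ndr_string(buf, pos):
    """Read one NDR conformant varying char string at buf[pos:]; return (text, next_pos)."""
    _max_count, offset, actual = struct.unpack_from("<III", buf, pos)
    start = pos + 12 + offset
    raw = buf[start:start + actual]
    next_pos = start + actual + (-actual % 4)   # stub data stays 4-byte aligned
    return raw.rstrip(b"\x00").decode("latin-1"), next_pos

def classify(pkt):
    """Summarise one UDP payload seen on port 1026 as a dict."""
    if pkt == b"\x00\x00":
        return {"kind": "probe"}   # the two-byte 'ping' discussed in the thread
    hdr = parse_cl_header(pkt)
    if hdr is None:
        return {"kind": "other", "length": len(pkt)}
    if hdr["ptype"] == "request" and hdr["interface"] == MSGSVC_UUID and hdr["opnum"] == 0:
        sender, pos = read_ndr_string(hdr["stub"], 0)
        recipient, pos = read_ndr_string(hdr["stub"], pos)
        text, _ = read_ndr_string(hdr["stub"], pos)
        return {"kind": "messenger_popup", "from": sender, "to": recipient, "text": text}
    if hdr["ptype"] == "reject":
        stub = hdr["stub"]
        status = struct.unpack_from("<I", stub)[0] if len(stub) >= 4 else None
        return {"kind": "reject", "status": status}
    return {"kind": "dcerpc_" + hdr["ptype"], "interface": hdr["interface"]}

def encode_ndr_string(text):
    """Inverse of read_ndr_string; used only to build the constructed sample below."""
    data = text.encode("latin-1") + b"\x00"
    data += b"\x00" * (-len(data) % 4)
    return struct.pack("<III", len(data), 0, len(data)) + data

# Bytes copied from the ngrep dumps in the post: the probe, the reject sent back
# by the spoofed reply, and the 80-byte header of the Messenger request.
PROBE = bytes.fromhex("0000")
REJECT = bytes.fromhex(
    "0406000010000000" + "00" * 48 + "59b8c33f00000000"
    + "0000000000000000" + "0000040000000000" + "0800001c")
REQUEST_HEADER = bytes.fromhex(
    "0400080010000000" + "00" * 16 + "f8917b5a00ffd011a9b200c04fb6e6fc"
    + "b438d570746166e1f97d4107b5155e42" + "0000000001000000"
    + "00000000" + "0000ffffffffb7010000" + "0000")

def build_sample_request(sender, recipient, text):
    """Messenger request with the post's header and a constructed (shorter) body."""
    stub = encode_ndr_string(sender) + encode_ndr_string(recipient) + encode_ndr_string(text)
    # The dump's len field (0x1b7) describes the full 439-byte body; patch it for ours.
    hdr = REQUEST_HEADER[:74] + struct.pack("<H", len(stub)) + REQUEST_HEADER[76:]
    return hdr + stub

# Constructed sample: the two names from the dump plus a truncated message text.
SPAM = build_sample_request(
    "WWW.POPADSTOP.COM", "UNSECURED COMPUTER",
    "PUBLIC SERVICE ANNOUNCEMENT:\r\n\r\n\r\nYOUR COMPUTER IS NOT SECURED AGAINST POP-UPS!!!")

if __name__ == "__main__":
    for pkt in (PROBE, REJECT, SPAM):
        print(classify(pkt))
```

Feeding the three payloads through `classify` shows the probe as a bare two-byte packet, the reply as a CL DCE RPC reject carrying status 0x1c000008, and the advertisement as a request to the msgsvc interface whose first two strings are the names the popup displays, which is why the 0x0000 packet reads as nothing more than a reachability check ahead of the real message.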

