Security Incidents mailing list archives
RE: UDP port 1026 probe?
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Mon, 18 Apr 2005 11:59:43 -0400
Kero-Chan III wrote Sunday, April 17, 2005 10:08 PM
> I saw a big increase in UDP packets sent to port 1026 (and 1027
> occasionally)...
>
> $ nc -l -p 1026 -u -v
> listening on [any] 1026 ...
> 61.235.154.90: inverse host lookup failed: Unknown host
> connect to [my.ip.addr] from (UNKNOWN) [61.235.154.90] 36240
> (ø{ZÿÐ(c)²ÀO¶æüÿÿÿÿ{STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
> Windows has found 47 Critical Errors.
> To fix the errors please do the following:
> 1. Download Registry Repair from: www.reg-patch.com
> 2. Install Registry Repair
> 3. Run Registry Repair
> 4. Reboot your computer
> FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!
>
> What is this? ICQ buffer overflow? Or something totally different?
This looks like just Messenger spam. It is designed to pop up a message on the target's Windows desktop. The messages commonly promote malware disguised as legitimate utilities. They commonly send these to any or all of 1025 through 1029, since Windows creates a listener on one of the low dynamic ports. Usually I see an accompanying attempt against UDP 137 with the same content.
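The pattern described in the reply above, turned into a small detection check as an added example that is not part of the original message: it flags a source that sends the same UDP payload to two or more of ports 1025 through 1029 and 137. The record layout `(src_ip, dst_port, payload)`, the function names, the addresses and the sample payload bytes are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Ports named in the reply: the low dynamic range where Windows creates a
# listener, plus UDP 137 where the same content is often retried.
SPAM_PORTS = set(range(1025, 1030)) | {137}

def extract_text(payload: bytes, min_run: int = 8) -> str:
    """Return printable ASCII runs, skipping the binary bytes around them."""
    runs, cur = [], bytearray()
    for b in payload + b"\x00":          # trailing NUL flushes the last run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_run:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return " ".join(runs)

def find_messenger_spam(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload) for inbound UDP.
    Flags a source when one identical payload reaches >= 2 SPAM_PORTS."""
    seen = defaultdict(set)              # (src, payload digest) -> ports hit
    text = {}
    for src, port, payload in datagrams:
        if port not in SPAM_PORTS:
            continue
        key = (src, hashlib.sha256(payload).hexdigest())
        seen[key].add(port)
        text[key] = extract_text(payload)
    return [
        {"src": src, "ports": sorted(ports), "text": text[(src, digest)]}
        for (src, digest), ports in seen.items() if len(ports) >= 2
    ]

# Constructed sample traffic: documentation addresses, made-up header bytes.
SPAM = b"\x04\x00\x28\x00\x10\xff\xfe" + b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION." + b"\x00"
SAMPLE = [
    ("192.0.2.10", 1026, SPAM),
    ("192.0.2.10", 1027, SPAM),
    ("192.0.2.10", 137, SPAM),
    ("198.51.100.7", 1026, b"\x00\x01single stray datagram"),
    ("198.51.100.7", 53, SPAM),          # outside the watched ports
]

if __name__ == "__main__":
    for hit in find_messenger_spam(SAMPLE):
        print(hit)
```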