Security Incidents mailing list archives

Re: DOD Inside


From: "Jamie Riden" <jamesr () europe com>
Date: Tue, 11 Apr 2006 09:33:20 +1200

On 11/04/06, Frank Knobbe <frank () knobbe us> wrote:
> On Sat, 2006-04-08 at 02:18 +0000, mailcentre2 () gmail com wrote:
> > Having read about the DoD IP issues in here, I thought I might add my 0.02:
> >
> > My router logs from the 28-03-2006 show a very strange sequence of port attempts.
> >
> > Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
> > Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
> > Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
> > Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
> > [...]
>
> These look like MS messenger pop-up spam (starting at port 1025 and now
> going into the mid/high-30s). The source address is likely spoofed. If
> you take a look at these packets with ngrep or tcpdump, I'm sure you'll
> find either advertising or a message saying your computer is infected
> and you need to visit a certain web site.
>
> I doubt the source is real, and wouldn't worry about it. That's the
> stuff firewalls are supposed to filter :)

Something like this perhaps? Someone's using source port 0 for the
ones I'm getting for some reason.

14:01:13.108084 IP xxx.yyy.196.38.0 > example.com.1025: UDP, length: 482
        0x0000:  4500 01fe 5972 0000 3611 7129 8cfb c426  E...Yr..6.q)...&
        0x0010:  48e8 1e4a 0000 0401 01ea 0000 0400 7800  H..J..........x.
        0x0020:  1000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 f891 7b5a 00ff d011 a9b2 00c0  ......{Z........
        0x0040:  4fb6 e6fc 0000 0000 0000 0000 0000 0000  O...............
        0x0050:  0000 0000 0000 0000 0100 0000 0000 0000  ................
        0x0060:  0000 ffff ffff 8f01 0000 0000 0a00 0000  ................
        0x0070:  0000 0000 0a00 0000 4d69 6372 6f73 6f66  ........Microsof
        0x0080:  7400 0000 2300 0000 0000 0000 2300 0000  t...#.......#...
        0x0090:  696e 666f 726d 2079 6f75 2061 626f 7574  inform.you.about
        0x00a0:  2061 2076 6972 7573 2064 6574 6563 7469  .a.virus.detecti
        0x00b0:  6f6e 0000 3901 0000 0000 0000 3901 0000  on..9.......9...
        0x00c0:  5741 524e 494e 4721 2120 5265 6769 7374  WARNING!!.Regist
        0x00d0:  7279 2045 7272 6f72 7320 6d61 7920 6465  ry.Errors.may.de
        0x00e0:  7465 6374 206f 6e20 796f 7572 2050 4321  tect.on.your.PC!
        0x00f0:  0a0a 5265 6769 7374 7279 2065 7272 6f72  ..Registry.error
        0x0100:  7320 6361 6e20 6361 7573 6520 6672 6571  s.can.cause.freq
        0x0110:  7565 6e74 2061 7070 6c69 6361 7469 6f6e  uent.application
        0x0120:  2063 7261 7368 6573 2c20 6465 6772 6164  .crashes,.degrad
        0x0130:  650a 7065 7266 6f72 6d61 6e63 6520 616e  e.performance.an
        0x0140:  6420 696e 7374 6162 696c 6974 792e 0a0a  d.instability...
        0x0150:  546f 2066 6978 2072 6567 6973 7472 7920  To.fix.registry.
        0x0160:  6572 726f 7273 2064 6f20 7468 6520 666f  errors.do.the.fo
        0x0170:  6c6c 6f77 696e 673a 2020 2020 2020 200a  llowing:........
        0x0180:  2d2d 2044 6f77 6e6c 6f61 6420 5265 6769  --.Download.Regi
        0x0190:  7374 7279 2043 6c65 616e 6572 2066 726f  stry.Cleaner.fro
        0x01a0:  6d3a 2020 6874 7470 3a2f 2f77 7777 2e72  m:..http://www.r
        0x01b0:  6567 7375 7064 6174 652e 636f 6d20 200a  egsupdate.com...
        0x01c0:  090a 4641 494c 5552 4520 544f 2041 4354  ..FAILURE.TO.ACT
        0x01d0:  204d 4159 204c 4541 4420 544f 2044 4154  .MAY.LEAD.TO.DAT
        0x01e0:  4120 4c4f 5353 2041 4e44 2043 4f52 5255  A.LOSS.AND.CORRU
        0x01f0:  5054 494f 4e21 0a0a 0000 0000 0000       PTION!........

cheers,
 Jamie
--
Jamie Riden / jamesr () europe com / jamie.riden () computer org
"Microsoft: Bringing the world to your desktop - and your desktop to
 the world." -- Peter Gutmann
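A small triage helper for the two artefacts in this thread, added here as an example and not code from the thread or its authors: it parses router-log lines in the format quoted above, flags UDP hits on the early dynamic RPC ports or from source port 0, and pulls the pop-up text out of a "tcpdump -X" hex dump. The 1025-1040 port range is an assumption, and the sample log lines and dump are constructed.

```python
import re
from typing import List, Optional

# Assumed heuristic (not from the thread): the pop-ups hit the first dynamic RPC ports above 1024.
MESSENGER_PORTS = range(1025, 1041)
ROUTER_LOG_RE = re.compile(
    r"^\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[^,]+),(?P<sport>\d+) Destination:(?P<dst>[^,]+),(?P<dport>\d+)"
)
# Offset, then 4-hex-digit groups split by single spaces; the ASCII column after two spaces is not matched.
HEX_LINE_RE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4} )*[0-9a-fA-F]{2,4})")

def parse_router_log(line: str) -> Optional[dict]:
    """Parse one line in the router-log format quoted in the thread."""
    m = ROUTER_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec
def looks_like_messenger_spam(rec: dict) -> bool:
    """UDP to an early dynamic RPC port, or from source port 0 (a forged header)."""
    return rec["proto"] == "UDP" and (rec["dport"] in MESSENGER_PORTS or rec["sport"] == 0)
def triage_router_log(text: str) -> List[dict]:
    """Keep only the records worth a second look; the rest is ordinary noise."""
    return [r for r in map(parse_router_log, text.splitlines()) if r and looks_like_messenger_spam(r)]

def tcpdump_hex_to_bytes(dump: str) -> bytes:
    """Rebuild packet bytes from 'tcpdump -X' lines, skipping the header and ASCII columns."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)
def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Pull out the ASCII runs, i.e. the pop-up text the sender wants displayed."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed samples in the same formats as the thread (documentation addresses only).
SAMPLE_ROUTER_LOG = """\
Tue, 2006-03-28 05:20:52 - UDP Packet - Source:192.0.2.16,13364 Destination:198.51.100.7,1035 - [DOS]
Tue, 2006-03-28 05:21:10 - TCP Packet - Source:192.0.2.16,4444 Destination:198.51.100.7,80 - [DOS]
Tue, 2006-03-28 05:22:00 - UDP Packet - Source:192.0.2.99,0 Destination:198.51.100.7,1026 - [DOS]
"""
SAMPLE_DUMP = """\
14:01:13.108084 IP 192.0.2.38.0 > 198.51.100.7.1025: UDP, length: 32
        0x0000:  4d69 6372 6f73 6f66 7400 0000 0000 0000  Microsoft.......
        0x0010:  5741 524e 494e 4721 0000 0000 0000 0000  WARNING!........
"""
```

Run `triage_router_log(SAMPLE_ROUTER_LOG)` to get the two UDP records and `printable_strings(tcpdump_hex_to_bytes(SAMPLE_DUMP))` to see the message text without reading the hex by hand.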

