Security Incidents mailing list archives
Re: udp and dst port 1026
From: Bill McCarty <bmccarty () pt-net net>
Date: Tue, 02 Dec 2003 10:03:03 -0800
Hi Cedric,

Good work! Evidence trumps speculation any day of the week <g>. But, even if you're right that this traffic is intended as pop-up spam, the traffic volume is high enough to present annoyance to some folks. And, recent DShield data shows that the traffic sources and targets are rising exponentially. So, this spam may turn out to be far from harmless.
Moreover, recent changes in the scanning pattern suggest that the sources are under central control. And there's this to consider: if I wrote a scanner for the Windows Messenger vulnerability, I'd very likely disguise my scans as Messenger pop-ups. Presumably, candidate authors of Windows Messenger worms are no less sneaky than I <g>.
So, though your evidence is weighty, I myself can't say that it dismisses the issue.
Cheers,

--On Tuesday, December 02, 2003 5:03 PM +0100 Cedric Foll <cedric.foll () ac-rouen fr> wrote:
When it sees a UDP packet to 1026 (I use libpcap) with 0x0000, I respond with hping (I spoof the IP and I send the usual response of a Windows station which receives 0x0000 on port 1026).
Bill McCarty