nanog mailing list archives

port 1026-1031 traffic


From: "Johannes B. Ullrich" <jullrich () sans org>
Date: Mon, 01 Dec 2003 23:18:45 -0500


Well, for the last week there has been an odd increase in port
1026-1031 traffic. While everything points to popup spam, there
are a few issues that are 'odd':

- increase in sources that cause this traffic.
- "natural" source ports vs. crafted source port which is typical
  for popup spam
- 2-byte '00 00' payload

(more details: http://isc.sans.org/diary.html )

As it very much looks like the origin is compromised
Windows systems (some appear to be behind NAT routers), I posted
a list with IPs at
http://feeds.dshield.org/port1026.dat

The list is sorted by IP. If any of these systems live on your network,
your help in tracking down the root cause of all this traffic is
appreciated. It's (not yet) a big deal. But maybe it's one of the few
times we can stay ahead of the problem. Also, at this point it shouldn't
be too hard to track these systems (it's only about 5,000 unique sources).

the columns of the data file:
- ip address
- first time seen on this day (GMT)
- last time seen on this day (GMT)
- number of packets detected
- date

The filter applied to the list:
- the hosts sent traffic to port 1026-1031
- the source port was not 666 or 4177
- it happened today or yesterday (today: Dec. 2nd).

-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich () sans org
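The filter Johannes describes (destination port 1026-1031, source port not 666 or 4177, 2-byte '00 00' payload) applied to a few firewall-log lines, with the survivors rolled up into the same five columns as the port1026.dat feed and then matched against your own prefixes. This is an added example, not ISC or DShield code: the one-line-per-packet log format, the tab delimiter and the sample lines are all constructed assumptions, and the real feed's delimiter is not stated in the post.

```python
"""
Reproduce the ISC filter over constructed log lines and summarise the
matches into the feed's columns: ip, first seen, last seen, packets, date.
The log layout below is an assumed syslog-style format, not the ISC's.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines (not real DShield data). Two sources use
# the crafted popup-spam ports, one sends a non-00-00 payload, one hits
# a port outside 1026-1031; only two sources should survive the filter.
SAMPLE_LOG = """\
2003-12-02 03:14:22 UDP 198.51.100.7:1324 > 192.0.2.10:1026 payload=0000
2003-12-02 03:14:23 UDP 198.51.100.7:1325 > 192.0.2.10:1027 payload=0000
2003-12-02 04:01:09 UDP 203.0.113.44:666 > 192.0.2.10:1026 payload=0000
2003-12-02 04:05:41 UDP 203.0.113.45:4177 > 192.0.2.11:1028 payload=0000
2003-12-02 05:22:17 UDP 198.51.100.200:1029 > 192.0.2.12:1029 payload=0000
2003-12-02 05:30:00 UDP 198.51.100.201:2048 > 192.0.2.12:1030 payload=deadbeef
2003-12-02 06:00:00 UDP 198.51.100.202:3333 > 192.0.2.12:1035 payload=0000
2003-12-02 06:10:00 UDP 198.51.100.7:1326 > 192.0.2.13:1031 payload=0000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UDP "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) > (?P<dip>[\d.]+):(?P<dport>\d+) "
    r"payload=(?P<payload>[0-9a-f]*)$"
)

SPAM_SOURCE_PORTS = {666, 4177}   # crafted source ports typical of popup spam
TARGET_PORTS = range(1026, 1032)  # 1026-1031 inclusive


def matches_filter(rec):
    """The three properties from the post: target port in range, a
    'natural' (non-crafted) source port, and exactly two 00 bytes."""
    return (
        int(rec["dport"]) in TARGET_PORTS
        and int(rec["sport"]) not in SPAM_SOURCE_PORTS
        and rec["payload"] == "0000"
    )


def parse_log(text):
    """Yield one dict per line that fits the assumed log layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarise(text):
    """Return rows shaped like the feed, (ip, first, last, packets, date),
    sorted numerically by IP as the post says the list is."""
    per_ip = {}
    for rec in parse_log(text):
        if not matches_filter(rec):
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        entry = per_ip.setdefault(rec["sip"], [ts, ts, 0])
        entry[0] = min(entry[0], ts)
        entry[1] = max(entry[1], ts)
        entry[2] += 1
    rows = [
        (ip, first.strftime("%H:%M:%S"), last.strftime("%H:%M:%S"),
         n, first.strftime("%Y-%m-%d"))
        for ip, (first, last, n) in per_ip.items()
    ]
    rows.sort(key=lambda r: ipaddress.ip_address(r[0]))
    return rows


def ours(rows, prefixes):
    """Keep only rows whose IP is inside one of your own prefixes, i.e.
    the hosts the post asks operators to go and track down."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [r for r in rows
            if any(ipaddress.ip_address(r[0]) in n for n in nets)]


if __name__ == "__main__":
    rows = summarise(SAMPLE_LOG)
    for r in rows:
        print("\t".join(str(x) for x in r))  # assumed tab-separated layout
    # 198.51.100.0/25 is a constructed stand-in for "your network"
    print("on our network:", ours(rows, ["198.51.100.0/25"]))
```

To use it against the real feed rather than the constructed lines, replace `summarise` with a reader for whatever delimiter the downloaded file actually uses and feed its rows straight into `ours` with your announced prefixes.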


