Message-ID: <20030814234522.14173.qmail@web11401.mail.yahoo.com>
From: xillwillx at yahoo.com (w g)
Subject: New Blaster variant using UDP port 1038?

Maybe this is a way of detecting which machine is running XP, as Messenger is installed by default. I'm not sure if it's always listening on that port if the user has not signed up with MSN. I'll have to look into it.
-illwill

Jeremiah Cornelius <jeremiah@....net> wrote:

> We're starting to see exploit attempts that are followed by probes from
> the infected host on tcp/4444,
> and then UDP/1038. Has anyone else seen this?

Yeah. And UDP/1026.

I mailed this yesterday:


Interesting phenomenon emerging:

We have noticed in our log aggregators that some of the same hosts yesterday
that were doing port 135 scans... today seem to be doing some port 1026
scans. This is a listener port for MS Messenger. List followers will
remember that this has been used as an avenue for spammers to send "pop-up"
alerts on users' desktops.

farm9 (the InfoSec group I work for) is keeping an eye on this - we
correlate syslog, winlog, IDS and firewall data from a dozen or so
enterprises.

Has anybody spotted similar activity? It would be interesting to see if
this is a new worm iteration. Maybe somebody clever has figured they can
deliver MSSBlast.exe or phallus32.exe via Messenger.

I have already noticed curious folks that find that they can bind to a shell
on 4444, and are now fiddling around here - for a minute or so... ;-)

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut
farm9 Security
email: jc@...m9.com - mobile: 415.235.7689

"What would be the use of immortality to a person who cannot use well a half
hour?"
--Ralph Waldo Emerson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
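The correlation described in the thread (sources that were scanning tcp/135 one day and then probing tcp/4444, udp/1026 or udp/1038 the next) can be reproduced over aggregated firewall logs. The script below is an added example, not code from either poster or from farm9; it works on a constructed, simplified log format (timestamp, source, destination, protocol, destination port, action) and the threshold of two distinct 135 targets before a source counts as "scanning" is an assumption. It flags only sources whose follow-on probes come after their first 135 scan, which separates the worm-like sequence from hosts that merely touch Messenger ports.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from the thread). Field order:
# timestamp src dst proto dport action
SAMPLE_LOG = """\
2003-08-13T09:00:01 10.1.1.5 10.2.0.10 TCP 135 DROP
2003-08-13T09:00:02 10.1.1.5 10.2.0.11 TCP 135 DROP
2003-08-13T09:00:03 10.1.1.5 10.2.0.12 TCP 135 ACCEPT
2003-08-13T09:05:00 10.1.1.5 10.2.0.12 TCP 4444 ACCEPT
2003-08-14T10:00:00 10.1.1.5 10.2.0.20 UDP 1026 DROP
2003-08-14T10:00:01 10.1.1.5 10.2.0.21 UDP 1038 DROP
2003-08-13T11:00:00 10.1.1.9 10.2.0.30 TCP 135 DROP
2003-08-13T11:00:01 10.1.1.9 10.2.0.31 TCP 135 DROP
2003-08-14T12:00:00 10.1.1.7 10.2.0.40 UDP 1026 DROP
2003-08-13T08:00:00 10.1.1.8 10.2.0.50 TCP 80 ACCEPT
"""

SCAN_PORT = ("TCP", 135)                     # RPC port the initial scans hit
FOLLOW_ON_PORTS = {("TCP", 4444), ("UDP", 1026), ("UDP", 1038)}
MIN_SCAN_TARGETS = 2                         # assumed threshold: distinct dsts on 135


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, (proto, port), action)."""
    ts, src, dst, proto, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, (proto.upper(), int(dport)), action


def correlate(log_text, min_scan_targets=MIN_SCAN_TARGETS):
    """Return {src: {...}} for sources that scanned tcp/135 against at least
    min_scan_targets distinct hosts and later touched any follow-on port."""
    scan_targets = defaultdict(set)   # src -> set of destinations hit on 135
    first_scan = {}                   # src -> earliest 135 timestamp
    follow_on = defaultdict(list)     # src -> [(timestamp, (proto, port))]

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, svc, _action = parse_line(line)
        if svc == SCAN_PORT:
            scan_targets[src].add(dst)
            first_scan[src] = min(ts, first_scan.get(src, ts))
        elif svc in FOLLOW_ON_PORTS:
            follow_on[src].append((ts, svc))

    hits = {}
    for src, targets in scan_targets.items():
        if len(targets) < min_scan_targets:
            continue
        # Only count follow-on probes that happened after the scanning began.
        later = sorted({svc for ts, svc in follow_on[src] if ts > first_scan[src]})
        if later:
            hits[src] = {
                "scan_targets": len(targets),
                "first_scan": first_scan[src].isoformat(),
                "follow_on": [f"{proto}/{port}" for proto, port in later],
            }
    return hits


if __name__ == "__main__":
    for src, info in correlate(SAMPLE_LOG).items():
        print(src, info)
```

On the constructed sample only 10.1.1.5 is reported: 10.1.1.9 scanned 135 but never probed a follow-on port, and 10.1.1.7 hit udp/1026 without any preceding 135 scan, so neither matches the sequence the thread describes.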

