Open Source and information security mailing list archives
 
Message-ID: <1070388327.13946.4.camel@milspec.uits.uconn.edu>
From: phil.rodrigues at uconn.edu (Rodrigues, Philip)
Subject: Increase probe on UDP port 1026

This is not that.  They do not have source ports of 6666 - they are
dynamically assigned source ports in "normal" ranges (1024+).  They do
not contain a meaningful payload.  Here is the ASCII cap of a few of
them:

802.1Q vlan#604 P0 137.99.175.80.3233 > 192.189.8.166.1026:  [udp sum
ok] udp 2 (ttl 126, id 28390, len 30)
0x0000   025c 0800 4500 001e 6ee6 0000 7e11 cbd1        .\..E...n...~...
0x0010   8963 af50 c0bd 08a6 0ca1 0402 000a ed1f        .c.P............
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff        ................
0x0030   ffff                                           ..

802.1Q vlan#604 P0 137.99.175.80.3234 > 192.189.8.166.1030:  [udp sum
ok] udp 2 (ttl 126, id 28391, len 30)
0x0000   025c 0800 4500 001e 6ee7 0000 7e11 cbd0        .\..E...n...~...
0x0010   8963 af50 c0bd 08a6 0ca2 0406 000a ed1a        .c.P............
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff        ................
0x0030   ffff                                           ..

802.1Q vlan#604 P0 137.99.175.80.3233 > 171.75.168.173.1026:  [udp sum
ok] udp 2 (ttl 126, id 28392, len 30)
0x0000   025c 0800 4500 001e 6ee8 0000 7e11 413a        .\..E...n...~.A:
0x0010   8963 af50 ab4b a8ad 0ca1 0402 000a 628a        .c.P.K........b.
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff        ................
0x0030   ffff                                           ..

802.1Q vlan#604 P0 137.99.175.80.3234 > 171.75.168.173.1030:  [udp sum
ok] udp 2 (ttl 126, id 28393, len 30)
0x0000   025c 0800 4500 001e 6ee9 0000 7e11 4139        .\..E...n...~.A9
0x0010   8963 af50 ab4b a8ad 0ca2 0406 000a 6285        .c.P.K........b.
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff        ................
0x0030   ffff                                           ..

On Tue, 2003-12-02 at 04:16, Nicob wrote:
> On Tue, 2003-12-02 at 03:10, Rodrigues, Philip wrote:
> > I'm sitting in front of two Class B's.  We saw a steady increase in the unique
> > external IPs scanning us for UDP 1026, 1030 today since 0700 EST.  This chart
> > shows the number of unique external IPs with incoming UDP 1026 traffic per hour
> > since noon.
> 
> This was discussed this month on some French security related
> newsgroups, and it seems that most of the scans have a source port of
> 666/UDP.
> 
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.
> 
> F*cking spammers ...
-- 

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues@...nn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
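
Added example (not part of the original message): a Python decode of the first hex dump above, assuming the dump starts at the 802.1Q tag's TCI field (0x025c = 604, matching "vlan#604" in the summary line). It separates the 2-byte UDP payload from the trailing 0xff frame padding and rechecks the IP and UDP checksums; the function names are illustrative.

```python
import re
import struct

# First packet from the post, copied as printed (hex column plus ASCII column).
DUMP = r"""
0x0000   025c 0800 4500 001e 6ee6 0000 7e11 cbd1        .\..E...n...~...
0x0010   8963 af50 c0bd 08a6 0ca1 0402 000a ed1f        .c.P............
0x0020   0000 ffff ffff ffff ffff ffff ffff ffff        ................
0x0030   ffff                                           ..
"""

HEX_LINE = re.compile(r"^0x[0-9a-f]{4}\s+((?:(?:[0-9a-f]{4}|[0-9a-f]{2}) ?)+)")

def dump_to_bytes(text):
    """Collect the hex column of each dump line, ignoring the ASCII column."""
    rows = (HEX_LINE.match(line.strip()) for line in text.splitlines())
    return bytes.fromhex("".join(m.group(1) for m in rows if m))

def csum_ok(data):
    """True if the RFC 1071 ones'-complement sum over data folds to 0xffff."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(raw):
    """Decode IPv4/UDP; raw is assumed to start at the 802.1Q TCI field."""
    tci, ethertype = struct.unpack("!HH", raw[:4])
    ip = raw[4:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    if ethertype != 0x0800 or proto != 17 or total_len > len(ip):
        raise ValueError("not a complete IPv4/UDP packet")
    src, dst = ip[12:16], ip[16:20]
    udp = ip[ihl:total_len]
    sport, dport, ulen, usum = struct.unpack("!HHHH", udp[:8])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    return {
        "vlan": tci & 0x0FFF, "ttl": ttl, "sport": sport, "dport": dport,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_sum_ok": csum_ok(ip[:ihl]),
        "udp_sum_ok": usum == 0 or csum_ok(pseudo + udp[:ulen]),
        "payload": udp[8:ulen], "padding": ip[total_len:],
    }

if __name__ == "__main__":
    for key, value in decode(dump_to_bytes(DUMP)).items():
        print(key, value)
```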

