
List:       incidents
Subject:    RE: UDP port 1026 probe?
From:       "James C Slora Jr" <Jim.Slora () phra ! com>
Date:       2005-04-18 15:59:43
Message-ID: 20050418160303.DC81970E616 () mail49-ash ! bigfish ! com

Kero-Chan III wrote Sunday, April 17, 2005 10:08 PM

> I saw a big increase in UDP packets sent to port 1026 (and 1027
> occasionally)...

> $ nc -l -p 1026 -u -v
> listening on [any] 1026 ...
> 61.235.154.90: inverse host lookup failed: Unknown host
> connect to [my.ip.addr] from (UNKNOWN) [61.235.154.90] 36240 (ø{ZÿÐ(c)²ÀO¶æüÿÿÿÿ{STOPALERT77STOP!
> WINDOWS REQUIRES IMMEDIATE ATTENTION.

> Windows has found 47 Critical Errors.

> To fix the errors please do the following:
> 1. Download Registry Repair from: www.reg-patch.com 2. Install Registry
> Repair 3. Run Registry Repair 4. Reboot your computer FAILURE TO ACT NOW
> MAY LEAD TO DATA LOSS AND CORRUPTION!

> What is this? ICQ buffer overflow? Or something totally different?

This looks like just Messenger spam. It is designed to pop up a message on
the target's Windows desktop. The messages commonly promote malware
disguised as legitimate utilities. They commonly send these to any or all of
1025 through 1029, since Windows creates a listener on one of the low
dynamic ports. Usually I see an accompanying attempt against UDP 137 with
the same content.
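
The pattern described in the reply above, as an added example that is not part of the original message: a Python check that flags sources sending readable text over UDP to ports 1025 through 1029 and notes whether the same text also went to UDP 137. The log format, addresses, payload bytes and the 12-character text threshold are constructed assumptions.

```python
import re
from collections import defaultdict

POPUP_PORTS = range(1025, 1030)   # low dynamic ports named in the reply
NETBIOS_NS = 137                  # companion port named in the reply
TEXT_RUN = re.compile(rb"[\x20-\x7e]{12,}")  # assumed threshold for "readable text"

# Constructed payloads: a few arbitrary binary bytes followed by text, and a
# short binary-only datagram that carries no readable text.
SPAM = (b"\x04\x00\x28\x00\xff\xff" + b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.").hex()
BINARY = "1a2b01000001000000000000"

# Constructed log, hypothetical format: time src dst proto dport payload_hex
SAMPLE_LOG = f"""\
2005-04-17T22:01:03 198.51.100.7 192.0.2.10 udp 1026 {SPAM}
2005-04-17T22:01:03 198.51.100.7 192.0.2.10 udp 1027 {SPAM}
2005-04-17T22:01:04 198.51.100.7 192.0.2.10 udp 137 {SPAM}
2005-04-17T22:05:40 203.0.113.9 192.0.2.10 udp 1026 {BINARY}
2005-04-17T22:06:12 203.0.113.20 192.0.2.10 tcp 1026 {SPAM}
"""

def readable_text(payload_hex):
    """Return the printable ASCII runs in a hex-encoded payload, joined."""
    try:
        data = bytes.fromhex(payload_hex)
    except ValueError:
        return ""  # malformed hex field: treat as carrying no text
    return " ".join(m.decode("ascii") for m in TEXT_RUN.findall(data))

def find_popup_spam(log_text):
    """Map source IP -> ports hit, text seen, and whether UDP 137 got the same text."""
    per_src = defaultdict(dict)  # src -> {dport: text}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[3].lower() != "udp" or not fields[4].isdigit():
            continue  # skip non-UDP and malformed records
        src, dport, text = fields[1], int(fields[4]), readable_text(fields[5])
        if text and (dport in POPUP_PORTS or dport == NETBIOS_NS):
            per_src[src][dport] = text
    report = {}
    for src, by_port in per_src.items():
        popup = {p: t for p, t in by_port.items() if p in POPUP_PORTS}
        if popup:  # text to 137 alone is not reported by this check
            report[src] = {"ports": sorted(popup),
                           "same_text_on_137": by_port.get(NETBIOS_NS) in popup.values(),
                           "text": sorted(set(popup.values()))}
    return report

if __name__ == "__main__":
    for src, hit in find_popup_spam(SAMPLE_LOG).items():
        print(src, hit)
```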


