 
Re: udp and dst port 1026

From: Bill McCarty (bmccartypt-net.net)
Date: Tue Dec 02 2003 - 12:03:03 CST


Hi Cedric,

Good work! Evidence trumps speculation any day of the week <g>.

But, even if you're right that this traffic is intended as pop-up spam, the
traffic volume is high enough to present annoyance to some folks. And,
recent DShield data shows that the traffic sources and targets are rising
exponentially. So, this spam may turn out to be far from harmless.

Moreover, recent changes in the scanning pattern suggest that the sources
are under central control. And there's this to consider: if I wrote a
scanner for the Windows Messenger vulnerability, I'd very likely disguise
my scans as Messenger pop-ups. Presumably, candidate authors of Windows
Messenger worms are no less sneaky than I <g>.

So, though your evidence is weighty, I myself can't say that it dismisses
the issue.

Cheers,

--On Tuesday, December 02, 2003 5:03 PM +0100 Cedric Foll
<cedric.follac-rouen.fr> wrote:

> When it sees a UDP packet to 1026 (I use libpcap) with 0x0000 I respond
> with hping (I spoof IP and I send the usual response of a Windows
> station which receives 0x0000 on port 1026).

---------------------------------------------------
Bill McCarty
