[65543] in North American Network Operators' Group


port 1026-1031 traffic

daemon@ATHENA.MIT.EDU (Johannes B. Ullrich)
Mon Dec 1 23:19:26 2003

From: "Johannes B. Ullrich" <jullrich@sans.org>
Reply-To: jullrich@sans.org
To: nanog@merit.org
Date: Mon, 01 Dec 2003 23:18:45 -0500
Errors-To: owner-nanog-outgoing@merit.edu





Well, for the last week there has been an odd increase in port
1026-1031 traffic. While everything points to popup spam, there
are a few issues that are 'odd':

- increase in sources that cause this traffic.
- "natural" source ports vs. crafted source port which is typical
  for popup spam
- 2-byte '00 00' payload

(more details: http://isc.sans.org/diary.html )

As it very much looks like the origins are compromised
Windows systems (some appear to be behind NAT routers), I posted
a list with IPs at
http://feeds.dshield.org/port1026.dat

The list is sorted by IP. If any of these systems live on your network,
your help in tracking down the root cause of all this traffic is
appreciated. It's (not yet) a big deal. But maybe it's one of the few
times we can stay ahead of the problem. Also, at this point it shouldn't
be too hard to track these systems (it's only about 5,000 unique sources).

the columns of the data file:
- ip address
- first time seen on this day (GMT)
- last time seen on this day (GMT)
- number of packets detected
- date

The filter applied to the list:
- the hosts sent traffic to port 1026-1031
- the source port was not 666 or 4177
- it happened today or yesterday (today: Dec. 2nd).

-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563
  fax: (617) 786 1550                          jullrich@sans.org
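An added example (not part of the original post or the DShield feed tooling) showing how an operator could consume the port1026.dat list described above: parse the five columns in the order the post gives them, keep only sources inside the operator's own prefixes, and rank them by packet count. The delimiter is not stated in the post, so tab separation and the feed sample below are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the column order the post describes:
# ip, first seen (GMT), last seen (GMT), packet count, date.
# The post does not state the delimiter; tab-separated is assumed here.
SAMPLE_FEED = """\
192.0.2.17\t00:14:02\t22:51:40\t37\t2003-12-02
198.51.100.5\t03:00:11\t03:02:19\t2\t2003-12-02
203.0.113.200\t11:45:00\t23:10:33\t118\t2003-12-01
192.0.2.250\t05:05:05\t05:06:06\t9\t2003-12-02
this line is malformed
"""


@dataclass
class Sighting:
    ip: ipaddress.IPv4Address
    first_seen: str
    last_seen: str
    packets: int
    date: str


def parse_feed(text: str) -> list:
    """Parse feed lines, skipping blank or malformed ones instead of aborting."""
    sightings = []
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) != 5:
            continue  # wrong column count: not a feed record
        try:
            sightings.append(Sighting(ipaddress.IPv4Address(fields[0]),
                                      fields[1], fields[2], int(fields[3]), fields[4]))
        except ValueError:
            continue  # bad address or non-numeric packet count
    return sightings


def mine(sightings: list, prefixes: list, min_packets: int = 1) -> list:
    """Return sightings inside the operator's prefixes, busiest first."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = [s for s in sightings
            if s.packets >= min_packets and any(s.ip in n for n in nets)]
    return sorted(hits, key=lambda s: s.packets, reverse=True)


if __name__ == "__main__":
    for hit in mine(parse_feed(SAMPLE_FEED), ["192.0.2.0/24"]):
        print(f"{hit.ip}\t{hit.packets} packets\t{hit.first_seen}-{hit.last_seen} GMT {hit.date}")
```

Pointing `parse_feed` at the downloaded file and `mine` at your announced prefixes gives the hosts to chase first; raising `min_packets` trims single-packet noise.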

