
Re: [Full-Disclosure] New Blaster variant using UDP port 1038?



<DIV>Maybe this is a way of detecting which machine is running XP, as Messenger is installed by default. I'm not sure if it's always listening on that port if the user has not signed up with MSN. I'll have to look into it.</DIV>
<DIV>-illwill<BR><BR><B><I>Jeremiah Cornelius &lt;jeremiah@nur.net&gt;</I></B> wrote:</DIV>
<DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid; WIDTH: 100%"><BR>&gt; We're starting to see exploit attempts that are followed by probes from<BR>the infected host on tcp/4444,<BR>&gt; and then UDP/1038. Has anyone else seen this?<BR><BR>Yeah. And UDP/1026.<BR><BR>I mailed this yesterday:<BR><BR><BR>Interesting phenomenon emerging:<BR><BR>We have noticed in our log aggregators that some of the same hosts yesterday<BR>that were doing port 135 scans... today seem to be doing some port 1026<BR>scans. This is a listener port for MS Messenger. List followers will<BR>remember that this has been used as an avenue for spammers to send "pop-up"<BR>alerts on users' desktops.<BR><BR>farm9 (the InfoSec group I work for) is keeping an eye on this - we<BR>correlate syslog, winlog, IDS and firewall data from a dozen or so<BR>enterprises.<BR><BR>Has anybody spotted similar activity? It would be interesting to see if<BR>this is a new worm iteration. Maybe somebody clever has figured they can<BR>deliver MSSBlast.exe or phallus32.exe via Messenger.<BR><BR>I have already noticed curious folks that find that they can bind to a shell<BR>on 4444, and are now fiddling around here - for a minute or so... ;-)<BR><BR>-- <BR>Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut<BR>farm9 Security<BR>email: jc@farm9.com - mobile: 415.235.7689<BR><BR>"What would be the use of immortality to a person who cannot use well a half<BR>hour?"<BR>--Ralph Waldo Emerson<BR><BR>_______________________________________________<BR>Full-Disclosure - We believe in it.<BR>Charter: http://lists.netsys.com/full-disclosure-charter.html</BLOCKQUOTE></DIV>
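The correlation Jeremiah describes (the same source hosts sweeping tcp/135 one day and then hitting tcp/4444 or udp/1026/1038) can be reproduced over plain firewall logs. The Python below is an added example, not code from the thread or from farm9: it parses a handful of constructed iptables-style syslog lines, tracks per-source tcp/135 sweeps, and reports only those sources whose sweep crossed a distinct-destination threshold before any follow-up traffic on the ports named in the thread. The function name `find_blaster_followups`, the threshold, and the log format are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample log lines (simplified iptables/syslog format); not real traffic.
SAMPLE_LOG = """\
Aug 12 09:00:01 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP DPT=135
Aug 12 09:00:02 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.0.2.11 PROTO=TCP DPT=135
Aug 12 09:00:03 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.0.2.12 PROTO=TCP DPT=135
Aug 12 09:05:10 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.0.2.12 PROTO=TCP DPT=4444
Aug 13 08:30:00 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.0.2.20 PROTO=UDP DPT=1026
Aug 13 08:30:01 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.0.2.21 PROTO=UDP DPT=1038
Aug 12 09:10:00 fw1 kernel: DROP IN=eth0 SRC=10.1.1.9 DST=192.0.2.10 PROTO=TCP DPT=135
Aug 13 11:00:00 fw1 kernel: DROP IN=eth0 SRC=10.1.1.9 DST=192.0.2.10 PROTO=TCP DPT=80
Aug 13 12:00:00 fw1 kernel: DROP IN=eth0 SRC=10.1.1.7 DST=192.0.2.30 PROTO=UDP DPT=1026
"""

# Ports the thread reports as follow-up activity after a tcp/135 sweep.
FOLLOWUP_PORTS = {("TCP", 4444), ("UDP", 1026), ("UDP", 1038)}

# Tolerates extra fields (LEN=, TTL=, SPT=...) between the ones we care about.
LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DST=(\S+) .*?PROTO=(TCP|UDP) .*?DPT=(\d+)"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line into an Event, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    # Syslog timestamps carry no year; ordering within one year is all we need here.
    return Event(datetime.strptime(ts, "%b %d %H:%M:%S"), src, dst, proto, int(dport))


def find_blaster_followups(
    lines: List[str], min_135_targets: int = 3
) -> Dict[str, List[Tuple[datetime, str, int, str]]]:
    """Return {src: [(ts, proto, dport, dst), ...]} for sources whose tcp/135 sweep
    (at least min_135_targets distinct destinations) precedes any traffic to a
    FOLLOWUP_PORTS entry. Sources that only hit udp/1026 (plain Messenger spam) or
    that never crossed the sweep threshold are not reported."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    scan_targets: Dict[str, set] = defaultdict(set)  # src -> distinct dst hit on tcp/135
    sweep_confirmed: Dict[str, datetime] = {}          # src -> when threshold was crossed
    hits: Dict[str, List[Tuple[datetime, str, int, str]]] = defaultdict(list)
    for e in events:
        if e.proto == "TCP" and e.dport == 135:
            scan_targets[e.src].add(e.dst)
            if len(scan_targets[e.src]) >= min_135_targets and e.src not in sweep_confirmed:
                sweep_confirmed[e.src] = e.ts
        elif (e.proto, e.dport) in FOLLOWUP_PORTS and e.src in sweep_confirmed:
            hits[e.src].append((e.ts, e.proto, e.dport, e.dst))
    return dict(hits)


if __name__ == "__main__":
    for src, followups in find_blaster_followups(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: tcp/135 sweep followed by "
              + ", ".join(f"{p.lower()}/{d} -> {dst}" for _, p, d, dst in followups))
```

Run against the sample, only 10.1.1.5 is reported: it swept three hosts on tcp/135 and then touched tcp/4444, udp/1026 and udp/1038. 10.1.1.9 hit a single tcp/135 target (below the threshold) and 10.1.1.7 sent udp/1026 alone, which on its own is indistinguishable from ordinary Messenger pop-up spam.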