Handler on Duty: Guy Bruneau
contact us
contact us
Your session is about to expire. Please reload or submit to avoid getting logged out.
| Submitted By | Date |
|---|---|
| Comment | |
| alerter | 2009-10-04 18:45:22 |
| The vast majority of these probes on UDP 1026, post-MS-RPC-DCOM exploit ("MS Blaster"), are Windows Messaging Service using alternate ports (UDP 1025-1027) to transmit/blast WMS Desktop Pop-up SPAM. This is because several ISP-s have blocked and/or continue to block UDP 135 post-MS-Blaster. A few offensive and ongoing UDP 1026 WMS SPAMmer source IP-s are: 203.197.199.183 (VSNL-IN), 61.143.182.138 (CHINANET-GD), 200.210.170.10 (LACNIC-ARIN BR), 202.131.221.61 (EAGLE-CN), whose respective ISP-s have been entirely unresponsive and unreactive to ongoing net abuse complaints (check incidents logged with DeepSight Security Analyzer and DShield). | |
| 2009-10-04 18:45:22 | |
| I wonder if it is related to "new attack vectors for rpc vulnerabilities" http://www2.corest.com/common/showdoc.php?idx=393&;;idxseccion=10 | |
| Ken Hollis | 2004-01-30 19:53:56 |
| UDP Port 1026 (And as AFAIK ports 1027, 1028 and 1029) are the ports for Windows Messenger Popup Spam. See: http://www.lurhq.com/popup_spam.html | |
| Ken Hollis | 2003-12-23 21:09:04 |
| Greetings and Salutations: Since this is UDP, the spammers forge the source IP address to some unsuspecting party. Do not trust the source address, the packets would have to be traced hop by hop to actually find the perpetrator. Ken | |
| CVE # | Description |
|---|
