
SANS ISC: TCP/UDP Port Activity - Internet Security | DShield TCP/UDP Port Activity

Port Information
Protocol   Service   Name
udp        win-rpc   Windows RPC
tcp        nterm     remote_login network_terminal
User Comments
Submitted By Date
Comment
alerter 2009-10-04 18:45:22
The vast majority of these probes on UDP 1026, post-MS-RPC-DCOM exploit ("MS Blaster"), are Windows Messaging Service using alternate ports (UDP 1025-1027) to transmit/blast WMS Desktop Pop-up SPAM. This is because several ISPs have blocked and/or continue to block UDP 135 post-MS-Blaster. A few offensive and ongoing UDP 1026 WMS SPAMmer source IPs are: 203.197.199.183 (VSNL-IN), 61.143.182.138 (CHINANET-GD), 200.210.170.10 (LACNIC-ARIN BR), 202.131.221.61 (EAGLE-CN), whose respective ISPs have been entirely unresponsive and unreactive to ongoing net abuse complaints (check incidents logged with DeepSight Security Analyzer and DShield).
2009-10-04 18:45:22
I wonder if it is related to "new attack vectors for rpc vulnerabilities" http://www2.corest.com/common/showdoc.php?idx=393&idxseccion=10
Ken Hollis 2004-01-30 19:53:56
UDP Port 1026 (and, AFAIK, ports 1027, 1028 and 1029) are the ports for Windows Messenger Popup Spam. See: http://www.lurhq.com/popup_spam.html
Ken Hollis 2003-12-23 21:09:04
Greetings and Salutations: Since this is UDP, the spammers forge the source IP address to some unsuspecting party. Do not trust the source address; the packets would have to be traced hop by hop to actually find the perpetrator. Ken