Security Incidents mailing list archives

udp and dst port 1026


From: Jens Hektor <hektor () rz rwth-aachen de>
Date: Tue, 02 Dec 2003 00:20:38 +0100

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

[original posting]

starting around Nov 22 and increasing from Nov 24
until today I see packets floating around from
various sources to almost any IP of our networks.
Payload are two bytes with value zero.
Any idea what this could be?

[as the moderator requested more info, here it comes]

Actually the whole thing started at November 19th
and it has an exponential increase in the logs of our
Cisco-ACL'd networks (about the equivalence of 40-60
Class-C's).

A short packet dump reveals a netbios query for
the netbios name of the machine followed by a
"miniportscan" towards ports 1026-1031:

  0.000000 92 A.248.165.142 1041 B.226.246.145 137 NBNS Name query NBSTAT
  <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  0.000375 60 A.248.165.142 1042 B.226.246.145 1026 UDP Source port: 1042  Destination port: 1026
  0.001249 60 A.248.165.142 1043 B.226.246.145 1027 UDP Source port: 1043  Destination port: 1027
  0.001250 60 A.248.165.142 1044 B.226.246.145 1028 UDP Source port: 1044  Destination port: 1028
  0.001373 60 A.248.165.142 1045 B.226.246.145 1029 UDP Source port: 1045  Destination port: 1029
  0.001750 60 A.248.165.142 1046 B.226.246.145 1030 UDP Source port: 1046  Destination port: 1030
  0.002373 60 A.248.165.142 1047 B.226.246.145 1031 UDP Source port: 1047  Destination port: 1031

At the moment the traffic is not very high but it's
really noticeable in our packet filter logs. We now
have about 3000 denied accesses/h there, spread over
various lists.

It should be easily detectable in your packet filter logs, too.

And: if it keeps increasing with the same rate, we here
will have a real problem in some days.

Bye, Jens Hektor

P.S. It's already tracked at the DFN-CERT #44733
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBP8vMxRsVN+J7zzuXAQGD5QgAkKLb7Ssn/c/KBnMuliyVXG2h4R+iqDox
O7pzZ1+KXsVKrj+WY+PIwK7fAdX2hoWPkgU6/Md7UJI7MI2ue0e4nBz6SADG82Sl
oyB4+VTLxo5rmSrhjSFI30ujDz4Py6SuQuZQuyAT/czNEKDG6PG4n6FZS7j0Axm8
Zkcm6h4WOy/+h/SOr7nPdxs6GLu4Z+eJv7RGXUpQ7xZ/KUWsuQ2/HKDxaY9Xk07r
0JZS9i1G7FTMoYd46q9u1qn8lOMs0TQAfvQXMWZoqIidUNnCLHFuvKpHrTYK4p8t
c4MmUC7rd8oXL0OElVBpdidk5TeyL32Aj4je8TQCnUEaWMoNEq6wPw==
=wxNi
-----END PGP SIGNATURE-----
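The pattern Jens describes (one NBNS NBSTAT query to udp/137, then a burst of UDP packets to 1026-1031 from the same source within a few milliseconds) can be picked out of a tethereal/ethereal summary dump mechanically. The script below is an added example written for this archive page; it is not code from the original post or from DFN-CERT. It assumes the column layout shown in the dump above (time, length, src, sport, dst, dport, protocol, info), and the sample lines it runs on are constructed, with the post's anonymized A./B. addresses plus two made-up sources (C.10.0.5, D.1.2.3) that should not trigger. The window and port-count thresholds are assumptions to tune for your own logs.

```python
import re
from collections import defaultdict

# Regex for tethereal-style summary lines as shown in the post:
#   <time> <len> <src> <sport> <dst> <dport> <proto> <info...>
LINE_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<len>\d+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)

SWEEP_PORTS = set(range(1026, 1032))  # 1026-1031, the range seen in the post
WINDOW = 1.0       # assumed: seconds from the NBSTAT query to the last probe
MIN_PORTS = 4      # assumed: distinct probed ports needed to call it a sweep

# Constructed sample: the post's flow plus two sources that must not match
# (a plain DNS query, and an NBSTAT query followed by a single UDP packet).
SAMPLE = """
  0.000000 92 A.248.165.142 1041 B.226.246.145 137 NBNS Name query NBSTAT
  <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  0.000375 60 A.248.165.142 1042 B.226.246.145 1026 UDP Source port: 1042  Destination port: 1026
  0.001249 60 A.248.165.142 1043 B.226.246.145 1027 UDP Source port: 1043  Destination port: 1027
  0.001250 60 A.248.165.142 1044 B.226.246.145 1028 UDP Source port: 1044  Destination port: 1028
  0.001373 60 A.248.165.142 1045 B.226.246.145 1029 UDP Source port: 1045  Destination port: 1029
  0.001750 60 A.248.165.142 1046 B.226.246.145 1030 UDP Source port: 1046  Destination port: 1030
  0.002373 60 A.248.165.142 1047 B.226.246.145 1031 UDP Source port: 1047  Destination port: 1031
  0.500000 80 C.10.0.5 53212 B.226.246.145 53 DNS Standard query A www.example.org
  1.000000 92 D.1.2.3 1041 B.226.246.145 137 NBNS Name query NBSTAT
  1.000400 60 D.1.2.3 1042 B.226.246.145 1026 UDP Source port: 1042  Destination port: 1026
""".strip("\n").splitlines()


def parse(lines):
    """Yield one dict per packet line; continuation/payload lines are skipped."""
    for line in lines:
        # Tolerate a leading '~' that some mail clients put on space-led lines.
        m = LINE_RE.match(line.lstrip("~ "))
        if not m:
            continue
        yield {
            "t": float(m.group("t")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "proto": m.group("proto"),
            "info": m.group("info"),
        }


def find_sweeps(lines):
    """Return {(src, dst): [probed ports]} for each source that sends an
    NBSTAT query to udp/137 and then hits >= MIN_PORTS of 1026-1031 on the
    same target within WINDOW seconds of that query."""
    flows = defaultdict(list)
    for pkt in parse(lines):
        flows[(pkt["src"], pkt["dst"])].append(pkt)

    hits = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p["t"])
        for i, p in enumerate(pkts):
            if not (p["dport"] == 137 and "NBSTAT" in p["info"]):
                continue
            probed = {
                q["dport"]
                for q in pkts[i + 1:]
                if q["proto"] == "UDP"
                and q["dport"] in SWEEP_PORTS
                and q["t"] - p["t"] <= WINDOW
            }
            if len(probed) >= MIN_PORTS:
                hits[key] = sorted(probed)
                break  # one report per (src, dst) pair is enough
    return hits


if __name__ == "__main__":
    for (src, dst), ports in find_sweeps(SAMPLE).items():
        print(f"{src} -> {dst}: NBSTAT query followed by UDP probes to {ports}")
```

To produce input in this shape from a live capture, a summary dump restricted to the ports in question (the subject line's `udp and dst port 1026`, widened to 137 and 1026-1031) is enough; the script keys on the NBSTAT query plus the burst, so a host that only answers on udp/137 or only receives a single stray packet to 1026 is not reported.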

