Full Version: Packets Directed To Udp Ports
synCsil
Looking over some logged packets, just monitoring I guess... I've noticed quite a slew of these packets
directed to UDP ports which basically resemble advertisements. Running a Linux OS but these appear to be directed to Windows machines, so it may just be indiscriminate blasting. Here's the legible bits of the actual packet:
........ALERT...
....YOUR COMPUTE
IS INFECTED WI
TH DANGEROUS SPY
WARE .Your Anti-
virus and Firewa
ll software CAN'
T stop it ! .Vis
it: www.win-fix.
com for FREE rem
oval software an
d information...
.
Has anyone else seen these? WHOIS lookups show (nearly) the same ones coming from China,
Colorado, and Korea. Not really worried or anything, just curious to see if anyone else has noticed
these....for those of you who may be using any sort of (N)IDS or sniffer software????

And yes. These are logged as UDP, not TCP as one might naturally think.
Sir Psycho Sexy
Are those the ones that pop up in a Windows alert box and have an OK button? I've had problems with those in the past...
mooooooooooopo
Are they directed to a specific port number (which would possibly give information on what program they are targeted at) or just randomly?

Are the dots in your message actually dots or just undecipherable characters (translated to dots for readability) which may make up a header to tell the targeted program what to do with the data?
DarkInferno
It is just Win Messenger service spam... ignore it...

It's on UDP 1026 I think, and unfortunately is getting more prevalent.
synCsil
QUOTE (DarkInferno @ Oct 31 2004, 08:14 AM)
It's on UDP 1026 I think.

Exactly. 1026 & 1027 are the specific ports. Just to be more clear about it, I've put an example online
for anyone interested.... >>> example packet
The only thing I have changed is my IP address (replaced w/ xxx.xx etc; )

It's a bit humorous to me though because these, if they are indeed intended to open a popup box,
have no effect on my particular machine. Nonetheless, I've added a rule to my input firewall chain
so it drops them forthright but logs them first.
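
An added example, not part of the thread: a small triage script for logged datagrams like the one quoted above. It renders a payload the way a sniffer's ASCII column does (non-printable bytes become dots) and flags UDP 1026/1027 payloads that carry advertisement text. The function names, the keyword and hostname heuristics, and the zero bytes standing in for the binary fields are assumptions made for the illustration.

```python
import re

# UDP ports the thread identifies for this traffic.
MESSENGER_SPAM_PORTS = {1026, 1027}

# Constructed sample: zero bytes stand in for the binary fields a sniffer
# shows as dots; the text is the advertisement quoted in the thread.
SAMPLE_PAYLOAD = (
    b"\x00" * 8 + b"ALERT" + b"\x00" * 7
    + b"YOUR COMPUTER IS INFECTED WITH DANGEROUS SPYWARE \n"
    + b"Your Anti-virus and Firewall software CAN'T stop it ! \n"
    + b"Visit: www.win-fix.com for FREE removal software and information\x00"
)

def ascii_column(payload, width=16):
    """Render bytes like a sniffer's ASCII column: non-printable -> '.'."""
    text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in payload)
    return [text[i:i + width] for i in range(0, len(text), width)]

def text_runs(payload, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, payload)]

def classify(proto, dport, payload):
    """Label one logged datagram; keyword and hostname tests are assumptions."""
    if proto != "udp" or dport not in MESSENGER_SPAM_PORTS:
        return "other"
    text = " ".join(text_runs(payload))
    has_host = re.search(r"\bwww\.[a-z0-9-]+\.[a-z]{2,}\b", text, re.I)
    has_lure = re.search(r"\b(infected|spyware|virus)\b", text, re.I)
    if has_host and has_lure:
        return "messenger-spam"
    return "unclassified"

if __name__ == "__main__":
    for row in ascii_column(SAMPLE_PAYLOAD):
        print(row)
    print(classify("udp", 1026, SAMPLE_PAYLOAD))
```

The first two rendered rows match the dump quoted in the first post, which shows how short fields such as "ALERT" sit between runs of non-printable bytes.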