Well, for the last week there has been an odd increase in port 1026-1031 traffic. While everything points to popup spam, there are a few issues that are 'odd':

- increase in sources that cause this traffic
- "natural" source ports vs. crafted source ports, which are typical for popup spam
- 2-byte '00 00' payload (more details: http://isc.sans.org/diary.html )

As it very much looks like the origin is compromised Windows systems (some appear to be behind NAT routers), I posted a list with IPs at http://feeds.dshield.org/port1026.dat

The list is sorted by IP. If any of these systems live on your network, your help in tracking down the root cause of all this traffic is appreciated. It's (not yet) a big deal. But maybe it's one of the few times we can stay ahead of the problem. Also, at this point it shouldn't be too hard to track these systems (it's only about 5,000 unique sources).

The columns of the data file:

- ip address
- first time seen on this day (GMT)
- last time seen on this day (GMT)
- number of packets detected
- date

The filter applied to the list:

- the hosts sent traffic to port 1026-1031
- the source port was not 666 or 4177
- it happened today or yesterday (today: Dec. 2nd)

--
CTO SANS Internet Storm Center
http://isc.sans.org
phone: (617) 786 1563 fax: (617) 786 1550
jullrich@sans.org
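An added example, not from the post or from ISC/DShield tooling, showing how a network owner could act on the list: it parses the feed in the five-column layout described above, matches entries against your own address space, and re-implements the stated filter so the same selection can be run over your own flow logs. It assumes whitespace-separated columns, HH:MM:SS timestamps and ISO dates; the sample rows are constructed and the year is not stated in the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set


@dataclass
class FeedEntry:
    ip: str
    first_seen: str   # GMT, as given in the feed
    last_seen: str    # GMT, as given in the feed
    packets: int
    date: str


# Constructed sample rows in the assumed column order:
# ip, first seen, last seen, packet count, date (format is an assumption).
SAMPLE_FEED = """\
# ip first_seen last_seen packets date
192.0.2.17 00:14:02 23:51:10 412 2003-12-02
198.51.100.9 03:22:41 03:22:41 1 2003-12-02
203.0.113.77 11:05:33 19:40:12 87 2003-12-01
"""


def parse_feed(text: str) -> List[FeedEntry]:
    """Parse feed lines into FeedEntry records, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, first, last, packets, date = line.split()
        ip_address(ip)  # raise on a malformed address instead of silently skipping it
        entries.append(FeedEntry(ip, first, last, int(packets), date))
    return entries


def hosts_in_my_networks(entries: List[FeedEntry], my_prefixes: List[str]) -> List[FeedEntry]:
    """Return the feed entries whose IP falls inside one of your own prefixes."""
    nets = [ip_network(p) for p in my_prefixes]
    return [e for e in entries if any(ip_address(e.ip) in n for n in nets)]


def matches_feed_filter(dst_port: int, src_port: int, date: str, recent_dates: Set[str]) -> bool:
    """The post's filter: destination port 1026-1031, source port not 666 or 4177,
    and seen on one of the recent dates (today or yesterday in the post)."""
    return 1026 <= dst_port <= 1031 and src_port not in (666, 4177) and date in recent_dates
```

Run `hosts_in_my_networks(parse_feed(open("port1026.dat").read()), ["192.0.2.0/24"])` against the real file to get the entries to chase down internally.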
Participants (1):
- Johannes B. Ullrich