Increasing portknocks from UDP 53 to 1026

Are there more people seeing this?
Is this a new proxy or part of one of the nasties?
Seeing the IPs seldom resolve to a DNS, and belonging to very strange domains like domestic security etc.
Department of Social Security of UK
DoD Network Information Center
Army National Guard Bureau
Computer Sciences Corporation
Prudential Securities Inc
SITA-Societe Internationale de Telecommunications Aeronautiques
Royal Signals and Radar Establishment
etc, all kinds of sites i am not visiting.

 

Miss Josske

Yes. Began last week. Prudential not noticed. Watch also ports in the 4300 range.

 

UDP 53 among others can have to do with Muska, an old backdoor code, UDP 1026 might have to do with windows messenger spam
Best to disable the windows messenger service as described in several places to start with.
4300 RAT.smokodoor ?
seeing senders 666 (lots of names) and 10168 (lovgate) knocking in 1026 too.

 

Miss Jooske

My first time here an was lurking to see if anyone here had notice this. If this is a case of all those agancies being compromised by trojans ?
This is the first public mention of it that I have seen. Privately word of this has spread rapidly.

 

Checked Sygate log after reading this - I'm seeing them also; but seems to go up to port 1029 for me. Sygate assigns the scans a severity of 15 (most normal noise is 3) and some are accompanied by a buncha TCP from the same IP.

 

Yep up to 1026-1029 now, senders are more 53, 666, 777, and various others like always, but most 53 still and all UDP.