Increasing portknocks from UDP 53 to 1026

Discussion in 'other security issues & news' started by Jooske, Mar 29, 2004.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are there more people seeing this?
    Is this a new proxy or part of one of the nasties?
    Seeing the IPs seldom resolve to a DNS, and belonging to very strange domains like domestic security etc.
    Department of Social Security of UK
    DoD Network Information Center
    Army National Guard Bureau
    Computer Sciences Corporation
    Prudential Securities Inc
    SITA-Societe Internationale de Telecommunications Aeronautiques
    Royal Signals and Radar Establishment
    etc., all kinds of sites I am not visiting.
     
  2. RedLobster

    RedLobster Guest

    Miss Jooske

    Yes. Began last week. Prudential not noticed. Watch also ports in the 4300 range.
     
  3. Jooske

    Jooske Registered Member

    UDP 53, among others, can have to do with Muska, an old backdoor code; UDP 1026 might have to do with Windows Messenger spam.
    Best to disable the Windows Messenger service, as described in several places, to start with.
    4300 RAT.smokodoor ?
    Seeing senders 666 (lots of names) and 10168 (lovgate) knocking in 1026 too.
     
  4. RedLobster

    RedLobster Guest

    Miss Jooske

    My first time here and was lurking to see if anyone here had noticed this. If this is a case of all those agencies being compromised by trojans o_O?
    This is the first public mention of it that I have seen. Privately word of this has spread rapidly.
     
  5. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Checked Sygate log after reading this - I'm seeing them also; but seems to go up to port 1029 for me. Sygate assigns the scans a severity of 15 (most normal noise is 3) and some are accompanied by a buncha TCP from the same IP.
     
  6. Jooske

    Jooske Registered Member

    Yep up to 1026-1029 now, senders are more 53, 666, 777, and various others like always, but most 53 still and all UDP.
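
Added example, not part of the original thread: one way to tally the pattern the posters describe (inbound UDP to destination ports 1026-1029, grouped by source IP and source port, noting whether the same IP also sent TCP). The log format, field layout and addresses are constructed for illustration and are not Sygate's real log layout.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up format (assumption, not a real firewall's layout).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2004-03-29 10:01:02 UDP 192.0.2.10:53 -> 203.0.113.5:1026 BLOCKED
2004-03-29 10:01:03 UDP 192.0.2.10:53 -> 203.0.113.5:1027 BLOCKED
2004-03-29 10:01:09 UDP 198.51.100.7:666 -> 203.0.113.5:1026 BLOCKED
2004-03-29 10:02:11 UDP 198.51.100.8:777 -> 203.0.113.5:1029 BLOCKED
2004-03-29 10:02:30 TCP 192.0.2.10:4312 -> 203.0.113.5:135 BLOCKED
2004-03-29 10:03:00 UDP 192.0.2.53:53 -> 203.0.113.5:3301 ALLOWED
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> [\d.]+:(?P<dport>\d+) (?P<action>\w+)$"
)
PROBED_PORTS = range(1026, 1030)  # 1026-1029, the range reported in the thread


def summarize(log_text):
    """Group UDP hits on 1026-1029 by source IP; ignore other UDP traffic."""
    hits = defaultdict(lambda: {"sports": set(), "dports": set(), "count": 0})
    tcp_sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        if m["proto"] == "TCP":
            tcp_sources.add(m["src"])
        elif int(m["dport"]) in PROBED_PORTS:
            h = hits[m["src"]]
            h["sports"].add(int(m["sport"]))
            h["dports"].add(int(m["dport"]))
            h["count"] += 1
    for src, h in hits.items():
        h["tcp_too"] = src in tcp_sources  # same IP also sent TCP
    return dict(hits)


if __name__ == "__main__":
    for src, h in sorted(summarize(SAMPLE_LOG).items()):
        print(src, sorted(h["sports"]), sorted(h["dports"]), h["count"], h["tcp_too"])
```

The UDP packet from source port 53 to port 3301 is deliberately left out of the tally: the destination range, not the source port alone, is what separates these hits from ordinary DNS replies.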
     