bsdjunkie
February 23rd, 2005, 14:54
Well, being bored i decided to go through my firewall logs this afternoon again, and noticed a large increase in these popup spam messages recently. Figured it would be a fun idea to post all the stuff we are blocking and see just how many different popups are out there. Heres a couple from the last few hours after log rolled over that i have multiple hits on. Feel free to add more as you get them =) Look for UDP packets destined for ports 1026, 1027, 1028.


11:19:34.368602 rule 3/0(match): block in on fxp0: 206.194.141.178.2819 > 68.85.141.224.1026: [no cksum] udp 880 (ttl 115, id 1269)
0000: 4500 038c 04f5 0000 7311 10c2 cec2 8db2 E......s...
0010: 4455 8de0 0b03 0402 0378 0000 0400 2800 DU......x....(.
0020: 1000 0000 0000 0000 0000 0000 0000 0000 ................
0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 .....{Z...
0040: 4fb6 e6fc 0407 978a fb15 7a91 da5e d562 O.....z.^b
0050: 1182 ca65 0000 0000 0100 0000 0000 0000 ..e............
0060: 0000 ffff ffff 2003 0000 0000 1100 0000 .. .........
0070: 0000 0000 1100 0000 5345 4355 5249 5459 ........SECURITY
0080: 204d 4f4e 4954 4f52 0000 0000 1100 0000 MONITOR........
0090: 0000 0000 1100 0000 5749 4e44 4f57 5320 ........WINDOWS
00a0: 5553 4552 0000 0000 0000 0000 d402 0000 USER...........
00b0: 0000 0000 d402 0000 496d 706f 7274 616e .......Importan
00c0: 7420 5769 6e64 6f77 7320 5365 6375 7269 t Windows Securi
00d0: 7479 2042 756c 6c65 7469 6e0d 0a3d 3d3d ty Bulletin..===
00e0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d ================
00f0: 3d3d 3d0d 0a42 7566 6665 7220 4f76 6572 ===..Buffer Over
0100: 7275 6e20 696e 204d 6573 7365 6e67 6572 run in Messenger
0110: 2053 6572 7669 6365 2041 6c6c 6f77 7320 Service Allows
0120: 5265 6d6f 7465 2043 6f64 6520 4578 6563 Remote Code Exec
0130: 7574 696f 6e2c 0d0a 5669 7275 7320 496e ution,..Virus In
0140: 6665 6374 696f 6e20 616e 6420 556e 6578 fection and Unex
0150: 7065 6374 6564 2043 6f6d 7075 7465 7220 pected Computer
0160: 5368 7574 646f 776e 730d 0a0d 0a41 6666 Shutdowns....Aff
0170: 6563 7465 6420 536f 6674 7761 7265 3a20 ected Software:
0180: 0d0a 0d0a 4d69 6372 6f73 6f66 7420 5769 ....Microsoft Wi
0190: 6e64 6f77 7320 4e54 2057 6f72 6b73 7461 ndows NT Worksta
01a0: 7469 6f6e 200d 0a4d 6963 726f 736f 6674 tion ..Microsoft
01b0: 2057 696e 646f 7773 204e 5420 5365 7276 Windows NT Serv
01c0: 6572 2034 2e30 200d 0a4d 6963 726f 736f er 4.0 ..Microso
01d0: 6674 2057 696e 646f 7773 2032 3030 3020 ft Windows 2000
01e0: 2020 0d0a 4d69 6372 6f73 6f66 7420 5769 ..Microsoft Wi
01f0: 6e64 6f77 7320 5850 2020 0d0a 4d69 6372 ndows XP ..Micr
0200: 6f73 6f66 7420 5769 6e64 6f77 7320 5769 osoft Windows Wi
0210: 6e39 3820 2020 0d0a 4d69 6372 6f73 6f66 n98 ..Microsof
0220: 7420 5769 6e64 6f77 7320 5365 7276 6572 t Windows Server
0230: 2032 3030 330d 0a0d 0a4e 6f6e 2041 6666 2003....Non Aff
0240: 6563 7465 6420 536f 6674 7761 7265 3a20 ected Software:
0250: 0d0a 0d0a 4d69 6372 6f73 6f66 7420 5769 ....Microsoft Wi
0260: 6e64 6f77 7320 4d69 6c6c 656e 6e69 756d ndows Millennium
0270: 2045 6469 7469 6f6e 0d0a 0d0a 596f 7572 Edition....Your
0280: 2073 7973 7465 6d20 6973 2061 6666 6563 system is affec
0290: 7465 642c 2064 6f77 6e6c 6f61 6420 7468 ted, download th
02a0: 6520 7061 7463 6820 6672 6f6d 2074 6865 e patch from the
02b0: 2061 6464 7265 7373 2062 656c 6f77 2021 address below !
02c0: 200d 0a46 4952 5354 2054 5950 4520 5448 ..FIRST TYPE TH
02d0: 4520 4144 4452 4553 5320 4245 4c4f 5720 E ADDRESS BELOW
02e0: 494e 544f 2059 4f55 5220 494e 5445 524e INTO YOUR INTERN
02f0: 4554 2042 524f 5753 4552 2c20 5448 454e ET BROWSER, THEN
0300: 2043 4c49 434b 2027 4f4b 272e 0d0a 5448 CLICK 'OK'...TH
0310: 4520 4144 4452 4553 5320 5749 4c4c 2044 E ADDRESS WILL D
0320: 4953 4150 5045 4152 204f 4e43 4520 594f ISAPPEAR ONCE YO
0330: 5520 434c 4943 4b20 274f 4b27 2e0d 0a0d U CLICK 'OK'....
0340: 0a20 2020 2020 2020 2020 2020 2020 2020 .
0350: 2020 2020 2020 2020 2020 2020 2020 2020
0360: 2020 2020 2020 2020 2020 2020 2020 2020
0370: 2020 2020 2077 7777 2e75 7064 6174 6570 www.updatep
0380: 6174 6368 2e69 6e66 6f0d 0a00 atch.info...




11:21:02.314569 rule 3/0(match): block in on fxp0: 222.233.52.32.52059 > 68.85.141.224.1026: [udp sum ok] udp 423 (DF) (ttl 48, id 0)
0000: 4500 01c3 0000 4000 3011 63eb dee9 3420 E....@.0.c4
0010: 4455 8de0 cb5b 0402 01af f6bf 0400 2800 DU.[.....(.
0020: 1000 0000 0000 0000 0000 0000 0000 0000 ................
0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 .....{Z...
0040: 4fb6 e6fc 0000 0000 0000 0000 0000 0000 O............
0050: 0000 0000 0000 0000 0100 0000 0000 0000 ................
0060: 0000 ffff ffff 5701 0000 0000 1000 0000 ..W.........
0070: 0000 0000 1000 0000 5345 4355 5249 5459 ........SECURITY
0080: 0000 0000 0000 0000 1000 0000 0000 0000 ................
0090: 1000 0000 414c 4552 5400 0000 0000 0000 ....ALERT.......
00a0: 0000 0000 1301 0000 0000 0000 1301 0000 ................
00b0: 5359 5354 454d 2045 5252 4f52 3a20 5769 SYSTEM ERROR: Wi
00c0: 6e64 6f77 7320 6861 7320 6465 7465 6374 ndows has detect
00d0: 6564 2053 7079 7761 7265 2072 756e 6e69 ed Spyware runni
00e0: 6e67 206f 6e20 796f 7572 2063 6f6d 7075 ng on your compu
00f0: 7465 722e 0a0a 5370 7977 6172 6520 6361 ter...Spyware ca
0100: 6e20 6461 6d61 6765 2063 7269 7469 6361 n damage critica
0110: 6c20 7379 7374 656d 2066 696c 6573 202c l system files ,
0120: 2074 7261 636b 2079 6f75 7220 6f6e 6c69 track your onli
0130: 6e65 2061 6374 6976 6974 6965 7320 616e ne activities an
0140: 6420 6469 7370 6c61 7920 706f 702d 7570 d display pop-up
0150: 732e 0a0a 416e 7469 2d56 6972 7573 2061 s...Anti-Virus a
0160: 6e64 2046 6972 6577 616c 6c20 736f 6674 nd Firewall soft
0170: 7761 7265 2063 616e 206e 6f74 2070 726f ware can not pro
0180: 7465 6374 2079 6f75 2e0a 0a56 6973 6974 tect you...Visit
0190: 3a20 2077 7777 2e77 696e 2d66 6978 2e63 : www.win-fix.c
01a0: 6f6d 2020 666f 7220 6672 6565 2072 656d om for free rem
01b0: 6f76 616c 2069 6e66 6f72 6d61 7469 6f6e oval information
01c0: 210a 00 !..