Hi, all

I started seeing strange traffic on Nov. 25 with what appeared to be NMAP port scans of our network on ports 1026 - 1031 UDP coming from multiple external hosts.

Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:17:40, GMT: 1069996660
Source Address: xxx.xxx.xxx.249, Source Port: 2258, Destination Address: xxx.xxx.xxx.88, Destination Port: 1031

Then SANS/DShield released today:

Request for Packets: Port 1026-1031 (Johannes B. Ullrich)
----------------------------------------------------------------------
Message: 1
Date: Tue, 25 Nov 2003 22:16:38 -0500
From: "Johannes B. Ullrich" <email@example.com>
Subject: [Dshieldannounce] Request for Packets: Port 1026-1031
To: firstname.lastname@example.org
Message-ID: <1069816597.16842.774.camel@bart>
Content-Type: text/plain; charset="us-ascii"

We are currently tracking some increase in port 1025-1031 activity. The question is if this is a use of a new exploit or just a new version of popup spam.

For continuing updates, see:
http://isc.sans.org/diary.html?date=2003-11-25

We are currently looking for more data to investigate this issue. One important hint is the change in source ports. As of Nov. 21st, most port 135 reports came from a source port of 666 or 4177, indicating that they were crafted. However, more recently (e.g. Nov. 25th), more reports originate from the default source ports (1024 and up). This is illustrated in this graphic:
http://isc.sans.org/images/1026spdistribution.gif

Not shown in the graphic is a second peak for the Nov. 25th data around source port 60,000. This data may be associated with hosts behind NAT devices.

Current possibilities:

(1) Popup Spam: It is possible to reach the Windows Messenger service via these ports. This bypasses UDP 135, which is frequently blocked by firewalls. However, most popup spam originates from a small number of sources.

(2) Windows Messenger Worm/Bot: On October 15th, Microsoft released Bulletin MS03-043. This bulletin warns of a buffer overflow for the Microsoft Messenger Service
http://www.microsoft.com/technet/security/bulletin/MS03-043.asp
This vulnerability could be used to gain access to a system, or to launch self replicating code. The malware community is actively working on related exploits.

My questions:

Has anyone seen this traffic? If so, has anyone analyzed this traffic?
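A small triage script for the kind of data both the original poster and the DShield note are asking about. This is an added example, not code from the post, from DShield, or from any IDS vendor. It parses alert lines in the layout the post shows (each alert on a single line here), keeps only alerts to destination ports 1026-1031, and for every external source reports how many distinct internal hosts it hit and which source-port band it used, following the quoted hint that source ports 666 and 4177 indicated crafted packets, that default Windows source ports start at 1024, and that a cluster around 60,000 may be NAT. The regex, the band boundaries (5000 and 49152), the sweep threshold of three targets, and all sample addresses (documentation ranges) are assumptions made for the example.

```python
"""
Triage helper for the UDP 1026-1031 sweep discussed above.

Added example, not code from the original post or from DShield/SANS.
"""
import re
from collections import defaultdict

# Source ports DShield said indicated crafted packets (from the quoted announcement).
CRAFTED_SOURCE_PORTS = {666, 4177}
SWEEP_PORTS = range(1026, 1032)          # 1026-1031 inclusive

# Assumed layout: the two-line alert from the post, joined onto one line.
ALERT_RE = re.compile(
    r"Signature:\s*(?P<sig>\d+),\s*Sub-Signature:\s*(?P<sub>\d+)\s*on\s*"
    r"(?P<date>\S+)\s*at\s*(?P<time>\S+),\s*GMT:\s*(?P<epoch>\d+)\s*"
    r"Source Address:\s*(?P<src>[\w.]+),\s*Source Port:\s*(?P<sport>\d+),\s*"
    r"Destination Address:\s*(?P<dst>[\w.]+),\s*Destination Port:\s*(?P<dport>\d+)"
)


def parse_alert(line):
    """Return a dict with the alert fields, or None if the line does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sig", "sub", "epoch", "sport", "dport"):
        d[key] = int(d[key])
    return d


def source_port_band(sport):
    """Classify the source port along the lines of the DShield reasoning.

    The 5000 and 49152 boundaries are assumptions for this example; the
    announcement only says "1024 and up" and "around source port 60,000".
    """
    if sport in CRAFTED_SOURCE_PORTS:
        return "crafted"
    if 1024 <= sport < 5000:
        return "default-ephemeral"      # classic Windows range starting at 1024
    if sport >= 49152:
        return "high-ephemeral"         # the ~60000 peak; possibly NAT-translated
    return "other"


def summarize(lines, min_targets=3):
    """Group 1026-1031 alerts by source; flag sources hitting >= min_targets hosts."""
    per_source = defaultdict(lambda: {"targets": set(), "ports": set(), "bands": defaultdict(int)})
    for line in lines:
        a = parse_alert(line)
        if a is None or a["dport"] not in SWEEP_PORTS:
            continue                    # unparseable, or not the traffic of interest
        s = per_source[a["src"]]
        s["targets"].add(a["dst"])
        s["ports"].add(a["dport"])
        s["bands"][source_port_band(a["sport"])] += 1
    report = {}
    for src, s in per_source.items():
        report[src] = {
            "distinct_targets": len(s["targets"]),
            "dest_ports": sorted(s["ports"]),
            "bands": dict(s["bands"]),
            "sweep": len(s["targets"]) >= min_targets,
        }
    return report


# Constructed sample alerts (documentation address ranges), not data from the post.
SAMPLE_ALERTS = [
    "Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:17:40, GMT: 1069996660 Source Address: 192.0.2.249, Source Port: 2258, Destination Address: 198.51.100.88, Destination Port: 1031",
    "Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:17:41, GMT: 1069996661 Source Address: 192.0.2.249, Source Port: 2259, Destination Address: 198.51.100.89, Destination Port: 1030",
    "Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:17:42, GMT: 1069996662 Source Address: 192.0.2.249, Source Port: 2260, Destination Address: 198.51.100.90, Destination Port: 1026",
    "Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:18:05, GMT: 1069996685 Source Address: 192.0.2.17, Source Port: 666, Destination Address: 198.51.100.88, Destination Port: 135",
    "Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:18:06, GMT: 1069996686 Source Address: 192.0.2.17, Source Port: 666, Destination Address: 198.51.100.88, Destination Port: 1026",
    "Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:19:10, GMT: 1069996750 Source Address: 192.0.2.101, Source Port: 60123, Destination Address: 198.51.100.88, Destination Port: 1027",
    "Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:19:11, GMT: 1069996751 Source Address: 192.0.2.101, Source Port: 60124, Destination Address: 198.51.100.91, Destination Port: 1027",
    "some unrelated line the sensor logged",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_ALERTS).items():
        print(src, info)
```

On the constructed data the script marks 192.0.2.249 as a sweep (three distinct targets from default ephemeral source ports), keeps 192.0.2.17 as a single crafted-source-port hit, and shows 192.0.2.101 in the high source-port band. The port 135 alert is dropped because it is outside 1026-1031; if you want to correlate the two, widen SWEEP_PORTS. Source ports in the "high-ephemeral" band say nothing by themselves, so treat that label as a prompt to check whether the source is a NAT gateway rather than as a verdict.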