Wednesday, August 10, 2005

Cottin' Pickin' Spammers!

I've been chasing spammers today. I came in and found attached to port 4805 on my machine. The actual IP is and is the same clown or clowns that crashed the gatekeeper here a while back.

See these guys send out Net Send commands that hammer port 1026 on a range of addresses. Our Video Gatekeeper has a little task that monitors the gatekeeper software on, you guessed it, port 1026. So when the monitoring task fires up and finds port 1026 in use, it freaks out and thinks the gatekeeper has lost connection and reboots the computer! When the server (Win2K) reboots, all of the video calls are disconnected and cannot be re-connected until the gatekeeper is back up and running. It appears to be entirely random to the casual observer. We blocked incoming UDP traffic on port 1026 and everything has been smooth ever since.

The way I found it was, I turned on trace logging on the server. I logged everything: every TCP packet, UDP packet, file open, file close, process start, and process end. The file was absolutely HUGE. I only created 10 minute segments, but still had a whale of a time trying to find something that would read these enormous files.

Once I found something to open the log, I went to the end where all of the processes were closing just prior to re-boot. I then backtracked until I found the offending UDP transaction and voila! It was the clown with IP trying to send some stupid advertisement to a computer that doesn't even have a monitor and has Messenger disabled. Why does Windows even keep the port open if Messenger is disabled? Arghh.
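As an added example (not code from the post), here is the same backtracking done over a constructed trace-log sample: start at the shutdown marker, walk backwards past the process-end events, and stop at the last inbound UDP datagram to port 1026. The line format, the local address 10.0.0.5 and the remote address 203.0.113.9 are all assumptions.

```python
import re

# Constructed sample of a trace-log segment (not the post's real log). Line
# format assumed here: "<time> <PROTO> <src>:<port> -> <dst>:<port>" for packets
# and "<time> PROCESS_START|PROCESS_END <name>" / "<time> SHUTDOWN ..." for events.
SAMPLE_LOG = """\
10:40:58 UDP 203.0.113.9:1026 -> 10.0.0.5:1026
10:41:02 TCP 10.0.0.22:3101 -> 10.0.0.5:1720
10:41:04 UDP 203.0.113.9:1026 -> 10.0.0.5:1026
10:41:04 PROCESS_START gkmonitor.exe
10:41:05 PROCESS_END gatekeeper.exe
10:41:05 PROCESS_END gkmonitor.exe
10:41:06 PROCESS_END winlogon.exe
10:41:06 SHUTDOWN initiated by gkmonitor.exe
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

def find_trigger(log_text, local_ip="10.0.0.5", port=1026):
    """Walk backwards from the last SHUTDOWN marker and return (timestamp,
    source_ip) of the nearest preceding inbound UDP datagram to `port`,
    or None if the segment holds no such packet."""
    lines = log_text.splitlines()
    marks = [i for i, line in enumerate(lines) if "SHUTDOWN" in line]
    end = marks[-1] if marks else len(lines)  # no marker: scan whole segment
    for line in reversed(lines[:end]):
        m = PKT_RE.match(line)
        if not m:
            continue  # process/file events are skipped on the way back
        if m["proto"] == "UDP" and m["dip"] == local_ip and int(m["dport"]) == port:
            return m["ts"], m["sip"]
    return None

def udp_senders_to_port(log_text, port=1026):
    """Count datagrams per remote host aimed at `port`; a host that keeps
    hitting it across segments is the advertising spray the post describes."""
    counts = {}
    for line in log_text.splitlines():
        m = PKT_RE.match(line)
        if m and m["proto"] == "UDP" and int(m["dport"]) == port:
            counts[m["sip"]] = counts.get(m["sip"], 0) + 1
    return counts

if __name__ == "__main__":
    print(find_trigger(SAMPLE_LOG))         # ('10:41:04', '203.0.113.9')
    print(udp_senders_to_port(SAMPLE_LOG))  # {'203.0.113.9': 2}
```

The per-sender count is the quick check for whether the same host keeps showing up in every 10-minute segment, which is what makes blocking inbound UDP 1026 the right fix rather than chasing individual reboots.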

This guy caused a lot of grief on state-owned systems trying to advertise in a way that is at the very least unethical. He wasted a lot of my tax dollars with his stupidity. So ... I port scanned him in the most invasive way I could think of for quite a number of hours. He disappeared off the net, at least for a while. I guess now he's back.

Cottin' Pickin' spammers!
