Or it could be something similar to the messenger service pop-up spam. Do a Google search for "udp 1026".
Since some ISP's are blocking TCP 135 to try to stop Blaster and variants, the pop-up spammer is using a spoofed udp 1026 to hawk their crap.

Lee.

-----Original Message-----
From: Richard Ashley [mailto:[EMAIL PROTECTED]
Sent: 26 September 2003 17:20
To: [EMAIL PROTECTED]
Subject: RE: [gb-users] Spoofing IPs

Looks like WORM_NACHI.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.A

-----Original Message-----
From: Christopher A. Congdon [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2003 12:12 PM
To: [EMAIL PROTECTED]
Subject: [gb-users] Spoofing IPs

How possible is it to spoof an IP address being given to GB firewall? I had the following messages come from my GB:

Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=1026/udp src=66.52.249.70 srcport=666 dst=63.94.115.69 dstport=1026 interface=xl0
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=135/udp src=66.52.249.70 srcport=666 dst=63.94.115.69 dstport=135 interface=xl0
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=1026/udp src=66.52.249.70 srcport=666 dst=63.94.115.68 dstport=1026 interface=xl0

Well, I had a lot more than these, but this is just a sampling. The IP comes back as being owned by PacWest, which tells me they are re-allocated to NetZero. Well, NetZero claims this didn't come from their network because they don't show a user logged in at that time with that IP. Soooo, something odd is going on, and it seems to involve someone trying to access my network...

Christopher Congdon
Network Engineer
Congdon.WEB
[EMAIL PROTECTED]
http://www.congdonweb.com
317-920-9601

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://www.mail-archive.com/[EMAIL PROTECTED]
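
Added example, not part of the original thread: a small Python triage script that parses the GB firewall block records quoted above and groups them by claimed source, flagging sources that only touch UDP 135/1026 on several hosts from one fixed source port. The `min_dsts` threshold and the fixed-source-port test are assumed heuristics; because UDP has no handshake, the `src` field is only what the packet claimed.

```python
import shlex
from collections import defaultdict

# UDP ports named in the thread for Messenger pop-up spam.
MESSENGER_UDP_PORTS = {135, 1026}

# The three log lines quoted in the thread (GB firewall filter log).
SAMPLE_LOG = """\
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=1026/udp src=66.52.249.70 srcport=666 dst=63.94.115.69 dstport=1026 interface=xl0
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=135/udp src=66.52.249.70 srcport=666 dst=63.94.115.69 dstport=135 interface=xl0
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=1026/udp src=66.52.249.70 srcport=666 dst=63.94.115.68 dstport=1026 interface=xl0
"""

def parse_line(line):
    """Return one log line as a dict; the leading timestamp goes in 'time'."""
    tokens = shlex.split(line)  # keeps msg="Block RAF (46)" as one token
    rec = {"time": " ".join(tokens[:3])}
    for tok in tokens[3:]:
        key, sep, value = tok.partition("=")
        if sep:
            rec[key] = value
    return rec

def summarize(log_text):
    """Group blocked UDP packets by claimed source address."""
    by_src = defaultdict(lambda: {"count": 0, "dsts": set(), "dstports": set(), "srcports": set()})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec.get("flt_action") != "block" or not rec.get("proto", "").endswith("/udp"):
            continue
        entry = by_src[rec["src"]]
        entry["count"] += 1
        entry["dsts"].add(rec["dst"])
        entry["dstports"].add(int(rec["dstport"]))
        entry["srcports"].add(int(rec["srcport"]))
    return dict(by_src)

def messenger_spam_candidates(log_text, min_dsts=2):
    """Sources hitting only ports 135/1026 on several hosts from one source port.
    min_dsts and the single-source-port test are assumed heuristics, not GB features."""
    return sorted(
        src for src, e in summarize(log_text).items()
        if e["dstports"] <= MESSENGER_UDP_PORTS
        and len(e["dsts"]) >= min_dsts
        and len(e["srcports"]) == 1
    )

if __name__ == "__main__":
    for src in messenger_spam_candidates(SAMPLE_LOG):
        print(src, summarize(SAMPLE_LOG)[src])
```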
