
PopAdStop.com Scanning Component

Dec 5, 2003 2:07AM PST

For over a week, we had been tracking an increase in port 1026-1031 UDP traffic. More detailed investigation revealed a component in this traffic with the following characteristics:

(*) The payload consisted of two zero bytes
(*) A large number of sources participated in these scans
(*) The scans came from valid IPs, and the source port did not appear to be crafted.

This is different from most popup spam sent to this port. Most popup spam is sent by only a small number of sources and usually uses a fixed source port.

While popup spam in itself is not any more dangerous than e-mail spam, and more of an annoyance, the large number of sources hinted at the fact that it is likely sent from unsuspecting exploited systems ("Zombies").

http://isc.sans.org/diary.html?date=2003-12-04
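An added example, not part of the original post or the ISC diary: a Python sketch that separates the two-zero-byte probes from other UDP traffic to ports 1026-1031 and compares how widely each is spread across sources. The sample records, the placeholder spam payload and the `min_sources` threshold are constructed assumptions.

```python
from collections import defaultdict

PROBE_PORTS = range(1026, 1032)   # UDP 1026-1031, as named in the post
PROBE_PAYLOAD = b"\x00\x00"       # payload of exactly two zero bytes
SPAM = b"constructed-popup-text"  # placeholder for a popup spam payload

# Constructed sample records: (src_ip, src_port, dst_port, udp_payload)
SAMPLE = [
    ("198.51.100.7", 4312, 1026, PROBE_PAYLOAD),
    ("198.51.100.7", 4313, 1027, PROBE_PAYLOAD),
    ("192.0.2.15", 1144, 1026, PROBE_PAYLOAD),
    ("192.0.2.88", 3390, 1028, PROBE_PAYLOAD),
    ("203.0.113.9", 2051, 1031, PROBE_PAYLOAD),
    ("198.51.100.201", 1877, 1029, PROBE_PAYLOAD),
    ("192.0.2.140", 4990, 1026, PROBE_PAYLOAD),
    ("203.0.113.50", 32768, 1026, SPAM),   # one sender, fixed source port
    ("203.0.113.50", 32768, 1027, SPAM),
    ("203.0.113.50", 32768, 1028, SPAM),
    ("192.0.2.15", 1145, 53, PROBE_PAYLOAD),  # outside the port range, ignored
]

def split_traffic(records):
    """Return (probes, other) for UDP traffic aimed at ports 1026-1031."""
    probes, other = [], []
    for src, sport, dport, payload in records:
        if dport not in PROBE_PORTS:
            continue
        bucket = probes if payload == PROBE_PAYLOAD else other
        bucket.append((src, sport, dport))
    return probes, other

def profile(flows):
    """Count packets, distinct sources, and sources that reuse one source port."""
    ports_by_src = defaultdict(set)
    packets_by_src = defaultdict(int)
    for src, sport, _ in flows:
        ports_by_src[src].add(sport)
        packets_by_src[src] += 1
    fixed = sorted(s for s, ports in ports_by_src.items()
                   if packets_by_src[s] > 1 and len(ports) == 1)
    return {"packets": len(flows), "sources": len(ports_by_src),
            "fixed_port_sources": fixed}

def is_distributed_scan(p, min_sources=5):
    """Many sources and no fixed-source-port senders (threshold is an assumption)."""
    return p["sources"] >= min_sources and not p["fixed_port_sources"]

if __name__ == "__main__":
    for name, flows in zip(("probes", "other"), split_traffic(SAMPLE)):
        p = profile(flows)
        print(name, p, "distributed:", is_distributed_scan(p))
```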
