Cisco Support Community

Sig 4003, firing on UDP ports 1026 - 1031

Hi, all

I started seeing strange traffic on Nov. 25 with what appeared to be NMAP port scans of our network on ports 1026 - 1031 UDP coming from multiple external hosts.

Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:17:40, GMT: 1069996660

Source Address:, Source Port: 2258, Destination Address:, Destination Port: 1031

Then SANS/DShield released today:

Request for Packets: Port 1026-1031 (Johannes B. Ullrich)


Message: 1

Date: Tue, 25 Nov 2003 22:16:38 -0500

From: "Johannes B. Ullrich" <>

Subject: [Dshieldannounce] Request for Packets: Port 1026-1031


Message-ID: <1069816597.16842.774.camel@bart>

Content-Type: text/plain; charset="us-ascii"

We are currently tracking some increase in port 1025-1031 activity. The question is if this is a use of a new exploit or just a new version of popup spam.

For continuing updates, see:

We are currently looking for more data to investigate this issue. One important hint is the change in source ports. As of Nov. 21st, most port 135 reports came from a source port of 666 or 4177, indicating that they were crafted. However, more recently (e.g. Nov. 25th), more reports originate from the default source ports (1024 and up). This is illustrated in this graphic:

Not shown in the graphic is a second peak for the Nov. 25th data around source port 60,000. This data may be associated with hosts behind NAT devices.

Current possibilities:

(1) Popup Spam:

It is possible to reach the Windows Messenger service via these ports. This bypasses UDP 135, which is frequently blocked by firewalls.

However, most popup spam originates from a small number of sources.

(2) Windows Messenger Worm/Bot

On October 15th, Microsoft released Bulletin MS03-043. This bulletin warns of a buffer overflow for the Microsoft Messenger Service.

This vulnerability could be used to gain access to a system, or to launch self-replicating code. The malware community is actively working on related exploits.

My questions:

Has anyone seen this traffic?

If so, has anyone analyzed this traffic?
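A triage helper for the question asked above, added here as an example and not code from the original post or from DShield. It parses the two-line Cisco IDS alert format quoted in the post (signature line followed by address line), keeps only alerts to the watched destination ports 1025-1031, and buckets them by the source-port patterns the DShield note describes: fixed ports 666 and 4177 as crafted, the default range from 1024 upward as ephemeral, and a high range as the NAT-associated peak. It also counts distinct sources, since the note distinguishes popup spam (few sources) from worm-like activity (many sources). The sample alerts are constructed with RFC 5737 documentation addresses; the 60000 boundary for the NAT bucket and the function names are assumptions for the example, not values from the post.

```python
"""Triage helper for Cisco IDS signature 4003 alerts on UDP 1025-1031.

Added example, not code from the original post. Buckets alerts by
source-port pattern following the DShield observation: crafted probes
used fixed source ports (666, 4177), later traffic came from default
ephemeral ports (1024 and up), and a second peak sat around port 60000
(likely hosts behind NAT). The 60000 threshold is an assumption.
"""
import re
from collections import Counter, defaultdict

# Source ports the DShield note associated with crafted packets.
CRAFTED_SOURCE_PORTS = {666, 4177}
# Destination ports under investigation.
WATCHED_DST_PORTS = set(range(1025, 1032))
# Assumed lower bound for the "around 60,000" NAT-associated source-port peak.
NAT_SOURCE_PORT_MIN = 60000

ALERT_RE = re.compile(
    r"Signature: (?P<sig>\d+), Sub-Signature: (?P<sub>\d+) on "
    r"(?P<date>\S+) at (?P<time>\S+), GMT: (?P<gmt>\d+)"
)
# Address field may be empty (as in the post), hence [^,]* rather than \S+.
ADDR_RE = re.compile(
    r"Source Address: ?(?P<src>[^,]*), Source Port: (?P<sport>\d+), "
    r"Destination Address: ?(?P<dst>[^,]*), Destination Port: (?P<dport>\d+)"
)

# Constructed sample alerts in the post's format; addresses are RFC 5737
# documentation ranges, not real observed sources.
SAMPLE_LOG = """\
Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:17:40, GMT: 1069996660
Source Address: 203.0.113.10, Source Port: 2258, Destination Address: 192.0.2.5, Destination Port: 1031
Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:17:41, GMT: 1069996661
Source Address: 203.0.113.10, Source Port: 2259, Destination Address: 192.0.2.6, Destination Port: 1030
Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:18:02, GMT: 1069996682
Source Address: 198.51.100.7, Source Port: 666, Destination Address: 192.0.2.5, Destination Port: 1026
Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:18:30, GMT: 1069996710
Source Address: 198.51.100.9, Source Port: 61234, Destination Address: 192.0.2.7, Destination Port: 1029
Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:19:00, GMT: 1069996740
Source Address: 203.0.113.44, Source Port: 4177, Destination Address: 192.0.2.5, Destination Port: 135
"""


def classify_source_port(sport):
    """Bucket a UDP source port using the patterns described in the post."""
    if sport in CRAFTED_SOURCE_PORTS:
        return "crafted"
    if sport >= NAT_SOURCE_PORT_MIN:
        return "nat-range"
    if sport >= 1024:
        return "ephemeral"
    return "privileged"


def parse_alerts(text):
    """Return one dict per alert from the two-line signature/address format."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    alerts = []
    for header, addr in zip(lines[0::2], lines[1::2]):
        h = ALERT_RE.match(header)
        a = ADDR_RE.match(addr)
        if not (h and a):
            continue  # skip pairs that do not match the expected format
        alerts.append({
            "signature": int(h["sig"]),
            "src": a["src"].strip(),
            "sport": int(a["sport"]),
            "dst": a["dst"].strip(),
            "dport": int(a["dport"]),
        })
    return alerts


def summarize(alerts):
    """Summarize watched-port alerts: source-port buckets and distinct sources.

    Many distinct sources hitting the watched ports points toward worm-like
    spread; a handful of sources looks more like popup spam.
    """
    buckets = Counter()
    sources_by_dport = defaultdict(set)
    for al in alerts:
        if al["dport"] not in WATCHED_DST_PORTS:
            continue  # e.g. port 135 alerts are outside this investigation
        buckets[classify_source_port(al["sport"])] += 1
        sources_by_dport[al["dport"]].add(al["src"])
    distinct = {s for srcs in sources_by_dport.values() for s in srcs}
    return {
        "watched_alerts": sum(buckets.values()),
        "source_port_buckets": dict(buckets),
        "distinct_sources": len(distinct),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a real sensor export, the bucket counts show whether the 1026-1031 hits follow the crafted-port pattern or the ephemeral/NAT pattern DShield asked about, and the distinct-source count gives a first answer to the "few sources or many" question that separates the two hypotheses in the note.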
