Last Updated: 2006-09-21 21:12:28 UTC
by Chris Carboni (Version: 1)
In yesterday's diary Jim showed Dshield data pointing to a drastic increase in probes to tcp port 2222.
Today, the data drops back down to 'normal' levels
We did recieve quite a few e-mails listing applications that use tcp 2222 by default including, Allen-Bradley SLC-505 PLCs, Direct Admin, Ethernet connected Allen Bradley Programmable Logic Controllers, and the pubcookie key server among them.
That port is also a known to be used by a couple of trojans.
We've also received a few packets, and based on what we can see, it is a syn packet that may be crafted. One of the handlers noticed some irregularities in the source port and sequence numbers.
I'll post the packets as soon as I can properly anonymize them to protect the innocent. ;)
We'll keep an eye on this over the next few days.