Port 559

Based on the diary from two days ago on port 559, we received some packet captures from Timothy. Part of his log is described as follows:

"For every 256 bytes, I always responded with a standard response consisting of 256 bytes. I noticed two patterns: 16, 30, 31, or 39 x 256-byte packets consisting of 00 (this was every IP address but one); and a 7-byte message consisting of the following (expressed as hexadecimal): 04 01 00 50 D9 6A E8 11"

If you see any similarities or differences, do let us know.

Port 65506

We also received a submission that there is a spike on port 65506. Part of the packet capture (source and destination addresses masked by the submitter) is as follows. Note that it is an ACK-only segment (no SYN) carrying a single data byte, 0x43 (ASCII "C"):

    Type: IP (0x0800)
    Trailer: 0000000000
    Internet Protocol, Src Addr: xx.xx.146.95 (xx.xx.146.95), Dst Addr: xx.xx.0.31 (xx.xx.0.31)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 41
        Identification: 0xc0ac (49324)
        Flags: 0x04 (Don't Fragment)
            0... = Reserved bit: Not set
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 117
        Protocol: TCP (0x06)
        Header checksum: 0x2211 (correct)
        Source: xx.xx.146.95 (xx.xx.146.95)
        Destination: xx.xx.0.31 (xx.xx.0.31)
    Transmission Control Protocol, Src Port: 3769 (3769), Dst Port: 65506 (65506), Seq: 0, Ack: 0, Len: 1
        Source port: 3769 (3769)
        Destination port: 65506 (65506)
        Sequence number: 0 (relative sequence number)
        Next sequence number: 1 (relative sequence number)
        Acknowledgement number: 0 (relative ack number)
        Header length: 20 bytes
        Flags: 0x0010 (ACK)
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...1 .... = Acknowledgment: Set
            .... 0... = Push: Not set
            .... .0.. = Reset: Not set
            .... ..0. = Syn: Not set
            .... ...0 = Fin: Not set
        Window size: 16616
        Checksum: 0x483c (correct)
    Data (1 byte)
        0000  43

ISC data also shows a large increase in traffic on this port over the last two days: http://isc.sans.org/port_details.php?port=65506

One of our handlers, Deb, pointed out that this pattern was seen in March and May at about the same time each month, lasting until around the end of the month: http://isc.sans.org/port_details.php?port=65506&repax=1&tarax=2&srcax=2&percent=N&days=220&Redraw=Submit+Query

Could this be the same old bug, scanning for Phatbot SSL Proxy? Let us know if you have further information on this.
Kevin, 32 Posts, Aug 22nd 2004
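As an added example (not part of the diary or of Timothy's submission), here is a small Python decoder for the two payload shapes reported above: the all-zero 256-byte packets and the short hex message on port 559. The diary does not say what the hex message is; the decoder below tries the assumption that it is the fixed 8-byte header of a SOCKS4 client request (VN=4, CD, 2-byte destination port, 4-byte destination IP, then a NUL-terminated user id), which is what the listed bytes line up with. Treat that reading as an interpretation to check against your own captures, not as a finding of the diary. The sample bytes are copied from the excerpt above (the excerpt calls it a 7-byte message but lists eight bytes; the decoder works on the bytes as listed); the one-byte "C" from the port 65506 capture is included only to show what the decoder does with an unrecognised payload.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Bytes exactly as listed in Timothy's excerpt for port 559 (copied from the diary).
PORT_559_SAMPLE = bytes.fromhex("04 01 00 50 D9 6A E8 11")

# Single data byte from the port 65506 capture above (0x43, ASCII "C").
PORT_65506_SAMPLE = b"\x43"

# Constructed here for illustration: one of the all-zero 256-byte packets Timothy describes.
ZERO_PACKET = b"\x00" * 256

# SOCKS4 command codes from the SOCKS4 protocol memo (1 = CONNECT, 2 = BIND).
SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}


@dataclass
class Socks4Request:
    version: int
    command: str
    dst_port: int
    dst_ip: str
    user_id: Optional[str]   # None when the capture stops at the 8-byte fixed header
    complete: bool           # True only if the NUL-terminated user id was present


def parse_socks4_request(data: bytes) -> Optional[Socks4Request]:
    """Decode a SOCKS4 client request: VN(1)=4, CD(1), DSTPORT(2, network order),
    DSTIP(4), USERID (variable), NUL. Returns None if the bytes cannot be one."""
    if len(data) < 8 or data[0] != 4:
        return None
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if cd not in SOCKS4_COMMANDS:
        return None
    ip = str(ipaddress.IPv4Address(data[4:8]))
    rest = data[8:]
    if b"\x00" in rest:
        uid = rest.split(b"\x00", 1)[0].decode("ascii", "replace")
        return Socks4Request(vn, SOCKS4_COMMANDS[cd], port, ip, uid, True)
    # Header only: the request is valid so far but the user-id terminator never arrived.
    return Socks4Request(vn, SOCKS4_COMMANDS[cd], port, ip, None, False)


def classify_payload(data: bytes) -> str:
    """Label a captured payload by the patterns discussed in the diary."""
    if data and set(data) == {0}:
        return f"{len(data)}-byte all-zero payload"
    req = parse_socks4_request(data)
    if req is not None:
        tail = "" if req.complete else " (truncated: no user-id terminator)"
        return f"SOCKS4 {req.command} to {req.dst_ip}:{req.dst_port}{tail}"
    return f"unrecognised {len(data)}-byte payload"


if __name__ == "__main__":
    for label, sample in (("port 559", PORT_559_SAMPLE),
                          ("port 559 zeros", ZERO_PACKET),
                          ("port 65506", PORT_65506_SAMPLE)):
        print(f"{label}: {classify_payload(sample)}")
```

If the SOCKS4 reading is right, a listener on port 559 is being asked to proxy a TCP connection to 217.106.232.17:80, which is the kind of open-proxy probe that a bot with a built-in SOCKS service would attract; a real client would follow the eight header bytes with a user id and a NUL, so a capture that stops at eight bytes is worth looking at as a truncated or minimal probe rather than a complete request.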