SANS ISC: Port 559 and 65506 - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Port 559

Based on two days ago diary on port 559, we received some packet captures from Timothy. Part of the logs is described as follows:

<Quote>
For every 256 bytes, I always responded with a standard response consisting of 256 bytes. I noticed two patterns: 16, 30, 31, or 39 X 256-byte packets consisting of 00 (this was every ip address but one); and, a 7-byte message consisting of the following (expressed as hexadecimal):
04 01 00 50 D9 6A E8 11
</Quote>

If you see any similarities or differences, do let us know.

Port 65506

We also received a submission that there is a spike on port 65506. Part of the packet capture is as follows:

Type: IP (0x0800)

Trailer: 0000000000

Internet Protocol, Src Addr: xx.xx.146.95 (xx.xx.146.95), Dst Addr:
xx.xx.0.31 (xx.xx.0.31)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..0. = ECN-Capable Transport (ECT): 0

.... ...0 = ECN-CE: 0

Total Length: 41

Identification: 0xc0ac (49324)

Flags: 0x04 (Don't Fragment)

0... = Reserved bit: Not set

.1.. = Don't fragment: Set

..0. = More fragments: Not set

Fragment offset: 0

Time to live: 117

Protocol: TCP (0x06)

Header checksum: 0x2211 (correct)

Source: xx.xx.146.95 (xx.xx.146.95)

Destination: xx.xx.0.31 (xx.xx.0.31)

Transmission Control Protocol, Src Port: 3769 (3769), Dst Port: 65506
(65506), Seq: 0, Ack: 0, Len: 1

Source port: 3769 (3769)

Destination port: 65506 (65506)

Sequence number: 0 (relative sequence number)

Next sequence number: 1 (relative sequence number)

Acknowledgement number: 0 (relative ack number)

Header length: 20 bytes

Flags: 0x0010 (ACK)

0... .... = Congestion Window Reduced (CWR): Not set

.0.. .... = ECN-Echo: Not set

..0. .... = Urgent: Not set

...1 .... = Acknowledgment: Set

.... 0... = Push: Not set

.... .0.. = Reset: Not set

.... ..0. = Syn: Not set

.... ...0 = Fin: Not set

Window size: 16616

Checksum: 0x483c (correct)

Data (1 byte)

0000 43

ISC data also shows that there is a huge increase of traffic on this port for the last two days:

http://isc.sans.org/port_details.php?port=65506

One of our handlers, Deb, pointed out that this pattern was seen in Mar and May about the same time each month lasting until around the end of the month:

http://isc.sans.org/port_details.php?port=65506&repax=1&tarax=2&srcax=2&percent=N&days=220&Redraw=Submit+Query

Could this be the same old bug, scanning for Phatbot SSL Proxy? Let us know if you have further information on this.