2222/tcp Probes
In yesterday's diary, Jim showed DShield data pointing to a drastic increase in probes to tcp port 2222. Today, the data drops back down to 'normal' levels.
We did receive quite a few e-mails listing applications that use tcp 2222 by default, including Allen-Bradley SLC-505 PLCs, Direct Admin, Ethernet-connected Allen-Bradley Programmable Logic Controllers, and the pubcookie key server.
That port is also known to be used by a couple of trojans.
We've also received a few packets, and based on what we can see, it is a SYN packet that may be crafted. One of the handlers noticed some irregularities in the source port and sequence numbers.
I'll post the packets as soon as I can properly anonymize them to protect the innocent.  ;)
We'll keep an eye on this over the next few days.
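The kind of check a handler would run over captured SYNs to 2222/tcp to spot the source-port and sequence-number irregularities mentioned above, as an added example that is not part of the diary and uses constructed sample packets, not the submitted captures; the heuristics (non-ephemeral or mirrored source port, zero or repeated initial sequence number) are this example's assumptions about what "crafted" looks like, not the handler's findings:

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """Fields of one TCP SYN relevant to the crafted-packet heuristics."""
    src: str
    sport: int
    dport: int
    seq: int  # initial sequence number (ISN)


# Constructed sample: two SYNs from a normal stack (random ISN, ephemeral
# source port) and three that share a mirrored source port and a zero ISN.
SAMPLE_SYNS = [
    Syn("192.0.2.10", 51234, 2222, 0x1A2B3C4D),
    Syn("192.0.2.10", 51235, 2222, 0x7F00AA11),
    Syn("198.51.100.7", 2222, 2222, 0x00000000),
    Syn("198.51.100.7", 2222, 2222, 0x00000000),
    Syn("203.0.113.9", 2222, 2222, 0x00000000),
]


def oddities(pkt, isn_counts):
    """Return the list of reasons a SYN looks hand-built rather than stack-generated."""
    reasons = []
    if pkt.sport < 1024:
        reasons.append("source port below the ephemeral range")
    if pkt.sport == pkt.dport:
        reasons.append("source port equals destination port")
    if pkt.seq == 0:
        reasons.append("zero initial sequence number")
    if isn_counts[pkt.seq] > 1:
        reasons.append("initial sequence number repeated across SYNs")
    return reasons


def flag_crafted(syns):
    """Return [(packet, reasons)] for every SYN that trips at least one heuristic."""
    isn_counts = Counter(p.seq for p in syns)  # a real stack randomises the ISN per SYN
    flagged = []
    for pkt in syns:
        reasons = oddities(pkt, isn_counts)
        if reasons:
            flagged.append((pkt, reasons))
    return flagged


if __name__ == "__main__":
    for pkt, why in flag_crafted(SAMPLE_SYNS):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dport} seq={pkt.seq:#010x}: {', '.join(why)}")
```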