Port 559 and 65506
Port 559
Following the diary from two days ago on port 559, we received some packet captures from Timothy. Part of the logs is described as follows:
<Quote>
For every 256 bytes, I always responded with a standard response consisting of 256 bytes. I noticed two patterns: 16, 30, 31, or 39 x 256-byte packets consisting of 00 (this was every IP address but one); and, a 7-byte message consisting of the following (expressed as hexadecimal):
04 01 00 50 D9 6A E8 11
</Quote>
If you see any similarities or differences, do let us know.
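The bytes quoted above line up with the SOCKS4 request layout (VN=4, CD=1 for CONNECT, a 2-byte destination port, a 4-byte destination IP, then a NUL-terminated USERID), which is what an open-proxy scanner sends to test a port. The decoder below is an added example, not part of the diary or Timothy's submission; the SOCKS4 interpretation is my own reading of the bytes, and the sample input is constructed from the hex string quoted above.

```python
"""Decode the port 559 probe bytes as a SOCKS4 request (added example)."""
import ipaddress
import struct

# Constructed from the hex string quoted in the diary (8 bytes as shown).
PORT559_PROBE = bytes.fromhex("04 01 00 50 D9 6A E8 11")

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}


def decode_socks4_request(data: bytes) -> dict:
    """Return the fields of a SOCKS4 request, or raise ValueError.

    Layout: VN(1) CD(1) DSTPORT(2, big-endian) DSTIP(4) USERID... NUL.
    The quoted probe has no NUL terminator, so 'complete' is False and
    the USERID is whatever trailing bytes (if any) follow the header.
    """
    if len(data) < 8:
        raise ValueError("too short for a SOCKS4 request header")
    vn, cd, dstport = struct.unpack("!BBH", data[:4])
    if vn != 4:
        raise ValueError(f"not SOCKS4 (VN={vn})")
    dstip = str(ipaddress.IPv4Address(data[4:8]))
    rest = data[8:]
    nul = rest.find(b"\x00")
    complete = nul >= 0
    userid = (rest[:nul] if complete else rest).decode("ascii", "replace")
    return {
        "version": vn,
        "command": SOCKS4_COMMANDS.get(cd, f"unknown({cd})"),
        "dst_port": dstport,
        "dst_ip": dstip,
        "userid": userid,
        "complete": complete,
    }


def looks_like_open_proxy_probe(data: bytes) -> bool:
    """True for a SOCKS4 CONNECT to a web port (80/443) on a third party.

    That is the classic open-proxy test; on a port that should not be
    speaking SOCKS at all it is worth an alert rather than a silent drop.
    """
    try:
        req = decode_socks4_request(data)
    except ValueError:
        return False
    return req["command"] == "CONNECT" and req["dst_port"] in (80, 443)


if __name__ == "__main__":
    print(decode_socks4_request(PORT559_PROBE))
```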
Port 65506
We also received a submission that there is a spike on port 65506. Part of the packet capture is as follows:
Type: IP (0x0800)
Trailer: 0000000000
Internet Protocol, Src Addr: xx.xx.146.95 (xx.xx.146.95), Dst Addr: xx.xx.0.31 (xx.xx.0.31)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 41
Identification: 0xc0ac (49324)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 117
Protocol: TCP (0x06)
Header checksum: 0x2211 (correct)
Source: xx.xx.146.95 (xx.xx.146.95)
Destination: xx.xx.0.31 (xx.xx.0.31)
Transmission Control Protocol, Src Port: 3769 (3769), Dst Port: 65506 (65506), Seq: 0, Ack: 0, Len: 1
Source port: 3769 (3769)
Destination port: 65506 (65506)
Sequence number: 0 (relative sequence number)
Next sequence number: 1 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16616
Checksum: 0x483c (correct)
Data (1 byte)
0000 43
ISC data also shows a huge increase in traffic on this port over the last two days:
http://isc.sans.org/port_details.php?port=65506
One of our handlers, Deb, pointed out that this pattern was also seen in March and May, starting at about the same time each month and lasting until around the end of the month:
http://isc.sans.org/port_details.php?port=65506&repax=1&tarax=2&srcax=2&percent=N&days=220&Redraw=Submit+Query
Could this be the same old bug, scanning for Phatbot SSL Proxy? Let us know if you have further information on this.