[Intrusions] 2525/tcp anyone?
Jim Becher
jim at becher.net
Tue May 17 03:22:01 GMT 2005
Port 2525/tcp has recently broken into my Top 10 Attacked ports list a
couple of times. Googling hasn't turned up much -- several references to
running an SMTP server on an alternate port, one reference to the suckit
rootkit and references to a 2003 Backdoor.Rockse (Symantec). Destinations
are only the corporate mailservers. The mailservers are located on
completely different address space -- no octets are the same. The sources,
which are mostly in the Asia-Pac region, are sending SYNs to both
mailservers within seconds of each other. I have had on occasion upwards of
200 sources generating 5000 SYNs per day.
DShield shows a slight increase recently, but doesn't appear to be anything
dramatic. Officially, 2525/tcp is listed as MS V-Worlds.
Got Packets? Why yes... ;) But only from in front of one mailserver at
the moment:
05/16-21:35:28.618621 a.b.c.d:2027 -> our.mail.server:2525
TCP TTL:116 TOS:0x0 ID:55457 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFAC8A3EB Ack: 0x0 Win: 0xFAF0 TcpLen: 40
TCP Options (7) => MSS: 1460 NOP NOP TS: 0 0 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/16-21:35:28.618800 our.mail.server:2525 -> a.b.c.d:2027
TCP TTL:116 TOS:0x0 ID:55457 IpLen:20 DgmLen:60 DF
***A*R** Seq: 0x0 Ack: 0xFAC8A3EC Win: 0xFAF0 TcpLen: 40
TCP Options (7) => MSS: 1460 NOP NOP TS: 0 0 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
I don't see any stimulus traffic for the previous 5 hours (in the case of
the packets above).
Anyone else seeing these and have an idea what this might be? Could this
just be some Asia-Pac spammers looking for open SMTP relays on an alternate
port?
-jim
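A small triage script, added here and not part of Jim's post, that parses Snort-style packet dumps like the one above, counts SYNs per source to a given port and records whether a probe drew an RST/ACK back (port closed, so no session was established). The sample input is constructed after the pair in the post; all addresses and hostnames are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in Snort's packet-dump layout: the SYN / RST-ACK pair
# from the post plus one unanswered SYN from a second placeholder source.
SAMPLE = """\
05/16-21:35:28.618621 a.b.c.d:2027 -> our.mail.server:2525
TCP TTL:116 TOS:0x0 ID:55457 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFAC8A3EB Ack: 0x0 Win: 0xFAF0 TcpLen: 40
=+=+=+=+=+=+=+=+
05/16-21:35:28.618800 our.mail.server:2525 -> a.b.c.d:2027
TCP TTL:116 TOS:0x0 ID:55457 IpLen:20 DgmLen:60 DF
***A*R** Seq: 0x0 Ack: 0xFAC8A3EC Win: 0xFAF0 TcpLen: 40
=+=+=+=+=+=+=+=+
05/16-21:35:29.100000 e.f.g.h:3321 -> our.mail.server:2525
TCP TTL:110 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1 Ack: 0x0 Win: 0xFAF0 TcpLen: 40
=+=+=+=+=+=+=+=+
"""

HDR = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+)$')
# Snort prints flags as 8 positions "12UAPRSF", '*' where a flag is unset.
FLAGS = re.compile(r'^([12UAPRSF*]{8}) Seq: (0x[0-9A-F]+) Ack: (0x[0-9A-F]+)')

def parse_packets(text):
    """Yield (time, src, sport, dst, dport, flags) from Snort -v style output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HDR.match(line)
        if not m or i + 2 >= len(lines):
            continue
        f = FLAGS.match(lines[i + 2])   # flags line is two below the header
        if f:
            t, src, sp, dst, dp = m.groups()
            yield t, src, int(sp), dst, int(dp), f.group(1)

def syn_report(text, port):
    """Per source: SYNs sent to `port`, and whether any SYN drew an RST back."""
    report = defaultdict(lambda: {"syns": 0, "rst_seen": False})
    pending = set()                      # (src, sport, dst) of SYNs seen
    for t, src, sp, dst, dp, flags in parse_packets(text):
        if dp == port and 'S' in flags and 'A' not in flags:
            report[src]["syns"] += 1
            pending.add((src, sp, dst))
        elif sp == port and 'R' in flags and (dst, dp, src) in pending:
            report[dst]["rst_seen"] = True
    return dict(report)
```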