[Intrusions] 2525/tcp anyone?

Kevin Timm (timmk) timmk at cisco.com
Tue May 17 13:34:29 GMT 2005


No idea. Set up a listener to gather the data. 

Kevin  

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Jim Becher
Sent: Monday, May 16, 2005 10:22 PM
To: intrusions at lists.sans.org
Subject: [Intrusions] 2525/tcp anyone?

	Port 2525/tcp has recently broken into my Top 10 Attacked ports
list a couple of times.  Googling hasn't turned up much -- several
references to running an SMTP server on an alternate port, one reference
to the suckit rootkit and references to a 2003 Backdoor.Rockse
(Symantec).  Destinations are only the corporate mailservers.  The
mailservers are located on completely different address space -- no
octets are the same.  The sources, which are mostly in the Asia-Pac
region, are sending SYNs to both mailservers within seconds of each
other.  I have had on occasion upwards of 200 sources generating 5000
SYNs per day.

	DShield shows a slight increase recently, but doesn't appear to
be anything dramatic.  Officially, 2525/tcp is listed as MS V-Worlds.

	Got Packets?  Why yes... ;)  But only from in front of one
mailserver at the moment:

05/16-21:35:28.618621 a.b.c.d:2027 -> our.mail.server:2525 TCP TTL:116
TOS:0x0 ID:55457 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFAC8A3EB  Ack: 0x0  Win: 0xFAF0  TcpLen: 40 TCP Options
(7) => MSS: 1460 NOP NOP TS: 0 0 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/16-21:35:28.618800 our.mail.server:2525 -> a.b.c.d:2027 TCP TTL:116
TOS:0x0 ID:55457 IpLen:20 DgmLen:60 DF
***A*R** Seq: 0x0  Ack: 0xFAC8A3EC  Win: 0xFAF0  TcpLen: 40 TCP Options
(7) => MSS: 1460 NOP NOP TS: 0 0 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

	I don't see any stimulus traffic for the previous 5 hours (in
the case of the packets above).

	Anyone else seeing these and have an idea what this might be?
Could this just be some Asia-Pac spammers looking for open SMTP relays
on an alternate port?




-jim


_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
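Kevin's "set up a listener" and Jim's per-source SYN counts suggest the triage one would run over such a capture. As an added example that is not part of this thread, the Python below parses Snort-style packet log lines in the layout Jim quoted (a constructed sample with placeholder hosts mail1/mail2, not real observations), drops the RST/ACK replies, counts SYNs per source, and picks out sources that SYN both mailservers within a few seconds of each other:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Snort-style packet log in the layout quoted in the post;
# placeholder hosts only. Flags use Snort's fixed "12UAPRSF" column order.
SAMPLE_LOG = """\
05/16-21:35:28.618621 a.b.c.d:2027 -> mail1:2525 TCP TTL:116 TOS:0x0 ID:55457
******S* Seq: 0xFAC8A3EB  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
05/16-21:35:28.618800 mail1:2525 -> a.b.c.d:2027 TCP TTL:116 TOS:0x0 ID:55457
***A*R** Seq: 0x0  Ack: 0xFAC8A3EC  Win: 0xFAF0  TcpLen: 40
05/16-21:35:31.004100 a.b.c.d:2031 -> mail2:2525 TCP TTL:116 TOS:0x0 ID:55460
******S* Seq: 0xFAC8B000  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
05/16-22:10:02.100000 e.f.g.h:3300 -> mail1:2525 TCP TTL:52 TOS:0x0 ID:1
******S* Seq: 0x1  Ack: 0x0  Win: 0x16D0  TcpLen: 40
"""

# A header line followed by its flags line: timestamp, src, dst, dport, ttl, flags.
PAIR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):\d+ -> (\S+):(\d+) TCP TTL:(\d+).*\n"
                  r"([12UAPRSF*]{8}) Seq:", re.M)

def parse_packets(text):
    """One record per header line plus the flags line that follows it."""
    return [{"ts": datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"),  # the log carries no year
             "src": src, "dst": dst, "dport": int(dport), "ttl": int(ttl), "flags": flags}
            for ts, src, dst, dport, ttl, flags in PAIR.findall(text)]

def pure_syns(packets, dport=2525):
    """Initial SYNs only (S set, A clear): the stimulus, not the RST/ACK replies."""
    return [p for p in packets
            if p["dport"] == dport and "S" in p["flags"] and "A" not in p["flags"]]

def syns_per_source(syns):
    """SYN count per source, the figure behind '200 sources generating 5000 SYNs per day'."""
    return Counter(p["src"] for p in syns)

def sources_hitting_all(syns, targets, window_s=10.0):
    """Sources whose first SYN to every target lands within window_s seconds:
    the 'both mailservers within seconds of each other' pattern from the post."""
    first = defaultdict(dict)                       # src -> {dst: earliest ts}
    for p in syns:
        if p["dst"] in targets:
            prev = first[p["src"]].get(p["dst"])
            if prev is None or p["ts"] < prev:
                first[p["src"]][p["dst"]] = p["ts"]
    return sorted(src for src, seen in first.items()
                  if set(targets) <= set(seen)
                  and (max(seen.values()) - min(seen.values())).total_seconds() <= window_s)
```

Run against a real capture, the sources returned by sources_hitting_all are the ones worth pulling full payloads for once a listener on 2525/tcp is in place.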
