[Dshield] Weird Unknown Traffic Directed @ tcp/6588

Johannes B. Ullrich jullrich at sans.org
Mon Mar 25 13:51:42 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Any assistance would be greatly appreciated... Mostly concerned with the
> attempts @ 6588 since I have NO idea what that could be ..

I think it's a scan for 'Analog X' proxies. It has SMTP/POP3/FTP buffer
overflows (port 21,35,110), and the http proxy listens on port 6588.

Also, it had some open relay problems (port 25) 

So my guess is that this is a spammer looking for open relays or 
web proxies (which sometimes can be used to relay mail)

> 
> Mar 22 07:07:03 65.16.184.131:2061 -> 216.XXX.XXX.165:21 SYN ******S*
> Mar 22 07:07:03 65.16.184.131:2062 -> 216.XXX.XXX.165:25 SYN ******S*
> Mar 22 07:07:03 65.16.184.131:2063 -> 216.XXX.XXX.165:80 SYN ******S*
> Mar 22 07:07:03 65.16.184.131:2064 -> 216.XXX.XXX.165:110 SYN ******S*
> Mar 22 07:07:04 65.16.184.131:2051 -> 216.XXX.XXX.163:119 SYN ******S*
> Mar 22 07:07:04 65.16.184.131:2052 -> 216.XXX.XXX.163:1080 SYN ******S*
> Mar 22 07:07:04 65.16.184.131:2053 -> 216.XXX.XXX.163:6588 SYN ******S*

- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8nytwwWQP+4im9DYRAttfAKCh2BDY1zaP30MVc5OiQs0aFdoy5ACePMxR
D6O46NbygBTZf4XvOaCJcCA=
=zjFB
-----END PGP SIGNATURE-----
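The pattern Johannes describes (one source sending SYNs to 21, 25, 80, 110, 119, 1080 and 6588 within a second or two) is easy to pick out of a firewall log automatically. The following is an added example, not code from the post or from DShield: it parses log lines in the same `src:port -> dst:port SYN` format as the quoted log and flags a source as a proxy/open-relay sweep when it probes a known proxy port (1080 or 6588) plus several other ports inside a short window. The sample lines, the documentation-range addresses, the year prepended for timestamp parsing and the thresholds are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the same format as the quoted firewall log.
# Addresses come from RFC 5737 documentation ranges (assumed, not real hosts).
SAMPLE_LOG = """\
Mar 22 07:07:03 192.0.2.10:2061 -> 198.51.100.5:21 SYN ******S*
Mar 22 07:07:03 192.0.2.10:2062 -> 198.51.100.5:25 SYN ******S*
Mar 22 07:07:03 192.0.2.10:2063 -> 198.51.100.5:80 SYN ******S*
Mar 22 07:07:03 192.0.2.10:2064 -> 198.51.100.5:110 SYN ******S*
Mar 22 07:07:04 192.0.2.10:2051 -> 198.51.100.3:119 SYN ******S*
Mar 22 07:07:04 192.0.2.10:2052 -> 198.51.100.3:1080 SYN ******S*
Mar 22 07:07:04 192.0.2.10:2053 -> 198.51.100.3:6588 SYN ******S*
Mar 22 07:09:10 192.0.2.44:40001 -> 198.51.100.5:80 SYN ******S*
Mar 22 07:09:11 192.0.2.44:40002 -> 198.51.100.5:80 SYN ******S*
"""

# One log line: syslog-style timestamp, src:port, "->", dst:port, "SYN".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN"
)

# Ports the post associates with AnalogX-style proxies and open relays.
PROXY_PORTS = {1080, 6588}
RELAY_PORTS = {25}

# Detection thresholds: assumed values for this example, tune to taste.
MIN_DISTINCT_PORTS = 4
WINDOW_SECONDS = 5
ASSUMED_YEAR = "2002"  # syslog timestamps carry no year


def parse(log_text):
    """Return (timestamp, src_ip, dst_ip, dst_port) tuples for SYN lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a SYN log line
        ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def find_proxy_sweeps(events):
    """Group SYNs by source and flag sources that look like a proxy sweep.

    A source is flagged when, within WINDOW_SECONDS, it touches at least one
    proxy port and MIN_DISTINCT_PORTS distinct destination ports in total.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))

    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        ports = {p for _, _, p in hits}
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if (ports & PROXY_PORTS
                and len(ports) >= MIN_DISTINCT_PORTS
                and span <= WINDOW_SECONDS):
            findings[src] = {
                "ports": sorted(ports),
                "targets": sorted({d for _, d, _ in hits}),
                "relay_probe": bool(ports & RELAY_PORTS),
                "span_seconds": span,
            }
    return findings


if __name__ == "__main__":
    for src, info in find_proxy_sweeps(parse(SAMPLE_LOG)).items():
        print(f"{src}: proxy sweep over ports {info['ports']} "
              f"against {info['targets']} in {info['span_seconds']}s "
              f"(SMTP relay probe: {info['relay_probe']})")
```

The second source in the sample (two SYNs to port 80 only) is deliberately left unflagged: repeated hits on one port are ordinary web traffic or a single-service scan, whereas the proxy ports combined with mail and news ports in the same second is what makes the quoted log look like a relay hunt.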
