[Dshield] Port 2500

Ryan McConigley ryan at csse.uwa.edu.au
Fri Mar 18 06:28:29 GMT 2005


	Anyone come across anything of note on port 2500 recently?

	I've just noticed we've got a machine attempting to make a lot (200k+) of 
outgoing requests on that port as well as quite a few external machines 
trying to contact that machine on the same port.  The outgoing attempts 
don't seem to be following any sort of pattern, some 'real' IPs, some 
non-routable IPs.

	I'm trying to get my hands on the machine in question at the moment, about 
all I know is it's a Windows box.

	I did manage to capture some packets, but they're meaningless to me -->
0000   00 0a b7 d6 7c 80 00 e0 4c 5b 03 52 08 00 45 00  ....|...L[.R..E.
0010   00 30 38 80 40 00 80 06 7d af 82 5f 01 5a c0 a8  .08.@...}.._.Z..
0020   00 37 07 02 09 c4 f8 b2 77 cc 00 00 00 00 70 02  .7......w.....p.
0030   ff ff bd 41 00 00 02 04 05 b4 01 01 04 02        ...A..........

	As far as I can tell they don't have any meaningful data.

	I also discovered that just before the machine in question started to go 
hunting on port 2500 it made a connection to 210.22.12.245 on port 6348.

	Interestingly, according to SANS, port 2500 has just had a big spike, 
which is why I'm curious.

	Cheers,
		Ryan.
--
           Ryan McConigley - Systems Administrator                  _.-,
      Computer Science   University of Western Australia        .--'  '-._
        Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089       _/`-  _      '.
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan  '----'._`.----. \
                                                                      `     \;
  "You're just jealous because the voices are talking to me"                ;_\
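Decoding the dump in the post above, as an added example that is not part of the original message: the four lines parse as one 62-byte Ethernet frame carrying a TCP SYN with no payload, which is why no readable data shows up in the ASCII column. The code assumes an untagged IPv4-over-Ethernet capture carrying TCP (true for this dump).

```python
import itertools
import struct

# The four hexdump lines from the post (ASCII column restored), embedded so this runs offline.
HEXDUMP = """\
0000   00 0a b7 d6 7c 80 00 e0 4c 5b 03 52 08 00 45 00  ....|...L[.R..E.
0010   00 30 38 80 40 00 80 06 7d af 82 5f 01 5a c0 a8  .08.@...}.._.Z..
0020   00 37 07 02 09 c4 f8 b2 77 cc 00 00 00 00 70 02  .7......w.....p.
0030   ff ff bd 41 00 00 02 04 05 b4 01 01 04 02        ...A..........
"""
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5

def parse_hexdump(text):
    """Rebuild raw bytes from 'offset  hex pairs  ascii' lines, stopping at the ASCII column."""
    is_pair = lambda t: len(t) == 2 and all(c in "0123456789abcdef" for c in t.lower())
    out = bytearray()
    for line in text.splitlines():
        out += bytes.fromhex("".join(itertools.takewhile(is_pair, line.split()[1:17])))
    return bytes(out)

def parse_tcp_options(raw):
    """Walk the TCP option list into {kind: data}; NOP (1) is skipped, EOL (0) ends it."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 0:
        if raw[i] == 1:
            i += 1
            continue
        kind, length = raw[i], raw[i + 1]
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts

def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP headers; assumes an untagged IPv4 frame carrying TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    total_len, _ident, frag, ttl, _proto = struct.unpack("!HHHBB", ip[2:10])
    tcp = ip[(ip[0] & 0x0F) * 4:total_len]           # skip the IP header (IHL words)
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4                  # TCP header length incl. options
    return {
        "src": ".".join(map(str, ip[12:16])) + f":{sport}",
        "dst": ".".join(map(str, ip[16:20])) + f":{dport}",
        "ttl": ttl, "df": bool(frag & 0x4000), "seq": seq, "window": window,
        "flags": [n for b, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << b)],
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,  # 0 bytes: a bare connection attempt, no data
    }
```

Run on the posted dump, `decode_frame(parse_hexdump(HEXDUMP))` reports a SYN from 130.95.1.90:1794 to 192.168.0.55:2500 with TTL 128, DF set, MSS 1460, SACK permitted and zero payload bytes, i.e. a plain outbound connection attempt to a private address. A bare SYN only tells you that a connect was tried; what the host is looking for on 2500 has to come from examining the process on the box itself.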