[Dshield] Port 2500

stephane nasdrovisky stephane.nasdrovisky at paradigmo.com
Fri Mar 18 14:36:39 GMT 2005


Ryan McConigley wrote:

>     Anyone come across anything of note on port 2500 recently?

There is some advice across the web advocating the use of this port 
for smtp (in order to avoid spam). If this is what the compromised 
system looks for, set up a fake mta on this port; if you see valid smtp 
traffic, you may learn more about this thing's activity. A simple netcat 
(http://netcat.sourceforge.net/ nc -l -p 2500 -o dumpfile <banner) may 
do the job,
with a file banner containing something like this line:
220 SMTP ready to roll

>     I've just noticed we've got a machine attempting to make a lot 
> (200k+) of outgoing requests on that port as well as quite a few 
> external machines trying to contact that machine on the same port.  
> The outgoing attempts don't seem to be following any sort of pattern, 
> some 'real' IPs, some non-routable IPs.

Looks like a compromised system looking for vulnerable peers or its 0wner.

I would check this host for suspicious files and network listeners with
rootkit revealer (www.sysinternals.com)
netstat -ano|grep LIST|grep 2500

Submit your suspicious files to http://sandbox.norman.no/live_4.html & 
http://virusscan.jotti.org/ or http://www.virustotal.com for malicious 
activity & virus report.

>     I'm trying to get my hands on the machine in question at the 
> moment, about all I know is it's a Windows box.
>
>     I did manage to capture some packets, but they're meaningless to 
> me -->
> 0000   00 0a b7 d6 7c 80 00 e0 4c 5b 03 52 08 00 45 00
> 0010   00 30 38 80 40 00 80 06 7d af 82 5f 01 5a c0 a8
> 0020   00 37 07 02 09 c4 f8 b2 77 cc 00 00 00 00 70 02
> 0030   ff ff bd 41 00 00 02 04 05 b4 01 01 04 02

It looks like a tcp syn packet:
source port: 0702 (1794)
destination port: 09c4 (2500)
source ip: 82 5f 01 5a (130.95.1.90)
destination ip: c0 a8 00 37 (192.168.0.55)

The following tcpdump filter will only show non syn packets (not sure 
for snoop):
tcpdump -r mycapturedtraffic -x '! tcp[13]&2==2 and port 2500'
snoop -i mycapturedtraffic -x 40 '! tcp[13]&2=2 and port 2500'

>     As far as I can tell they don't have any meaningful data.

It's a syn packet, so yes, there is no useful data in it. If you want 
to grab data, allow this traffic on your firewalls/routers for a while 
and record the traffic with
tcpdump -w mycapturedtraffic port 2500
or snoop -o mycapturedtraffic port 2500

>     I also discovered that just before the machine in question started 
> to go hunting on port 2500 it made a connection to 210.22.12.245 on 
> port 6348.
>
>     Interestingly, according to SANS, port 2500 has just had a big 
> spike, which is why I'm curious.


Port 6348 is gnutella (p2p app), some viruses are spreading using p2p 
apps, 210.22.12.245 is probably a Chinese dialup or dsl user (based on 
reverse dns, I don't think so anymore).
Port 2500 could be a backdoor installed by this virus/worm.

http://www.apnic.net/apnic-bin/whois.pl :
inetnum:      210.22.0.0 - 210.22.35.255
country:      CN
descr:        shenzhen branch, china netcom corp
changed:      cncipaddr at china-netcom.com 20031208

person:       yumei sun
nic-hdl:      YS224-AP
e-mail:       sz-ipaddress at china-netcom.com

http://www.dshield.org/ipinfo.php?ip=130.95.1.90&Submit=Submit :
Country:        AU
Contact E-mail:     toivo at ucs.uwa.edu.au
AS Contact:    steve.maddocks at aarnet.edu.au

130.95.1.90 : pc-90.csse.uwa.edu.au
210.22.12.245 : sunym.gdsz.cncnet.net
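
As an added worked example (not part of this thread, nor anyone's posted code), the following Python decoder walks the captured bytes quoted above, pulls out the fields read off by hand in the reply (ports, addresses, SYN flag, absence of payload) and applies the same test as the tcpdump filter `! tcp[13]&2==2 and port 2500`. The hex dump is copied from the post; the second, payload-carrying frame is constructed here purely to show a packet the filter would let through.

```python
import struct
from typing import Dict

# Hex dump quoted in the thread, offset column stripped (Ethernet II + IPv4 + TCP).
CAPTURED_HEX = """
00 0a b7 d6 7c 80 00 e0 4c 5b 03 52 08 00 45 00
00 30 38 80 40 00 80 06 7d af 82 5f 01 5a c0 a8
00 37 07 02 09 c4 f8 b2 77 cc 00 00 00 00 70 02
ff ff bd 41 00 00 02 04 05 b4 01 01 04 02
"""

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw frame bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II + IPv4 + TCP headers; refuse anything else."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError(f"not TCP (protocol {ip[9]})")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_offset = (tcp[12] >> 4) * 4      # header length incl. options
    flags = tcp[13]                       # the byte BPF's tcp[13] reads
    window = struct.unpack("!H", tcp[14:16])[0]
    return {
        "src_ip": src_ip, "dst_ip": dst_ip,
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
        "flags": flags,
        "flag_names": [n for bit, n in TCP_FLAG_NAMES if flags & bit],
        "window": window,
        "payload_len": len(tcp) - data_offset,
    }


def non_syn_on_port_2500(pkt: Dict[str, object]) -> bool:
    """Python rendering of tcpdump's '! tcp[13]&2==2 and port 2500'
    (snoop spells the comparison with a single '=')."""
    syn_set = (pkt["flags"] & 0x02) == 0x02
    on_port = 2500 in (pkt["sport"], pkt["dport"])
    return (not syn_set) and on_port


def constructed_data_frame(base: bytes, flags: int, payload: bytes) -> bytes:
    """CONSTRUCTED for illustration: same endpoints as the captured SYN, but
    with different TCP flags and a payload appended (IP total length fixed up,
    checksums left stale since nothing here validates them)."""
    frame = bytearray(base)
    frame[14 + 20 + 13] = flags           # TCP flags byte (IHL is 20 here)
    frame += payload
    struct.pack_into("!H", frame, 14 + 2, 20 + 28 + len(payload))
    return bytes(frame)


def decode_captured() -> Dict[str, object]:
    return decode_frame(hexdump_to_bytes(CAPTURED_HEX))


def decode_constructed() -> Dict[str, object]:
    # PSH+ACK carrying a constructed SMTP-looking line towards port 2500.
    base = hexdump_to_bytes(CAPTURED_HEX)
    return decode_frame(constructed_data_frame(base, 0x18, b"EHLO test\r\n"))


if __name__ == "__main__":
    for label, pkt in (("captured", decode_captured()),
                       ("constructed", decode_constructed())):
        print(f"{label}: {pkt['src_ip']}:{pkt['sport']} -> "
              f"{pkt['dst_ip']}:{pkt['dport']} flags={pkt['flag_names']} "
              f"payload={pkt['payload_len']} "
              f"passes_filter={non_syn_on_port_2500(pkt)}")
```

Running it confirms the hand decode (130.95.1.90:1794 to 192.168.0.55:2500, SYN only, zero payload bytes) and shows that the captured frame is exactly what the non-SYN filter hides, while the constructed PSH/ACK frame with data is what the filter is meant to surface once the port is allowed through and recorded with `tcpdump -w`.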