[Dshield] Port 2500
stephane.nasdrovisky at paradigmo.com
Fri Mar 18 14:36:39 GMT 2005
Ryan McConigley wrote:
> Anyone come across anything of note on port 2500 recently?
There is some advice across the web advocating the use of this port
for SMTP (in order to avoid spam). If this is what the compromised
system looks for, set up a fake MTA on this port; if you see valid SMTP
traffic, you may learn more about this thing's activity. A simple netcat
(http://netcat.sourceforge.net/ nc -l -p 2500 -o dumpfile <banner) may
do the job,
with a file banner containing something like this line:
220 SMTP ready to roll
> I've just noticed we've got a machine attempting to make a lot
> (200k+) of outgoing requests on that port as well as quite a few
> external machines trying to contact that machine on the same port.
> The outgoing attempts don't seem to be following any sort of pattern,
> some 'real' IPs, some non-routable IPs.
Looks like a compromised system looking for vulnerable peers or its 0wner.
I would check this host for suspicious files and network listeners with
rootkit revealer (www.sysinternals.com)
netstat -ano|grep LIST|grep 2500
Submit your suspicious files to http://sandbox.norman.no/live_4.html &
http://virusscan.jotti.org/ or http://www.virustotal.com for malicious
activity & virus report.
> I'm trying to get my hands on the machine in question at the
> moment, about all I know is it's a Windows box.
> I did manage to capture some packets, but they're meaningless to
> me -->
> 0000 00 0a b7 d6 7c 80 00 e0 4c 5b 03 52 08 00 45 00
> 0010 00 30 38 80 40 00 80 06 7d af 82 5f 01 5a c0 a8
> 0020 00 37 07 02 09 c4 f8 b2 77 cc 00 00 00 00 70 02
> 0030 ff ff bd 41 00 00 02 04 05 b4 01 01 04 02
It looks like a TCP SYN packet:
source port: 0702 (1794)
destination port: 09c4 (2500)
source ip: 82 5f 01 5a (184.108.40.206)
destination ip: c0 a8 00 37 (192.168.0.55)
The following tcpdump filter will only show non syn packets (not sure
tcpdump -r mycapturedtraffic -x 'tcp[13] & 2 == 0 and port 2500'
snoop -i mycapturedtraffic -x 40 '! tcp&2=2 and port 2500'
> As far as I can tell they don't have any meaningful data.
It's a SYN packet, so yes, there is no useful data in it. If you want
to grab data, allow this traffic on your firewalls/routers for a while
and record the traffic with
tcpdump -w mycapturedtraffic port 2500
or snoop -o mycapturedtraffic port 2500
> I also discovered that just before the machine in question started
> to go hunting on port 2500 it made a connection to 220.127.116.11 on
> port 6348.
> Interestingly, according to SANS, port 2500 has just had a big
> spike, which is why I'm curious.
Port 6348 is gnutella (p2p app), some viruses are spreading using p2p
apps, 18.104.22.168 is probably a Chinese dialup or dsl user (based on
reverse DNS, I don't think so anymore).
Port 2500 could be a backdoor installed by this virus/worm.
inetnum: 22.214.171.124 - 126.96.36.199
descr: shenzhen branch, china netcom corp
changed: cncipaddr at china-netcom.com 20031208
person: yumei sun
e-mail: sz-ipaddress at china-netcom.com
Contact E-mail: toivo at ucs.uwa.edu.au
AS Contact: steve.maddocks at aarnet.edu.au
188.8.131.52 : pc-90.csse.uwa.edu.au
184.108.40.206 : sunym.gdsz.cncnet.net
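As an added example, not code from the original post: a small Python decoder for the hex dump quoted above, which walks the Ethernet, IPv4 and TCP headers to confirm the SYN flag and the zero-length payload. The addresses it reports come straight from the bytes, so they need not match the addresses written in the thread.

```python
import struct

# The hex dump quoted in the thread, pasted as-is (offset column included).
PACKET_HEX = """
0000 00 0a b7 d6 7c 80 00 e0 4c 5b 03 52 08 00 45 00
0010 00 30 38 80 40 00 80 06 7d af 82 5f 01 5a c0 a8
0020 00 37 07 02 09 c4 f8 b2 77 cc 00 00 00 00 70 02
0030 ff ff bd 41 00 00 02 04 05 b4 01 01 04 02
"""

# TCP flag bits, low to high (RFC 793 plus ECE/CWR).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def hexdump_to_bytes(dump: str) -> bytes:
    """Convert a space-separated hex dump to raw bytes, dropping 4-digit offset columns."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if tokens and len(tokens[0]) == 4:  # '0010'-style offset, not a byte
            tokens = tokens[1:]
        out.extend(int(t, 16) for t in tokens)
    return bytes(out)


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP headers: endpoints, seq number, flags, payload length."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError(f"not TCP (IP protocol {ip[9]})")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4      # TCP header length incl. options
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}", "seq": seq,
            "flags": flags, "payload_len": total_len - ihl - data_offset}


if __name__ == "__main__":
    info = decode_frame(hexdump_to_bytes(PACKET_HEX))
    print(info)  # a bare SYN to port 2500: flags ['SYN'], payload_len 0
```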