[Dshield] Port 2500

Jason Brooks brooksje at longwood.edu
Fri Mar 18 14:39:53 GMT 2005


Ryan,
	I've been looking at the capture for a  while.  Is there any more
data in you capture?  How did you capture it?  As it stands right now,
reading it how I think it should go, it makes no sense.  If it is an IP
packet, which from you description, it sounds as if it should be, it is
malformed.  There's no IP version in the first byte offset from 0.  The
header length is set to 0.  The source address looks like a network address:
08 00 45 00 = 008.000.069.000.  The dest address is just as odd: 00 30 38
80: 000.048.056.128.  Granted, from your message, I'm looking at this as a
malformed IP packet, which it may not be.  
	Additionally, if it is IP, the header is longer than the default of
20.  It's more like 33 bytes.  That's based on converting the d-port of 2500
to 0x09c4, found at the 35th-byte offset from 0.  That means the source port
was 1794 (0x0702).  This is also banking on imbedded TCP since you were
discussing ports.  If not, it's actually announcing itself as protocol 0x5b
= 91, the Locus Address Resolution Protocol.

Not much, but as of right now, that's all I see.

HTH,
Jason

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Ryan McConigley
Sent: Friday, March 18, 2005 1:28 AM
To: list at lists.dshield.org
Subject: [Dshield] Port 2500


	Anyone come across anything of note on port 2500 recently?

	I've just noticed we've got a machine attempting to make a lot
(200k+) of 
outgoing requests on that port as well as quite a few external machines 
trying to contact that machine on the same port.  The outgoing attempts 
don't seem to be following any sort of pattern, some 'real' IPs, some 
non-routable IPs.

	I'm trying to get my hands on the machine in question at the moment,
about 
all I know is its a Windows box.

	I did manage to capture some packets, but they're meaningless to me
-->
0000   00 0a b7 d6 7c 80 00 e0 4c 5b 03 52 08 00 45 00  ....|...L[.R..E.
0010   00 30 38 80 40 00 80 06 7d af 82 5f 01 5a c0 a8  .08. at ...}.._.Z..
0020   00 37 07 02 09 c4 f8 b2 77 cc 00 00 00 00 70 02  .7......w.....p.
0030   ff ff bd 41 00 00 02 04 05 b4 01 01 04 02        ...A..........

	As far as I can tell they don't have any meanful data.

	I also discovered that just before the machine in question started
to go 
hunting on port 2500 it made a conncetion to 210.22.12.245 on port 6348.

	Interestingly, according to SANS, port 2500 has just had a big
spike, 
which is why I'm curious.

	Cheers,
		Ryan.
--
           Ryan McConigley - Systems Administrator                  _.-,
      Computer Science   University of Western Australia        .--'  '-._
        Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089       _/`-  _
'.
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan  '----'._`.----. \
                                                                      `
\;
  "You're just jealous because the voices are talking to me"
;_\



-------------- Sponsor Message ------------------------------------
Join us at SANSFIRE 2005 in Atlanta!
The Internet Storm Center Conference.
Details: http://www.sans.org/sansfire2005

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list