SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-01-23


Further Review of Port 2525 Activity; K-OTik.com reveals new English version of Website

Published: 2005-01-23
Last Updated: 2005-01-23 23:26:58 UTC
by Tony Carothers (Version: 1)
0 comment(s)
Activity and analysis of port 2525 continues, while the France-based K-OTik Security reveals an English version of their website.

Update on Port 2525 Increase

Earlier today, one of our readers reported that SBC has closed outbound port 25 to its DSL customers, and that port 2525 is indeed SBC's alternative SMTP port.
Another note on alternatives to port 25, submitted by fellow Handler Erik Fichtner: port 587 is set aside precisely for this purpose, as the message submission port. http://www.faqs.org/rfcs/rfc2476.html paragraph 3.1 states, "Port 587 is reserved for email message submission as specified in this document."
In addition, we have observed an increase in port activity in the 2500-2600 range. A random sample of ports in that range, shown in the first three links below, indicates an increase in both the records and the sources submitted. Beginning on 17 Jan. 2005 and continuing through today, activity has increased across the board in that range. In contrast, the last two links, for two ports outside the range, show normal activity for the same period.

http://isc.sans.org/port_details.php?port=2587&repax=1&tarax=2&srcax=2&percent=N&days=40

http://isc.sans.org/port_details.php?port=2508&repax=1&tarax=2&srcax=2&percent=N&days=40

http://isc.sans.org/port_details.php?port=2543&repax=1&tarax=2&srcax=2&percent=N&days=40

http://isc.sans.org/port_details.php?port=5714&repax=1&tarax=2&srcax=2&percent=N&days=40

http://isc.sans.org/port_details.php?port=7726&repax=1&tarax=2&srcax=2&percent=N&days=40

It is possible that we are currently seeing two separate activities on related ports or port ranges. We will continue to post updates as they come in. As always, any information, logs, captures, or thoughts regarding this activity are welcome.
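The kind of per-port, per-day comparison described above (records and distinct sources, a quiet baseline, then a jump beginning 17 Jan.) can be reproduced on your own firewall or IDS logs. The following Python script is an added example; it is not part of the original diary and is not the ISC's own port_details code. The log lines, source addresses and dates are constructed for the example; the 2500-2600 range and the control ports 5714 and 7726 are taken from the links above.

```python
"""Added example: spot a jump in activity on a destination-port range.

Counts records and distinct source addresses per day for ports in a range,
then flags days after a baseline period whose record count is at least
`factor` times the baseline average and that come from several sources.
The log format, addresses and values below are constructed for this example.
"""
from collections import defaultdict

# Constructed summary lines: "<YYYY-MM-DD> <source IP> <destination port>".
# 14-16 Jan. is the quiet baseline; 17-18 Jan. show the jump in the
# 2500-2600 range. Ports 5714 and 7726 act as out-of-range controls.
SAMPLE_LOG = """\
# date       source       dport
2005-01-14 192.0.2.10 2587
2005-01-14 192.0.2.11 5714
2005-01-15 192.0.2.12 2508
2005-01-15 192.0.2.11 7726
2005-01-16 192.0.2.13 2543
2005-01-16 192.0.2.11 5714
2005-01-17 192.0.2.20 2525
2005-01-17 192.0.2.21 2587
2005-01-17 192.0.2.22 2508
2005-01-17 192.0.2.20 2543
2005-01-17 192.0.2.11 5714
2005-01-18 192.0.2.30 2525
2005-01-18 192.0.2.31 2525
2005-01-18 192.0.2.32 2587
2005-01-18 192.0.2.33 2543
2005-01-18 192.0.2.34 2508
2005-01-18 192.0.2.11 7726
"""


def parse_line(line):
    """Return (day, source_ip, dst_port), or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2])


def summarize(lines, port_range):
    """Per-day (record count, distinct source count) for ports within port_range (inclusive)."""
    lo, hi = port_range
    records = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, src, port = parsed
        if lo <= port <= hi:
            records[day] += 1
            sources[day].add(src)
    return {day: (records[day], len(sources[day])) for day in sorted(records)}


def flag_increase(summary, baseline_end, factor=2.0, min_sources=2):
    """Days after baseline_end whose record count is >= factor * baseline average
    and that involve at least min_sources distinct sources (one noisy host is
    not a trend). ISO date strings compare correctly as plain strings."""
    baseline = [rec for day, (rec, _) in summary.items() if day <= baseline_end]
    if not baseline:
        return []  # no baseline, nothing to compare against
    base_avg = sum(baseline) / len(baseline)
    return [day for day, (rec, srcs) in summary.items()
            if day > baseline_end and rec >= factor * base_avg and srcs >= min_sources]


def report(log_text, ranges, baseline_end):
    """Map each named port range to the list of days flagged for it."""
    lines = log_text.splitlines()
    return {name: flag_increase(summarize(lines, rng), baseline_end)
            for name, rng in ranges.items()}


if __name__ == "__main__":
    ranges = {"2500-2600": (2500, 2600), "ctrl 5714": (5714, 5714), "ctrl 7726": (7726, 7726)}
    for name, days in report(SAMPLE_LOG, ranges, "2005-01-16").items():
        print(f"{name}: {'flagged ' + ', '.join(days) if days else 'normal'}")
```

Run against the constructed sample, the 2500-2600 range is flagged on 17 and 18 Jan. while both control ports stay normal, which is the shape of the graphs linked above. The distinct-source requirement is the check worth keeping when you run this on real logs: a single misconfigured host retrying a mail relay on port 2525 produces many records but only one source.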

K-OTik.com now available in English

K-OTik Security Research, a security research and monitoring firm in Montpellier, France, has launched an English version of its website. According to K-OTik, the English site is currently in beta; it is nonetheless stable, very well done, and worth a look for Internet security-related information.

Thank you to my co-Handlers Erik, Mike Poor, Koon Yaw Tan, and Swa Frantzen. Another thank you to Gilles Fabienni of K-OTik Security for the note regarding the new English K-OTik.com website.

Tony Carothers

Handler on Duty

tony dot carothers at geemail dot com