2222/tcp Probes

Published: 2006-09-21
Last Updated: 2006-09-21 21:12:28 UTC
by Chris Carboni (Version: 1)

In yesterday's diary, Jim showed DShield data pointing to a drastic increase in probes to TCP port 2222.

Today, the data drops back down to 'normal' levels.

We did receive quite a few e-mails listing applications that use TCP 2222 by default, among them Allen-Bradley SLC-505 PLCs, Direct Admin, Ethernet-connected Allen-Bradley Programmable Logic Controllers, and the pubcookie key server.

That port is also known to be used by a couple of trojans.

We've also received a few packets, and based on what we can see, it is a SYN packet that may be crafted. One of the handlers noticed some irregularities in the source port and sequence numbers.
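As an added illustration, not from the diary and not the handlers' packets, here is the kind of check a defender could run over SYN log lines to surface irregularities like those mentioned above. It assumes constructed tcpdump-style lines and two heuristic indicators, a source port that never changes and a sequence number that never changes, which the diary itself does not specify.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style SYN lines for illustration only (not real traffic).
# 198.51.100.7 reuses one source port and a zero ISN; 203.0.113.5 looks like an OS stack.
SAMPLE = """\
12:00:01.000000 IP 198.51.100.7.31337 > 192.0.2.10.2222: Flags [S], seq 0, win 512
12:00:02.000000 IP 198.51.100.7.31337 > 192.0.2.11.2222: Flags [S], seq 0, win 512
12:00:03.000000 IP 198.51.100.7.31337 > 192.0.2.12.2222: Flags [S], seq 0, win 512
12:00:04.000000 IP 203.0.113.5.49152 > 192.0.2.10.2222: Flags [S], seq 2839471023, win 65535
12:00:05.000000 IP 203.0.113.5.49153 > 192.0.2.11.2222: Flags [S], seq 1093847123, win 65535
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\], seq (?P<seq>\d+)"
)


def parse_syns(text, dport=2222):
    """Return (src, sport, seq) for every SYN aimed at dport."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["dport"]) == dport:
            out.append((m["src"], int(m["sport"]), int(m["seq"])))
    return out


def suspicious_sources(syns, min_syns=3):
    """Flag sources whose SYNs never vary the source port or the ISN.

    A real TCP stack picks a fresh, randomized initial sequence number per
    connection, so a constant ISN across many SYNs (and, less strongly, a
    fixed source port) points to a packet-crafting tool. This is a heuristic,
    not proof, and only sources with at least min_syns SYNs are judged.
    """
    by_src = defaultdict(list)
    for src, sport, seq in syns:
        by_src[src].append((sport, seq))
    flagged = {}
    for src, pairs in by_src.items():
        if len(pairs) < min_syns:
            continue
        reasons = []
        if len({sport for sport, _ in pairs}) == 1:
            reasons.append("constant source port")
        if len({seq for _, seq in pairs}) == 1:
            reasons.append("constant sequence number")
        if reasons:
            flagged[src] = reasons
    return flagged
```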

I'll post the packets as soon as I can properly anonymize them to protect the innocent. ;)

We'll keep an eye on this over the next few days.
