
SANS ISC: 2222/tcp Probe Increase - SANS Internet Storm Center

2222/tcp Probe Increase

Earlier today I detected some probes that caused me to investigate further. My ipf logs on my handy little sparc logged hits on port 2222/tcp. I might have glossed over it, except I have sometimes used port 2222 for the secure shell daemon in the past. This was primarily to keep people from constantly hitting my unix boxen trying to brute force passwords and giving me tons of logs to process daily. (Yes, I know that security by obscurity doesn't work, but in this case it was more of a data reduction function for the overworked and underfunded security guy.)

Well, in any case, it caught my attention a bit. I investigated further and looked at the secure shell logs to see whether everyone else in the world had used the same "bright idea" that I had a few years back, causing the hackers to look there as well. Amazingly enough, there were no logs whatsoever on any of the systems I know are still listening on that port.

After I scratched my head a bit, I went over to the DShield data and, sure enough, we are seeing the same type of probing there.

As you can see, there has been no substantial increase in sources, just in records and targets. Further investigation seems to indicate that a single IP is responsible for the majority of the records. But it doesn't clear up what they were trying to find. Is it the old root shell left behind by the circa-1999 Linux amd exploit? Is it something else?
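The records / sources / targets split described above is the same three-way count DShield reports, and it is easy to reproduce against a local firewall log before asking the wider community. The following is an added example, not code from the diary or from DShield: it parses constructed log lines laid out loosely like ipmon (ipf) block records (the sample and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are made up for the example), summarizes one destination port, and flags the "one source produces most of the records" pattern that distinguishes a single scanner from a broad increase in interest.

```python
import re
from collections import Counter

# Constructed sample loosely modelled on ipmon (ipf) block-log lines. These are
# not records from the diary; the addresses are RFC 5737 documentation ranges.
SAMPLE_IPF_LOG = """\
20/09/2006 03:12:44.101233 hme0 @0:3 b 203.0.113.7,42311 -> 192.0.2.10,2222 PR tcp len 20 60 -S IN
20/09/2006 03:12:44.201233 hme0 @0:3 b 203.0.113.7,42312 -> 192.0.2.11,2222 PR tcp len 20 60 -S IN
20/09/2006 03:12:45.011233 hme0 @0:3 b 203.0.113.7,42313 -> 192.0.2.12,2222 PR tcp len 20 60 -S IN
20/09/2006 03:12:46.011233 hme0 @0:3 b 203.0.113.7,42314 -> 192.0.2.13,2222 PR tcp len 20 60 -S IN
20/09/2006 03:13:02.011233 hme0 @0:3 b 198.51.100.9,51000 -> 192.0.2.10,2222 PR tcp len 20 60 -S IN
20/09/2006 03:15:10.011233 hme0 @0:3 b 198.51.100.23,33001 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
20/09/2006 03:15:11.011233 hme0 @0:3 b 198.51.100.23,33002 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
this line is not an ipmon record and must be skipped
"""

# Only the 5-tuple part of the line matters here: src,sport -> dst,dport PR proto
IPF_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse_ipf_line(line):
    """Return the 5-tuple fields of one ipmon-style line, or None if it is not one."""
    m = IPF_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def summarize_port(log_text, dport, proto="tcp"):
    """DShield-style view of one port: total records, distinct sources,
    distinct targets, and which source accounts for the largest share."""
    recs = [r for r in map(parse_ipf_line, log_text.splitlines())
            if r and r["dport"] == dport and r["proto"] == proto]
    by_src = Counter(r["src"] for r in recs)
    top, top_n = by_src.most_common(1)[0] if by_src else (None, 0)
    return {
        "port": dport,
        "records": len(recs),
        "sources": len(by_src),
        "targets": len({r["dst"] for r in recs}),
        "top_source": top,
        "top_share": (top_n / len(recs)) if recs else 0.0,
    }


def dominant_source(summary, threshold=0.5):
    """True when a single source produced more than `threshold` of the records,
    i.e. one scanner sweeping targets rather than many sources probing a port."""
    return summary["top_source"] is not None and summary["top_share"] > threshold


if __name__ == "__main__":
    for port in (2222, 22):
        s = summarize_port(SAMPLE_IPF_LOG, port)
        verdict = "one source dominates" if dominant_source(s) else "spread across sources"
        print(f"port {port}: {s['records']} records, {s['sources']} sources, "
              f"{s['targets']} targets; top {s['top_source']} "
              f"({s['top_share']:.0%}) -> {verdict}")
```

On the constructed sample, 2222/tcp shows five records against four targets from only two sources, with one source behind 80% of them, which is the shape the diary describes. Feed it a real ipmon log and the same counts tell you whether you are looking at a sweep from one address or a genuine rise in scanners.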

So with that, "anyone got packets?" If you have a netcat or ssh listener and have captured packets, or have other ideas, please contact us.


ISC Handler
Sep 20th 2006
