Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: 2222/tcp Probes - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
2222/tcp Probes

In yesterday's diary  Jim showed Dshield data pointing to a drastic increase in probes to tcp port 2222.

Today, the data drops back down to 'normal' levels

We did recieve quite a few e-mails listing applications that use tcp 2222 by default including, Allen-Bradley SLC-505 PLCs, Direct Admin, Ethernet connected Allen Bradley Programmable Logic Controllers, and the pubcookie key server among them.

That port is also a known to be used by a couple of trojans.

We've also received a few packets, and based on what we can see, it is a syn packet that may be crafted.  One of the handlers noticed some irregularities in the source port and sequence numbers.

I'll post the packets as soon as I can properly anonymize them to protect the innocent.  ;)

We'll keep an eye on this over the next few days.


140 Posts
Sep 21st 2006

Sign Up for Free or Log In to start participating in the conversation!