
SANS ISC: Port 559 and 65506 - SANS Internet Storm Center SANS ISC InfoSec Forums

Port 559 and 65506
Port 559

Following the diary on port 559 from two days ago, we received some packet captures from Timothy. Part of the logs is described as follows:

For every 256 bytes, I always responded with a standard response consisting of 256 bytes. I noticed two patterns: 16, 30, 31, or 39 X 256-byte packets consisting of 00 (this was every IP address but one); and, a 7-byte message consisting of the following (expressed as hexadecimal):
04 01 00 50 D9 6A E8 11

If you see any similarities or differences, do let us know.
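
The bytes listed above have the same layout as the fixed header of a SOCKS4 request (version, command, destination port, destination IPv4 address, then a NUL-terminated user ID). The decoder below is an added example, not part of the original diary: reading the payload as SOCKS4 is an interpretation the diary does not make, and `decode_socks4_request` is a hypothetical helper name.

```python
import ipaddress
import struct

# Payload bytes exactly as listed in the diary (8 bytes on the page).
PORT_559_PAYLOAD = bytes.fromhex("04 01 00 50 D9 6A E8 11")

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}


def decode_socks4_request(payload: bytes) -> dict:
    """Decode payload as a SOCKS4 request: VN, CD, DSTPORT, DSTIP, USERID, NUL.

    Raises ValueError when the bytes cannot be a SOCKS4 request.
    """
    if len(payload) < 8:
        raise ValueError("shorter than the 8-byte fixed SOCKS4 header")
    version, command, port, raw_ip = struct.unpack("!BBH4s", payload[:8])
    if version != 4:
        raise ValueError(f"version byte is {version}, not 4")
    if command not in SOCKS4_COMMANDS:
        raise ValueError(f"unknown command code {command}")
    rest = payload[8:]
    # USERID is a NUL-terminated string. A capture that stops right after the
    # fixed header (as the listed bytes do) lacks the terminator, so it is
    # reported as an incomplete request rather than rejected.
    terminated = b"\x00" in rest
    userid = rest.split(b"\x00", 1)[0]
    return {
        "command": SOCKS4_COMMANDS[command],
        "dst_port": port,
        "dst_ip": str(ipaddress.IPv4Address(raw_ip)),
        "userid": userid.decode("latin-1"),
        "complete": terminated,
    }


if __name__ == "__main__":
    for key, value in decode_socks4_request(PORT_559_PAYLOAD).items():
        print(f"{key:>9}: {value}")
```

The all-zero 256-byte packets from the other sources fail the version check, so the same function separates the two patterns described in the submission.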

Port 65506

We also received a submission reporting a spike on port 65506. Part of the packet capture is as follows:

    Type: IP (0x0800)
    Trailer: 0000000000
Internet Protocol, Src Addr: xx.xx.146.95 (xx.xx.146.95), Dst Addr: xx.xx.0.31 (xx.xx.0.31)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 41
    Identification: 0xc0ac (49324)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 117
    Protocol: TCP (0x06)
    Header checksum: 0x2211 (correct)
    Source: xx.xx.146.95 (xx.xx.146.95)
    Destination: xx.xx.0.31 (xx.xx.0.31)
Transmission Control Protocol, Src Port: 3769 (3769), Dst Port: 65506 (65506), Seq: 0, Ack: 0, Len: 1
    Source port: 3769 (3769)
    Destination port: 65506 (65506)
    Sequence number: 0 (relative sequence number)
    Next sequence number: 1 (relative sequence number)
    Acknowledgement number: 0 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16616
    Checksum: 0x483c (correct)
Data (1 byte)
    0000 43

ISC data also shows a huge increase in traffic on this port over the last two days:

One of our handlers, Deb, pointed out that this pattern was also seen in March and May at about the same time each month, lasting until around the end of the month:

Could this be the same old bug, scanning for Phatbot SSL Proxy? Let us know if you have further information on this.

Aug 22nd 2004
