TCP port 65506
Jooske
March 10th, 2004, 12:06 PM
Seeing much more activity in portscans on TCP 65506
Does this belong to something going around these days in trojan/worm/bots country?
LowWaterMark
March 10th, 2004, 05:15 PM
Interesting observation there Jooske. Scanning my logs for the last month the first occurrences of incoming to 65506/tcp were yesterday (almost exactly 24 hours ago from the time of this post).
All are basic SYN packets coming from all different IP addresses (no repeats) and random source ports (no repeats or patterns there either). There are no related packets (packets just before or just after those from the same IP address).
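The log review described in the post above (first occurrence, repeat sources, repeat source ports, SYN-only, related packets from the same address) can be scripted. This is an added example, not part of the original post; the key=value log format, the `profile_port` name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in an assumed key=value firewall format
# (documentation-range addresses; not data from the thread).
SAMPLE_LOG = """\
2004-03-08T09:14:02 SRC=198.51.100.7 SPT=3321 DPT=135 PROTO=TCP FLAGS=SYN
2004-03-09T17:02:11 SRC=203.0.113.5 SPT=4312 DPT=65506 PROTO=TCP FLAGS=SYN
2004-03-09T18:40:57 SRC=192.0.2.44 SPT=1189 DPT=65506 PROTO=TCP FLAGS=SYN
2004-03-10T02:11:30 SRC=198.51.100.23 SPT=2750 DPT=65506 PROTO=TCP FLAGS=SYN
2004-03-10T06:45:09 SRC=198.51.100.7 SPT=3390 DPT=445 PROTO=TCP FLAGS=SYN
2004-03-10T11:59:48 SRC=203.0.113.91 SPT=3904 DPT=65506 PROTO=TCP FLAGS=SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) SPT=(?P<spt>\d+) "
    r"DPT=(?P<dpt>\d+) PROTO=(?P<proto>\S+) FLAGS=(?P<flags>\S+)$"
)

def profile_port(log_text, port, proto="TCP"):
    """Summarise inbound hits on one destination port (hypothetical helper)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the assumed format are skipped
            events.append(m.groupdict())
    hits = [e for e in events if int(e["dpt"]) == port and e["proto"] == proto]
    if not hits:
        return None
    sources = Counter(e["src"] for e in hits)
    src_ports = Counter(e["spt"] for e in hits)
    # "Related" traffic: a source that hit this port and also probed another.
    related = {e["src"] for e in events
               if e["src"] in sources and int(e["dpt"]) != port}
    return {
        "first_seen": min(datetime.fromisoformat(e["ts"]) for e in hits),
        "hits": len(hits),
        "unique_sources": len(sources),
        "repeat_sources": sorted(s for s, n in sources.items() if n > 1),
        "repeat_source_ports": sorted(p for p, n in src_ports.items() if n > 1),
        "syn_only": all(e["flags"] == "SYN" for e in hits),
        "related_sources": sorted(related),
    }

if __name__ == "__main__":
    print(profile_port(SAMPLE_LOG, 65506))
```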
CrazyM
March 10th, 2004, 11:25 PM
http://isc.incidents.org/port_details.html?port=65506&repax=1&tarax=2&srcax=2&percent=N&days=40
The above link shows you are not alone, but no details yet on what it might be.
Regards,
CrazyM
Jooske
March 11th, 2004, 12:52 AM
Yes, it did not come back here either; googling around I saw somebody noticed it in his proxy list all of a sudden, hundreds of them in December 2003, no explanations about that either. Two days ago in the DSLR forums it was mentioned among other ports for a phatbot (?) and the port was mentioned as SSL, so I don't know really.
I've seen it mentioned as a voice port for Cisco ...router?
Vague, memory doesn't serve me well enough.
Googling more I see it in proxy lists again, new proxy port?
jvmorris
March 11th, 2004, 11:34 AM
Jooske,
Link Logger is tracking it at www.dslreports.com/forum/remark,9644670~mode=flat (http://www.dslreports.com/forum/remark,9644670~mode=flat), complete with packet captures.
fixed link - Detox
LowWaterMark
March 11th, 2004, 12:41 PM
For those who want to capture packets themselves when they see events like this, LinkLogger (mentioned above) provides a free tool for this. PortPeeker (http://www.linklogger.com/portpeeker.htm) allows you to set up a capture on any port you like; it has many features for reviewing and saving the data. It can be downloaded from this mirror (http://ct7security.com/linklogger/portpeeker/download.html), as well.
Jooske
March 11th, 2004, 03:49 PM
Looks like what we have in TDS Port Listen and the traffic bridge and UDP broadcast all together, fortunately -- hadn't thought a moment of using the Port listen.
If we wouldn't block that port in the firewall Port Explorer can help sniffing the packets too!
Thanks for the link to this!
controler
March 13th, 2004, 07:42 AM
Portpeeker only listens to ICMP. Windows NT and 2000 come by default with security to inhibit the use of ICMP. The Portpeeker site shows how to disable the Raw Socket check in NT and 2000 so you can use Portpeeker, but how is it done in Windows XP?
I know Portpeeker is freeware but there should be a tick mark in the program to do this without having to edit the registry.
I do not have this key on my XP box.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity
Jooske, can TDS-3 listen for ICMP traffic?
Thanks
controler
LowWaterMark
March 13th, 2004, 01:07 PM
-{ Quote (controler): "Portpeeker only listens to ICMP." }-
You actually mean the opposite of that, right? That the website says that PortPeeker can't capture ICMP on those versions of Windows, except for Windows NT itself for which there is a registry tweak.
-{ Quote: "Windows NT and 2000 come by default with security to inhibit the use of ICMP. The Portpeeker site shows how to disable the Raw Socket check in NT and 2000 so you can use Portpeeker, but how is it done in Windows XP?" }-
I don't think you can bypass it for XP, so you can't capture ICMP traffic on XP systems using PortPeeker. (I looked into it briefly when PortPeeker first came out and didn't find any easy tweak that worked for XP. But then, I didn't try researching it very hard so I'm not sure if it might be possible with a little more effort. PortPeeker does handle TCP and UDP very well though on XP, which is what I was really interested in anyway.)
controler
March 13th, 2004, 02:00 PM
This is all I could find on MS
it is over my head ;)
http://support.microsoft.com/default.aspx?scid=kb;en-us;314053&Product=winxp
URL tags added to the link - paul
Link Logger
March 13th, 2004, 03:23 PM
I put a write up on the 65506 adventure here http://www.linklogger.com/65506SpamRelay.htm
As far as capturing ICMP messages with PortPeeker, Windows is rather funny about ICMP messages, as when I wrote that part of PortPeeker I was really thinking about capturing Nachi pings, which were unique in their message contents. However, AFAIK the only way to capture Windows pings is to go to the socket level, so I had to write a separate application from PortPeeker to do what I wanted at the time. So in short, PortPeeker has limited ICMP capture functionality because of some of the nuances within Windows ICMP handling.
Blake
Paul Wilders
March 13th, 2004, 03:48 PM
Welcome, Blake ;)
It's good to see you over here 8)
regards.
paul
Jooske
March 14th, 2004, 03:37 AM
So I can be less frustrated with this error message every time I configure Port Peeker to look at ICMP pings on either my modem or netcard level or public IP address:
Error Code: 10022 Winsock error in recv()
To answer Controler: I tried the TDS Port listen but it does not listen on port 0 (is that not the ICMP port?).
Other ports to try?
In Port Explorer statistics for ICMP I do see lots of errors now, both outgoing and incoming pings. Some 68 in those few minutes to write this message.
CrazyM
March 14th, 2004, 04:22 AM
-{ Quote (Jooske): "... I tried the TDS Port listen but it does not listen on port 0 (is that not the ICMP port?). Other ports to try?" }-
ICMP does not use ports like TCP or UDP, but message Types and Codes. This link (http://www.iana.org/assignments/icmp-parameters) will give you a breakdown of those.
If you are interested in capturing ICMP packets, you will likely have to use something like Ethereal (http://www.ethereal.com/).
Regards,
CrazyM
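To make the port versus Type/Code distinction in the reply above concrete, the following parser reads the IPv4 protocol field and then extracts either ports (TCP/UDP) or type and code (ICMP). It is an added example, not part of the original post; the `classify` and `ipv4_header` names, the addresses and both sample packets are constructed for illustration, and the ICMP name table is only a small subset of the IANA list.

```python
import struct

# Subset of the IANA ICMP type list, for readable output only.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}

def ipv4_header(proto, payload_len, src="192.0.2.10", dst="192.0.2.20"):
    """Build a minimal 20-byte IPv4 header (checksum left 0) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def classify(packet):
    """Return the fields that identify the traffic in a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4        # IP header length in bytes
    proto = packet[9]                   # 1 = ICMP, 6 = TCP, 17 = UDP
    body = packet[ihl:]
    if len(body) < 4:
        raise ValueError("truncated payload")
    if proto in (6, 17):                # TCP/UDP start with two 16-bit ports
        sport, dport = struct.unpack("!HH", body[:4])
        return {"proto": "TCP" if proto == 6 else "UDP",
                "src_port": sport, "dst_port": dport}
    if proto == 1:                      # ICMP starts with type, code, checksum
        icmp_type, code, _checksum = struct.unpack("!BBH", body[:4])
        return {"proto": "ICMP", "type": icmp_type, "code": code,
                "name": ICMP_TYPES.get(icmp_type, "other")}
    return {"proto": proto}

# Constructed samples: a TCP SYN to port 65506 and an ICMP echo request.
_tcp_syn = struct.pack("!HHIIBBHHH", 4312, 65506, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
SAMPLE_TCP = ipv4_header(6, len(_tcp_syn)) + _tcp_syn
_icmp_echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"constructed"
SAMPLE_ICMP = ipv4_header(1, len(_icmp_echo)) + _icmp_echo

if __name__ == "__main__":
    print(classify(SAMPLE_TCP))
    print(classify(SAMPLE_ICMP))
```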
controler
March 14th, 2004, 07:27 AM
CrazyM
I tried Ethereal a few years ago but it sure seemed complicated to use.
I have even less time now to figure that stuff out.
Maybe I will give it a try again. I know it is a good program in the right hands ;D
controler
Dirker
March 17th, 2004, 12:53 PM
The Washingtonpost.com has a fairly comprehensive writeup of this Phatbot trojan, which apparently has spread to hundreds of thousands of computers worldwide.
http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html