TCP port 65506

Discussion in 'other security issues & news' started by Jooske, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Seeing much more activity in portscans on TCP 65506
    Does this belong to something going around these days in trojan/worm/bots country?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Interesting observation there Jooske. Scanning my logs for the last month the first occurrences of incoming to 65506/tcp were yesterday (almost exactly 24 hours ago from the time of this post).

    All are basic SYN packets coming from all different IP addresses (no repeats) and random source ports (no repeats or patterns there either). There are no related packets (packets just before or just after those from the same IP address).
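
The log review described in the post above, written out as an added example that is not part of the original thread. The key=value log layout, the sample lines and the function name `summarize_port` are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample lines; the key=value layout is an assumed firewall log format.
SAMPLE_LOG = """\
2004-03-08T22:10:05 SRC=192.0.2.14 SPT=1040 DPT=135 PROTO=TCP FLAGS=SYN
2004-03-09T14:02:11 SRC=198.51.100.7 SPT=3312 DPT=65506 PROTO=TCP FLAGS=SYN
2004-03-09T14:40:57 SRC=203.0.113.88 SPT=4410 DPT=65506 PROTO=TCP FLAGS=SYN
2004-03-09T16:21:30 SRC=192.0.2.201 SPT=2075 DPT=65506 PROTO=TCP FLAGS=SYN
2004-03-09T16:21:31 SRC=192.0.2.201 SPT=2076 DPT=1080 PROTO=TCP FLAGS=SYN
2004-03-10T09:05:44 SRC=198.51.100.93 SPT=1533 DPT=65506 PROTO=TCP FLAGS=SYN
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) SPT=(?P<spt>\d+) "
    r"DPT=(?P<dpt>\d+) PROTO=(?P<proto>\S+) FLAGS=(?P<flags>\S+)$"
)

def summarize_port(lines, port, proto="TCP"):
    """Profile inbound probes to one port: first seen, repeats, related traffic."""
    events = [m.groupdict() for m in map(LINE_RE.match, lines) if m]
    hits = [e for e in events if int(e["dpt"]) == port and e["proto"] == proto]
    sources = Counter(e["src"] for e in hits)
    sports = Counter(e["spt"] for e in hits)
    # "Related" packets: anything else logged from a source that probed the port.
    related = [e for e in events if e["src"] in sources and e not in hits]
    return {
        "first_seen": min((e["ts"] for e in hits), default=None),
        "packets": len(hits),
        "distinct_sources": len(sources),
        "repeat_sources": sorted(s for s, n in sources.items() if n > 1),
        "repeat_source_ports": sorted(p for p, n in sports.items() if n > 1),
        "non_syn": sum(1 for e in hits if e["flags"] != "SYN"),
        "related": [(e["src"], int(e["dpt"])) for e in related],
    }

if __name__ == "__main__":
    for key, value in summarize_port(SAMPLE_LOG, 65506).items():
        print(f"{key}: {value}")
```

An empty `repeat_sources` list with as many distinct sources as packets matches the pattern reported in the post; a non-empty `related` list marks sources that also touched other ports.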
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yes, it did not come back here either; googling around I saw somebody noticed it in his proxy list all of a sudden, hundreds of them in December 2003, no explanations about that either. Two days ago in the DSLR forums it was mentioned among other ports for a phatbot (?) and the port was mentioned SSL so I don't know really.
    I've seen it mentioned as a voice port for Cisco ...router?
    Vague, memory doesn't serve me well enough.

    Googling more I see it in proxy lists again, new proxy port?
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    For those who want to capture packets themselves when they see events like this, LinkLogger (mentioned above) provides a free tool for this. PortPeeker allows you to set up a capture on any port you like; it has many features for reviewing and saving the data. It can be downloaded from this mirror, as well.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Looks like what we have in TDS Port Listen and the traffic bridge and UDP broadcast all together, fortunately -- hadn't thought a moment of using the Port listen.
    If we wouldn't block that port in the firewall Port Explorer can help sniffing the packets too!
    Thanks for the link to this!
     
  8. controler

    controler Guest

    PortPeeker only listens to ICMP. Windows NT and 2000 come default with security to inhibit the use of ICMP. The PortPeeker site shows how to disable the Raw Socket check in NT and 2000 so you can use PortPeeker, but how is it done in Windows XP?
    I know Portpeeker is freeware but there should be a tick mark in the program to do this without having to edit the registry.
    I do not have this key on my XP box.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity

    Jooske, Can TDS-3 listen for ICMP traffic?

    Thanks

    controler
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    You actually mean the opposite of that, right? That the website says that PortPeeker can't capture ICMP on those versions of Windows, except for Windows NT itself for which there is a registry tweak.

    I don't think you can bypass it for XP, so you can't capture ICMP traffic on XP systems using PortPeeker. (I looked into it briefly when PortPeeker first came out and didn't find any easy tweak that worked for XP. But then, I didn't try researching it very hard so I'm not sure if it might be possible with a little more effort. PortPeeker does handle TCP and UDP very well though on XP, which is what I was really interested in anyway.)
     
  10. controler

    controler Guest

  11. Link Logger

    Link Logger Security Expert

    Joined:
    Mar 13, 2004
    Posts:
    3
    I put a write up on the 65506 adventure here http://www.linklogger.com/65506SpamRelay.htm

    As far as capturing ICMP messages with PortPeeker, Windows is rather funny about ICMP messages, as when I wrote that part of PortPeeker I was really thinking about capturing Nachi pings which were unique in their message contents. However AFAIK the only way to capture Windows pings is to go to the socket level, so I had to write a separate application from PortPeeker to do what I wanted at the time. So in short PortPeeker has limited ICMP capture functionality because of some of the nuances within Windows ICMP handling.

    Blake
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Welcome, Blake ;)

    It's good to see you over here :cool:

    regards.

    paul
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So I can be less frustrated with this error message every time I configure PortPeeker to look at ICMP pings on either my modem or netcard level or public IP address:
    Error Code: 10022 Winsock error in recv()

    To answer Controler: I tried the TDS Port listen but it does not listen on port 0 (is that not the ICMP port?).
    Other ports to try?

    In Port Explorer statistics for ICMP I do see lots of errors now, both outgoing and incoming pings. Some 68 in those few minutes to write this message.
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    ICMP does not use ports like TCP or UDP, but message Types and Codes. This link will give you a breakdown of those.

    If you are interested in capturing ICMP packets, you will likely have to use something like Ethereal.

    Regards,

    CrazyM
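
The ports-versus-Types-and-Codes distinction in the post above, shown on raw packet bytes as an added example that is not part of the original thread. The function names and both sample packets are constructed for the illustration; the packets use documentation addresses and leave checksums at zero.

```python
import struct

ICMP, TCP, UDP = 1, 6, 17  # IPv4 protocol numbers

def describe_ipv4(packet: bytes) -> dict:
    """Return the fields a receiver uses to demultiplex a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    payload = packet[ihl:]
    if proto in (TCP, UDP):
        if len(payload) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", payload[:4])
        return {"proto": "TCP" if proto == TCP else "UDP",
                "src_port": sport, "dst_port": dport}
    if proto == ICMP:
        if len(payload) < 4:
            raise ValueError("truncated ICMP header")
        # ICMP starts with type, code, checksum: there is no port field at all.
        icmp_type, code, _checksum = struct.unpack("!BBH", payload[:4])
        return {"proto": "ICMP", "type": icmp_type, "code": code}
    return {"proto": proto}

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte header, checksum left at 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + payload

# Constructed samples: a TCP SYN to 65506 and an ICMP echo request (type 8, code 0).
TCP_SYN = build_ipv4(TCP, struct.pack("!HHIIBBHHH", 3312, 65506, 0, 0,
                                      0x50, 0x02, 8192, 0, 0))
ICMP_ECHO = build_ipv4(ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    print(describe_ipv4(TCP_SYN))
    print(describe_ipv4(ICMP_ECHO))
```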
     
  15. controler

    controler Guest

    CrazyM

    I tried Ethereal a few years ago but it sure seemed complicated to use.
    I have even less time now to figure that stuff out.
    Maybe I will give it a try again. I know it is a good program in the right hands :D

    controler
     
  16. Dirker

    Dirker Guest

    The Washingtonpost.com has a fairly comprehensive writeup of this Phatbot trojan, which apparently has spread to hundreds of thousands of computers worldwide.

    http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html
     