What's goin' on?

Basher52
guru
Posts: 928
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 »

My last night's log was over 50 MB, due to all the incoming crap on port 65535.
I've searched on it and found some older flaw in M$ keybd_event, and it seems that it now has a new exploit.

It also looks like this is a small version of a DoS attack, since the net is way slow :(

Has anyone heard any news of this?
I can't really find anything that I'm sure of, though :( The keybd_event is just a guess.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

What log? Not nearly enough information to compute. I hope this is not an MS question.

Basher52
guru
Posts: 928
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 »

sorry :oops:

Nope, this is not an M$ question, but it sure may be M$'s fault, as always.

This is a sample from my ulog (viewed through fwfilter):

Sep 13 13:52:25 ALL - DROP IN=eth1 SRC=64.124.113.204 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=52248 TTL=51 CE SEQ=3032250045 ACK=0 SYN
Sep 13 13:52:35 ALL - DROP IN=eth1 SRC=209.203.99.232 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=41141 TTL=49 SEQ=3216952148 ACK=0 SYN
Sep 13 13:52:37 ALL - DROP IN=eth1 SRC=64.124.113.204 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=52248 TTL=51 CE SEQ=3032250045 ACK=0 SYN
Sep 13 13:52:38 ALL - DROP IN=eth1 SRC=209.203.99.232 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=41141 TTL=49 SEQ=3216952148 ACK=0 SYN
Sep 13 13:52:44 ALL - DROP IN=eth1 SRC=209.203.99.232 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=41141 TTL=49 SEQ=3216952148 ACK=0 SYN

As you see, there are a lot of connections to port 65535, and these keep going on; I get about 40-60 of these a minute.

PS: And not just from these IP addresses either, it's from all over :(

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Those are connection attempts, not actual connections. You have a DROP rule and have it set to log; those connection attempts were dropped. Now, I haven't seen anything recently regarding 65535 specifically, and you are correct that there is a local privilege escalation exploit for Windows involving that port, but I haven't seen anything regarding a remote exploit using that port. Obviously something is up. I'll keep looking.

EDIT: I see something here about an RC1 trojan involving that port:
http://www.sans.org/resources/idfaq/oddports.php
http://www.simovits.com/trojans/tr_data/y2724.html
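
The log sample Basher52 posted and Void Main's observation that those lines are dropped connection attempts rather than connections can both be checked mechanically. The Python below is an added example, not code from the thread, from fwfilter or from ulogd: it parses lines in the format shown, treats a bare SYN (ACK flag absent, ACK=0) as an unanswered connection attempt, counts attempts per source address and per minute, and collapses retransmissions of the same SYN (identical SRC, SPT and SEQ) so that log volume is not mistaken for the number of distinct probes. The sample input is constructed: the five lines from the post plus two invented ones (a port 22 SYN and an ACK-only segment from the made-up address 10.9.8.7). The port of interest is a parameter, defaulting to 65535 as in the thread.

```python
import re
from collections import Counter

# Constructed sample in the ULOG/fwfilter layout shown in the thread. The
# destination is masked exactly as in the post; the last two lines are
# invented (a port 22 probe and an ACK-only segment) to exercise the filters.
SAMPLE_LOG = """\
Sep 13 13:52:25 ALL - DROP IN=eth1 SRC=64.124.113.204 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=52248 TTL=51 CE SEQ=3032250045 ACK=0 SYN
Sep 13 13:52:35 ALL - DROP IN=eth1 SRC=209.203.99.232 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=41141 TTL=49 SEQ=3216952148 ACK=0 SYN
Sep 13 13:52:37 ALL - DROP IN=eth1 SRC=64.124.113.204 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=52248 TTL=51 CE SEQ=3032250045 ACK=0 SYN
Sep 13 13:52:38 ALL - DROP IN=eth1 SRC=209.203.99.232 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=41141 TTL=49 SEQ=3216952148 ACK=0 SYN
Sep 13 13:52:44 ALL - DROP IN=eth1 SRC=209.203.99.232 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=41141 TTL=49 SEQ=3216952148 ACK=0 SYN
Sep 13 13:53:02 ALL - DROP IN=eth1 SRC=10.9.8.7 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=22 SPT=40001 TTL=60 SEQ=11 ACK=0 SYN
Sep 13 13:53:05 ALL - DROP IN=eth1 SRC=10.9.8.7 DST=xxxx.xxxx.xxxx.xxxx PROTO=TCP DPT=65535 SPT=40002 TTL=60 SEQ=12 ACK=1234 ACK
"""

# syslog-style timestamp (day may be space-padded), then the rest of the line
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

# Bare tokens that netfilter logging emits for TCP flags. "CE" (ECN) and
# "DF" also appear bare but are not TCP flags, so they are ignored here.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
VERDICTS = ("DROP", "ACCEPT", "REJECT")


def parse_line(line):
    """Split one log line into timestamp, key=value fields, TCP flags and verdict.

    Returns None for lines that do not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags, verdict = {}, set(), None
    for tok in m["rest"].split():
        if "=" in tok:                       # e.g. SRC=..., DPT=..., ACK=0
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:               # e.g. the trailing "SYN"
            flags.add(tok)
        elif tok in VERDICTS:
            verdict = tok
    return {"ts": m["ts"], "fields": fields, "flags": flags, "verdict": verdict}


def is_connection_attempt(rec):
    """A SYN without the ACK flag is the first packet of a handshake. If the
    firewall dropped it, no connection ever existed: it is only an attempt."""
    return "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def summarize(log_text, dport=65535):
    """Count dropped connection attempts to one destination port.

    distinct_syns collapses retransmissions: a host that retries the same SYN
    produces several log lines with the same SRC, SPT and SEQ."""
    per_src, per_minute, syn_keys = Counter(), Counter(), set()
    attempts = non_syn = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["fields"].get("DPT") != str(dport):
            continue
        if not is_connection_attempt(rec):
            non_syn += 1
            continue
        attempts += 1
        f = rec["fields"]
        per_src[f["SRC"]] += 1
        per_minute[rec["ts"].rsplit(":", 1)[0]] += 1     # "Sep 13 13:52"
        syn_keys.add((f["SRC"], f.get("SPT"), f.get("SEQ")))
    return {
        "attempts": attempts,          # log lines that were bare SYNs
        "non_syn": non_syn,            # other segments to the port (ACK-only etc.)
        "distinct_syns": len(syn_keys),
        "per_src": per_src,
        "per_minute": per_minute,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"dropped SYNs to 65535: {report['attempts']} "
          f"({report['distinct_syns']} distinct after folding retransmits)")
    for src, n in report["per_src"].most_common():
        print(f"  {src:<16} {n}")
    for minute, n in sorted(report["per_minute"].items()):
        print(f"  {minute}: {n}/min")
```

On the thread's five lines the script reports five dropped SYNs but only two distinct ones, because each source retried the same SYN (same SPT and SEQ) after getting no answer. That is worth knowing before reading "40-60 a minute" as 40-60 separate probes, and a per-source and per-minute summary like this is what you keep if, as suggested later in the thread, you stop logging every packet to that port.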

Basher52
guru
Posts: 928
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 »

Yep, that's the name of it.
I've seen this too by searching, but why now all of a sudden :(
It started yesterday, very fast too :(
The funny part is that another guy, on another subnet, doesn't get these.

Well, I can't do much about it yet, just wait until there is any info on it or until it disappears.

Thx mate :D

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

You could turn off logging for that port if it's filling up your logs.
