While investigating an unrelated issue and digging through firewall logs I noticed a decent amount of traffic destined for tcp/2550 on one of my work servers.
The traffic mostly (82 of the 84 events today) originates from sequential IPs out of China. This immediately raises alarms with me.
Upon further examination I discovered even stranger patterns.
- destination port tcp/2550
- source port is tcp/80
- Over the last 24 hours 82 attempts had been made (and blocked) from Chinese IPs
- All Chinese IPs target 1 specific host
- 2 attempts from US data centers to two other IPs
- Further correlated searches on the source IPs return little else beyond what I normally see on the firewall
- Digging back 30 days indicates that today was the first time such traffic has hit me
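The pattern above (one destination port, a fixed privileged source port, a run of consecutive source addresses, and a single target host) is the kind of thing worth pulling out of firewall logs mechanically rather than by eye. The script below is an added example, not part of the original post: it parses constructed iptables-style DROP lines (the addresses are documentation ranges, not the real sources), filters on a destination port, and reports per-target counts, source-port distribution, and any runs of sequential source IPs. The log format and field names are assumptions for the sample.

```python
"""Triage firewall log lines: who hit a given destination port, from where, and from which source ports."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (iptables-style); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 12 08:01:10 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=80 DPT=2550
Mar 12 08:01:11 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=10.0.0.5 PROTO=TCP SPT=80 DPT=2550
Mar 12 08:01:13 fw kernel: DROP IN=eth0 SRC=203.0.113.12 DST=10.0.0.5 PROTO=TCP SPT=80 DPT=2550
Mar 12 08:01:14 fw kernel: DROP IN=eth0 SRC=203.0.113.13 DST=10.0.0.5 PROTO=TCP SPT=80 DPT=2550
Mar 12 08:02:40 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.6 PROTO=TCP SPT=80 DPT=2550
Mar 12 08:03:02 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP SPT=80 DPT=2550
Mar 12 08:05:00 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22
"""

# Assumed field layout; adjust the regex to match the real firewall's log format.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract source/destination address and ports from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["spt"] = int(event["spt"])
    event["dpt"] = int(event["dpt"])
    return event


def sequential_runs(ips, min_len=3):
    """Return (first, last, count) for each run of consecutive IPv4 addresses of at least min_len."""
    addrs = sorted({ipaddress.ip_address(ip) for ip in ips})
    runs = []
    i = 0
    while i < len(addrs):
        j = i
        # Extend the run while the next address is exactly one higher than the current one.
        while j + 1 < len(addrs) and addrs[j + 1] == addrs[j] + 1:
            j += 1
        if j - i + 1 >= min_len:
            runs.append((str(addrs[i]), str(addrs[j]), j - i + 1))
        i = j + 1
    return runs


def triage(log_text, dst_port):
    """Summarise all events aimed at dst_port: targets, source ports, privileged-source-port count, IP runs."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e and e["dpt"] == dst_port]
    return {
        "events": len(events),
        "by_target": Counter(e["dst"] for e in events),
        "by_src_port": Counter(e["spt"] for e in events),
        # A source port below 1024 on inbound scans is unusual for normal clients and worth flagging.
        "privileged_src_port": sum(1 for e in events if e["spt"] < 1024),
        "sequential_sources": sequential_runs(e["src"] for e in events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, 2550).items():
        print(f"{key}: {value}")
```

Run against the real log, the `sequential_sources` output is what turns "a decent amount of traffic" into a concrete statement about a scanning range, and `by_target` shows whether one host is being singled out.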
Port 2550 is associated with a protocol called ADS (Automation Device Specification) created by Beckhoff for use in their TwinCAT system. This information meant absolutely nothing to me. I had never heard of the protocol, the company, or the product, so I started digging.
It's for embedded systems. It's billed as "PLC and Motion Control on the PC", meaning that it could be used for automating just about anything.
“TwinCAT consists of run-time systems that execute control programs in real-time and the development environments for programming, diagnostics and configuration. Any Windows programs, for instance visualization programs or Office programs, can access TwinCAT data via Microsoft interfaces, or can execute commands”
According to the "Applications and Solutions" section of their website it can be used for robotic assembly automation, building/HVAC automation, water treatment and management, semiconductor manufacturing, medical engineering, the energy industry and so on. These all seem like pretty tempting targets if I were interested in taking over a country's infrastructure.
Odder still… I port scanned the target server and it does not have anything running on that port. I also have historical port scans going back months (so I can detect when new listeners are launched) and it was never open.
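Keeping historical port scans and comparing them is the check that answered the "is anything actually listening there?" question above. As an added example (not the original post's tooling), the script below parses two constructed excerpts of nmap's greppable output (`-oG`) and reports, per host, which listeners appeared or disappeared between the baseline and the current scan. The host addresses and the "ads" service label in the sample are constructed.

```python
"""Diff two nmap -oG scans to flag listeners that appeared or disappeared since the baseline."""
import re

# Constructed -oG excerpts; the current scan shows tcp/2550 newly open on one host.
BASELINE = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""

CURRENT = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 2550/open/tcp//ads///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} of open ports from nmap greppable output."""
    listeners = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines and anything that is not a host record
        host = line.split()[1]
        listeners.setdefault(host, set())
        m = re.search(r"Ports: ([^\t]*)", line)
        if not m:
            continue  # host record without a Ports field (e.g. all ports filtered)
        for entry in m.group(1).split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.split("/")
            if len(fields) >= 3 and fields[1] == "open":
                listeners[host].add((int(fields[0]), fields[2]))
    return listeners


def diff_listeners(baseline_text, current_text):
    """Per host, list listeners present now but not in the baseline ('new') and vice versa ('gone')."""
    base = parse_grepable(baseline_text)
    cur = parse_grepable(current_text)
    changes = {}
    for host in set(base) | set(cur):
        before = base.get(host, set())
        after = cur.get(host, set())
        if before != after:
            changes[host] = {"new": sorted(after - before), "gone": sorted(before - after)}
    return changes


if __name__ == "__main__":
    for host, change in sorted(diff_listeners(BASELINE, CURRENT).items()):
        print(host, "new:", change["new"], "gone:", change["gone"])
```

Running this on each day's scan against the previous one gives the "no new listeners" assurance the post relies on; an empty result for the targeted host is the evidence that tcp/2550 was never open.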
Am I missing any known malware that operates on that port?
I think I'm going to send some of this output to the SANS Internet Storm Center to see if they know anything about it.