tcp/2550 and the Chinese

While investigating an unrelated issue and digging through firewall logs I noticed a decent amount of traffic destined for tcp/2550 on one of my work servers.

The traffic mostly (82 of the 84 events today) originates from sequential IPs out of China.  This immediately raises alarms with me.

Upon further examination I discovered even stranger patterns.

  • destination port tcp/2550
  • source port is tcp/80
  • Over the last 24 hours 82 attempts had been made (and blocked) from Chinese IPs
  • All Chinese IPs target 1 specific host
  • 2 attempts from US data centers to two other IPs
  • Further correlated searches on the source IPs return little else outside of what I normally see on the firewall
  • Digging back 30 days indicates that today was the first time such traffic has hit me
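As an added example (not part of the original post), here is a small Python script that runs the same checks over constructed netfilter-style log lines: it pulls out TCP events to the port of interest, counts how many carry source port 80, tallies the targeted hosts, and groups the sources into runs of consecutive addresses. The log lines, addresses and function names are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in iptables/netfilter syslog style (not the author's logs).
SAMPLE_LOG = """\
May  1 09:12:01 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=2550 SYN
May  1 09:12:03 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=2550 SYN
May  1 09:12:04 fw kernel: DROP IN=eth0 SRC=203.0.113.12 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=2550 SYN
May  1 09:13:40 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.9 PROTO=TCP SPT=80 DPT=2550 SYN
May  1 09:14:02 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.99 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=443 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)")

def parse_events(log_text, dport=2550):
    """Return (src, dst, sport) tuples for TCP events aimed at the port of interest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group(4)) == dport:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events

def sequential_runs(addresses):
    """Group IPv4 sources into runs of consecutive addresses (length >= 2)."""
    ips = sorted({ipaddress.ip_address(a) for a in addresses})
    runs, current = [], []
    for ip in ips:
        if current and int(ip) == int(current[-1]) + 1:
            current.append(ip)
        else:
            if len(current) >= 2:
                runs.append([str(x) for x in current])
            current = [ip]
    if len(current) >= 2:
        runs.append([str(x) for x in current])
    return runs

def summarize(log_text, dport=2550):
    events = parse_events(log_text, dport)
    return {
        "total": len(events),
        # A normal client uses an ephemeral source port; SPT=80 on an inbound SYN stands out.
        "src_port_80": sum(1 for _, _, sp in events if sp == 80),
        "targets": Counter(dst for _, dst, _ in events),
        "sequential_sources": sequential_runs(src for src, _, _ in events),
    }
```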

Port 2550 is associated with a protocol called ADS (Automation Device Specification) created by Beckhoff for use in their TwinCAT system.  This information meant absolutely nothing to me.  I had never heard of the protocol, company or product, so I started digging.

It’s for embedded systems.  It’s billed as “PLC and Motion Control on the PC”, meaning that it could be used for automating just about anything.

“TwinCAT consists of run-time systems that execute control programs in real-time and the development environments for programming, diagnostics and configuration. Any Windows programs, for instance visualization programs or Office programs, can access TwinCAT data via Microsoft interfaces, or can execute commands”

According to the “Applications and Solutions” section of their website it can be used for Robotic Assembly automation, Building/HVAC Automation, Water Treatment and Management, Semiconductor Manufacturing, Medical engineering, the Energy Industry and so on.  These all seem like pretty tempting targets if I were interested in taking over a country’s infrastructure.

Odder still… I port scanned the target server and it does not have anything running on that port.  I also have historical port scans going back months (so I can detect when new listeners are launched) and it was never open.

Am I missing any known malware that operates on that port?

I think I’m going to send some of this output to the SANS Internet Storm Center to see if they know anything about it.

Hey Mac Users… The Honeymoon is Over.

I know, it’s sad.  I too am a die-hard Mac user.

Today alone I have received 4 copies of an email with the subject line “2 Populaar Myths About Female Orgasms –  How to Become an Irresistible Lover” containing an attachment named “Preview.app Document”.

I haven’t had a chance to analyse the .app yet, but I think it’s safe to assume that it’s malware of some sort.

The good news is that OS X is still built well.  If I double click it thinking it’s a document it’s going to tell me “Hey stupid!  This is an app that was downloaded from the Internet.  Are you sure you want to run it?”.  Maybe not in those exact words.  At that point if I say – “I thought I was opening a document, but sure, let’s run this app-like-document” – then I deserve to be infected.

For all the detail oriented folks here are the headers (bold are items changed to protect my info):

Return-path: <efflrescent@aperfectmix.com>
Envelope-to: MY_ADDRESS
Delivery-date: Fri, 01 May 2009 09:39:27 -0400
Received: from [87.18.181.177] (helo=ksecb.telecomitalia.it)
by myserver.mydomain.com with smtp (MyMail Dameon)
(envelope-from <efflrescent@aperfectmix.com>)
id 1LzsxZ-0000Ib-JG
for MY_ADDRESS; Fri, 01 May 2009 09:39:27 -0400
Message-ID: <49FAF79E.9745295@aperfectmix.com>
Date: Fri, 01 May 2009 13:39:25 -0100
From: Chesner <efflrescent@aperfectmix.com>
MIME-Version: 1.0
To: MY_ADDRESS
Subject: 2 Populaar Myths About Female Orgasms –  How to Become an Irresistible Lover
Content-Type: multipart/mixed;
boundary=”————32D524EA4E2E67F07C94899F”
X-Spam-Status: No, score=3.8
X-Spam-Score: 38
X-Spam-Bar: +++
X-Spam-Flag: NO

The body contains no data.