Link Logger for Windows

TCP Port 5554

Common Use

Used as the FTP server port by older versions of the Sasser worm. Sasser was a worm that exploited a buffer overflow in the Windows LSA service. The worm attacked TCP port 445 with the exploit and, if successful, opened a remote command shell on TCP port 9996 and an FTP service on TCP port 5554. That FTP service, however, is itself exploitable, and the Dabber worm attempts to exploit this vulnerability.

Inbound Traffic

Likely Dabber or similar worms scanning for an exploitable Sasser ftp service.

Outbound Traffic

Outbound scans, especially if they occur in volume, should be considered an indication of a possible infection or compromise on the source computer and should be investigated immediately.

Additional Information

Analysis of Dabber by LURHQ

eEye Analysis of the Sasser Worm

 

We have seen a couple of different scans for Sasser FTP servers. The first is a login attempt.

 

TCP Connection Request
---- 21/07/2004 15:57:55.041

221.170.132.134 : 1113 TCP Connected ID = 2
---- 21/07/2004 15:57:55.051
Status Code: 0 OK
---- Data Sent
0000 32 32 30 20 4F 4B 10 220 OK.

221.170.132.134 : 1113 TCP Data In Length 1 bytes
MD5 = F623E75AF30E62BBD73D6DF5B50BB7B5
---- 21/07/2004 15:57:55.622
0000 44 D
 

Interesting response: a single byte, 'D'.



TCP Error
---- 21/07/2004 15:57:55.642
Error Code: 10054 Winsock error in recv()

TCP Error
---- 21/07/2004 15:57:55.652
Error Code: 10054 Winsock error in recv()

221.170.132.134 : 1113 TCP Disconnected ID = 2
---- 21/07/2004 15:57:55.662
Status Code: 10053 [10053] Software caused connection abort

 

Half-open scan, so our reply raises an error because the connection has already been broken.



TCP Connection Request
---- 21/07/2004 15:57:55.952

221.170.132.134 : 1568 TCP Connected ID = 2
---- 21/07/2004 15:57:55.962
Status Code: 0 OK
---- Data Sent
0000 32 32 30 20 4F 4B 10 220 OK.

221.170.132.134 : 1568 TCP Data In Length 7 bytes
MD5 = E5502DDB7CE4A7FF2176E6455732601C
---- 21/07/2004 15:57:55.972
0000 55 53 45 52 20 78 0A USER x.


221.170.132.134 : 1568 TCP Data In Length 7 bytes
MD5 = 2AA3C75518403DDD1D0410E3AEFB11DC
---- 21/07/2004 15:57:56.242
0000 50 41 53 53 20 78 0A PASS x.

Login attempt to the FTP server.

The second kind of scan we have seen attempts a buffer overflow on the FTP server.

TCP Connection Request
---- 21/07/2004 19:37:08.595

68.144.229.149 : 4667 TCP Connected ID = 5
---- 21/07/2004 19:37:08.605
Status Code: 0 OK
---- Data Sent
0000 32 32 30 20 4F 4B 10 220 OK.

68.144.229.149 : 4667 TCP Data In Length 7 bytes
MD5 = E5502DDB7CE4A7FF2176E6455732601C
---- 21/07/2004 19:37:09.396
0000 55 53 45 52 20 78 0A USER x.


68.144.229.149 : 4667 TCP Data In Length 1460 bytes
MD5 = 58D864188AEFA3FFF5F8FF8A010C2FB4
---- 21/07/2004 19:37:09.416
0000 50 41 53 53 20 78 0A 50 4F 52 54 20 90 90 90 90 PASS x.PORT ....
0010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0020 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0030 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0050 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0070 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0080 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0110 90 90 90 90 90 90 90 EB 06 90 90 23 EB BE 77 E9 ...........#..w.
0120 13 FC FF FF 90 90 90 90 90 90 90 90 90 90 90 90 ................
0130 90 90 90 EB 0F 8B 34 24 33 C9 80 C1 DD 80 36 DE ......4$3.....6.
0140 46 E2 FA C3 E8 EC FF FF FF BA B9 51 D8 DE DE 60 F..........Q...`
0150 12 CE 60 A9 B6 ED EC DE DE B6 A9 AD EC 81 8A 21 ..`............!
0160 CB 0E CE 60 A9 49 47 8C 8C 8C 8C 9C 8C 9C 8C 36 ...`.IG........6
0170 D5 DE DE DE 89 8D 9F 8D B1 BD B5 BB AA 9F DE 89 ................
0180 21 C8 21 0E 4D B4 DE B6 DC DE CA 6A 55 1A B4 CE !.!.M......jU...
0190 8E 8D 36 DB DE DE DE BC B7 B0 BA DE 89 21 C8 21 ..6..........!.!
01A0 0E B4 DF 8D 36 D9 DE DE DE B2 B7 AD AA BB B0 DE ....6...........
01B0 89 21 C8 21 0E B4 DE 8A 8D 36 D9 DE DE DE BF BD .!.!.....6......
01C0 BD BB AE AA DE 89 21 C8 21 0E 55 06 ED 1E B4 CE ......!.!.U.....
01D0 87 55 22 89 DD 27 89 2D 75 55 E2 FA 8E 8E 8E B4 .U"..'.-uU......
01E0 DF 8E 8E 36 DA DE DE DE BD B3 BA DE 8E 36 D1 DE ...6.........6..
01F0 DE DE 9D AC BB BF AA BB 8E AC B1 BD BB AD AD 9F ................
0200 DE 18 D9 9A 19 99 F2 DF DF DE DE 5D 19 E6 4D 75 ...........]..Mu
0210 75 75 BA B9 7F EE DE 55 9E D2 55 9E C2 55 DE 21 uu....U..U..U.!
0220 AE D6 21 C8 21 0E 90 90 90 90 90 90 90 90 90 90 ..!.!...........
0230 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0240 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0250 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0260 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0270 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0280 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0290 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
02A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
02B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
02C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
02D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
02E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
02F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0300 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0310 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0320 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0330 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0340 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0350 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0360 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0370 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0380 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0390 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
03A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
03B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
03C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
03D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
03E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
03F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0400 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0410 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0420 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0430 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0440 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0450 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0460 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0470 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0480 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0490 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
04A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
04B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
04C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
04D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
04E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
04F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0500 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0510 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0520 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0530 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0540 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0550 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0560 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0570 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0580 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0590 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
05A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
05B0 90 90 90 90                                     ....


68.144.229.149 : 4667 TCP Data In Length 548 bytes
MD5 = 4A5017B98BA654C8B8AC6A0E4BC43343
---- 21/07/2004 19:37:09.466
0000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0020 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0030 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0050 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0070 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0080 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0110 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0130 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0140 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0150 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0160 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0170 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0180 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0190 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
01A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
01B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
01C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
01D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
01E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
01F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0200 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0210 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0220 90 90 90 0A                                     ....
 

NOTE: this was part of a much larger scan and is likely the result of a newer version of the AGOBOT worm.

Jul 21, 2004 19:34:01.902 - (TCP) 68.144.229.149 : 4651 >>> 68.144.239.109 : 1025
Jul 21, 2004 19:34:01.942 - (TCP) 68.144.229.149 : 4650 >>> 68.144.239.109 : 135
Jul 21, 2004 19:34:01.962 - (TCP) 68.144.229.149 : 4652 >>> 68.144.239.109 : 445
Jul 21, 2004 19:34:01.992 - (TCP) 68.144.229.149 : 4653 >>> 68.144.239.109 : 6129
Jul 21, 2004 19:34:02.012 - (TCP) 68.144.229.149 : 4654 >>> 68.144.239.109 : 139
Jul 21, 2004 19:34:02.032 - (TCP) 68.144.229.149 : 4664 >>> 68.144.239.109 : 3410
Jul 21, 2004 19:34:02.082 - (TCP) 68.144.229.149 : 4667 >>> 192.168.1.35 : 5554  <<-- capture above
Jul 21, 2004 19:34:02.113 - (TCP) 68.144.229.149 : 4668 >>> 68.144.239.109 : 1433
Jul 21, 2004 19:34:02.133 - (TCP) 68.144.229.149 : 4669 >>> 68.144.239.109 : 5000
Jul 21, 2004 19:34:02.163 - (TCP) 68.144.229.149 : 4670 >>> 68.144.239.109 : 80
Jul 21, 2004 19:34:04.876 - (TCP) 68.144.229.149 : 4654 >>> 68.144.239.109 : 139
Jul 21, 2004 19:34:04.897 - (TCP) 68.144.229.149 : 4652 >>> 68.144.239.109 : 445
Jul 21, 2004 19:34:04.927 - (TCP) 68.144.229.149 : 4664 >>> 68.144.239.109 : 3410
Jul 21, 2004 19:34:04.947 - (TCP) 68.144.229.149 : 4651 >>> 68.144.239.109 : 1025
Jul 21, 2004 19:34:04.967 - (TCP) 68.144.229.149 : 4653 >>> 68.144.239.109 : 6129
Jul 21, 2004 19:34:04.997 - (TCP) 68.144.229.149 : 4650 >>> 68.144.239.109 : 135
Jul 21, 2004 19:34:05.087 - (TCP) 68.144.229.149 : 4670 >>> 68.144.239.109 : 80
Jul 21, 2004 19:34:05.107 - (TCP) 68.144.229.149 : 4668 >>> 68.144.239.109 : 1433
Jul 21, 2004 19:34:05.137 - (TCP) 68.144.229.149 : 4669 >>> 68.144.239.109 : 5000
Jul 21, 2004 19:34:10.905 - (TCP) 68.144.229.149 : 4654 >>> 68.144.239.109 : 139
Jul 21, 2004 19:34:10.925 - (TCP) 68.144.229.149 : 4652 >>> 68.144.239.109 : 445
Jul 21, 2004 19:34:10.955 - (TCP) 68.144.229.149 : 4664 >>> 68.144.239.109 : 3410
Jul 21, 2004 19:34:10.975 - (TCP) 68.144.229.149 : 4651 >>> 68.144.239.109 : 1025
Jul 21, 2004 19:34:10.995 - (TCP) 68.144.229.149 : 4653 >>> 68.144.239.109 : 6129
Jul 21, 2004 19:34:11.025 - (TCP) 68.144.229.149 : 4650 >>> 68.144.239.109 : 135
Jul 21, 2004 19:34:11.166 - (TCP) 68.144.229.149 : 4670 >>> 68.144.239.109 : 80
Jul 21, 2004 19:34:11.196 - (TCP) 68.144.229.149 : 4668 >>> 68.144.239.109 : 1433
Jul 21, 2004 19:34:11.216 - (TCP) 68.144.229.149 : 4669 >>> 68.144.239.109 : 5000
Jul 21, 2004 19:34:13.239 - (TCP) 68.144.229.149 : 1994 >>> 68.144.239.109 : 5300
Jul 21, 2004 19:34:16.293 - (TCP) 68.144.229.149 : 1994 >>> 68.144.239.109 : 5300
Jul 21, 2004 19:34:22.572 - (TCP) 68.144.229.149 : 1994 >>> 68.144.239.109 : 5300
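As an added example (not Link Logger's own code), the following Python rebuilds the client bytes of each "TCP Data In" record from hex-dump rows in the format shown above and labels a port 5554 session as the half-open scan, the "USER x / PASS x" login attempt, or the PORT overflow attempt seen in these captures. The sample log is constructed, the overflow record is shortened to three rows, and 192.0.2.10 is a documentation address.

```python
import re

# Added example, not Link Logger code: rebuild the client bytes of each "TCP Data In"
# record from Link Logger's hex-dump rows, then label the TCP 5554 session.
HDR = re.compile(r"TCP Data In Length (\d+) bytes")
DUMP = re.compile(r"^[0-9A-F]{4} ")                # row: offset, hex bytes, ASCII column
PORT_ARG = re.compile(rb"^\d{1,3}(,\d{1,3}){5}$")   # RFC 959 PORT h1,h2,h3,h4,p1,p2

def parse_data_in(log):
    """Return the payload bytes of every 'TCP Data In' record, in log order."""
    records, remaining, buf = [], 0, bytearray()
    for line in log.splitlines():
        m = HDR.search(line)
        if m:
            remaining, buf = int(m.group(1)), bytearray()
        elif remaining and DUMP.match(line):
            n = min(16, remaining)                 # 16 bytes per row, last row is short
            buf += bytes.fromhex("".join(line.split()[1:1 + n]))  # skips the ASCII column
            remaining -= n
            if remaining == 0:
                records.append(bytes(buf))
    return records

def classify(payloads):
    """Label one port 5554 session from everything the client sent (segments joined)."""
    data = b"".join(payloads)      # a 1460-byte segment plus its continuation is one stream
    if not data:
        return "half-open-scan"
    if re.search(rb"\x90{16,}", data):
        return "overflow-attempt"  # a NOP sled never belongs in an FTP command
    for cmd in data.split(b"\n"):
        verb, _, arg = cmd.rstrip(b"\r").partition(b" ")
        if verb == b"PORT" and not PORT_ARG.match(arg):
            return "overflow-attempt"  # malformed PORT argument, the vector Dabber uses
    if data.startswith(b"USER ") and b"\nPASS " in data:
        return "login-attempt"
    return "probe"

# Constructed sample in Link Logger's row format (not the page's capture; 192.0.2.10 is a
# documentation address and the overflow record is cut down to three rows).
SAMPLE_LOG = """\
192.0.2.10 : 1568 TCP Data In Length 7 bytes
0000 55 53 45 52 20 78 0A USER x.
192.0.2.10 : 1568 TCP Data In Length 7 bytes
0000 50 41 53 53 20 78 0A PASS x.
192.0.2.10 : 4667 TCP Data In Length 44 bytes
0000 50 41 53 53 20 78 0A 50 4F 52 54 20 90 90 90 90 PASS x.PORT ....
0010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0020 90 90 90 90 90 90 90 90 90 90 90 90             ............
"""
```

`classify(parse_data_in(SAMPLE_LOG)[:2])` labels the login session and `classify(parse_data_in(SAMPLE_LOG)[2:])` the overflow record; feed `classify` an empty list for a connection that was reset before sending anything.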
 

TCP Port 5554 Traffic History from Link Logger

Sasser was released on May 1st and Dabber shortly after, but recently the frequency of scans to TCP port 5554 has increased.

 

Page last updated on July 22, 2004