Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC Port Details:



Port Information

Protocol | Service | Name
tcp | AnalogX | AnalogX Proxy Server

User Comment

Submitted By Date
Comment
2009-10-04 18:45:22
I got some firewall logs that associate port 6588 with other ports used by the SubSeven trojan ...

[18/Feb/2003 01:16:55] Packet filter: ACL 2:13 cable: deny packet in id=29711 : TCP 81.49.250.171:15888 -> 81.67.23.28:1080
[18/Feb/2003 01:16:55] Packet filter: ACL 2:13 cable: deny packet in id=29713 : TCP 81.49.250.171:15889 -> 81.67.23.28:6588
[18/Feb/2003 01:16:55] Packet filter: ACL 2:13 cable: deny packet in id=29714 : TCP 81.49.250.171:15890 -> 81.67.23.28:27374
[18/Feb/2003 01:16:56] Packet filter: ACL 2:13 cable: deny packet in id=29715 : TCP 81.49.250.171:15890 -> 81.67.23.28:27374
[18/Feb/2003 01:16:56] Packet filter: ACL 2:13 cable: deny packet in id=29717 : TCP 81.49.250.171:15889 -> 81.67.23.28:6588
[18/Feb/2003 01:16:56] Packet filter: ACL 2:13 cable: deny packet in id=29718 : TCP 81.49.250.171:15888 -> 81.67.23.28:1080
[18/Feb/2003 01:16:56] Packet filter: ACL 2:13 cable: deny packet in id=29719 : TCP 81.49.250.171:15890 -> 81.67.23.28:27374

And I also saw a server infected by SubSeven, using 1080 and 6588 with a modified version of proxy AnalogX; the exe was prx.exe, and there was also a light remote admin tool called "DameWare Mini Remote Control" using port 6129, which is not detected as a virus because of its status as official administration software, but seems to be installable through some "holes" in a Win2k server with IIS 5 ...
Jack McCarthy 2004-09-24 00:23:00
Buffer Overflow In Analogx Proxy 4.13
Bugtraq ID 7681
http://www.securityfocus.com/archive/1/322861
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0082.html

Buffer Overflow In Analogx Proxy 4.13
Vendor: Analogx
Versions affected: Proxy 4.13
Date: 26th May 2003
Type of Vulnerability: Remotely Exploitable Buffer Overflow
Severity: High
By: Network Intelligence India www.nii.co.in

More links:
http://xforce.iss.net/xforce/xfdb/12068
http://www.securitytracker.com/alerts/2002/Jul/1004675.html
http://www.osvdb.org/displayvuln.php?osvdb_id=3667&print
http://www.nii.co.in/vuln/analogx.html
A K Bressen 2004-02-24 17:23:59
There is something out there that tries ports 1075, 3128, 4588, 6588, and 8080 and uses a TCP sequence number of 666666. I've found this signature in my logs a few times during Fall 2003 and Winter 2004, and someone else mentioned it at http://seclists.org/lists/security-basics/2003/Jun/0877.html but a quick web search showed no positive ID. I've seen other attempted connects to this port that do not match the above description; i.e., they have more typical sequence numbers, and do not attempt the other ports mentioned from the same source machine.
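
Added example, not part of any comment on this page: a short Python check that parses deny records in the firewall log format quoted in the first comment and reports source/destination pairs denied on several of the ports named in the comments within a short window. The port list, the 10-second window and the three-port threshold are assumptions; this log format does not record the TCP sequence number, so the 666666 value is not checked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the comments on this page: the proxy sweep (1075, 3128, 4588,
# 6588, 8080) plus 1080 and 27374 from the firewall log excerpt.
WATCHED_PORTS = {1075, 1080, 3128, 4588, 6588, 8080, 27374}

# Matches the "Packet filter ... deny packet in" line format quoted in the first comment.
LINE_RE = re.compile(
    r"\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] Packet filter: .*?"
    r"deny packet in id=\d+ : TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

SAMPLE = [
    # Three lines copied from the first comment on this page.
    "[18/Feb/2003 01:16:55] Packet filter: ACL 2:13 cable: deny packet in id=29711 : TCP 81.49.250.171:15888 -> 81.67.23.28:1080",
    "[18/Feb/2003 01:16:55] Packet filter: ACL 2:13 cable: deny packet in id=29713 : TCP 81.49.250.171:15889 -> 81.67.23.28:6588",
    "[18/Feb/2003 01:16:55] Packet filter: ACL 2:13 cable: deny packet in id=29714 : TCP 81.49.250.171:15890 -> 81.67.23.28:27374",
    # Constructed line (documentation addresses): a lone hit that must not alert.
    "[18/Feb/2003 01:20:00] Packet filter: ACL 2:13 cable: deny packet in id=30001 : TCP 192.0.2.10:40000 -> 198.51.100.5:6588",
]

def parse(line):
    """Return (timestamp, src, dst, dport), or None if the line is not a TCP deny record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])

def find_sweeps(lines, min_ports=3, window=timedelta(seconds=10)):
    """Map (src, dst) -> sorted ports for pairs denied on >= min_ports watched ports within window."""
    events = defaultdict(list)
    for ts, src, dst, dport in filter(None, map(parse, lines)):
        if dport in WATCHED_PORTS:
            events[(src, dst)].append((ts, dport))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window start forward
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[key] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    for (src, dst), ports in find_sweeps(SAMPLE).items():
        print(f"{src} -> {dst}: denied on watched ports {ports}")
```
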
2003-02-25 18:59:30
CAN-2000-0656
AnalogX Proxy is a simple proxy server that allows a user to connect a network of computers to the internet through the proxy gateway. Many of the services provided contain buffer overrun vulnerabilities that can allow an attacker to crash the proxy server remotely. The FTP, SMTP, POP3 and SOCKS services are vulnerable to a denial of service attack by sending especially long arguments to certain commands.