In yesterday's diary  Jim showed Dshield data pointing to a drastic increase in probes to tcp port 2222.

Today, the data drops back down to 'normal' levels



We did recieve quite a few e-mails listing applications that use tcp 2222 by default including, Allen-Bradley SLC-505 PLCs, Direct Admin, Ethernet connected Allen Bradley Programmable Logic Controllers, and the pubcookie key server among them.

That port is also a known to be used by a couple of trojans.

We've also received a few packets, and based on what we can see, it is a syn packet that may be crafted.  One of the handlers noticed some irregularities in the source port and sequence numbers.

I'll post the packets as soon as I can properly anonymize them to protect the innocent.  ;)

We'll keep an eye on this over the next few days.