What is going on with Port 83?
When I'm on shift, I really like to look at the port trends and see what the changes are. Looking at shifts in the network traffic is a great way to provide early warning that something new is out there. So today, port 83 caught my eye because it's just not a common port you run into. The climb in traffic has been subtle, but there were a couple of steep upticks along the way with the latest being in the last 24 hours.
First step, what normally lives as a service on this port? Well, IANA has the following:
However, I can't find any documentation about this. This step can sometimes be one of the most frustrating. It's not the research part, but finding GOOD documentation that lays out the service or protocol that normally listens on a port. It's finding sample traffic, logs, etc. that can help you understand what you are seeing. That, however, is a completely different topic, but might be a fun rabbit hole to go down later.
Now, the fun part: getting packets to see if we can figure out what is going on here. Normally that helps, but today, not so much. It has actually made things a little more confusing, only because there are a lot of disparate items (so it seems) in the traffic, some of them very curious. Johannes got a sample of traffic off our honeypot by setting up a netcat listener. Here are a few of the interesting tidbits from the packets, but I haven't figured out how to put it all together or if any of it even fits together.
- There was a successful three-way handshake, then one packet with the PSH and ACK flags set and that was followed by a graceful teardown. Here is what data was pushed:
- Now for some interesting UDP traffic (HTTP/UDP):
- Here is another one over UDP which looks like a regular UPNP search:
- UDP with just one recognizable word:
- These two UDP packets seem related to TeamSpeak:
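One way to triage a mixed bag of payloads like this is to label each one by its leading bytes and count the labels. The sketch below is an added example, not code from the diary or the honeypot; the function names are hypothetical, every sample payload is constructed, and the `TS3INIT1` prefix used to spot TeamSpeak 3 client handshakes is an assumption about that protocol rather than something taken from the captured packets.

```python
import re
from collections import Counter

# Request line of any HTTP-style message (HTTPU/SSDP reuse HTTP syntax over UDP).
HTTP_LINE = re.compile(rb"^([A-Z-]{3,12}) (\S+) HTTP/1\.[01]\r?\n")


def classify(proto: str, payload: bytes) -> str:
    """Return a coarse label for one payload received by the listener."""
    if not payload:
        return "empty"
    m = HTTP_LINE.match(payload)
    if m:
        method = m.group(1).decode()
        if proto == "udp" and method == "M-SEARCH":
            return "ssdp-search"  # UPnP discovery request
        return f"http-over-{proto}:{method}"
    # Assumption: TeamSpeak 3 clients open with the literal tag TS3INIT1.
    if proto == "udp" and payload.startswith(b"TS3INIT1"):
        return "teamspeak3-init"
    # Anything else: split on whether it is mostly printable text.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return "text-unknown" if printable / len(payload) > 0.9 else "binary-unknown"


def summarize(records):
    """Count labels over an iterable of (proto, payload) pairs."""
    return Counter(classify(proto, data) for proto, data in records)


# Constructed sample payloads, not the packets from the honeypot.
SAMPLES = [
    ("udp", b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
            b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n'),
    ("udp", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("tcp", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("udp", b"TS3INIT1" + bytes(10)),
    ("udp", b"hello\n"),
    ("udp", bytes([0, 1, 2, 255, 254, 7, 8, 128])),
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLES).most_common():
        print(f"{count:3d}  {label}")
```

A large share of `text-unknown` or `binary-unknown` labels is the cue to pull those payloads for manual review.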
Who knew there was so much action on a port that I really hadn't looked at till today. If you have any packet captures for this or any ideas how this fits together or if it's just random, please let us know!!