Port 20000/TCP Activity

Published: 2007-01-17
Last Updated: 2007-01-19 10:58:23 UTC
by Robert Danford (Version: 3)
0 comment(s)
We've been noticing a fair amount of activity on port 20000/TCP over the last month or so.

A number of people wrote in with information about recent alerts for activity targeting the DNP protocol or systems running DNP services. DNP is used in SCADA systems in the electric and water utilities industry for process control.

DNP scanning activity was first reported in Oct 2006 with alerts in late Nov 2006. Significant scanning has been observed since late Dec 2006 and is ongoing. A reader also contributed details of a recent system infection in which both port 1901/TCP and port 20000/TCP were used. Some reports have suggested a relationship between these DNP scans and scanning activity for port 10000/TCP (NDMP, Webmin).

Without more information on the scanning sources, or full packet captures, it is difficult to pinpoint or categorize the current activity.

Is anyone else seeing this activity, or does anyone have any insight? Packet captures, shellcode, malicious binaries, whatever you have, are always welcome. Submit via the contact page.

Usermin info:
This port has been reported as the default port for Usermin servers, and the National Vulnerability Database (NVD) at NIST does show several Usermin issues in the last year, but nothing obviously related to the current activity.

Published: 9/19/2006, CVSS Severity: 3.3 (Low)
Published: 9/5/2006, CVSS Severity: 7.0 (High)
CVE-2006-3392 (VU#999601), Published: 7/6/2006, CVSS Severity: 2.3 (Low)

Chris just sent in a pcap of an exploit attempt that one of his honeypots received on port 20000/TCP.

POST /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/psa/psa.conf HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Host: <honeypot_ip>:20000
User-Agent: Conf

Maarten, a new handler (welcome), earned his stripes today. He identified
http://www.securityfocus.com/bid/18744/info as a likely template for the code generating the traffic we have been seeing. The base attack seems to be the same: retrieving arbitrary files through the directory traversal. The aim seems to be logon credentials.
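Because port 20000/TCP is shared by DNP3-over-TCP and the default Usermin listener, a scan hit on the port is ambiguous until the payload is examined. The following triage helper is an added example written for this diary, not code from the reporters or from any of the products mentioned. It labels a captured payload as DNP3 (which begins with the 0x05 0x64 start bytes), HTTP, or unknown, and for HTTP requests it decodes the request target once and counts path segments that collapse to ".." once control bytes such as %01 are stripped, which is exactly how the request in Chris's capture slips past a naive ".." filter. The DNP3 frame bytes and the Host value 192.0.2.10 are constructed for the example; the exploit request reproduces the capture shown above.

```python
"""Triage helper for port 20000/TCP payloads (added example, not from the diary)."""
import re
from typing import Dict, Optional
from urllib.parse import unquote_to_bytes

# DNP3 link-layer frames start with the two fixed sync bytes 0x05 0x64.
DNP3_START = b"\x05\x64"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

# Constructed samples. The DNP3 bytes are a link-layer header
# (start, length, control, destination, source) followed by two
# placeholder CRC bytes; only the start bytes matter for classification.
# The exploit request rebuilds the path from the honeypot capture:
# "/unauthenticated/" then fifteen "/..%01" segments then "/etc/psa/psa.conf".
SAMPLES = {
    "dnp3": b"\x05\x64\x05\xc9\x01\x00\x04\x00\x00\x00",
    "benign_http": b"GET / HTTP/1.1\r\nHost: 192.0.2.10:20000\r\n\r\n",
    "exploit": (
        b"POST /unauthenticated/" + b"/..%01" * 15 + b"/etc/psa/psa.conf HTTP/1.1\r\n"
        b"TE: deflate,gzip;q=0.3\r\n"
        b"Keep-Alive: 300\r\n"
        b"Connection: Keep-Alive, TE\r\n"
        b"Host: 192.0.2.10:20000\r\n"
        b"User-Agent: Conf\r\n\r\n"
    ),
}


def classify_payload(payload: bytes) -> str:
    """Label the first bytes seen on the connection."""
    if payload.startswith(DNP3_START):
        return "dnp3"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def request_target(payload: bytes) -> Optional[bytes]:
    """Return the request-target from an HTTP request line, or None."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 3:
        return None
    return parts[1]


def traversal_depth(target: bytes) -> int:
    """Count path segments that are '..' once percent-escapes are decoded
    and control bytes (0x00-0x1f) are removed, so '..%01' counts as '..'."""
    path = unquote_to_bytes(target.split(b"?", 1)[0])
    depth = 0
    for segment in path.split(b"/"):
        cleaned = bytes(c for c in segment if c >= 0x20)
        if cleaned == b"..":
            depth += 1
    return depth


def triage(payload: bytes) -> Dict[str, object]:
    """Classify a port-20000 payload and flag traversal in HTTP requests."""
    kind = classify_payload(payload)
    result: Dict[str, object] = {"kind": kind, "traversal_depth": 0, "suspicious": False}
    if kind == "http":
        target = request_target(payload)
        if target is not None:
            depth = traversal_depth(target)
            result["traversal_depth"] = depth
            result["suspicious"] = depth > 0
    return result


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, triage(payload))
```

Run as a script it prints one triage line per sample; the exploit request is reported as HTTP with a traversal depth of 15, while the DNP3 frame is recognised from its start bytes and never reaches the HTTP checks. The depth count rather than a plain regex match also makes it easy to set an alert threshold in a sensor that already sees legitimate Usermin logins on the port.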

The traffic tapered off on the 15th and 16th, but is currently increasing (see graph).