Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: DVRIP Port 34567 - Uptick - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DVRIP Port 34567 - Uptick

We are seeing a recent uptick in port 34567 for recent weeks. [1]   I was curious, so I poked around to learn a few things.  At this point, it appears it could be a century of some kind..  

Admittedly, I do not know much about this port.  After a little digging, I see a possible affinity to Fbot and Mirai or its variants.  We have a Diary from Dr. J. on Mirai  [2].   After some reading, I can not definitively tie this to Mirai or Fbot or something else just yet.  However, in early 2019 there was a well publicized uptick in Fbot activity. [3]    I went looking for data on ports that coincided with the early 2019 events from Fbot.   I did find some correlation, but nothing purely consistent.  By that I mean, all ports with ties to Fbot did not see a recent correlating spike.  Some well known ports that showed activity back then for Fbot are TCP: port 80,port 81,port 88, port 8000 and port 8080.  Some of these have correlating spikes of late.   See some pics below.

[1]

[4]

[5]

Looking at these three graphs only, one could infer there were less infected hosts in early 2019.   The recent uptick shows a more equal distribution of sources and targets.  This can mean there are more infected hosts and possibly a new campaign has begun.

I invite you all to comment and share what you may know of this observation.

-Kevin

--
ISC Handler on Duty


[1] https://isc.sans.edu/port.html?port=34567
[2] https://isc.sans.edu/diary/22786  - JUllrich Diary on Mirai 09-05-2017
[3] https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/
[4] https://isc.sans.edu/port.html?port=8000
[5] https://isc.sans.edu/port.html?port=88

 Kevin Shortt

85 Posts
ISC Handler
Jul 26th 2019
Thread locked Subscribe Jul 26th 2019
2 years ago
So I just looked this up on Shodan (port:34567) and port 34567 seems to correspond with nginx but mainly DHT: https://en.wikipedia.org/wiki/Distributed_hash_table Shodan shows results from five countries and five organizations: Russian Federation (7), Greece (7), Hong Kong (3), Canada (3), and the US (2) Orgs = OTEnet S.A. (5), Ziggo (2), Vodafone DSL (1), Vetta Online (1) and UPC Magyarorszag (1) Also interesting is top products listed as Ubiquiti Networks Device (3)
 rand0m

8 Posts
Quote Jul 26th 2019
2 years ago
Hi ,
just for curiosity !! may i know which tools you are using to see the port activity? is it snort or some other specialize customize tools ?
 arun

2 Posts
Quote Jul 29th 2019
2 years ago

Sign Up for Free or Log In to start participating in the conversation!