Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: DVRIP Port 34567 - Uptick - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DVRIP Port 34567 - Uptick

We are seeing a recent uptick in port 34567 for recent weeks. [1]   I was curious, so I poked around to learn a few things.  At this point, it appears it could be a century of some kind..  

Admittedly, I do not know much about this port.  After a little digging, I see a possible affinity to Fbot and Mirai or its variants.  We have a Diary from Dr. J. on Mirai  [2].   After some reading, I can not definitively tie this to Mirai or Fbot or something else just yet.  However, in early 2019 there was a well publicized uptick in Fbot activity. [3]    I went looking for data on ports that coincided with the early 2019 events from Fbot.   I did find some correlation, but nothing purely consistent.  By that I mean, all ports with ties to Fbot did not see a recent correlating spike.  Some well known ports that showed activity back then for Fbot are TCP: port 80,port 81,port 88, port 8000 and port 8080.  Some of these have correlating spikes of late.   See some pics below.




Looking at these three graphs only, one could infer there were less infected hosts in early 2019.   The recent uptick shows a more equal distribution of sources and targets.  This can mean there are more infected hosts and possibly a new campaign has begun.

I invite you all to comment and share what you may know of this observation.


ISC Handler on Duty

[2]  - JUllrich Diary on Mirai 09-05-2017

Kevin Shortt

85 Posts
ISC Handler
Jul 26th 2019
So I just looked this up on Shodan (port:34567) and port 34567 seems to correspond with nginx but mainly DHT: Shodan shows results from five countries and five organizations: Russian Federation (7), Greece (7), Hong Kong (3), Canada (3), and the US (2) Orgs = OTEnet S.A. (5), Ziggo (2), Vodafone DSL (1), Vetta Online (1) and UPC Magyarorszag (1) Also interesting is top products listed as Ubiquiti Networks Device (3)

8 Posts
Hi ,
just for curiosity !! may i know which tools you are using to see the port activity? is it snort or some other specialize customize tools ?

2 Posts

Sign Up for Free or Log In to start participating in the conversation!