DVRIP Port 34567

DVRIP Port 34567 - Uptick
We are seeing a recent uptick in port 34567 for recent weeks. [1] I was curious, so I poked around to learn a few things. At this point, it appears it could be a century of some kind.. Admittedly, I do not know much about this port. After a little digging, I see a possible affinity to Fbot and Mirai or its variants. We have a Diary from Dr. J. on Mirai [2]. After some reading, I can not definitively tie this to Mirai or Fbot or something else just yet. However, in early 2019 there was a well publicized uptick in Fbot activity. [3] I went looking for data on ports that coincided with the early 2019 events from Fbot. I did find some correlation, but nothing purely consistent. By that I mean, all ports with ties to Fbot did not see a recent correlating spike. Some well known ports that showed activity back then for Fbot are TCP: port 80,port 81,port 88, port 8000 and port 8080. Some of these have correlating spikes of late. See some pics below. [1] [4] [5] Looking at these three graphs only, one could infer there were less infected hosts in early 2019. The recent uptick shows a more equal distribution of sources and targets. This can mean there are more infected hosts and possibly a new campaign has begun. I invite you all to comment and share what you may know of this observation. -Kevin -- ISC Handler on Duty [1] https://isc.sans.edu/port.html?port=34567 [2] https://isc.sans.edu/diary/22786 - JUllrich Diary on Mirai 09-05-2017 [3] https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/ [4] https://isc.sans.edu/port.html?port=8000 [5] https://isc.sans.edu/port.html?port=88	Kevin Shortt 85 Posts ISC Handler
Subscribe	Jul 26th 2019 7 months ago
So I just looked this up on Shodan (port:34567) and port 34567 seems to correspond with nginx but mainly DHT: https://en.wikipedia.org/wiki/Distributed_hash_table Shodan shows results from five countries and five organizations: Russian Federation (7), Greece (7), Hong Kong (3), Canada (3), and the US (2) Orgs = OTEnet S.A. (5), Ziggo (2), Vodafone DSL (1), Vetta Online (1) and UPC Magyarorszag (1) Also interesting is top products listed as Ubiquiti Networks Device (3)	rand0m 8 Posts
Quote	Jul 26th 2019 7 months ago
Hi , just for curiosity !! may i know which tools you are using to see the port activity? is it snort or some other specialize customize tools ?	arun 2 Posts
Quote	Jul 29th 2019 6 months ago

We are seeing a recent uptick in port 34567 for recent weeks. [1] I was curious, so I poked around to learn a few things. At this point, it appears it could be a century of some kind..

Admittedly, I do not know much about this port. After a little digging, I see a possible affinity to Fbot and Mirai or its variants. We have a Diary from Dr. J. on Mirai [2]. After some reading, I can not definitively tie this to Mirai or Fbot or something else just yet. However, in early 2019 there was a well publicized uptick in Fbot activity. [3] I went looking for data on ports that coincided with the early 2019 events from Fbot. I did find some correlation, but nothing purely consistent. By that I mean, all ports with ties to Fbot did not see a recent correlating spike. Some well known ports that showed activity back then for Fbot are TCP: port 80,port 81,port 88, port 8000 and port 8080. Some of these have correlating spikes of late. See some pics below.

[1]

[4]

[5]

Looking at these three graphs only, one could infer there were less infected hosts in early 2019. The recent uptick shows a more equal distribution of sources and targets. This can mean there are more infected hosts and possibly a new campaign has begun.

I invite you all to comment and share what you may know of this observation.

-Kevin

--
ISC Handler on Duty

[1] https://isc.sans.edu/port.html?port=34567
[2] https://isc.sans.edu/diary/22786 - JUllrich Diary on Mirai 09-05-2017
[3] https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/
[4] https://isc.sans.edu/port.html?port=8000
[5] https://isc.sans.edu/port.html?port=88

Kevin Shortt

85 Posts
ISC Handler

So I just looked this up on Shodan (port:34567) and port 34567 seems to correspond with nginx but mainly DHT: https://en.wikipedia.org/wiki/Distributed_hash_table Shodan shows results from five countries and five organizations: Russian Federation (7), Greece (7), Hong Kong (3), Canada (3), and the US (2) Orgs = OTEnet S.A. (5), Ziggo (2), Vodafone DSL (1), Vetta Online (1) and UPC Magyarorszag (1) Also interesting is top products listed as Ubiquiti Networks Device (3)

rand0m

8 Posts

Hi ,
just for curiosity !! may i know which tools you are using to see the port activity? is it snort or some other specialize customize tools ?

arun

2 Posts