We always say how network security is changing every day. Take a long lunch, and you may miss a critical exploit. But sometimes, time appears to stand still. We just passed 1.6 Billion seconds in the Unix Epoch. Back when the Unix timestamp still had 9 digits, in the late 90s also known as "pre Y2K", one of the servers you may have used for backups was Amanda (Advanced Maryland Automatic Network Disk Archiver). Still active and alive today, back then Amanda V 2.3 was current.
Amanda typically listens on port port 10080, and while port 10080 is scanned, we see not a lot of scans for that port. Shodan also comes up with "not much" for port 10080.
So I was a bit surprised to see these strings in a recent Mirai type bot I captured:
This particular string is used by Nessus since July 14th 2000 (maybe longer). The version "2.3" is a bit misleading here. This is a request that is typically sent to the Amanda client (not server). Nessus uses this request to detect the client's version. So this may as well look for more recent Amanda client versions.
So is it looking for a 20-year-old version? Possibly not. Why is it looking for backup clients? There are many possibilities:
I am still trying to trigger the Amanda scan behavior. So far, I had no luck with it and all the bot did so far is scan for port 23 (this is why I call it "Mirai"). It also connects to a C2 server at 188.8.131.52. This IP address is hardcoded and no DNS lookup is performed.
Intrusion Detection In-Depth - SANS San Diego Fall 2020
Sep 16th 2020
Sep 16th 2020
1 month ago