
SANS ISC: Got packets? Interested in TCP/8909, TCP/6666, TCP/9415, TCP/27977 and UDP/7 - Internet Security | DShield SANS ISC InfoSec Forums


Got packets? Interested in TCP/8909, TCP/6666, TCP/9415, TCP/27977 and UDP/7

We have noticed an increase in scanning activity to ports TCP/8909, TCP/6666, TCP/9415, TCP/27977 and UDP/7 and would love some packets if you have them. 

  • TCP/8909 - No idea what it is; a new one for me. A new one and starting to trend.
  • TCP/6666 - This is probably going to be IRC, but it would be nice to confirm and see what is being scanned for.
  • TCP/9415 - This used to be associated with open proxies, but again it would be good to get some packets to check.
  • TCP/27977 - My first thought was gaming port, but that is just a guess.
  • UDP/7 - echo, a blast from the past. Maybe they are looking for misconfigured or old routers and *nix boxes.

If you have any packets to the above, please submit them through the contact form or email them to handlers -at- sans.edu or directly to me at markh.isc -at- gmail.com.

Thanks in advance.

 

Mark H

Mark

391 Posts
ISC Handler
27977 is Tidserv
James

34 Posts
It looks like a proxy software that is trying to connect to his server through these ports... and the data transmission from one system to another is made possible by the Datagram Protocol used through port 7.
James
8 Posts
We've been seeing thousands of attempted inbound connections to TCP 27977 for over a month from IP addresses around the world. That does not sound like the behavior of a backdoor. It might listen on 27977 but I would not expect it to be scanning other computers looking for that listening port. 27977 seems to be used by KeePass and I was wondering if people are looking for some kind of vulnerability in it.
Anonymous
We have been hit on 27977 for months, all from source port 12200. Ports 6666, 8909, 9415 almost all come from source port 6000. Other ports hit include 6667, 8089, 1080, 2967, 3306, 3389 and especially 1433 (from source port 6000). Addresses are from all over the place.
Phoenix

1 Posts
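
The source-port pattern reported in the comments above (27977 from source port 12200; 6666, 8909 and 9415 from source port 6000) can be checked against your own firewall logs. The following is an added example, not part of the original thread; it assumes netfilter-style `KEY=value` log lines, and the sample lines, function names and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Ports named in the diary, as (protocol, destination port).
WATCH = {("TCP", 8909), ("TCP", 6666), ("TCP", 9415), ("TCP", 27977), ("UDP", 7)}
# KEY=value fields of a netfilter LOG line (the log format is an assumption).
FIELD = re.compile(r"\b(SRC|PROTO|SPT|DPT)=(\S+)")

# Constructed sample lines (abbreviated; documentation address ranges only).
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=12200 DPT=27977
Jan 10 03:12:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=12200 DPT=27977
Jan 10 03:12:40 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=12200 DPT=27977
Jan 10 03:13:02 fw kernel: IN=eth0 SRC=198.51.100.21 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=6666
Jan 10 03:13:05 fw kernel: IN=eth0 SRC=192.0.2.91 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=6666
Jan 10 03:13:30 fw kernel: IN=eth0 SRC=198.51.100.60 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=6666
Jan 10 03:14:11 fw kernel: IN=eth0 SRC=192.0.2.200 DST=203.0.113.5 PROTO=UDP SPT=40123 DPT=7
Jan 10 03:14:15 fw kernel: IN=eth0 SRC=192.0.2.201 DST=203.0.113.5 PROTO=TCP SPT=51515 DPT=443
Jan 10 03:14:20 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=ICMP TYPE=8
"""

def summarize(log_text, watch=WATCH):
    """Per watched port: hits, distinct sources, top source port and its share."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "PROTO", "SPT", "DPT"} <= f.keys():
            continue  # ICMP or truncated line: no ports to classify
        try:
            key, spt = (f["PROTO"].upper(), int(f["DPT"])), int(f["SPT"])
        except ValueError:
            continue  # malformed port value
        if key in watch:
            hits[key].append((f["SRC"], spt))
    report = {}
    for key, rows in hits.items():
        spt, n = Counter(s for _, s in rows).most_common(1)[0]
        report[key] = {"hits": len(rows), "sources": len({ip for ip, _ in rows}),
                       "top_spt": spt, "top_spt_share": n / len(rows)}
    return report

def fixed_source_port(report, min_hits=3, share=0.8):
    """Watched ports where a single source port dominates the traffic."""
    return sorted(k for k, r in report.items()
                  if r["hits"] >= min_hits and r["top_spt_share"] >= share)

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    print(rep, fixed_source_port(rep), sep="\n")
```

A dominant source port spread across many unrelated source addresses points to a single scanning tool rather than ordinary client traffic, which normally uses varied ephemeral ports.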
