SANS ISC InfoSec Forums

More weirdness on TCP port 26

A little over a year ago, I wrote a diary asking what was going on with traffic on TCP port 26. So, last week when I noticed another spike on port 26, I decided to take another look.

Update: In the original version of this diary, I accidentally left out the graph below.

This time around, again based on my honeypot traffic, it looks like a possible new variant of Satori. I'm still not sure why they expect to find telnet on port 26, but this is what I'm seeing in the honeypot.

It looks like it might be slowing down a little since the initial spike in the middle of last week, but this is still more traffic than we've seen on port 26 since the big increase I wrote about last time. If anyone has any more insight into this one, please let us know via our contact page, e-mail, or comment below.
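The spike described above is easy to see on a port graph, but on a single honeypot the same check can be scripted. The following is an added example, not code from the diary or from SANS ISC: it parses constructed iptables-style kernel log lines (not real honeypot data), counts TCP/26 connection attempts and distinct source addresses per day, and flags days well above the median. The log format, the function names `daily_counts` and `flag_spikes`, and the thresholds are assumptions made for illustration.

```python
"""Spot a spike in connection attempts to TCP port 26 in honeypot logs.

Added example, not the diary's own code. Assumes netfilter/iptables-style
syslog lines ("SRC=... PROTO=TCP ... DPT=26 ..."); the sample lines below
are constructed for this example and are not real honeypot traffic.
"""
import re
import statistics
from collections import defaultdict

# Syslog timestamp (no year) followed by the netfilter key=value fields.
LOG_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \d\d:\d\d:\d\d .*?"
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?"
    r"PROTO=(?P<proto>\w+) .*?"
    r"DPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Return (day, src, proto, dpt) for a matching line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["day"], m["src"], m["proto"], int(m["dpt"])


def daily_counts(lines, port=26):
    """Per day: (TCP connection attempts to `port`, distinct source IPs)."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, src, proto, dpt = parsed
        if proto != "TCP" or dpt != port:
            continue
        attempts[day] += 1
        sources[day].add(src)
    return {day: (attempts[day], len(sources[day])) for day in attempts}


def flag_spikes(counts, factor=3.0, min_attempts=10):
    """Days with at least `factor` times the median daily attempts (and at
    least `min_attempts`, so a quiet sensor does not alert on 1 vs 3 hits)."""
    if not counts:
        return []
    baseline = statistics.median(a for a, _ in counts.values())
    return sorted(day for day, (a, _) in counts.items()
                  if a >= min_attempts and a >= factor * baseline)


def make_line(day, time, src, proto, dpt):
    """Build one constructed netfilter-style log line (assumed format)."""
    tail = "WINDOW=29200 SYN URGP=0" if proto == "TCP" else "LEN=8"
    return (f"{day} {time} honeypot kernel: IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.7 LEN=40 TTL=52 PROTO={proto} SPT=43210 "
            f"DPT={dpt} {tail}")


# Constructed sample: a few hits a day, then a burst, then tapering off.
SAMPLE_LOG = [
    make_line("Feb  8", "03:14:07", "203.0.113.5", "TCP", 26),
    make_line("Feb  8", "19:02:44", "203.0.113.9", "TCP", 26),
    make_line("Feb  8", "19:02:45", "203.0.113.9", "TCP", 23),  # telnet/23, not counted
    make_line("Feb  9", "11:45:12", "198.18.0.4", "TCP", 26),
    make_line("Feb  9", "11:45:13", "198.18.0.4", "UDP", 26),   # UDP, not counted
    make_line("Feb 10", "08:00:01", "203.0.113.5", "TCP", 26),
    make_line("Feb 10", "21:30:59", "192.0.2.77", "TCP", 26),
] + [
    make_line("Feb 11", f"14:{m:02d}:00", f"192.0.2.{10 + m}", "TCP", 26)
    for m in range(12)                                          # the spike
] + [
    make_line("Feb 12", f"09:{m:02d}:30", f"198.18.1.{m}", "TCP", 26)
    for m in range(7)                                           # slowing down
]


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG)
    for day in sorted(counts):
        attempts, srcs = counts[day]
        print(f"{day}: {attempts:3d} attempts from {srcs:3d} sources")
    print("spike days:", flag_spikes(counts))
```

Point the script at a real log file by replacing `SAMPLE_LOG` with the file's lines; the distinct-source column is what separates a botnet-style sweep (many sources, one probe each) from one noisy scanner, which a raw hit count alone does not show.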

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Feb 16th 2021
Jim, thanks for the post. I will be on the lookout for this traffic. Have you seen this? http://codegrazer.com/blog/rsftp-to-command-injection.html
Anonymous
