Thanks to Bjørn for noticing an increase in port 37777 TCP traffic. He wrote a blog with some of the payloads he found, and after he notified us, I was able to confirm his observations in our honeypot [1].

First 32 bytes of the payload:

c1 00 00 00 00 14 00 00 63 6f 6e 66 69 67 00 00

ASCII representation of the payload (640 bytes; the payload is followed by 0 padding for a total payload size of 5151 bytes):

{ "Enable" : 1, "MapTable" : [

The payload appears to attempt to configure port forwarding rules, which is typically done via UPnP (and UPnP has been heavily abused, but is typically not reachable from the "outside"). But the requests are different from UPnP in some ways:
Some newer versions of UPnP allow for REST/JSON instead of the older SOAP/XML format. But this still doesn't explain the missing headers. Port 37777 is typically used to stream video from CCTV DVRs, not for configuration. But then again, it is possible that some DVRs do accept configuration commands like the one shown above. But a request like this should probably be directed at the gateway/router, not the DVR. So there are still a lot of questions. Please let us know if you have any answers ;-)

[1] https://bløgg.no/2017/01/probes-towards-tcp37777/
Johannes, ISC Handler, Jan 10th 2017
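As an added illustration (not part of the diary or of Bjørn's post), a small honeypot-side detector that recognises the header bytes quoted above, strips the zero padding and parses the JSON body to see whether the probe tries to enable a MapTable. The JSON start offset and the MapTable entry keys are not given in the diary, so the sample packet and its entries are constructed, and the 32-byte header length is an assumption.

```python
import json

# Header bytes quoted in the diary (the first 16 of the 32-byte prefix).
HEADER_PREFIX = bytes.fromhex("c1000000 00140000 636f6e66 69670000")
TOTAL_LEN = 5151  # observed total size: header + JSON body + zero padding


def extract_config(packet: bytes):
    """Return the JSON object carried by a port 37777 probe, or None.

    The JSON start offset is not stated in the diary, so instead of assuming
    a fixed header length we locate the first '{' after the known prefix and
    strip the trailing zero padding before parsing.
    """
    if not packet.startswith(HEADER_PREFIX):
        return None
    body = packet[len(HEADER_PREFIX):].rstrip(b"\x00")
    start = body.find(b"{")
    if start < 0:
        return None
    try:
        cfg = json.loads(body[start:].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    return cfg if isinstance(cfg, dict) else None


def is_forwarding_probe(packet: bytes) -> bool:
    """True when the probe enables a non-empty port-forwarding MapTable."""
    cfg = extract_config(packet)
    return bool(cfg) and cfg.get("Enable") == 1 and bool(cfg.get("MapTable"))


def build_sample_probe() -> bytes:
    """Constructed sample (not a real capture); MapTable entry keys are made up."""
    body = json.dumps({"Enable": 1, "MapTable": [
        {"Inner": "192.0.2.10:80", "Outer": 8080},
        {"Inner": "192.0.2.10:37777", "Outer": 37777},
    ]}).encode("ascii")
    packet = HEADER_PREFIX + b"\x00" * 16 + body   # 32-byte header assumed
    return packet.ljust(TOTAL_LEN, b"\x00")        # zero-pad to 5151 bytes


if __name__ == "__main__":
    sample = build_sample_probe()
    print(len(sample), is_forwarding_probe(sample), extract_config(sample)["MapTable"])
```

Feeding real honeypot captures to `is_forwarding_probe` lets you count these attempts separately from ordinary port 37777 video-stream traffic.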
That is Mirai; see our mirai-scanner page here. It actually first hit our Mirai honeypot on Dec 10.
http://data.netlab.360.com/mirai-scanner (scroll down a little bit; you can see a clickable chart).
Anonymous
Jan 11th 2017