
SANS ISC: WTF tcp port 81 - SANS Internet Storm Center SANS ISC InfoSec Forums

WTF tcp port 81

I don't know which of our tools you, our readers, use on a regular basis, but one of the things I like to look at first when I login to is the Top 10 Ports by Unique Sources chart. This suggests coordinated (think botnets) scanning. So, I was really shocked to see port 81 had jumped up to 2nd position just behind all the Mirai-ish port 23 scanning. Take a look at the port 81 chart. If any of our readers have any insight into what is going on here since 16 Apr, please let us know.

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I'll be teaching FOR610 in June, Sept, and Oct. See my schedule here:



423 Posts
ISC Handler
Apr 23rd 2017
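
The "Top 10 Ports by Unique Sources" ranking mentioned in the diary counts distinct source addresses per destination port. As an added example (not ISC's code and not part of the original post), the following computes that ranking from local firewall records and flags a port whose distinct-source count jumps against the preceding days; the record format, sample data, function names and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample records: "date source_ip dest_port" (format is an assumption).
SAMPLE = """\
2017-04-14 198.51.100.7 23
2017-04-14 198.51.100.8 23
2017-04-14 198.51.100.9 23
2017-04-14 203.0.113.5 81
2017-04-15 198.51.100.7 23
2017-04-15 198.51.100.8 23
2017-04-15 198.51.100.10 23
2017-04-15 203.0.113.5 81
2017-04-16 198.51.100.7 23
2017-04-16 198.51.100.8 23
2017-04-16 198.51.100.9 23
2017-04-16 198.51.100.11 23
2017-04-16 203.0.113.5 81
2017-04-16 203.0.113.5 81
2017-04-16 203.0.113.6 81
2017-04-16 203.0.113.7 81
2017-04-16 192.0.2.44 22
"""

def unique_sources(lines):
    """Return {date: {port: set(source_ips)}}; repeat hits from one IP count once."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip blank or malformed records
        day, src, port = parts
        table[day][int(port)].add(src)
    return table

def top_ports(table, day, n=10):
    """Ports for one day ranked by distinct sources (ties: lower port first)."""
    counts = {p: len(s) for p, s in table.get(day, {}).items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def spiking_ports(table, day, baseline_days, factor=2.0, min_sources=3):
    """Ports whose distinct-source count on `day` is >= factor x the baseline mean."""
    flagged = []
    for port, count in top_ports(table, day, n=len(table.get(day, {}))):
        base = sum(len(table.get(d, {}).get(port, ())) for d in baseline_days) / len(baseline_days)
        if count >= min_sources and count >= factor * max(base, 1.0):
            flagged.append((port, count, base))
    return flagged

if __name__ == "__main__":
    t = unique_sources(SAMPLE.splitlines())
    print(top_ports(t, "2017-04-16"))
    print(spiking_ports(t, "2017-04-16", ["2017-04-14", "2017-04-15"]))
```

Counting distinct sources rather than raw hits keeps a single noisy scanner from dominating the ranking, which is why a rise in this metric points at many hosts probing the same port.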
Some kind of error in software coding perhaps, where zero being 1 has been overlooked?
We can confirm at our organization that we're also seeing a spike in port 81 access attempts since April 15th.

- Joel Hilke

1 Posts
The only thing I have seen is public IP checks from via user agent "uTorrent/347". Maybe a new technique in peering?

1 Posts
we have a blog about this here,
Hi Jim,

It is a new IOT botnet reported by netlab from 360 company.

More info below.
360's NetLab has some details on this activity:
Catalin Cimpanu

3 Posts
