
SANS ISC: What is up on Port 62234? SANS ISC InfoSec Forums

What is up on Port 62234?

Here at the ISC we provide access to a number of bits of data which can be used to dig into problems or even as an early warning system of unusual activity. Well, today's data has revealed a confounding one. Port 62234, which traditionally has zero or near zero sources attempting to access it, suddenly has hundreds of sources.

This port is not one I have seen as a target before, and none of my sources show any traffic on this port. A check of Shodan shows only 3 hits, and two of those appear to be BitTorrent related. I am at a loss. If any of you has further information, firewall logs, or better yet, packet captures of this activity, it would be appreciated if you could send it over for analysis.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

311 Posts
ISC Handler
May 19th 2020
Question - what is the transport for this activity that you are seeing (tcp/udp)?
NightFalcon

1 Posts
I believe it is TCP. But still investigating...
Rick

311 Posts
ISC Handler
I see a few attempts a week to this destination port, TCP. I have 3 IPs on my server and they usually hit all three. Source IPs include 154.59.121.150, 154.59.121.132, 185.153.196.64 so far this month.
Anonymous
Curious if there's been any more info. I saw a large spike in activity on this port. Looks like scanning from a single Bangladesh IP with single hits to ranges of IPs.
Anonymous
I am curious about whether or not you have more information about what is going on at these ports.
Also, is it true that Bangladesh IPs are trying to hit these ports all the time?
Anonymous
I did not receive anything I could use to follow up. All I can tell you for sure is that the scanning started around May 17th, and while the number of sources has tailed off a bit, we are still seeing more than 300 sources per day. If you look at the ports page (isc.sans.edu/…) it has the top 10 IPs that are scanning today. They are mostly Korea and Japan with some China and others thrown in.

I would still love a pcap. (-8
Rick

311 Posts
ISC Handler
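
An added example, not part of the original thread or of ISC's tooling: one way to check your own firewall logs for the two patterns discussed above, a jump in distinct sources per day to TCP/62234 and a single source making single hits across a range of addresses. The iptables-style log layout, the thresholds, the function names and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Matches iptables LOG-style lines (assumed format; adapt to your firewall).
LINE = re.compile(r"^(?P<day>\w{3}\s+\d+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                  r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def summarize(lines, port, proto="TCP"):
    """Return ({day: set(src)}, {src: {dst: hits}}) for one destination port."""
    by_day = defaultdict(set)
    by_src = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.search(line)
        if not m or m["proto"] != proto or int(m["dpt"]) != port:
            continue
        by_day[" ".join(m["day"].split())].add(m["src"])
        by_src[m["src"]][m["dst"]] += 1
    return by_day, by_src

def spike_days(by_day, order, factor=5, floor=3):
    """Days whose distinct-source count exceeds factor x the median of earlier days."""
    flagged, history = [], []
    for day in order:
        n = len(by_day.get(day, ()))
        baseline = median(history) if history else 0
        if n >= floor and n > factor * baseline:
            flagged.append(day)
        history.append(n)
    return flagged

def sweepers(by_src, min_targets=3):
    """Sources that touched several hosts exactly once each (horizontal scan)."""
    return sorted(s for s, d in by_src.items()
                  if len(d) >= min_targets and max(d.values()) == 1)

def _line(day, src, dst, dpt=62234, proto="TCP"):
    return (f"{day} 03:12:01 fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=40 TTL=241 PROTO={proto} SPT=40000 DPT={dpt} SYN")

# Constructed sample: one quiet day, one empty day, then a burst of new sources.
SAMPLE = (
    [_line("May 15", "198.51.100.9", "203.0.113.10")]
    + [_line("May 17", f"198.51.100.{i}", "203.0.113.10") for i in range(20, 26)]
    + [_line("May 17", "192.0.2.50", f"203.0.113.{h}") for h in (10, 11, 12)]
    + [_line("May 17", "192.0.2.77", "203.0.113.10", dpt=22)]  # other port, ignored
)
DAYS = ["May 15", "May 16", "May 17"]
```

Pass the days in chronological order, including days with no hits, so the baseline reflects the quiet period before the spike.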
