WTF tcp port 81

Published: 2017-04-22. Last Updated: 2017-04-23 13:35:40 UTC
by Jim Clausing (Version: 1)
6 comment(s)

I don't know which of our tools you, our readers, use on a regular basis, but one of the things I like to look at first when I log in to isc.sans.edu is the Top 10 Ports by Unique Sources chart. A port ranking high on it suggests coordinated (think botnets) scanning. So, I was really shocked to see port 81 had jumped up to 2nd position just behind all the Mirai-ish port 23 scanning. Take a look at the port 81 chart. If any of our readers have any insight into what is going on here since 16 Apr, please let us know.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I'll be teaching FOR610 in June, Sept, and Oct. See my schedule here: https://www.sans.org/instructors/jim-clausing


Comments

Some kind of error in software coding perhaps, where zero being 1 has been overlooked?

We can confirm at our organization that we're also seeing a spike in port 81 access attempts since April 15th.

- Joel Hilke

The only thing I have seen is public IP checks from checkip.synology.com via user agent "uTorrent/347". Maybe a new technique in peering?

We have a blog about this here: http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/

Hi Jim,

It is a new IOT botnet reported by netlab from 360 company.

More info below.
http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/

360's NetLab has some details on this activity: http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/
