What is up on Port 62234?

Published: 2020-05-19. Last Updated: 2020-05-19 14:56:29 UTC
by Rick Wanner (Version: 1)
6 comment(s)

Here at the ISC we provide access to a number of bits of data which can be used to dig into problems or even as an early warning system of unusual activity.  Well today's data has revealed a confounding one.  Port 62234, which traditionally has zero on near zero sources attempting to access it suddenly has hundreds of sources.

This port is not one I have seen as a target before, and none of my sources show any traffic on this port. A check of Shodan shows only 3 hits, and two of those appear to be BitTorrent related.  I am at a loss.  If any of you has further information,  firewall logs, or better yet, packet captures of this activity it would be appreciated if you could send it over for analysis.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: 62234
6 comment(s)

Comments

Question - what is the transport for this activity that you are seeing (tcp/udp)?

Anonymous

May 19th 2020
4 years ago

I believe it is TCP. But still investigating...

Anonymous

May 19th 2020
4 years ago

I see a few attempts a week to this destination port, TCP, I have 3 IPs on my server and they usually hit all three. Source IPs include 154.59.121.150, 154.59.121.132, 185.153.196.64 so far this month.

Anonymous

May 21st 2020
4 years ago

Curious if there's been any more info. I saw a large spike in activity on this port. Looks like scanning from a single Bangladesh IP with single hits to ranges of IPs.

Anonymous

May 22nd 2020
4 years ago

I am curious about whether or not, you have more information about what is going on at these ports.
Also, Is it true that Bangladesh IPs are trying to hit these ports all the time?

Anonymous

May 25th 2020
4 years ago

I did not receive anything I could use to followup. All I can tell you for sure is that the scanning started around May 17th, and while the number of sources has tailed off a bit, we are still seeing more than 300 sources per day. If you look at the ports page (https://isc.sans.edu/port.html?port=62234) it has the top 10 IPs that are scanning today. They are mostly Korea and Japan with some China and others thrown in.

I would still love a pcap. (-8

Anonymous

May 25th 2020
4 years ago

Login here to join the discussion.


Top of page
Diary Archives