WTF tcp port 81

Published: 2017-04-22
Last Updated: 2017-04-23 13:35:40 UTC
by Jim Clausing (Version: 1)
6 comment(s)

I don't know which of our tools you, our readers, use on a regular basis, but one of the things I like to look at first when I login to is the Top 10 Ports by Unique Sources chart. This suggests coordinated (think botnets) scanning. So, I was really shocked to see port 81 had jumped up to 2nd position just behind all the Mirai-ish port 23 scanning. Take a look at the port 81 chart. If any of our readers have any insight into what is going on here since 16 Apr, please let us know.
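The idea behind that chart, ranking ports by distinct source addresses rather than by raw hit volume and then comparing against earlier days, as an added example that is not part of the original diary or of ISC's tooling. The log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line format for this example: "<date> SRC=<ip> DPT=<port>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) SRC=(\S+) DPT=(\d+)$")

def build_sample_log():
    """Constructed log lines (documentation-range IPs), not real sensor data."""
    lines = []
    for day in ("2017-04-14", "2017-04-15", "2017-04-16"):
        # Port 23: many distinct sources every day (steady background scanning).
        lines += [f"{day} SRC=198.51.100.{i} DPT=23" for i in range(1, 41)]
        # Port 80: one noisy host, so high volume but a single unique source.
        lines += [f"{day} SRC=192.0.2.10 DPT=80"] * 500
        # Port 81: two sources on the earlier days, thirty on the last day.
        n = 30 if day == "2017-04-16" else 2
        lines += [f"{day} SRC=203.0.113.{i} DPT=81" for i in range(1, n + 1)]
    return lines

def unique_sources(lines):
    """Return {day: {port: set(source IPs)}}; malformed lines are skipped."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            day, src, port = m.groups()
            seen[day][int(port)].add(src)
    return seen

def top_ports(seen, day, n=10):
    """Ports ranked by number of distinct sources on `day`, highest first."""
    counts = {port: len(srcs) for port, srcs in seen.get(day, {}).items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def spikes(seen, day, baseline_days, factor=3.0, min_sources=5):
    """Ports whose unique-source count on `day` is >= factor x the baseline mean."""
    flagged = []
    for port, srcs in seen.get(day, {}).items():
        base = sum(len(seen.get(d, {}).get(port, ())) for d in baseline_days)
        base /= len(baseline_days)
        if len(srcs) >= min_sources and len(srcs) >= factor * max(base, 1.0):
            flagged.append((port, base, len(srcs)))
    return sorted(flagged)

if __name__ == "__main__":
    seen = unique_sources(build_sample_log())
    print(top_ports(seen, "2017-04-16"))
    print(spikes(seen, "2017-04-16", ["2017-04-14", "2017-04-15"]))
```

In the constructed data, port 80 has by far the most hits but ranks last by unique sources, while port 81 ranks second and is the only port flagged against the two-day baseline.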

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I'll be teaching FOR610 in June, Sept, and Oct. See my schedule here:

6 comment(s)


Some kind of error in software coding perhaps, where zero being 1 has been overlooked?

We can confirm at our organization that we're also seeing a spike in port 81 access attempts since April 15th.

- Joel Hilke

The only thing I have seen is public IP checks from via user agent "uTorrent/347". Maybe a new technique in peering?

We have a blog about this here,

Hi Jim,

It is a new IoT botnet reported by netlab from 360 company.

More info below.

360's NetLab has some details on this activity:
