SANS Internet Storm Center (SANS ISC) InfoSec Forums
DVRIP Port 34567 - Uptick

We have seen an uptick in port 34567 activity over recent weeks [1]. I was curious, so I poked around to learn a few things. At this point, it appears it could be a campaign of some kind.

Admittedly, I do not know much about this port. After a little digging, I see a possible affinity to Fbot and Mirai or its variants. We have a diary from Dr. J. on Mirai [2]. After some reading, I cannot definitively tie this to Mirai, Fbot, or something else just yet. However, in early 2019 there was a well-publicized uptick in Fbot activity [3]. I went looking for data on ports that coincided with the early 2019 Fbot events. I did find some correlation, but nothing purely consistent: not every port with ties to Fbot saw a recent correlating spike. Some well-known ports that showed Fbot activity back then are TCP ports 80, 81, 88, 8000 and 8080. Some of these have correlating spikes of late. See the graphs below.

[Graph: port 34567 activity over time, from the ISC port page [1]]

[Graph: port 8000 activity over time, from the ISC port page [4]]

[Graph: port 88 activity over time, from the ISC port page [5]]

Looking at these three graphs only, one could infer there were fewer infected hosts in early 2019. The recent uptick shows a more equal distribution of sources and targets. This can mean there are more infected hosts, and possibly that a new campaign has begun.
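To make the two checks in this diary reproducible (which other ports spike on the same day as 34567, and whether the source-to-target ratio has shifted toward 1.0, which is what "a more equal distribution of sources and targets" means in the graphs), here is an added example script. It is not ISC code; the daily counts are constructed sample data shaped like the records/sources/targets columns on the ISC port pages, and the seven-day baseline and z-score threshold of 3.0 are assumptions you would tune against real data.

```python
"""Spike correlation and source/target-ratio check over daily per-port counts.

Added example for this diary, not ISC code. SAMPLE is CONSTRUCTED data,
oldest day first, one (records, sources, targets) tuple per day; it mimics
the shape of the ISC port graphs, not any real measurement.
"""
from statistics import mean, pstdev

SAMPLE = {
    # steady week, then a spike with many more distinct sources (constructed)
    34567: [(1200, 40, 300), (1300, 42, 310), (1250, 38, 305), (1280, 41, 302),
            (1310, 44, 308), (1290, 40, 301), (1260, 39, 299), (5900, 800, 820)],
    # a port that spikes on the same day (constructed)
    8000:  [(900, 120, 200), (920, 118, 205), (880, 122, 198), (910, 121, 203),
            (905, 119, 200), (915, 120, 202), (895, 118, 199), (3100, 400, 410)],
    # a port with normal day-to-day noise only (constructed)
    88:    [(300, 30, 90), (310, 31, 92), (305, 29, 91), (298, 30, 89),
            (302, 32, 90), (299, 30, 88), (304, 31, 92), (310, 30, 91)],
}


def zscore_latest(series, window=7):
    """Z-score of the latest value against the preceding `window` days."""
    baseline = series[-window - 1:-1]
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        # flat baseline: any deviation is "infinite", no deviation is zero
        return 0.0 if series[-1] == mu else float("inf")
    return (series[-1] - mu) / sigma


def spiking_ports(data, threshold=3.0):
    """Ports whose latest record count sits more than `threshold` sigmas above baseline."""
    result = {}
    for port, days in data.items():
        z = zscore_latest([records for records, _, _ in days])
        if z > threshold:
            result[port] = round(z, 2)
    return result


def correlated_spikes(data, focus, threshold=3.0):
    """Other ports spiking on the same day as `focus` (the diary's Fbot-port question)."""
    spikes = spiking_ports(data, threshold)
    if focus not in spikes:
        return []
    return sorted(p for p in spikes if p != focus)


def ratio_shift(data, port):
    """(baseline, latest) source/target ratio; a jump toward 1.0 means far more distinct sources."""
    days = data[port]
    base = mean(sources / targets for _, sources, targets in days[:-1])
    _, sources, targets = days[-1]
    return round(base, 3), round(sources / targets, 3)


if __name__ == "__main__":
    print("spiking ports:", spiking_ports(SAMPLE))
    print("spiking with 34567:", correlated_spikes(SAMPLE, 34567))
    print("34567 source/target ratio (baseline, latest):", ratio_shift(SAMPLE, 34567))
```

On the constructed data, ports 34567 and 8000 spike together while port 88 stays within its noise, which is the "some correlation, but nothing purely consistent" picture from the diary; the 34567 ratio moving from roughly 0.13 to 0.98 is the many-sources-hitting-many-targets pattern the graphs show. To run this against real numbers, replace SAMPLE with the daily values read off the ISC port pages cited in the references.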

I invite you all to comment and share what you may know of this observation.

-Kevin

--
ISC Handler on Duty



[1] https://isc.sans.edu/port.html?port=34567
[2] https://isc.sans.edu/diary/22786 - J. Ullrich diary on Mirai, 09-05-2017
[3] https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/
[4] https://isc.sans.edu/port.html?port=8000
[5] https://isc.sans.edu/port.html?port=88

Kevin Shortt

ISC Handler
So I just looked this up on Shodan (port:34567) and port 34567 seems to correspond with nginx but mainly DHT: https://en.wikipedia.org/wiki/Distributed_hash_table
Shodan shows results from five countries and five organizations: Russian Federation (7), Greece (7), Hong Kong (3), Canada (3), and the US (2).
Orgs = OTEnet S.A. (5), Ziggo (2), Vodafone DSL (1), Vetta Online (1) and UPC Magyarorszag (1).
Also interesting: the top products listed are Ubiquiti Networks Device (3).
rand0m

Hi,
Just out of curiosity, may I know which tools you are using to see the port activity? Is it Snort or some other specialized, customized tool?
arun
