
SANS ISC: Increase in port 2580 probe sources - SANS Internet Storm Center SANS ISC InfoSec Forums

Increase in port 2580 probe sources

Reviewing the dashboards at the ISC today revealed an anomaly on port 2580. Over the last couple of days, the number of sources probing for port 2580 has increased by nearly 600x from near none historically.

While this port is officially allocated to a service called Tributary, development software created by Bristol Technology, I can't find any sign that Bristol or the Tributary software are still in existence (Bristol was purchased by HP in 2007).  

Shodan shows a number of different services listening on this port. The most common one is a free Universal Plug and Play (UPnP) server called redsonic, which looks like it may be used in Google Chromecast, but is also commonly used in torrent applications.

If anybody has any more information, or packet traces that would enlighten me on what may be going on here, please contact us through the ISC contact page.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - Twitter: namedeplume
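One way to look for the same kind of change in your own perimeter logs, as an added example that is not the ISC's dashboard code: count distinct sources per day for a destination port and compare each day against the recent median. The record format, thresholds and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed records "date,src_ip,dst_port"; the addresses come from
    documentation ranges and are not real observations."""
    rows = []
    # Quiet baseline: a single source touches port 2580 on some days.
    for day in ("2024-01-01", "2024-01-03", "2024-01-05"):
        rows.append(f"{day},192.0.2.10,2580")
    # Unrelated traffic to another port must not affect the result.
    for i in range(50):
        rows.append(f"2024-01-06,198.51.100.{i},23")
    # Surge: many distinct sources, each probing twice.
    for i in range(120):
        rows.extend([f"2024-01-07,203.0.113.{i},2580"] * 2)
    return rows

def sources_per_day(rows, port):
    """Count distinct source IPs per day for one destination port."""
    seen = defaultdict(set)
    for row in rows:
        day, src, dport = row.strip().split(",")
        if int(dport) == port:
            seen[day].add(src)
    return {day: len(ips) for day, ips in seen.items()}

def surge_days(counts, all_days, window=5, factor=10, min_sources=20):
    """Flag days whose source count is >= factor x the median of the
    preceding window. Days with no probes count as 0, and the baseline
    is floored at 1 so a 'near none' history does not divide by zero."""
    flagged = []
    for i, day in enumerate(all_days):
        history = [counts.get(d, 0) for d in all_days[max(0, i - window):i]]
        if len(history) < window:
            continue  # not enough history to call anything an anomaly
        baseline = max(median(history), 1)
        today = counts.get(day, 0)
        if today >= min_sources and today / baseline >= factor:
            flagged.append((day, today, today / baseline))
    return flagged

DAYS = [f"2024-01-0{d}" for d in range(1, 8)]
COUNTS = sources_per_day(build_sample(), 2580)
ALERTS = surge_days(COUNTS, DAYS)
```

Counting distinct sources rather than packets keeps one noisy scanner from looking like a surge, and the `min_sources` floor keeps a jump from one source to a handful from alerting on a port with no history.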


286 Posts
ISC Handler
They may be looking for smart TVs to exploit. Some Vizios have that redsonic User-Agent.

1 Posts
A quick search on Censys for "redsonic" reveals about 400 results:

The UPnP results from the above search also include a "gatedesc.xml" in the Location header, which returns many more results:
