Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: Port 37777 "MapTable" Requests - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port 37777 "MapTable" Requests

Thanks to Bjørn for noticing an increase in port 37777 TCP traffic. He wrote a blog with some of the payloads he found, and after he notified us, I was able to confirm his observations in our honeypot [1].

First 32 bytes of the payload:

c1 00 00 00 00 14 00 00  63 6f 6e 66 69 67 00 00
                          c. o. n. f. i. g
31 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

ASCII representation of the payload (640 Bytes. The payload is followed by 0 padding for a total payload size of 5151 bytes.

{ "Enable" : 1, "MapTable" : [
{ "Enable" : 1, "InnerPort" : 85, "OuterPort" : 85, "Protocol" : "TCP", "ServiceName" : "HTTP" },
{ "Enable" : 1, "InnerPort" : 37777, "OuterPort" : 37777, "Protocol" : "TCP", "ServiceName" : "TCP" },
{ "Enable" : 1, "InnerPort" : 37778, "OuterPort" : 37778, "Protocol" : "UDP", "ServiceName" : "UDP" },
{ "Enable" : 1, "InnerPort" : 554, "OuterPort" : 554, "Protocol" : "TCP", "ServiceName" : "RTSP" },
{ "Enable" : 1, "InnerPort" : 23, "OuterPort" : 23231, "Protocol" : "TCP", "ServiceName" : "TELNET" },
{ "Enable" : 1, "InnerPort" : 23, "OuterPort" : 23123, "Protocol" : "TCP", "ServiceName" : "NEW" } ] }

The payload appears to attempt to configure port forwarding rules, which is typically done via UPNP (and UPNP has been heavily abused, but is typically not reachable from the "outside"). But the requests are different from UPNP in some ways:

  • UPNP usually uses HTTP like headers. These requests do not use any readable headers, just a brief binary pre-ample.
  • UPNP is typically using UDP. These requests arrive over TCP
  • UPNP uses XML/SOAP for its payload. These requests use what looks like JSON

Some newer versions of UPNP allow for REST/JSON instead of the older SOAP/XML format. But this still doesn't explain the missing headers. Port 37777 is typically used to stream video from CCTV DVRs, not for configuration. But then again, it is possible that some DVRs do accept configuration commands like the one shown above. But a request like this should probably be directed at the gateway/router, not the DVR. 

So there are still a lot of questions. Please let us know if you have any answers ;-)

[1] https://bløgg.no/2017/01/probes-towards-tcp37777/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Johannes

3005 Posts
ISC Handler
that is mirai, see our mirai-scanner page here, it actually first hit our mirai-honeypot in Dec 10.

http://data.netlab.360.com/mirai-scanner

scroll down a little bit, you can see a clickable chart.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!