Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Port 7212 spike - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port 7212 spike
A reader wrote in that he was seeing a large spike in port 7212.
I checked our port statistics and found we had had two spikes one on the 14th of November and
one on the 8th of December.
Nov 14th we saw 62k targets and 143k records with only 105 sources.
That is a 7x increase in records, a 15x increase in targets and the sources went down from the previous day.
On Dec 8th we saw 76k records against 27k targets with only 88 sources.
That is a 3x increase in records, 10x increase in targets and the sources went down from the previous day.

From the user comments on the SANS port statistics:
http://isc.sans.org/port_details.php?port=7212

"There are certain older versions of GhostSurf which fire up by default as a wide-open proxy,"
Lawrence Baldwin
Write-up on ghostsurf open proxy from November 23, 2005
http://www.tenebril.com/src/advisories/open-proxy-relay.php

But based on packets provided by Daniel F. it appears to be p2p related.
Here a write-up by Daniel and packet contents.

"Earlier today a significant increase of port 7212/TCP (unknown) scanning
against relatively large segments from networks in North America,
Sweden, and France was noted.

All probes analyzed thus far appear to be associated with a Peer-to-Peer
(P2P) application framework known as
"GnucDNA" (http://www.gnucleus.com/GnucDNA/).
-----------------------------
And two sanitized payloads:

GET /uri-res/N2R?urn:sha1:BJZCBU6KXKEWBY4MXFONNO3T6MYVF67H HTTP/1.1
Host: [targeted darknet address removed]:7212
User-Agent: Fildelarprogram 9.9.9.9 (GnucDNA 1.1.1.5)
Listen-IP: [.se host address removed]:17799
Connection: Keep-Alive
Range: bytes=0-524287
X-Queue: 0.1
X-Features: g2/1.0
Content-URN: urn:sha1:BJZCBU6KXKEWBY4MXFONNO3T6MYVF67H


GET /uri-res/N2R?urn:sha1:KONNXKWMSMHIJ7N63HLSPOHG7IPYVV25 HTTP/1.1
Host: [targeted darknet address removed]:7212
User-Agent: morph500 5.1.2.912 (GnucDNA 1.1.1.4)
Listen-IP: [.fr host address removed]:29168
Connection: Keep-Alive
Range: bytes=0-524287
X-Queue: 0.1
X-Features: g2/1.0
Content-URN: urn:sha1:KONNXKWMSMHIJ7N63HLSPOHG7IPYVV25"

 
So I did a google for GET /uri-res/N2R?urn:sha1 guess what its all bearshare, limewire and other p2p clients.

So this spike appears to be p2p related not open proxies. But the question on my mind is why so few sources but so many targets?
After a review of the top source IPs it appears most of this is coming from within china.

 
donald

206 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!