Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Request for Packets and Logs - TCP 5358 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Request for Packets and Logs - TCP 5358

Starting Sunday (22 Jan 17), there was a huge spike this week against TCP 5358. If anyone has logs o r packets (traffic) that might help identify what it is can submit them via our contact page would be appreciated. This is a snapshot as to what was reported so far this week in DShield.

 

TCP Port 5358

Update 1

We received information this port could be use by Web Service on Devices API (WSDAPI)[2] or potentially various version of DVR's and NVR's.

[1] https://isc.sans.edu/contact.html
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa823078(v=vs.85).aspx
[3] https://msdn.microsoft.com/en-us/library/windows/desktop/aa385800(v=vs.85).aspx

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

402 Posts
ISC Handler
We have received numerous logs and packets and the common thing noticed in the SYN packets and rejected traffic (logs) is a common TCP Window size value of 14600 in 99% of the traffic. Thank you everyone for the logs and packets
Guy

402 Posts Posts
ISC Handler
Posted already in the threat "Ongoing Scans Below the Radar" (Dec 31st 2016)
that this is attributable to the hajime worm, a cousin of mirai.

Looks like lots of DVR devices have been hit.

Devices have a random high port open (usually >40k) where you can get the malware with netcat.

Looks like this in nmap:

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port49648-TCP:V=6.47%I=7%D=2/7%Time=58999875%P=x86_64-redhat-linux-gnu%
SF:r(NULL,1104,"\x7fELF\x01\x01\x01\x03\0\0\0\0\0\0\0\0\x02\0\(\0\x01\0\0\
SF:0\x90&\x02\x004\0\0\0\0\0\0\0\x02\x02\0\x054\0\x20\0\x02\0\(\0\0\0\0\0\
SF:x01\0\0\0\0\0\0\0\0\0\x01\0\0\0\x01\0a7\x01\0a7\x01\0\x05\0\0\0\0\0\x01
SF:\0\x01\0\0\0\xfc\x06\0\0\xfc\x06\x05\0\xfc\x06\x05\0\0\0\0\0\0\0\0\0\x0
SF:6\0\0\0\0\0\x01\0\xef\x8c\xc4c\xf5\x96\xa4\xb5\xf0\x10\r\x17\0\0\0\0\xd
SF:0\xa6\x02\0\xd0\xa6\x02\0\xd4\0\0\0i\0\0\0\x0e\0\0\0\x1a\x03\0\?\x91E\x
SF:84h;\xde\xde\xa6\x0f#\xf0\xd4\$\x19u\xd8FO\xb5\xdd\xea\xce\xe0J\xbeHz!\
SF:xaeZ\t\xa1\0\xf1\xa1\+\x89~K\x0c6,\x9b\?/\]\x8aTd\x04D\x07V:\xa8\xe1\xb
SF:c\x20\xc6\x93qw&\xc1\xa4\xe2\.\xae\xb2\x0f\xd7\t\xfe\xa2\xa3\xc4\x0c\x8
SF:a\rK\xc9&0=\^J;\xbbZ\x8cb#\xe3\xce;\xc7XTN\xc0\x20\x0c\x99\x02\0\xdb#\x
SF:01\0\x0eP\0\0\x1a\x03\0\x06\xb0\x8fm\xa7\x01\xaat\x15O\xe8&\x11e\xf9\xd
SF:1\xf7\xb7A\xf6,\xa8\xd7\xbb:4\xf4\xc8\x94\x0eS\\\xd6\x10\xad\x99\xf3i!\
SF:xf9\xe4\xa7\xa1\xa5\xbd#\xdd\x90\x0e\xcdT\x87\xcb\x18\xb1@\xe1\]\r\xdc\
SF:x04\xf0\xe8cx\x833\x90f\xc2\\r\xa9\x8c\x08\xfeMX\x98\xc5\x01\xba\x0b\r\
SF:x89\x01G\xae\xf3a\x14\xd7N\xae}p'\r\x11U\xb3o\\=2\xe0\xc9Kt\xbe\x83j\xd
SF:a\xd4\x95\xf2\x15\$\xf0\xac\xdf<\x85\x83\xa9\x94<\xcd\xf2\xb7i\xa8F\x1f
SF:q\xc6S\x9b;\x80U}\xc9b\xbe1\xab8\x19z\xb9\xba\xcd\xbd\xee\x06\xc6\x89\x
SF:e4\x16\xdd\xd7\x08\xe2\xf9aX\xe8TJFT\x7fBz\xd8a\x15\"sJ\xdeV\xc7\xc5\xe
SF:8\xc4\x1e\x9d\xe445\*\x96\xb9\x19m\x9b\x07\[\x86E\x07SY\xd0\x98\x89\xfe
SF:bl\+\+\xf6\xf7\x87K2\xf4\x98Q\xd3\*\xb0qo\x91\xb6\xe1\)hg\x0b\xce\xf2\x
SF:96j>\xeb\x90\xdd\x12\x82\x94<\x18\x91\x86\xbc\xa8<\xc9}\$\xfdi\xec\xdb\
SF:x15\xb1HOJ1\x92L\xdc\xf7\xad\|\x832\xfd0\x9f\xaa\xa8\xb6\x8dx\xc2\xb1\x
SF:af\xff\.\xc6\xa7\xa3\xc4c\x16\xd0\xcdaj%\x108\xdb1\xa3\xda\xee\n\n\x84\
SF:xc1\xf1\xf0:Y/\xef\x1f\xe01\x8d\xb7\x0e\xc1\)\x87\|\x02\xb3\xaf\xff\xbd
SF:\x1dIw\xc9\xa5\x8d\?\x08\xd6\xabhA\xc7\xf4\|\x85N\"%3\x8d\xafn\x1f\xfbK
SF:\xde~V\xf7\xc3\t\xcah0\xf0\xee\xd8\x95\xc0;\[E\xb5\xb4\xa7S\xa1#}D&Q\x1
SF:6JG&\x12&\xba\x93\xe3q\xc9}\x86m\x8dbH\x9b\xa7:\xb8\x92\xa7`a\xfbJ\x16\
SF:xf6\)\x93\xf1\x02\xfa\rJ\x88K\x94\[\xc7\xe6\xce\x9dq\x9f\xe5p\xf7\x19o\
SF:x02YMj\x08\x08\x082\xa6\xf3:\xab\x0b\xc2\xdfF\x1d\xe2\x7f\x1ea/\x1br5\x
SF:b9W\xe8%2~\xb7#\x930\xf7\xdf\xe6Mb\x99\xa6\x9cM\xdb\xd4\xf0z\xe2Zt\x16y
SF:Q\xa5\x8f;!\x18\xa2\xf5r\xdcl\xc3K\xcd\xcf\x1c\x90\xe4c}s\xb9LK\x07\xb8
SF:/\xf5=\xe2\x11\x13H5\xf1\xe1\xf8\xf2\xe0\.;\x14\xfa\x0b\xc5\x06Zh\xf7\x
SF:0e\xa1\+\xbcz\xe4\xd3\t0!>\xc3\xaemf\x1d=~\xd6B\x9f:\0pT\xd7\xd3\x9a-\x
SF:bf\xe7'<A\x06\xf1\xdf\xf6\x1e\xb7TT\xc3\xccC\xb1\xfc\xd7Z\x04\xd4\xb8\x
SF:a3`\?\xec`G\x95\x18\xc6\xf0oV\x0cmf\xd9\xab\xf4\x10\xd7\xd9\xb7gs\x97\x
SF:f9\xaa>`\*\x17\xf3W\xad\xfe\x9d\x1a'\x90\x16\x11\x1e");
Jens

41 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!