What is Listening On Port 9527/TCP?

Last week, Kevin wrote a diary about a marked uptick in scans for port 34567. When I looked at some of the hosts scanning for it, I noticed that many of them were also scanning port 9527. So I put up a little honeypot for this port, and what I found was not the HTTP requests I expected (there are some vulnerabilities in webcam servers associated with this port). Instead, it looks like the attacker is expecting an unauthenticated shell. Here is a typical set of commands:

/bin/busybox LA;
cd /var/tmp; echo -e "/bin/busybox telnetd -p9000 -l/bin/sh; /bin/busybox LA" > telneton; sh telneton;

The first command is a typical test for whether busybox is installed on the system: the attacker expects something like "LA: applet not found" in return. Next, the attacker creates a little script, /var/tmp/telneton, and runs it to start the telnet server on port 9000. Because of the -l/bin/sh option, that telnet server hands every connection a shell without a login prompt.
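The two behaviours described above (the busybox applet probe and the telnetd launch) can be flagged in honeypot captures. The following is an added example, not code from the diary; the session tuple layout, function names and sample addresses are assumptions, and the first sample payload is the command set quoted above.

```python
import re

# "/bin/busybox LA": an all-caps token that is not a real applet, so a
# BusyBox shell answers "LA: applet not found" (heuristic, an assumption).
PROBE = re.compile(r"busybox\s+([A-Z][A-Z0-9]{1,11})\b")
TELNETD = re.compile(r"busybox\s+telnetd\b([^;\"\n]*)")
# "... > file; sh file": a script written and then executed.
DROP = re.compile(r">\s*([\w./-]+)\s*;\s*sh\s+([\w./-]+)")

def analyze(payload):
    """Return the indicators found in one captured payload (text)."""
    found = {"probe_tokens": sorted(set(PROBE.findall(payload)))}
    m = TELNETD.search(payload)
    if m:
        args = m.group(1)
        port = re.search(r"-p\s*(\d+)", args)
        login = re.search(r"-l\s*(\S+)", args)
        # BusyBox telnetd listens on 23 and runs /bin/login by default.
        found["telnetd_port"] = int(port.group(1)) if port else 23
        found["telnetd_login"] = login.group(1) if login else "/bin/login"
    d = DROP.search(payload)
    if d and d.group(1) == d.group(2):
        found["dropped_script"] = d.group(1)
    return found

def triage(sessions):
    """Yield (src, dst_port, findings) for sessions that show shell activity."""
    for src, dport, payload in sessions:
        f = analyze(payload)
        if f["probe_tokens"] or "telnetd_port" in f:
            # A shell as login program means no authentication on that port.
            f["unauth_shell_backdoor"] = f.get("telnetd_login", "").endswith("sh")
            yield src, dport, f

# Constructed sessions: addresses are documentation ranges; the first payload
# is the command set quoted in the diary, the second a made-up HTTP request.
SESSIONS = [
    ("192.0.2.10", 9527,
     '/bin/busybox LA;\ncd /var/tmp; echo -e "/bin/busybox telnetd -p9000 '
     '-l/bin/sh; /bin/busybox LA" > telneton; sh telneton;\n'),
    ("198.51.100.7", 9000, "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dport, f in triage(SESSIONS):
        print(src, dport, f)
```

The extracted telnetd port is the one worth watching next on the same sensor, since that is where a follow-up connection would arrive.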

I haven't yet found out what the "next step" will be, but I am waiting for incoming telnet connections on port 9000. So far I am just getting the usual "webcam" HTTP requests on port 9000 like


But I think these are unrelated. Scans for port 9527 had some interesting "decay patterns" over the last few months.

Let me know if you have any insight into this activity.

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute



ISC Handler
Aug 1st 2019
Looks like some DVRs have unauthenticated shells on that port:
Hi John,

May I know what tools we are using for port activities, please?
