
SANS ISC: What is going on with port 3333? - SANS Internet Storm Center


What is going on with port 3333?

We've seen a spike over the last day or so in reports of apparent scanning on TCP port 3333. I have serious doubts that anyone is actually looking for DEC Notes, which is the registered IANA use for this port. While we're getting our own honeypots set up, I figured I'd ask our readers: do you have packets and/or any idea what is going on here? Please let us know in the comments or via our contact page. Thanks in advance.

Update: 2018-01-09 03:00 The original version of this diary inadvertently said the traffic was UDP; the traffic that I am seeing in my logs at home is actually TCP. My apologies for the confusion.

Update: 2018-01-10 00:00 UTC The recurring theme in the comments and email we've received suggests that some of the recent Monero miner malware samples are sending their results back to C2 servers on port 3333, so perhaps folks are trying to find and steal the ill-gotten cryptocurrency. I still haven't examined any traffic captured by our honeypots to confirm or refute that that is what they are looking for.

 

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

 

Jim (ISC Handler, 400 Posts)
I do not have logs or evidence to provide.
This is malware that exploits CVE-2017-10271 (WebLogic exploit). It installed a cryptocurrency miner, either generating AEON or possibly Monero.
It's using port 3333 to call back to the control server.
Jim (0 Posts)
A lot of mining pools are configured on 3333 for their low hash levels (e.g. https://www.awesomeminer.com/help/pools.aspx). Might be someone mapping pools?
DSchatz (2 Posts)
It's the Stratum protocol for Monero mining traffic. CVE-2017-10271 had PoC exploit code released recently. Around Jan 1st the exploit was observed being used to push Monero miners to servers. Since then there has been a large uptick in compromised servers.

Here are some of the mining pools / ports observed from samples I've seen.

pool.supportxmr.com:3333
pool.cortins.tk:3333
xmrpool.eu
mine.moneropool.com
xmr.crypto-pool.fr:8080
xmr.crypto-pool.fr:3333
xmr.crypto-pool.fr:6666
xmr.crypto-pool.fr:7777
xmr.crypto-pool.fr:443
Anonymous
I am seeing activity on tcp port 3333 as well from a few different sources. Main Source IPs are 181.214.87.7 and 109.248.9.114. I don't have any other info.
Anonymous
This could also be some type of search for the Claymore miner software used in mining. The application opens port tcp/3333 for read only monitoring. Possibly a vulnerability exists in the code that allows configuration changes.

https://bitcointalk.org/index.php?topic=1433925.msg14501372;topicseen#msg14501372
Jeff (1 Post)
If the owner configures it with a password you can remotely write arbitrary files to the filesystem (assuming you know/guess the password). If you write a script to reboot.bat or reboot.sh, you can get the software to run it via another API endpoint.
yaleman (2 Posts)
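Taking the Stratum explanation and pool list above together with the Claymore remote-management notes from Jeff and yaleman, here is an added triage script (example code, not from the diary or from any commenter) for whoever ends up with honeypot captures on this port. It looks at the first bytes a client sends after connecting to TCP/3333 and labels them as cryptonight-style Stratum (the JSON-RPC login/getjob/submit dialect that Monero pools and xmrig-style miners speak), classic mining.* Stratum, a Claymore management call, HTTP, TLS, or an empty probe, and it pulls the wallet and agent string out of a Stratum login so one campaign can be tracked across source addresses. The capture records and the wallet string are constructed, the source addresses are RFC 5737 documentation ranges, and the Claymore method set is an assumption to check against the readme of the miner version you are looking at.

```python
"""Triage of first-packet payloads seen on TCP/3333: Stratum mining traffic,
Claymore remote management, web/TLS scanners, or bare connects."""
import json
import re
from collections import Counter, defaultdict

# JSON-RPC methods of the Stratum dialect Monero pools speak (xmrig and
# friends). Classic Bitcoin-style Stratum instead prefixes methods with "mining.".
CRYPTONIGHT_STRATUM_METHODS = {"login", "getjob", "submit", "keepalived"}
CLASSIC_STRATUM_PREFIX = "mining."
# Claymore remote-management methods as documented in its readme.
# Assumption: extend this set for the miner version you are chasing.
CLAYMORE_METHODS = {"miner_getstat1", "miner_restart", "miner_reboot",
                    "miner_file", "control_gpu"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def first_json_object(data: bytes):
    """Stratum and Claymore both send newline-delimited JSON; parse the first line."""
    line = data.split(b"\n", 1)[0].strip()
    if not line.startswith(b"{"):
        return None
    try:
        obj = json.loads(line.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def classify_payload(data: bytes) -> str:
    """Label the first bytes a client sent on the connection."""
    if not data:
        return "empty"               # SYN scan or connect-and-close, nothing sent
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "tls"                 # TLS record: handshake content type, version 3.x
    if HTTP_REQUEST.match(data):
        return "http"                # e.g. probing for a web admin UI living on 3333
    obj = first_json_object(data)
    if obj is None:
        return "unknown"
    method = obj.get("method")
    if not isinstance(method, str):
        return "json-other"
    if method in CRYPTONIGHT_STRATUM_METHODS:
        return "stratum-cryptonight"
    if method.startswith(CLASSIC_STRATUM_PREFIX):
        return "stratum-classic"
    if method in CLAYMORE_METHODS:
        return "claymore-mgmt"
    return "json-other"


def stratum_login_details(data: bytes):
    """For a cryptonight-style login, return the wallet (the pivot that ties one
    campaign together across hosts) and the agent string (names the miner family)."""
    obj = first_json_object(data)
    if not obj or obj.get("method") != "login":
        return None
    params = obj.get("params")
    if not isinstance(params, dict):
        return None
    return {"login": params.get("login"), "agent": params.get("agent")}


def summarize(captures):
    """Per-source tally of payload classes, plus every wallet seen in a login."""
    per_source = defaultdict(Counter)
    wallets = set()
    for src, data in captures:
        label = classify_payload(data)
        per_source[src][label] += 1
        if label == "stratum-cryptonight":
            details = stratum_login_details(data)
            if details and details["login"]:
                wallets.add(details["login"])
    return {src: dict(c) for src, c in per_source.items()}, wallets


# Constructed sample captures (source IP, first bytes sent). Not real traffic;
# the wallet is a placeholder with the shape of a Monero address, not a real one.
FAKE_WALLET = "4" + "A" * 94
SAMPLE_CAPTURES = [
    ("198.51.100.7", ('{"method":"login","params":{"login":"' + FAKE_WALLET +
                      '","pass":"x","agent":"xmrig/2.4.3"},"id":1}\n').encode()),
    ("198.51.100.8", b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'),
    ("203.0.113.9", b'{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}\n'),
    ("203.0.113.9", b'{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","4065636820686921"]}\n'),
    ("192.0.2.44", b"GET /login HTTP/1.1\r\nHost: 10.0.0.5:3333\r\n\r\n"),
    ("192.0.2.44", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("192.0.2.45", b""),
    ("192.0.2.45", b"SSH-2.0-OpenSSH_7.4\r\n"),
]

if __name__ == "__main__":
    per_source, wallets = summarize(SAMPLE_CAPTURES)
    for src, counts in sorted(per_source.items()):
        print(src, counts)
    print("wallets seen:", wallets)
```

Feed it (source, first_bytes) tuples from whatever your honeypot records; a source that only ever produces "empty" is a port scanner, one that sends a Stratum login is a miner that has been pointed at you by mistake or a pool that was misconfigured, and a source issuing Claymore methods is hunting for exposed miner management ports, which matches the theory in the comments above.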
This is what we see hitting this port from 01/16 - 01/22:

5.188.203.131
185.62.188.88
5.188.86.157
77.72.85.106
109.248.9.248
5.188.203.54
191.101.167.167
77.72.85.105
51.15.93.216
181.214.87.239
77.72.85.106
5.188.86.156
181.214.87.11
77.72.85.10
77.72.82.72
JT (2 Posts)
I'm with the theory that it is #mining related. I also noted that 3333 is the default port of the Gophish admin server.
https://gophish.gitbooks.io/user-guide/content/installation.html
dotBATman (65 Posts)
