Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: What is happening on 2323/TCP? - SANS Internet Storm Center SANS ISC InfoSec Forums


What is happening on 2323/TCP?

A number of sources, including DShield, have noticed an uptick in activity on port 2323/TCP beginning around 3 weeks ago.

This is the scanner portion of the Mirai botnet scanning for IoT devices on both 23/TCP and 2323/TCP. A number of IoT devices use port 2323/TCP as an alternate port for Telnet. Those who have set up listeners on port 2323 are seeing brute-force credential attacks that use a small dictionary.

The Mirai botnet was used to attempt to DDoS Brian Krebs' website and for the nearly 1 Tbps DDoS against OVH in late September.

 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
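For readers checking their own firewall logs for this activity, the following is an added example, not part of the original diary. It tallies inbound TCP attempts to 23 and 2323 per source and lists the sources probing both ports; the log lines are constructed, and the abbreviated iptables LOG format is an assumption about the reader's firewall.

```python
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Constructed sample lines in abbreviated iptables LOG format (documentation IP ranges).
SAMPLE_LOG = """\
Oct 12 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=41234 DPT=23 SYN
Oct 12 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=40 TTL=52 PROTO=TCP SPT=41235 DPT=2323 SYN
Oct 12 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=40 TTL=52 PROTO=TCP SPT=41236 DPT=23 SYN
Oct 12 10:02:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 TTL=47 PROTO=TCP SPT=50211 DPT=2323 SYN
Oct 12 10:02:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=60 TTL=61 PROTO=TCP SPT=33000 DPT=443 SYN
Oct 12 10:03:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=52 TTL=47 PROTO=UDP SPT=50211 DPT=2323
"""

# Only the key=value fields needed for the tally.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def summarize(log_text):
    """Per source: hits per Telnet port and the distinct destinations probed."""
    stats = defaultdict(lambda: {"ports": defaultdict(int), "dsts": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        # Skip non-TCP traffic and lines without a numeric destination port.
        if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue
        port = int(f["DPT"])
        if port in TELNET_PORTS and "SRC" in f:
            stats[f["SRC"]]["ports"][port] += 1
            stats[f["SRC"]]["dsts"].add(f.get("DST"))
    return stats

def dual_port_sources(stats):
    """Sources seen on both 23/TCP and 2323/TCP, the pairing the diary describes."""
    return sorted(s for s, v in stats.items() if TELNET_PORTS <= set(v["ports"]))

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, v in sorted(stats.items()):
        print(src, dict(v["ports"]), "destinations:", len(v["dsts"]))
    print("both ports:", dual_port_sources(stats))
```

A source that shows up on only one of the two ports is still worth a look; the dual-port list is simply the narrower match for the scanning pattern described above.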

Rick

271 Posts
ISC Handler
I was just wondering about this very thing a couple of hours ago when I was looking through my firewall logs.
xannash

1 Posts
Yes, I have been seeing a lot of this in some various logs as well. Thanks for your post.
Anonymous

Posts
