Here at the ISC we provide access to a number of bits of data which can be used to dig into problems or even as an early warning system of unusual activity. Well, today's data has revealed a confounding one. Port 62234, which traditionally has zero or near zero sources attempting to access it, suddenly has hundreds of sources. This port is not one I have seen as a target before, and none of my sources show any traffic on this port. A check of Shodan shows only 3 hits, and two of those appear to be BitTorrent related. I am at a loss. If any of you have further information, firewall logs, or better yet, packet captures of this activity, it would be appreciated if you could send it over for analysis. -- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Rick 324 Posts ISC Handler, May 19th 2020
Question - what is the transport for this activity that you are seeing (tcp/udp)?
NightFalcon 1 Posts, May 19th 2020
I believe it is TCP. But still investigating...
Rick 324 Posts ISC Handler, May 19th 2020
I see a few attempts a week to this destination port, TCP. I have 3 IPs on my server and they usually hit all three. Source IPs include 154.59.121.150, 154.59.121.132, 185.153.196.64 so far this month.
Anonymous, May 21st 2020
Curious if there's been any more info. I saw a large spike in activity on this port. Looks like scanning from a single Bangladesh IP with single hits to ranges of IPs.
Anonymous, May 22nd 2020
I am curious about whether or not you have more information about what is going on at these ports.
Also, is it true that Bangladesh IPs are trying to hit these ports all the time?
Anonymous, May 25th 2020
I did not receive anything I could use to follow up. All I can tell you for sure is that the scanning started around May 17th, and while the number of sources has tailed off a bit, we are still seeing more than 300 sources per day. If you look at the ports page (isc.sans.edu/…) it has the top 10 IPs that are scanning today. They are mostly Korea and Japan with some China and others thrown in.
I would still love a pcap. (-8
Rick 324 Posts ISC Handler, May 25th 2020
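Rick's original post frames the ISC port data as an early warning system: a port that normally sees zero or near zero distinct sources suddenly seeing hundreds. The script below is an added example, not code from the ISC or from anyone in this thread, showing how a reader with their own firewall logs could produce the same per-port distinct-source count and flag a spike before sending the logs or a pcap along. It assumes netfilter-style syslog lines with SRC=, PROTO= and DPT= fields; the sample lines are constructed, use RFC 5737 documentation addresses rather than any real scanner, and the thresholds are arbitrary choices for the example.

```python
"""Flag a destination port whose count of distinct source IPs per day jumps
well above that port's own history, the kind of signal the ISC port data
showed for TCP/62234.

Example code added to this thread; not ISC code. The log format is an
assumed iptables/netfilter syslog layout, and the sample log is constructed
with RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24,
203.0.113.0/24), not real sources.
"""
import re
from collections import defaultdict

# Assumed line shape: "<ISO date>T<time> host kernel: ... SRC=a.b.c.d ... PROTO=TCP ... DPT=62234 ..."
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one quiet day for 62234, then a burst of new sources.
SAMPLE_LOG = """\
2020-05-16T02:11:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40211 DPT=22 SYN
2020-05-16T03:40:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=62234 SYN
2020-05-17T00:12:51 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=60001 DPT=62234 SYN
2020-05-17T00:13:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.6 PROTO=TCP SPT=60002 DPT=62234 SYN
2020-05-17T00:13:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=203.0.113.7 PROTO=TCP SPT=60003 DPT=62234 SYN
2020-05-17T00:13:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.6 PROTO=TCP SPT=60004 DPT=62234 SYN
2020-05-17T01:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=60005 DPT=62234 SYN
2020-05-17T05:30:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=203.0.113.5 PROTO=TCP SPT=40212 DPT=22 SYN
2020-05-17T06:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.13 DST=203.0.113.5 PROTO=UDP SPT=1900 DPT=62234
"""


def parse_line(line):
    """Return (day, src, proto, dport) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["day"], m["src"], m["proto"].upper(), int(m["dpt"])


def sources_per_port_day(lines, proto="TCP"):
    """Map (dport, day) -> set of distinct source IPs, for one transport.

    Counting distinct sources rather than packets is what separates a real
    scan from one noisy host retrying; the thread is about TCP, so other
    transports are dropped by default.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != proto:
            continue
        day, src, _, dport = rec
        seen[(dport, day)].add(src)
    return seen


def spikes(seen, min_sources=4, ratio=3.0):
    """Return (dport, day, count, baseline) for each day on which a port's
    distinct-source count is at least `min_sources` and more than `ratio`
    times the port's mean over all earlier days (a baseline below one source
    per day is treated as one, so a previously silent port still needs a
    real burst, not a single new host, to alert)."""
    by_port = defaultdict(dict)
    for (dport, day), srcs in seen.items():
        by_port[dport][day] = len(srcs)
    alerts = []
    for dport, days in by_port.items():
        history = []
        for day in sorted(days):  # ISO dates sort chronologically as strings
            count = days[day]
            baseline = sum(history) / len(history) if history else 0.0
            if count >= min_sources and count > ratio * max(baseline, 1.0):
                alerts.append((dport, day, count, baseline))
            history.append(count)
    return alerts


if __name__ == "__main__":
    for dport, day, count, baseline in spikes(sources_per_port_day(SAMPLE_LOG.splitlines())):
        print(f"{day}: tcp/{dport} seen from {count} distinct sources (baseline {baseline:.1f}/day)")
```

On the constructed sample this reports only tcp/62234 on 2020-05-17 (four distinct sources against a one-source baseline), while tcp/22 with its one source per day and the single UDP probe stay quiet. Feeding a real log in would replace `SAMPLE_LOG.splitlines()` with the file's lines; the per-day source sets are also exactly the data worth attaching when sending logs in for analysis, since they show breadth of sources rather than raw packet volume.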