My next class:

Ongoing Scans Below the Radar

Published: 2016-12-31. Last Updated: 2016-12-31 09:44:45 UTC
by Xavier Mertens (Version: 1)
6 comment(s)

With the rise of botnets like Mirai[1], we have seen a huge increase of port scans to find new open ports like port 2323 or later port 6789. If the classic port 80 and port 23 remain the most scanned ports, we see new trends almost every week. By the way, thank you to our readers who also report this to the ISC!

This is the traffic detected by my current honeypots:

The honeypots accept connections on ports 80 and 443 and just log attempts performed on other ports.

A few days ago, I deployed a new honeypot that listens to many more ports:

  • 21 (FTP)
  • 22 (SSH)
  • 69 (TFTP)
  • 80 (HTTP)
  • 123 (NTP)
  • 161 (SNMP)
  • 445 (SMB)
  • 1433 (MSSQL)
  • 3389 (RDP)
  • 5060 (SIP)
  • 5900 (VNC)
  • 8080 (Proxy)

For each protocol, the honeypot collects interesting information related to the application (user, password, commands, filename, path, ...) It has been deployed on a brand new system that was unknown before. Here are some results after one week online:

Protocol Hits
21 1
3389 2
80 3
69 9
161 35
123 82
5060 234
3306 3097
1433 4897
23 41857

As you can see databases seems to remain a nice target. The MSSQL scans revealed the following users:

Chred1433
IIS
KISAdmin
kisadmin
sa
su
vice

With MySQL, the targeted users were:

mysql
root
server

The NTP scanners issued the "monlist" command to search for NTP servers vulnerable to amplification attacks.

As you can see, there are bots scanning for many protocols. We need to keep an eye on what is happening below the radar. I'm planning to listen to more ports in the coming days. I wish you already a wonderful and safe year 2017!

[1] https://isc.sans.edu/forums/diary/What+is+happening+on+2323TCP/21563
[2] https://www.us-cert.gov/ncas/alerts/TA14-013A

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: bots honeypot scans
6 comment(s)
My next class:

Comments

I'm sure some readers would be interested to know which honeypot you used when you guys talk about capturing traffia with one. Whether it's custom built from scratch or a distribution? I would think the more of us using them the more intelligence were gathering.
Dear Xavier,

You told about a new multi-listening honeypot deployed to help investigating for bots. Could you please provide a description of the honeypot used and how to deploy such one ? It could maybe be a nice idea to aggregate the collected data of many of the same honeypot you use ?

Many thanks in advance,
Best regards.
We see high activity on TCP/5358, maybe attributable to the Hajime worm, a cousin of Mirai.

Devices have a random (?) high port open, which sends directly malware:

https://www.virustotal.com/de/file/cd902176bb1ad799f422703b67f021e16922ac9f990f30e9ec032ae03a5602ff/analysis/1482934109/
I wish there were a way to post screenshots, this would make certain replies appear better. Here is a copy paste of just the text from my honeypot (the one J. ulrich provided for raspberry Pi's)

Here is what I see for the last 24 hours.

Port Summary
Port Packets Sources Targets Service Name
23 192 183 1 telnet
23231 66 66 1
6789 28 28 1 ibm-db2-admin dB2 Web Control Center
2222 36 21 1 AMD [trojan] Rootshell left by AMD exploit
60205 16 16 1
5358 9 9 1
2323 8 8 1 3d-nfsd 3d-nfsd
5060 9 7 1 sip SIP
3389 4 3 1 ms-term-services MS Terminal Services
3391 2 2 1 savant SAVANT
53 2 2 1 domain Domain Name Server
3306 2 2 1 mysql MySQL
5900 2 2 1 vnc Virtual Network Computer
62014 2 2 1
123 2 2 1 NetController [trojan] Net Controller
161 2 2 1 snmp SNMP
7547 2 2 1 TR069 Router Remote Admin
0 2 2 1
8000 3 2 1 irdmi iRDMI
21 1 1 1 ftp File Transfer [Control]
The editor is not good. it strips out all tab's and extra spaces. You create a nice looking tab/space delimited chart, and when you 'Submit' it comes back looking like it was formatted by a 4 year old. (I tried)
[quote=comment#38663]I'm sure some readers would be interested to know which honeypot you used when you guys talk about capturing traffia with one. Whether it's custom built from scratch or a distribution? I would think the more of us using them the more intelligence were gathering.[/quote]

I'm preparing a standard setup that I'll share later + integration into Splunk.

Diary Archives