DVRIP Port 34567 - Uptick
We are seeing a recent uptick in port 34567 for recent weeks. [1] I was curious, so I poked around to learn a few things. At this point, it appears it could be a century of some kind..
Admittedly, I do not know much about this port. After a little digging, I see a possible affinity to Fbot and Mirai or its variants. We have a Diary from Dr. J. on Mirai [2]. After some reading, I can not definitively tie this to Mirai or Fbot or something else just yet. However, in early 2019 there was a well publicized uptick in Fbot activity. [3] I went looking for data on ports that coincided with the early 2019 events from Fbot. I did find some correlation, but nothing purely consistent. By that I mean, all ports with ties to Fbot did not see a recent correlating spike. Some well known ports that showed activity back then for Fbot are TCP: port 80,port 81,port 88, port 8000 and port 8080. Some of these have correlating spikes of late. See some pics below.
[1]
[4]
[5]
Looking at these three graphs only, one could infer there were less infected hosts in early 2019. The recent uptick shows a more equal distribution of sources and targets. This can mean there are more infected hosts and possibly a new campaign has begun.
I invite you all to comment and share what you may know of this observation.
-Kevin
--
ISC Handler on Duty
[1] https://isc.sans.edu/port.html?port=34567
[2] https://isc.sans.edu/diary/22786 - JUllrich Diary on Mirai 09-05-2017
[3] https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/
[4] https://isc.sans.edu/port.html?port=8000
[5] https://isc.sans.edu/port.html?port=88
Comments
Anonymous
Jul 26th 2019
5 years ago
just for curiosity !! may i know which tools you are using to see the port activity? is it snort or some other specialize customize tools ?
Anonymous
Jul 29th 2019
5 years ago