Last Updated: 2016-09-08 18:40:02 UTC
by Kevin Shortt (Version: 1)
It could be nothing. It could be something.
The ISC HoneyPot has been showing some port 161 traffic.
12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .188.8.131.52.184.108.40.206.0
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .220.127.116.11.18.104.22.168.0
12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .22.214.171.124.126.96.36.199.0
So I did some poking around, read some articles and found some similarities, etc. No real testing per se yet. Then after yesterday's data was collected, the ISC port data showed a curious correlation. So I am turning to our readers. Can any of you offer any corroborating data or anecdotes? The pic below shows a triple in sources on Aug 11 near the time when some of the recent Cisco vulnerabilities became well known. Then a similar spike yesterday. The numbers do not entirely warrant a deep dive; however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.
Please leave a comment if you see anything that correlates in your travels.
ISC Handler on Duty