DVRIP Port 34567 - Uptick
Last Updated: 2019-07-26 15:26:21 UTC
by Kevin Shortt (Version: 1)
We are seeing a recent uptick in port 34567 for recent weeks.  I was curious, so I poked around to learn a few things. At this point, it appears it could be a century of some kind..
Admittedly, I do not know much about this port. After a little digging, I see a possible affinity to Fbot and Mirai or its variants. We have a Diary from Dr. J. on Mirai . After some reading, I can not definitively tie this to Mirai or Fbot or something else just yet. However, in early 2019 there was a well publicized uptick in Fbot activity.  I went looking for data on ports that coincided with the early 2019 events from Fbot. I did find some correlation, but nothing purely consistent. By that I mean, all ports with ties to Fbot did not see a recent correlating spike. Some well known ports that showed activity back then for Fbot are TCP: port 80,port 81,port 88, port 8000 and port 8080. Some of these have correlating spikes of late. See some pics below.
Looking at these three graphs only, one could infer there were less infected hosts in early 2019. The recent uptick shows a more equal distribution of sources and targets. This can mean there are more infected hosts and possibly a new campaign has begun.
I invite you all to comment and share what you may know of this observation.
ISC Handler on Duty
 https://isc.sans.edu/diary/22786 - JUllrich Diary on Mirai 09-05-2017
Jul 26th 2019
3 years ago
just for curiosity !! may i know which tools you are using to see the port activity? is it snort or some other specialize customize tools ?
Jul 29th 2019
3 years ago