Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: WTF tcp port 81 - Internet Security | DShield SANS ISC InfoSec Forums

WTF tcp port 81

I don't know which of our tools you, our readers, use on a regular basis, but one of the things I like to look at first when I log in to is the Top 10 Ports by Unique Sources chart. This suggests coordinated (think botnets) scanning. So, I was really shocked to see port 81 had jumped up to 2nd position just behind all the Mirai-ish port 23 scanning. Take a look at the port 81 chart. If any of our readers have any insight into what is going on here since 16 Apr, please let us know.

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I'll be teaching FOR610 in June, Sept, and Oct. See my schedule here:


400 Posts
ISC Handler
Some kind of error in software coding perhaps, where zero being 1 has been overlooked?
We can confirm at our organization that we're also seeing a spike in port 81 access attempts since April 15th.

- Joel Hilke

1 Posts
The only thing I have seen is public IP checks from via user agent "uTorrent/347". Maybe a new technique in peering?

1 Posts
We have a blog about this here,
Hi Jim,

It is a new IoT botnet reported by netlab from 360 company.

More info below.
360's NetLab has some details on this activity:
Catalin Cimpanu

2 Posts
