
SANS ISC: WTF tcp port 81 - Internet Security | DShield SANS ISC InfoSec Forums


WTF tcp port 81

I don't know which of our tools you, our readers, use on a regular basis, but one of the things I like to look at first when I log in to isc.sans.edu is the Top 10 Ports by Unique Sources chart. This suggests coordinated (think botnets) scanning. So, I was really shocked to see port 81 had jumped up to 2nd position just behind all the Mirai-ish port 23 scanning. Take a look at the port 81 chart. If any of our readers have any insight into what is going on here since 16 Apr, please let us know.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I'll be teaching FOR610 in June, Sept, and Oct. See my schedule here: https://www.sans.org/instructors/jim-clausing

Jim

397 Posts
ISC Handler
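
To check for the same pattern in your own perimeter logs, here is an added example (not part of the diary and not ISC's tooling) that ranks destination ports by unique source addresses per day and flags ports whose count jumps. The `day src_ip dst_port` record format, the function names and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

def constructed_log():
    """Constructed sample records: 'day src_ip dst_port' (documentation IP ranges)."""
    lines = []
    # Day 04-15: port 23 dominates, port 81 is background noise.
    lines += [f"04-15 192.0.2.{i} 23" for i in range(1, 9)]
    lines += ["04-15 198.51.100.1 81", "04-15 198.51.100.1 81"]  # one source, seen twice
    lines += [f"04-15 203.0.113.{i} 22" for i in range(1, 4)]
    # Day 04-16: many distinct sources suddenly probe port 81.
    lines += [f"04-16 192.0.2.{i} 23" for i in range(1, 10)]
    lines += [f"04-16 198.51.100.{i} 81" for i in range(1, 7)]
    lines += [f"04-16 203.0.113.{i} 22" for i in range(1, 4)]
    lines.append("truncated record")  # malformed line, must be skipped
    return "\n".join(lines)

def unique_sources(log_text):
    """Return {day: {port: set(source IPs)}}; repeated hits from one IP count once."""
    per_day = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records
        per_day[parts[0]][int(parts[2])].add(parts[1])
    return per_day

def top_ports(per_day, day, n=10):
    """Ports ranked by unique-source count (descending), ties broken by port number."""
    counts = {port: len(srcs) for port, srcs in per_day[day].items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def jumps(per_day, prev_day, day, factor=3.0, min_sources=5):
    """Ports whose unique sources grew at least `factor`-fold day over day."""
    flagged = []
    for port, srcs in per_day[day].items():
        before = len(per_day[prev_day].get(port, ()))
        now = len(srcs)
        # max(before, 1) keeps a previously unseen port from passing on tiny counts
        if now >= min_sources and now >= factor * max(before, 1):
            flagged.append((port, before, now))
    return sorted(flagged)

if __name__ == "__main__":
    data = unique_sources(constructed_log())
    print("top ports 04-16:", top_ports(data, "04-16"))
    print("jumps:", jumps(data, "04-15", "04-16"))
```

Counting distinct sources rather than raw hits is what separates many hosts probing one port from a single noisy scanner.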
Some kind of error in software coding perhaps, where zero being 1 has been overlooked?
Anonymous

Posts
We can confirm at our organization that we're also seeing a spike in port 81 access attempts since April 15th.

- Joel Hilke
JoelH

1 Posts
The only thing I have seen is public IP checks from checkip.synology.com via user agent "uTorrent/347". Maybe a new technique in peering?
L0ngkn1f3

1 Posts
We have a blog about this here, http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/
Anonymous

Posts
Hi Jim,

It is a new IoT botnet reported by netlab from 360 company.

More info below.
http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/
Anonymous

Posts
360's NetLab has some details on this activity: http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/
Catalin Cimpanu

2 Posts
