With the rise of botnets like Mirai[1], we have seen a huge increase of port scans to find new open ports like 2323 or later 6789. If the classic ports 80 and 23 remain

The honeypots accept connections on ports 80 and 443 and just log attempts performed on other ports.

A few days ago, I deployed a new honeypot that listens to many more ports:

  • 21 (FTP)
  • 22 (SSH)
  • 69 (TFTP)
  • 80 (HTTP)
  • 123 (NTP)
  • 161 (SNMP)
  • 445 (SMB)
  • 1433 (MSSQL)
  • 3389 (RDP)
  • 5060 (SIP)
  • 5900 (VNC)
  • 8080 (Proxy)

For each protocol, the honeypot collects interesting information related to the application (user, password, commands, filename, path, ...).

Protocol  Hits
21        1
3389      2
80        3
69        9
161       35
123       82
5060      234
3306      3097
1433      4897
23        41857

As you can see, databases seem to remain a nice target. The MSSQL scans revealed the
[image not recovered; visible text: mysql root server]

The NTP scanners issued the monlist command to search for NTP servers vulnerable to amplification attacks[2].
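To make the two observations above concrete (the per-port hit table and the monlist probes against port 123), here is an added Python example; it is not the diary's honeypot code. It assumes a constructed event log format (one JSON object per connection with source, destination port, protocol and a hex-encoded first payload), tallies hits per port the way the table above does, and classifies NTP payloads as ntpdc private-mode (mode 7) MON_GETLIST / MON_GETLIST_1 requests (request codes 20 and 42) so that monlist scanners stand out from ordinary NTP clients. All sample events and addresses are constructed.

```python
import json
from collections import Counter

# Constructed sample log (not real honeypot data): one JSON object per line.
# "payload" holds the first bytes received, hex-encoded. The NTP client packet
# is truncated to 8 bytes for brevity; a real one is 48 bytes.
SAMPLE_EVENTS = """\
{"src": "198.51.100.7", "port": 23,   "proto": "tcp", "payload": "726f6f740d0a"}
{"src": "198.51.100.7", "port": 2323, "proto": "tcp", "payload": "726f6f740d0a"}
{"src": "203.0.113.9",  "port": 123,  "proto": "udp", "payload": "1700032a0000000000000000"}
{"src": "203.0.113.9",  "port": 123,  "proto": "udp", "payload": "1b00000000000000"}
{"src": "192.0.2.44",   "port": 1433, "proto": "tcp", "payload": "1201002f"}
{"src": "192.0.2.44",   "port": 3306, "proto": "tcp", "payload": ""}
{"src": "192.0.2.45",   "port": 5060, "proto": "udp", "payload": "4f5054494f4e53"}
"""

# Port labels for the summary table (the diary's list plus Telnet/MySQL).
PORT_NAMES = {21: "FTP", 22: "SSH", 23: "Telnet", 69: "TFTP", 80: "HTTP",
              123: "NTP", 161: "SNMP", 445: "SMB", 1433: "MSSQL",
              3306: "MySQL", 3389: "RDP", 5060: "SIP", 5900: "VNC",
              8080: "Proxy"}

# ntpdc private protocol constants: mode 7 packets, request codes for monlist.
NTP_MODE_PRIVATE = 7
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42


def is_ntp_monlist_request(payload: bytes) -> bool:
    """True if payload looks like an NTP mode-7 MON_GETLIST(_1) *request*.

    Byte 0 is R(1) M(1) VN(3) Mode(3); byte 2 is the implementation number;
    byte 3 is the request code. A set R bit means it is a response, not a probe.
    """
    if len(payload) < 8:          # private-mode header is 8 bytes
        return False
    response_bit = payload[0] & 0x80
    mode = payload[0] & 0x07
    req_code = payload[3]
    return (response_bit == 0 and mode == NTP_MODE_PRIVATE
            and req_code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def parse_events(text: str) -> list:
    """Parse JSON-lines events, decoding the hex payload into bytes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["payload"] = bytes.fromhex(ev.get("payload", ""))
        events.append(ev)
    return events


def hits_per_port(events: list) -> Counter:
    """Hits per destination port, the basis of the Protocol/Hits table."""
    return Counter(ev["port"] for ev in events)


def monlist_scanners(events: list) -> list:
    """Sorted unique sources that sent a monlist request to the NTP port."""
    return sorted({ev["src"] for ev in events
                   if ev["port"] == 123 and is_ntp_monlist_request(ev["payload"])})


def format_table(counts: Counter) -> str:
    """Render the counts as a plain-text table, least-hit port first."""
    rows = ["Protocol  Port   Hits"]
    for port, n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0])):
        rows.append(f"{PORT_NAMES.get(port, 'other'):<9} {port:<6} {n}")
    return "\n".join(rows)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(format_table(hits_per_port(evs)))
    print("monlist probes from:", monlist_scanners(evs))
```

The monlist check deliberately requires the response bit to be clear and the request code to be one of the two monlist codes, so a stray mode-7 response or a different private-mode query is not reported as a scanner; on a real honeypot the same function can be applied to every UDP/123 datagram before it is answered.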

As you can see, there are bots scanning for many protocols. We need to keep an eye on what is happening below the radar. I'm planning to listen to more ports in the coming days. I wish you already a wonderful and safe year 2017!

[1]https://isc.sans.edu/forums/diary/What+is+happening+on+2323TCP/21563
[2]https://www.us-cert.gov/ncas/alerts/TA14-013A

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
