DVRIP Port 34567 – Uptick, (Fri, Jul 26th)
We have been seeing an uptick on port 34567 in recent weeks. [1] I was curious, so I poked around to learn a few things. At this point, it appears it could be a century of some kind.
Admittedly, I do not know much about this port. After a little digging, I see a possible affinity to Fbot and Mirai or its variants. We have a Diary from Dr. J. on Mirai [2]. After some reading, I cannot definitively tie this to Mirai or Fbot or something else just yet. However, in early 2019 there was a well-publicized uptick in Fbot activity. [3] I went looking for data on ports that coincided with the early 2019 events from Fbot. I did find some correlation, but nothing purely consistent. By that I mean, not all ports with ties to Fbot saw a recent correlating spike. Some well-known ports that showed activity back then for Fbot are TCP 80, 81, 88, 8000 and 8080. Some of these have correlating spikes of late. See some pics below.
[Figures: ISC port-history graphs for ports 34567 [1], 8000 [4] and 88 [5]]
Looking at these three graphs only, one could infer there were fewer infected hosts in early 2019. The recent uptick shows a more equal distribution of sources and targets. This can mean there are more infected hosts and possibly a new campaign has begun.
I invite you all to comment and share what you may know of this observation.
-Kevin
—
ISC Handler on Duty
[1] https://isc.sans.edu/port.html?port=34567
[2] https://isc.sans.edu/diary/22786 – JUllrich Diary on Mirai 09-05-2017
[3] https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/
[4] https://isc.sans.edu/port.html?port=8000
[5] https://isc.sans.edu/port.html?port=88
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.