When Im on shift, I really like to look at the port trends and see what the changes are. Looking at shifts in the network traffic is a great way to provide early warning that something new is out there. So today, port 83 caught my eye because its just not a common port you run into. width:748px” />
First step, what normally lives as a service on this port? width:326px” />
However, I cant find any documentation about this. This step can sometimes be one of the most frustrating. Its not the research part, but finding GOOD documentation that lays out the service or protocol that normally listens on a port. Its finding sample traffic, logs etc. that can help you understand what you are seeing. That, however, is a completely different topic, but might be a fun rabbit hole to go down later.
Now, the fun part…getting packets to see what we can figure out what is going here. Normally that helps, but today, not so much. It actually has made it a little more confusing only because there are a lot of disparate items (so it seems) in the traffic and some very curious. Johannes got a sample of traffic off our honeypot by setting up a netcat listener. Here are a few of the interesting tidbits from the packets, but I havent figured out how to put it all together or if any of it even fits together.
Who knew there was so much action on a port that I really hadnt looked at till today. If you have any packet captures for this or any ideas how this fits together or if its just random, please let us know!!
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.