My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Port 37777 "MapTable" Requests

Published: 2017-01-10. Last Updated: 2017-01-10 16:00:43 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Thanks to Bjørn for noticing an increase in port 37777 TCP traffic. He wrote a blog with some of the payloads he found, and after he notified us, I was able to confirm his observations in our honeypot [1].

First 32 bytes of the payload:

c1 00 00 00 00 14 00 00  63 6f 6e 66 69 67 00 00
                          c. o. n. f. i. g
31 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

ASCII representation of the payload (640 Bytes. The payload is followed by 0 padding for a total payload size of 5151 bytes.

{ "Enable" : 1, "MapTable" : [
{ "Enable" : 1, "InnerPort" : 85, "OuterPort" : 85, "Protocol" : "TCP", "ServiceName" : "HTTP" },
{ "Enable" : 1, "InnerPort" : 37777, "OuterPort" : 37777, "Protocol" : "TCP", "ServiceName" : "TCP" },
{ "Enable" : 1, "InnerPort" : 37778, "OuterPort" : 37778, "Protocol" : "UDP", "ServiceName" : "UDP" },
{ "Enable" : 1, "InnerPort" : 554, "OuterPort" : 554, "Protocol" : "TCP", "ServiceName" : "RTSP" },
{ "Enable" : 1, "InnerPort" : 23, "OuterPort" : 23231, "Protocol" : "TCP", "ServiceName" : "TELNET" },
{ "Enable" : 1, "InnerPort" : 23, "OuterPort" : 23123, "Protocol" : "TCP", "ServiceName" : "NEW" } ] }

The payload appears to attempt to configure port forwarding rules, which is typically done via UPNP (and UPNP has been heavily abused, but is typically not reachable from the "outside"). But the requests are different from UPNP in some ways:

  • UPNP usually uses HTTP like headers. These requests do not use any readable headers, just a brief binary pre-ample.
  • UPNP is typically using UDP. These requests arrive over TCP
  • UPNP uses XML/SOAP for its payload. These requests use what looks like JSON

Some newer versions of UPNP allow for REST/JSON instead of the older SOAP/XML format. But this still doesn't explain the missing headers. Port 37777 is typically used to stream video from CCTV DVRs, not for configuration. But then again, it is possible that some DVRs do accept configuration commands like the one shown above. But a request like this should probably be directed at the gateway/router, not the DVR. 

So there are still a lot of questions. Please let us know if you have any answers ;-)

[1] https://bløgg.no/2017/01/probes-towards-tcp37777/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

1 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

that is mirai, see our mirai-scanner page here, it actually first hit our mirai-honeypot in Dec 10.

http://data.netlab.360.com/mirai-scanner

scroll down a little bit, you can see a clickable chart.

Diary Archives