Hello, welcome to the Friday, August 2nd, 2019 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich.

I'm recording from Boston, Massachusetts.

I took a look at our honeypots today and did a quick follow-up on Port 9,527.

If you remember about a week ago, Kevin reported about this uptick in scans for Port 34,567.

Well, that was sort of vulnerability related to network cameras.

And I also noted that the same host that scanned 34567 did scan 9,527 as well.

Now, when I looked at some of the data collected from our honeypots, it looks like the port 9,527 is essentially an unauthenticated shell.

And this is somewhat confirmed by an article that one of our readers pointed to,

Pentest Partners wrote about a shell that's being offered by some DVRs made by Xiaomi.

And as Pentest Partners explains in their blog, this was actually after they finally disabled the Telnet server

when they then started up this other, well, sort of Telnet server on Port 9,527.

Now, the Pentest Partners report does mention some simple authentication,

but it also mentions that the shell being exposed here is fairly limited

and just sufficient to start the actual Telnet server,

and that's exactly actually the command that

I observed in our honeypods the attacker used the connection to port 9,527 to attempt to start

a telnet server on port 9,000 so far I haven't really observed any connections back to port 9,000. So far I haven't really observed any connections back to port 9,000, but there's a lot of

noise on that port because it's sometimes also used by web servers. So what I'm actually seeing

hit port 9,000 right now is mostly attacks against web applications running on that port. So what this really

means to you if you are owning some of these video cameras that may be vulnerable, don't forget to

include Port 9,500,000 in your port scans. You won't really get a prompt or anything like that. Just send some little

...