What is going on with Port 83?
Last Updated: 2017-06-16 17:44:28 UTC
by Lorna Hutcheson (Version: 1)
When I'm on shift, I really like to look at the port trends and see what the changes are. Looking at shifts in the network traffic is a great way to provide early warning that something new is out there. So today, port 83 caught my eye because it's just not a common port you run into. The climb in traffic has been subtle, but there were a couple of steep upticks along the way with the latest being in the last 24 hours.
First step, what normally lives as a service on this port? Well, IANA has the following:
However, I can't find any documentation about this. This step can sometimes be one of the most frustrating. It's not the research part, but finding GOOD documentation that lays out the service or protocol that normally listens on a port. It's finding sample traffic, logs, etc. that can help you understand what you are seeing. That, however, is a completely different topic, but might be a fun rabbit hole to go down later.
Now, the fun part...getting packets to see what we can figure out about what is going on here. Normally that helps, but today, not so much. It actually has made it a little more confusing, only because there are a lot of disparate items (so it seems) in the traffic, and some of them very curious. Johannes got a sample of traffic off our honeypot by setting up a netcat listener. Here are a few of the interesting tidbits from the packets, but I haven't figured out how to put it all together or if any of it even fits together.
- There was a successful three-way handshake, then one packet with the PSH and ACK flags set, and that was followed by a graceful teardown. Here is what data was pushed:
- Now for some interesting UDP traffic (HTTP/UDP):
- Here is another one over UDP which looks like a regular UPnP search:
- UDP with just one recognizable word:
- These two UDP packets seem related to TeamSpeak:
Who knew there was so much action on a port that I really hadn't looked at till today. If you have any packet captures for this or any ideas how this fits together or if it's just random, please let us know!!
So for certain configurations/distros it looks like Apache/PHP might use 81-83. Perhaps you are seeing a spike in use of the mentioned "other applications" that communicate with Apache/PHP through this port?
Jun 21st 2017