I caught this in the log while installing Grafana on an RPi yesterday. Googling didn't do much good. Knowing the 172.16.. is a private, non-routable address and reporting failed, but still. Anyone have a clue?
My first thought is that the port is somewhat unusual:
WASTE Encrypted File Sharing Program also uses this port.
neo4j-shell and Strapi also use this port.
Sails.js default port.
1337 means "elite" in hacker/cracker spelling (1=L, 3=E, 7=T, "LEET"="ELITE"). Because of the reference, it may be used by some backdoors.
VX Search is vulnerable to a buffer overflow, caused by improper bounds checking by 'Proxy Host Name' field. By generating a bind shell on port 1337, a local attacker could overflow a buffer and execute arbitrary code on the system.
IANA registered for: menandmice DNS.
1337 | tcp | PowerFolder P2P Encrypted File Synchronization Program (unofficial) | Wikipedia
1337 | tcp | WASTE Encrypted File Sharing Program (unofficial) | Wikipedia
1337 | tcp | waste | Nullsoft WASTE encrypted P2P app | Nmap
Exactly.. That's why I wonder. The image for the RPi was freshly downloaded from a known site and the addon from within that image, so feels strange. Maybe a reinstall is called for?
Might be safer...
Agreed. Don't like it much. Device is on its own VLAN, but still...
The port is definitely suspicious, but the IP it's hitting is in a reserved local range. You don't have any devices on your local net using that for configuration or something?
172.16.0.0/12 | 172.16.0.0–172.31.255.255 | 1048576 | Private network | Used for local communications within a private network
No, never have, and the device is freshly installed from a burned image, Grafana downloaded from within that...
Only other thing to consider is Docker often uses the 172 range. Do you have any Docker running either on the Pi or elsewhere?
If anywhere it would be on the pi, but I haven't installed it. Maybe Grafana is installed in a Docker container? Looking at the log may indicate something to do with docker... But port is still weird...?
I install Grafana directly, but it can be installed via Docker. Still, the port is suspect.
You can run "netstat -tulpn | grep 1337" to see if that port is listening locally.
If I'm writing software I'm going out of my way to avoid that port. I'd wipe that sucker and start fresh.
Yeah, thanks. I totally agree. It has been shut off since yesterday and I have nothing on it so I will just wipe it then.
Thanks all for answering!
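
An added example (not from any poster in the thread) that tightens the netstat check suggested above: a plain `grep 1337` also matches PID 1337 and ports such as 11337, so this filters on the local port column only, and it tests whether an address falls in 172.16.0.0/12. The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-port filter for `netstat -tulpn` output and a
# 172.16.0.0/12 membership test. All sample data is constructed.

# Constructed sample of `netstat -tulpn` output.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   612/sshd
tcp6       0      0 :::3000           :::*              LISTEN   1337/grafana
tcp        0      0 127.0.0.1:11337   0.0.0.0:*         LISTEN   901/exampled
tcp        0      0 0.0.0.0:1337      0.0.0.0:*         LISTEN   2044/nc
EOF
}

# Print only tcp/udp lines whose local address (column 4) ends in :<port>.
# Usage on a live host: netstat -tulpn | listeners_on_port 1337
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, parts, ":")   # last field after ":" is the port
            if (parts[n] == port) print
        }'
}

# Return 0 if the IPv4 address is inside 172.16.0.0/12
# (172.16.0.0 through 172.31.255.255), 1 otherwise.
in_172_16_12() {
    case "$1" in
        172.*.*.*) ;;
        *) return 1 ;;
    esac
    second=${1#172.}
    second=${second%%.*}
    case "$second" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$second" -ge 16 ] && [ "$second" -le 31 ]
}

# Demo: only the listener actually bound to port 1337 is printed.
sample_netstat | listeners_on_port 1337
```

On the sample, `grep 1337` returns three lines while the exact filter returns only the process bound to port 1337.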