Cause for security concern?

I caught this in the log while installing Grafana on an RPi yesterday. Googling didn't do much good. Knowing the 172.16.. is a private, non-routable address and reporting failed, but still. Anyone have a clue?

My first thought is that the port is somewhat unusual:

threat/application/port search:

| Port(s) | Protocol | Service | Details | Source |
|---|---|---|---|---|
| 1337 | tcp | trojan | Shadyshell. WASTE Encrypted File Sharing Program also uses this port. neo4j-shell and Strapi also use this port. Sails.js default port. 1337 means "elite" in hacker/cracker spelling (1=L, 3=E, 7=T, "LEET"="ELITE"). Because of the reference, it may be used by some backdoors. VX Search is vulnerable to a buffer overflow, caused by improper bounds checking by the 'Proxy Host Name' field. By generating a bind shell on port 1337, a local attacker could overflow a buffer and execute arbitrary code on the system. References: [XFDB-135140]. IANA registered for: menandmice DNS. | SG |
| 1337 | tcp | PowerFolder | P2P Encrypted File Synchronization Program (unofficial) | Wikipedia |
| 1337 | tcp | WASTE | Encrypted File Sharing Program (unofficial) | Wikipedia |
| 1337 | tcp | Shadyshell | [trojan] Shadyshell | SANS |
| 1337 | tcp | waste | Nullsoft WASTE encrypted P2P app | Nmap |
| 1337 | tcp,udp | threat | OptixPro | Bekkoame |
| 1337 | tcp,udp | menandmice-dns | menandmice DNS | IANA |
1 Like

Exactly.. That's why I wonder. The image for the RPi was freshly downloaded from a known site and the addon from within that image, so feels strange. Maybe a reinstall is called for?

Might be safer...

1 Like

Agreed. Don't like it much. Device is on its own VLAN, but still...

The port is definitely suspicious, but the IP it's hitting is a reserved local range. You don't have any devices on your local net using that for configuration or something?

172.16.0.0/12 (172.16.0.0–172.31.255.255, 1,048,576 addresses): Private network, used for local communications within a private network.

1 Like

No, never have, and the device is freshly installed from a burned image, Grafana downloaded from within that...

Only other thing to consider is docker often uses the 172 range, you have any docker running either on the pi or elsewhere?

1 Like

If anywhere it would be on the pi, but I haven't installed it. Maybe Grafana is installed in a Docker container? Looking at the log may indicate something to do with docker... But port is still weird...?

I install grafana directly but it can be installed via docker, still the port is suspect.

You can run "netstat -tulpn | grep 1337" to see if that port is listening locally.

If I'm writing software I'm going out of my way to avoid that port. I'd wipe that sucker and start fresh.

2 Likes
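The two checks the thread arrives at (is anything listening on 1337, and is the 172.x destination just a Docker bridge) as one added triage script. This is example code, not from anyone in the thread; it assumes `ss -tulpn` output format (the `SAMPLE_SS` lines below are constructed, not the poster's log), and the Docker bridge default of 172.17.0.1 is only an assumption about a typical install.

```shell
#!/bin/sh
# Added triage helper: report which process, if any, is bound to a given port,
# and classify an IPv4 address as RFC 1918 172.16.0.0/12 (the range Docker
# carves its default bridge networks from, e.g. 172.17.0.0/16 on most hosts).

# Constructed sample of `ss -tulpn` output, standing in for the live command.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      4096   0.0.0.0:3000      0.0.0.0:*     users:(("grafana",pid=812,fd=9))
tcp   LISTEN 0      128    172.17.0.1:1337   0.0.0.0:*     users:(("node",pid=1450,fd=20))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhcpcd",pid=402,fd=7))'

# listeners_on PORT: read ss-style lines on stdin, print "proto local-addr process"
# for every socket bound to PORT. Exit status 1 means nothing is listening there.
listeners_on() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)$/ {
            n = split($5, a, ":"); p = a[n]          # port is after the last colon
            if (p == port) {
                proc = "unknown"                    # no process column without root
                if ($NF ~ /^users:/) {
                    proc = $NF
                    sub(/^users:\(\("/, "", proc)   # strip users:(("
                    sub(/".*/, "", proc)            # keep only the program name
                }
                print $1, $5, proc; found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# in_172_16_12 IPV4: succeed (exit 0) if the address lies in 172.16.0.0/12,
# i.e. first octet 172 and second octet 16..31.
in_172_16_12() {
    case "$1" in
        172.*) b=${1#172.}; b=${b%%.*} ;;
        *) return 1 ;;
    esac
    case "$b" in ''|*[!0-9]*) return 1 ;; esac
    [ "$b" -ge 16 ] && [ "$b" -le 31 ]
}

# Demo against the constructed sample; on a live host replace the printf with
#   ss -tulpn | listeners_on 1337
printf '%s\n' "$SAMPLE_SS" | listeners_on 1337 || echo "nothing listening on 1337"
in_172_16_12 172.17.0.1 && echo "172.17.0.1 is in 172.16.0.0/12 (Docker bridge range)"
```

A hit owned by a process you did not install, or a listener that survives stopping Docker, is the signal to keep the device offline and reimage as the thread concludes.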

Yeah, thanks. I totally agree. It has been shut off since yesterday and I have nothing on it so I will just wipe it then.

Thanks all for answering! :+1:

1 Like