
My SIEM has produced something intriguing. I went looking for unauthorized SSH connections, and looked for the SFTP protocol by mistake. I found a Windows web server that is connecting from port 80 to a foreign IP address on port 115.

In researching this I discovered RFC 913: Simple File Transfer Protocol (SFTP), a file transfer protocol that was proposed to sit between TFTP and FTP, was never widely adopted, and ran on port 115. IETF records the port for historical purposes only.

I have run AV and a couple of rootkit tools against the server and have not discovered any infections.

My question is, is anyone aware of any malware, trojans, etc. that leverage simple file transfer?

1 Answer


Have you tried a packet capture? That would allow you to determine if the data is what you expect of SFTP.

That said, the fact that your web server is making outbound connections to a server you don't know on port 115 is alarming to me and worth investigating.

Joe M
    I don't think this answers the question (*"...is anyone aware of any malware, trojans, etc. that leverage simple file transfer?"*). Instead it suggests how to collect more information. It would be better suited as a comment. – Steffen Ullrich Aug 09 '18 at 00:38
  • My answer is I do not know of any malware that speaks port 115, that isn't to say it is not malware. It's fairly easy to configure your RAT to talk on port whatever. – Joe M Aug 09 '18 at 15:09
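A way to act on the packet-capture suggestion in the answer above, as an added example that is not part of the original question or answer: once the two directions of the port 115 conversation have been pulled out of the capture (for instance with Wireshark's "Follow TCP Stream"), the script below checks the bytes against the RFC 913 grammar (NUL-terminated ASCII messages, a server greeting beginning with `+` or `-`, a fixed set of four-letter client verbs, replies beginning with `+`, `-`, `!` or a space and a number) and labels the conversation for triage. The function names, the label strings and the sample conversations are mine and constructed for illustration; they are not taken from any real host.

```python
import string

# RFC 913 client verbs (the "COMMANDS" section of the RFC)
SFTP_VERBS = {"USER", "ACCT", "PASS", "TYPE", "LIST", "CDIR",
              "KILL", "NAME", "DONE", "RETR", "STOR"}

# Bytes acceptable in an RFC 913 stream: printable ASCII plus the NUL terminator
_TEXT_BYTES = set(string.printable.encode("ascii")) | {0}


def split_messages(payload: bytes) -> list:
    """Split an RFC 913 byte stream into its NUL-terminated messages.

    A trailing fragment without its NUL (capture cut mid-message) is dropped.
    """
    parts = payload.split(b"\x00")
    return parts[:-1]


def is_sftp_command(msg: bytes) -> bool:
    """True if msg is '<VERB>' or '<VERB> <argument>' with a known RFC 913 verb."""
    try:
        text = msg.decode("ascii")
    except UnicodeDecodeError:
        return False
    verb, _, _arg = text.partition(" ")
    return verb in SFTP_VERBS


def is_sftp_reply(msg: bytes) -> bool:
    """True if msg carries an RFC 913 reply prefix: '+', '-', '!' or ' <number>'."""
    try:
        text = msg.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    if text[0] in "+-!":
        return True
    # RETR is answered with a space, the file size in decimal, then NUL
    return text[0] == " " and text[1:].strip().isdigit()


def classify_stream(client_to_server: bytes, server_to_client: bytes) -> str:
    """Label a port 115 conversation for triage (labels are this example's own).

      "no-data"                     nothing captured in either direction
      "tls-on-port-115"             client begins with a TLS record header
      "binary-not-sftp"             non-text bytes; RFC 913 is ASCII only
      "text-but-no-rfc913-framing"  text, but no NUL-terminated messages
      "rfc913-sftp"                 every message matches the RFC grammar
      "not-sftp"                    NUL-framed text that breaks the grammar
    """
    if not client_to_server and not server_to_client:
        return "no-data"
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    if client_to_server[:2] == b"\x16\x03":
        return "tls-on-port-115"
    for stream in (client_to_server, server_to_client):
        if any(b not in _TEXT_BYTES for b in stream):
            return "binary-not-sftp"
    cli = split_messages(client_to_server)
    srv = split_messages(server_to_client)
    if not cli and not srv:
        return "text-but-no-rfc913-framing"
    # The server speaks first: "+<site> SFTP Service" or "-<site> Out to Lunch"
    if srv and srv[0][:1] not in (b"+", b"-"):
        return "not-sftp"
    if all(is_sftp_reply(m) for m in srv) and all(is_sftp_command(m) for m in cli):
        return "rfc913-sftp"
    return "not-sftp"


# Constructed sample conversations (client->server, server->client); not real captures.
GENUINE_SFTP = (
    b"USER alice\x00PASS hunter2\x00LIST F\x00DONE\x00",
    b"+MIT-XX SFTP Service\x00+User-id valid, send password\x00"
    b"!Logged in\x00+/home/alice\x00+MIT-XX closing connection\x00",
)
TLS_ON_115 = (b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03", b"")
HTTP_ON_115 = (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"")

if __name__ == "__main__":
    samples = [("genuine", GENUINE_SFTP), ("tls", TLS_ON_115), ("http", HTTP_ON_115)]
    for name, (c2s, s2c) in samples:
        print(f"{name}: {classify_stream(c2s, s2c)}")
```

Anything other than "rfc913-sftp" from a web server talking to an unknown host deserves a closer look; even a conversation that does parse as RFC 913 only tells you the grammar matches, not that the traffic is expected, so the host that initiated it still needs the investigation the answer recommends.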