We’ve been watching some interesting scans primarily hitting our HITME sensors in Asia for the last couple of weeks. The connection occurs on port 3131/TCP and contains the following request:
GET http://gameframe.net/headers HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.10
Accept-Encoding: deflate, gzip
The scans we have seen seem to be originating primarily from Europe.
Have you seen similar scans and probes on this port? If so, please share with us in comments or via Twitter (@lbhuston).
In the meantime, it is worth checking your application logs if you have any custom applications deployed on this port, particularly exposed to the Internet. While we don’t see anything indicating an attack, review of anything exposed for errors or follow on attack traffic is suggested (it’s usually a good idea anyway).
Thanks for reading!