Last week, Kevin wrote a diary about a marked uptick of %%port:34567%%. When I looked at some of the hosts scanning for it, I noticed that many of them are also scanning %%port:9527%%. So I put up a little honeypot for this port, and what I found is not the HTTP requests I expected (there are some vulnerabilities in webcam servers associated with this port). Instead, I found that it looks like the attacker is expecting an unauthenticated shell. Here is a typical set of commands:
Article Link: https://isc.sans.edu/diary/rss/25194