Re: Strange authentication attempts

From: John Narron (
Date: 03/31/04

  • Next message: Jamey Dillon: "Scanning from source Port 220 for Port 21"
    Date: 31 Mar 2004 15:32:54 -0000
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <>

    I've gathered some new information regarding this incident.

    I've been watching port 23 coming in and out of my network and captured a session. It appears to be some worm, trojan, or script thats seeking out a particular device that allows an unauthenticated login, then sets up a username and password and saves the configuration. The commands are as follows:

    password admin
    password user

    It appears to set up a user named 'admin' with a password of '13370n3z', and another user name 'user' with a password of 'fawkoffsz'. I'm not sure what kind of device uses these sequence of commands, but I'm suspecting some sort of cable or DSL router (since a lot of those, still, come with unauthenticated logins).

    Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
    wireless security

    Protect your network against hackers, viruses, spam and other risks with Astaro
    Security Linux, the comprehensive security solution that combines six
    applications in one software solution for ease of use and lower total cost of

    Download your free trial at

  • Next message: Jamey Dillon: "Scanning from source Port 220 for Port 21"