Re: Strange authentication attempts

From: John Narron (zeek_at_cdsinet.net)
Date: 03/31/04

    Date: 31 Mar 2004 15:32:54 -0000
    To: incidents@securityfocus.com
    
    
    In-Reply-To: <20040330164153.5848.qmail@www.securityfocus.com>

    I've gathered some new information regarding this incident.

    I've been watching port 23 coming in and out of my network and captured a session. It appears to be some worm, trojan, or script that's seeking out a particular device that allows an unauthenticated login, then sets up a username and password and saves the configuration. The commands are as follows:

    config
    system
    password admin
    13370n3z
    13370n3z
    password user
    fawkoffsz
    fawkoffsz
    save

    It appears to set up a user named 'admin' with a password of '13370n3z', and another user named 'user' with a password of 'fawkoffsz'. I'm not sure what kind of device uses this sequence of commands, but I'm suspecting some sort of cable or DSL router (since a lot of those, still, come with unauthenticated logins).
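
A detection sketch for the session described above, as an added example that is not part of the original post: it strips telnet option negotiation from the client-to-server bytes and flags a `config` / `system` sequence that sets account passwords and then saves. The sample capture, the placeholder passwords and the function names are constructed for illustration, and the code assumes the stream has already been reassembled for one direction.

```python
import re

IAC, SB, SE = 255, 250, 240  # telnet command bytes (RFC 854)

def strip_telnet(data: bytes) -> bytes:
    """Drop IAC negotiation so only the typed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif nxt == IAC:                      # escaped literal 0xFF
            out.append(IAC); i += 2
        elif nxt == SB:                       # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif nxt is not None and 251 <= nxt <= 254:   # WILL/WONT/DO/DONT + option
            i += 3
        else:                                 # other two-byte command
            i += 2
    return bytes(out)

def client_lines(data: bytes) -> list:
    """Split on telnet line endings (CR LF or CR NUL) and drop empty lines."""
    text = strip_telnet(data).replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [l.strip().decode("latin-1") for l in text.split(b"\n") if l.strip()]

def find_password_resets(data: bytes):
    """Return (accounts, saved) for a config/system/password.../save sequence."""
    lines = client_lines(data)
    accounts, saved = [], False
    if "config" not in lines:
        return accounts, saved
    i = lines.index("config")
    if lines[i + 1:i + 2] != ["system"]:
        return accounts, saved
    i += 2
    while i < len(lines):
        m = re.fullmatch(r"password (\S+)", lines[i])
        if m and i + 2 < len(lines) and lines[i + 1] == lines[i + 2]:
            accounts.append(m.group(1)); i += 3   # password entered twice
        elif lines[i] == "save":
            saved = True; break
        else:
            i += 1
    return accounts, saved

# Constructed capture: two negotiation triplets, then the command sequence.
SAMPLE = bytes([255, 251, 24, 255, 253, 1]) + (
    b"config\r\nsystem\r\npassword admin\r\nPW-A\r\nPW-A\r\n"
    b"password user\r\nPW-B\r\nPW-B\r\nsave\r\n")
```

A result with a non-empty account list and `saved` set to true is the pattern worth alerting on; either one alone is weaker evidence.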
