Re: Scans for telnetd on DNS servers.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can confirm to you that I have servers with WEB, FTP, SMTP and POP3
facing the internet and the firewall is not getting hit with DPT=23, not
a single hit all day!

Raist

Jay D. Dyson wrote:
Hi folks,

With all the chatter on SSH scans, I'm puzzled by an obvious spike
in specific scans on my DNS servers. I'm used to seeing scans on these
systems, but today's scans have been an object lesson in high weirdness.

In the past hour I've seen 43 scans for telnetd (port 23) on a
single DNS box. Most of these scans are coming from Asia, but a number
are originating from South America as well. These are not network
sweeps; they are aimed solely at DNS systems.

As if that weren't odd enough, the operating systems of the boxes
that are tripping my alarms are evenly divided between Linux (kernel
versions 2.1.19 to 2.4.21) and, oddly enough, Microsoft Windows (nmap
can't tell if they're WinMe, Win2K, or WinXP).

The systems identified thus far are as follows (37 unique so far):

59.114.133.238 59.115.155.217
59.143.224.179 61.182.160.23
61.231.147.111 72.29.65.187
84.156.88.229 86.108.12.54
86.194.143.163 148.221.145.97
194.79.46.194 195.190.104.24
198.107.38.61 200.138.189.184
200.140.216.82 200.147.120.33
200.151.180.142 200.180.180.192
200.97.171.2 200.97.49.173
201.18.118.135 201.50.0.138
202.76.10.193 210.104.255.77
210.172.165.69 211.115.88.55
213.151.33.233 213.77.71.234
218.160.158.17 218.168.113.3
218.232.187.58 219.153.32.221
220.129.124.151 220.133.16.14
220.138.120.24 220.142.33.3
221.143.22.24

If anyone else is seeing this sort of strangeness, this could be
another one of those happy fun botnets that's trying to spank vulnerable
DNS systems. Too early to tell for sure.

-Jay

( ( _______
)) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| \------ Jay D. Dyson - jdyson@xxxxxxxxxxxxx ------/ | = |-'
`--' `--' `--- Good? Bad? I'm the guy with the guns. ---' `------'


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFECmdP5vz/u/r21GQRApMmAKDmQ3tnqMG301IvhZp8cNC0yVbKTACgstut
5krM3Dv2Uqj9lFFuOksUkSw=
=jo2K
-----END PGP SIGNATURE-----
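The distinction Jay draws between a network sweep and probes aimed solely at DNS hosts is one a firewall log can settle: count TCP SYNs to port 23 per destination and check how many hosts each source touches. The script below is an added example, not part of either message in this thread. It assumes the default iptables LOG target format (the `DPT=23` field Raist refers to); the log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Summarise telnet (TCP/23) probes from iptables LOG output.

Added example, not from the original thread. Assumes the default iptables
LOG line format (SRC=, DST=, PROTO=, DPT= fields). The sample lines below
are constructed, with RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (iptables LOG format), not real traffic.
SAMPLE_LOG = """\
Mar  5 10:01:12 ns1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12345 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 10:01:15 ns1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12346 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 10:02:01 ns1 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=222 DF PROTO=TCP SPT=50001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 10:02:30 ns1 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=223 DF PROTO=TCP SPT=50002 DPT=53 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 10:03:44 ns1 kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9 DF PROTO=TCP SPT=3333 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:03:45 ns1 kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=10 DF PROTO=TCP SPT=3334 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:04:00 ns1 kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.53 LEN=28 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=UDP SPT=5353 DPT=23 LEN=8
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one LOG line, or None if any is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def telnet_hits(log_text, port=23):
    """Return (src, dst) pairs for TCP SYNs to `port`.

    Only TCP connection attempts count: a UDP datagram to port 23 is not a
    telnetd probe, and a non-SYN TCP packet is not a new connection attempt.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["PROTO"] == "TCP" and f["DPT"] == port and " SYN " in line:
            hits.append((f["SRC"], f["DST"]))
    return hits


def summarize(hits):
    """Per destination: attempts per source; per source: the set of hosts it touched."""
    per_dst = defaultdict(Counter)
    dsts_per_src = defaultdict(set)
    for src, dst in hits:
        per_dst[dst][src] += 1
        dsts_per_src[src].add(dst)
    return per_dst, dsts_per_src


def classify(dsts_per_src):
    """A source that probes several local hosts looks like a sweep; one host only looks targeted."""
    return {src: ("sweep" if len(dsts) > 1 else "targeted")
            for src, dsts in dsts_per_src.items()}


def report(log_text, port=23):
    """Per-destination totals and distinct-source counts, plus a per-source verdict."""
    per_dst, dsts_per_src = summarize(telnet_hits(log_text, port))
    totals = {dst: (sum(c.values()), len(c)) for dst, c in per_dst.items()}
    return totals, classify(dsts_per_src)


if __name__ == "__main__":
    totals, verdicts = report(SAMPLE_LOG)
    for dst, (attempts, sources) in sorted(totals.items()):
        print(f"{dst}: {attempts} telnet attempts from {sources} distinct sources")
    for src, verdict in sorted(verdicts.items()):
        print(f"  {src}: {verdict}")
```

Run against real `kern.log` output, the per-destination line answers Jay's question (many sources, one DNS host) and the per-source verdict separates a host that walks the whole netblock from one that only ever touches the name server. Widening the port filter to `DPT=53` alongside 23 would show whether the same sources are also probing the DNS service itself.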
