Re: Scans for telnetd on DNS servers.

I can confirm to you that I have servers with WEB, FTP, SMTP and POP3
facing the internet and the firewall is not getting hit with DPT=23, not
a single hit all day!


Jay D. Dyson wrote:
Hi folks,

With all the chatter on SSH scans, I'm puzzled by an obvious spike
in specific scans on my DNS servers. I'm used to seeing scans on these
systems, but today's scans have been an object lesson in high weirdness.

In the past hour I've seen 43 scans for telnetd (port 23) on a
single DNS box. Most of these scans are coming from Asia, but a number
are originating from South America as well. These are not network
sweeps; they are aimed solely at DNS systems.

As if that weren't odd enough, the operating systems of the boxes
that are tripping my alarms are evenly divided between Linux (kernel
versions 2.1.19 to 2.4.21) and, oddly enough, Microsoft Windows (nmap
can't tell if they're WinMe, Win2K, or WinXP).

The systems identified thus far are as follows (37 unique so far):

If anyone else is seeing this sort of strangeness, this could be
another one of those happy fun botnets that's trying to spank vulnerable
DNS systems. Too early to tell for sure.


( ( _______
)) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| \------ Jay D. Dyson - jdyson@xxxxxxxxxxxxx ------/ | = |-'
`--' `--' `--- Good? Bad? I'm the guy with the guns. ---' `------'
