Security Incidents mailing list archives

RE: Uptick in telnetd scanners - possible worm activity.


From: "Jonathan Upperman" <jupperman () lubasif com>
Date: Tue, 31 Aug 2004 15:23:09 -0500

Hello -
        
I'm guessing the activity you're seeing is probably closely related to the
Cisco telnet DoS vulnerability as described in the advisory that Cisco
released 4-5 days ago:
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
- just a thought... could be coincidental.


thanks

Jonathan M. Upperman
Network Engineer
SIF Consultants of LA, Inc.
http://www.lubasif.com
225.389.5822
jupperman () lubasif com

-----Original Message-----
From: Jay D. Dyson [mailto:jdyson () treachery net] 
Sent: Monday, August 30, 2004 9:53 PM
To: Incidents List
Subject: Uptick in telnetd scanners - possible worm activity.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

      Don't recall seeing this discussed previously on this list (or any
other), so I'm passing this along to compare notes.

      I've seen an extraordinary uptick in telnetd scans in the past nine
days.  The first came around the morning of August 21 from Thailand.
Then things went quiet, but today I've seen a large flurry of telnetd
connect attempts from a load of systems (nearly all of them from --
surprise! -- Asia).

      A sampling of IP addresses hitting telnetd on systems 
across my networks are:

      61.238.125.96   CTIHK                           (Hong Kong)
      61.238.173.194  CTIHK                           (Hong Kong)
      62.141.251.101  MULTIMEDIA-POLSKA-1             (Poland)
      202.183.209.47  CSCOM-TH                        (Thailand)
      203.174.213.97  KMN                             (Japan)
      218.28.9.164    HA-ZZ-ELECTRICPOWER-CORP        (China)
      218.52.89.24    HANANET                         (South Korea)
      218.92.213.66   CHINANET-JS                     (China)
      219.157.172.204 CNCGROUP-HA                     (China)
      221.127.87.94   HGC                             (Hong Kong)
      222.88.132.1    CHINATELECOM-HA                 (China)
      222.137.41.79   CNCGROUP-HA                     (China)

      Considering the slow start followed by the volume I've seen today,
I'm thinking this might be some kind of worm.  The distribution and
repetition volume of attack does not lead me to believe that we simply
have hyperactive ankle-biters here...though I'm not sure why a worm would
be looking for telnetd.  I should hope that no *nix distros, firewalls or
routers still ship with that service enabled.

- -Jay

    (    (                                                   _______
    ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
  C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
   `--' `--'  `------ Stick around; I may need an alibi. ------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFBM+gu6uxsHJ5aYG4RAmkgAJ9XWvK4xlx2zJXdUDyLmt80X1xNCgCeP5FQ
Z9oN21y8WFFqlolITAMoQSA=
=y5Ne
-----END PGP SIGNATURE-----

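Added example (editor's code, not from either message in this thread): a small parser that pulls TCP SYNs to port 23 out of iptables-style syslog lines, counts distinct sources per day, and flags a day whose distinct-source count is a multiple of the busiest earlier day, which is the "slow start, then a flurry" shape described above. The log lines are constructed for the example (they reuse addresses from the list above, but the lines themselves are invented); the year 2004, the spike factor of 3 and the iptables LOG format are assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (kernel -> syslog).  Sources borrow addresses
# from the thread, but these records are invented for the example.
SAMPLE_LOG = """\
Aug 21 07:12:03 gw kernel: IN=eth0 OUT= SRC=202.183.209.47 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3210 DF PROTO=TCP SPT=4512 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 21 07:12:05 gw kernel: IN=eth0 OUT= SRC=202.183.209.47 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3211 DF PROTO=TCP SPT=4513 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 13:40:17 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=118 DF PROTO=TCP SPT=33001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 18:01:44 gw kernel: IN=eth0 OUT= SRC=61.238.125.96 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=9001 DF PROTO=TCP SPT=1103 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 30 18:02:10 gw kernel: IN=eth0 OUT= SRC=218.28.9.164 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9002 DF PROTO=TCP SPT=2231 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 30 18:02:55 gw kernel: IN=eth0 OUT= SRC=221.127.87.94 DST=192.0.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=9003 DF PROTO=TCP SPT=3340 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 30 18:03:20 gw kernel: IN=eth0 OUT= SRC=222.88.132.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=9004 DF PROTO=TCP SPT=4101 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 30 18:03:21 gw kernel: IN=eth0 OUT= SRC=222.88.132.1 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=9005 DF PROTO=TCP SPT=4101 DPT=23 WINDOW=16384 RES=0x00 ACK URGP=0
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Fields of an iptables LOG record that matter here; everything else is skipped.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+) .*?RES=0x[0-9a-f]+ (?P<flags>[A-Z ]+?) URGP="
)


def parse_telnet_syns(text, year=2004):
    """Return (date, src, dst) for every TCP SYN (not SYN/ACK) to port 23.
    The syslog timestamp carries no year, so one is assumed (2004 here)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a TCP/UDP LOG record (ICMP, truncated, other daemon)
        if m["proto"] != "TCP" or m["dpt"] != "23":
            continue
        flags = m["flags"].split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # only fresh connection attempts, not replies or mid-stream
        date = f"{year}-{MONTHS[m['mon']]:02d}-{int(m['day']):02d}"
        hits.append((date, m["src"], m["dst"]))
    return hits


def sources_per_day(hits):
    """Map each day to the sorted list of distinct sources that probed tcp/23."""
    per_day = defaultdict(set)
    for date, src, _dst in hits:
        per_day[date].add(src)
    return {d: sorted(s) for d, s in sorted(per_day.items())}


def flag_spikes(per_day, factor=3):
    """Flag a day whose distinct-source count is at least `factor` times the
    busiest earlier day.  A single probe on a quiet day sets a baseline of 1,
    so a later flurry stands out; a day with no prior history is never flagged."""
    flagged = []
    baseline = 0
    for date, srcs in per_day.items():
        n = len(srcs)
        if baseline and n >= factor * baseline:
            flagged.append((date, n))
        baseline = max(baseline, n)
    return flagged


if __name__ == "__main__":
    per_day = sources_per_day(parse_telnet_syns(SAMPLE_LOG))
    for date, srcs in per_day.items():
        print(f"{date}: {len(srcs)} distinct source(s): {', '.join(srcs)}")
    for date, n in flag_spikes(per_day):
        print(f"SPIKE {date}: {n} distinct sources hitting tcp/23")
```

The SYN-only filter matters: counting every packet to port 23 would let one chatty session look like a scan. A worm hunting for telnetd also tends to sweep many destinations from each source, so extending the same parse to count distinct DST values per source is a cheap second signal before concluding "worm" rather than "a few noisy hosts".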
