Security Incidents mailing list archives

Uptick in telnetd scanners - possible worm activity.


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 30 Aug 2004 19:53:22 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

        Don't recall seeing this discussed previously on this list (or any
other), so I'm passing this along to compare notes.

        I've seen an extraordinary uptick in telnetd scans in the past
nine days.  The first came around the morning of August 21 from Thailand.
Then things went quiet, but today I've seen a large flurry of telnetd
connect attempts from a load of systems (nearly all of them from --
surprise! -- Asia).

        A sampling of IP addresses hitting telnetd on systems across my
networks are:

        61.238.125.96   CTIHK                           (Hong Kong)
        61.238.173.194  CTIHK                           (Hong Kong)
        62.141.251.101  MULTIMEDIA-POLSKA-1             (Poland)
        202.183.209.47  CSCOM-TH                        (Thailand)
        203.174.213.97  KMN                             (Japan)
        218.28.9.164    HA-ZZ-ELECTRICPOWER-CORP        (China)
        218.52.89.24    HANANET                         (South Korea)
        218.92.213.66   CHINANET-JS                     (China)
        219.157.172.204 CNCGROUP-HA                     (China)
        221.127.87.94   HGC                             (Hong Kong)
        222.88.132.1    CHINATELECOM-HA                 (China)
        222.137.41.79   CNCGROUP-HA                     (China)

        Considering the slow start followed by the volume I've seen
today, I'm thinking this might be some kind of worm.  The distribution and
repetition volume of attack does not lead me to believe that we simply
have hyperactive ankle-biters here...though I'm not sure why a worm would
be looking for telnetd.  I should hope that no *nix distros, firewalls or
routers still ship with that service enabled.

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `------ Stick around; I may need an alibi. ------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFBM+gu6uxsHJ5aYG4RAmkgAJ9XWvK4xlx2zJXdUDyLmt80X1xNCgCeP5FQ
Z9oN21y8WFFqlolITAMoQSA=
=y5Ne
-----END PGP SIGNATURE-----
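The kind of check that would back up (or refute) the "worm, not ankle-biters" hunch in the post above is to count, per day, how many distinct sources hit TCP/23 and how many of them sweep across several hosts. The following is an added example and is not code from the post or its author: it parses netfilter/iptables "LOG" target lines (an assumed log format; SRC=, DST=, DPT= fields), keeps only attempts to port 23, and summarises them by day and by source. The sample log lines are constructed and use documentation address ranges, not the addresses listed in the post.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in iptables LOG-target format (assumption:
# your firewall logs look like this; adapt LINE_RE for other formats).
# Addresses are from the RFC 5737 documentation ranges, not real scanners.
SAMPLE_LOG = """\
Aug 21 06:12:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4311 DPT=23 SYN
Aug 21 06:12:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=4312 DPT=23 SYN
Aug 25 11:40:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5050 DPT=22 SYN
Aug 30 09:01:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.17 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=23 SYN
Aug 30 09:01:50 gw kernel: IN=eth0 OUT= SRC=203.0.113.17 DST=192.0.2.12 PROTO=TCP SPT=1026 DPT=23 SYN
Aug 30 09:03:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=2033 DPT=23 SYN
Aug 30 09:05:19 gw kernel: IN=eth0 OUT= SRC=203.0.113.88 DST=192.0.2.11 PROTO=TCP SPT=3100 DPT=23 SYN
Aug 30 09:07:41 gw kernel: IN=eth0 OUT= SRC=198.51.100.91 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=23 SYN
Aug 30 09:07:42 gw kernel: IN=eth0 OUT= SRC=198.51.100.91 DST=192.0.2.11 PROTO=TCP SPT=4002 DPT=23 SYN
Aug 30 09:07:43 gw kernel: IN=eth0 OUT= SRC=198.51.100.91 DST=192.0.2.12 PROTO=TCP SPT=4003 DPT=23 SYN
Aug 30 10:15:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4400 DPT=80 SYN
"""

# Fields we need from a netfilter LOG line: syslog date, SRC, DST, DPT.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

TELNET_PORT = 23


def parse_probes(log_text, port=TELNET_PORT):
    """Return (date, src, dst) for every TCP connection attempt to `port`.

    Lines for other ports (or that do not match the format) are ignored.
    """
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue
        date = f"{m.group('mon')} {int(m.group('day')):02d}"
        probes.append((date, m.group("src"), m.group("dst")))
    return probes


def daily_summary(probes):
    """Per day: number of attempts, distinct sources and distinct targets."""
    by_day = defaultdict(list)
    for date, src, dst in probes:
        by_day[date].append((src, dst))
    summary = {}
    for date, hits in sorted(by_day.items()):  # lexical sort is fine within one month
        summary[date] = {
            "attempts": len(hits),
            "sources": len({s for s, _ in hits}),
            "targets": len({d for _, d in hits}),
        }
    return summary


def flag_uptick(summary, min_sources=3):
    """Days on which at least `min_sources` distinct hosts probed the port.

    Many unrelated sources converging on one port in one day is the signal
    that separates a worm or botnet sweep from a single noisy scanner.
    """
    return [d for d, s in summary.items() if s["sources"] >= min_sources]


def sweepers(probes, min_targets=2):
    """Sources that touched at least `min_targets` distinct hosts (horizontal sweep)."""
    targets = defaultdict(set)
    for _, src, dst in probes:
        targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    probes = parse_probes(SAMPLE_LOG)
    summary = daily_summary(probes)
    for date, s in summary.items():
        print(f"{date}: {s['attempts']} attempts, {s['sources']} sources, {s['targets']} targets")
    print("uptick days:", flag_uptick(summary))
    print("sweeping sources:", sweepers(probes))
```

Run against a real firewall log, the interesting output is the day-to-day jump in distinct sources together with the list of sources that walk across several of your hosts; a handful of repeat offenders with one target each is a scanner, a broad set of fresh sources each touching many targets on the same day looks like automated propagation. The thresholds (3 sources, 2 targets) are illustrative and should be set relative to the baseline noise on the network being watched.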
