Security Incidents mailing list archives
Re: Strange authentication attempts
From: John Narron <zeek () cdsinet net>
Date: 31 Mar 2004 15:32:54 -0000
In-Reply-To: <20040330164153.5848.qmail () www securityfocus com>

I've gathered some new information regarding this incident. I've been watching port 23 coming in and out of my network and captured a session. It appears to be some worm, trojan, or script that's seeking out a particular device that allows an unauthenticated login, then sets up a username and password and saves the configuration. The commands are as follows:

    config system
    password admin 13370n3z 13370n3z
    password user fawkoffsz fawkoffsz
    save

It appears to set up a user named 'admin' with a password of '13370n3z', and another user named 'user' with a password of 'fawkoffsz'. I'm not sure what kind of device uses this sequence of commands, but I'm suspecting some sort of cable or DSL router (since a lot of those, still, come with unauthenticated logins).
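Added example (not part of the original post): a detector for the pattern described above, run over the client side of a reassembled port 23 session. It flags accounts whose password is set with a repeated value and then committed with 'save'. The function names, the line breaks in the sample, and the telnet negotiation bytes in front of it are assumptions.

```python
import re

IAC, SB, SE = 255, 250, 240  # telnet command bytes (RFC 854)
PASSWORD_RE = re.compile(r"^password\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)

def strip_telnet(data: bytes) -> bytes:
    """Drop telnet IAC negotiation so only the text the client sent remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                   # truncated command at end of capture
        elif data[i + 1] == IAC:
            out.append(IAC)                         # escaped literal 0xFF
            i += 2
        elif data[i + 1] == SB:                     # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in (251, 252, 253, 254):   # WILL/WONT/DO/DONT + option byte
            i += 3
        else:
            i += 2                                  # other two-byte commands
    return bytes(out)

def find_credential_reset(client_stream: bytes) -> list:
    """Return accounts set via 'password <user> <pw> <pw>' after 'config' and then saved."""
    text = strip_telnet(client_stream).decode("latin-1")
    lines = [l.strip() for l in re.split(r"[\r\n\x00]+", text) if l.strip()]
    in_config, pending, committed = False, [], []
    for line in lines:
        if line.lower().startswith("config"):
            in_config = True
        elif in_config and (m := PASSWORD_RE.match(line)) and m.group(2) == m.group(3):
            pending.append(m.group(1))              # password typed twice = being set
        elif line.lower() == "save" and pending:
            committed, pending = committed + pending, []
    return committed

# Constructed sample: the commands quoted in the post, with assumed line breaks
# and assumed negotiation bytes prepended.
SAMPLE = (bytes([IAC, 253, 1, IAC, 251, 3])
          + b"config system\r\npassword admin 13370n3z 13370n3z\r\n"
          + b"password user fawkoffsz fawkoffsz\r\nsave\r\n")

if __name__ == "__main__":
    print(find_credential_reset(SAMPLE))
```

A non-empty result for a session in which no login was performed is the case worth alerting on.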