Security Incidents mailing list archives

Scans for telnetd on DNS servers.


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Sat, 4 Mar 2006 14:19:51 -0800 (PST)


Hi folks,

With all the chatter on SSH scans, I'm puzzled by an obvious spike in specific scans on my DNS servers. I'm used to seeing scans on these systems, but today's scans have been an object lesson in high weirdness.

In the past hour I've seen 43 scans for telnetd (port 23) on a single DNS box. Most of these scans are coming from Asia, but a number are originating from South America as well. These are not network sweeps; they are aimed solely at DNS systems.

As if that weren't odd enough, the operating systems of the boxes that are tripping my alarms are evenly divided between Linux (kernel versions 2.1.19 to 2.4.21) and, oddly enough, Microsoft Windows (nmap can't tell if they're WinMe, Win2K, or WinXP).

        The systems identified thus far are as follows (37 unique so far):


If anyone else is seeing this sort of strangeness, this could be another one of those happy fun botnets that's trying to spank vulnerable DNS systems. Too early to tell for sure.

- -Jay

   (    (                                                       _______
   ))   ))  .-"There's always time for a good cup of coffee."-.  >====<--.
 C|~~|C|~~| \------ Jay D. Dyson - jdyson () treachery net ------/ |    = |-'
  `--' `--'  `--- Good?  Bad?  I'm the guy with the guns. ---'  `------'

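A defender-side check for the pattern reported above, added here as an example and not code from the original post: it parses constructed iptables-style log lines and flags a DNS host once a threshold of distinct sources has probed tcp/23 within any one-hour span, counting unique sources rather than raw hits. The DNS host addresses, the threshold and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

DNS_HOSTS = {"192.0.2.53"}  # assumed addresses of our own DNS servers
WINDOW = timedelta(hours=1)
THRESHOLD = 10              # assumed: distinct sources per window worth an alert

# Shape of an iptables LOG line; only the fields we need are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def parse(line, year=2006):
    """Return (timestamp, src, dst, dport) for a TCP log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])

def telnet_probe_alerts(lines, dns_hosts=DNS_HOSTS, threshold=THRESHOLD):
    """Map each DNS host to the distinct sources that probed tcp/23 within one
    WINDOW, for hosts where that set reaches the threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in dns_hosts and rec[3] == 23:
            events[rec[2]].append((rec[0], rec[1]))
    alerts = {}
    for dst, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):          # slide the window start
            srcs = {s for t, s in evs[i:] if t - t0 <= WINDOW}
            if len(srcs) >= threshold:
                alerts[dst] = srcs
                break
    return alerts

# Constructed sample log (documentation-range addresses, not real scanners): twelve
# distinct hosts probe tcp/23 on the DNS server within an hour, one of them twice,
# alongside a normal DNS query and a telnet probe against a non-DNS host.
SAMPLE_LOG = [
    f"Mar  4 13:{10 + i:02d}:00 ns1 kernel: IN=eth0 SRC=203.0.113.{i} DST=192.0.2.53 PROTO=TCP SPT=4321 DPT=23"
    for i in range(1, 13)
] + [
    "Mar  4 13:15:30 ns1 kernel: IN=eth0 SRC=203.0.113.1 DST=192.0.2.53 PROTO=TCP SPT=4322 DPT=23",
    "Mar  4 13:16:00 ns1 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.53 PROTO=UDP SPT=53 DPT=53",
    "Mar  4 13:17:00 ns1 kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.80 PROTO=TCP SPT=5555 DPT=23",
]
```

Running `telnet_probe_alerts(SAMPLE_LOG)` reports the DNS host with its twelve distinct probing sources; the repeat hit, the UDP query and the probe at the non-DNS host are all ignored.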

