Re: Scans for telnetd on DNS servers.

[Raistlin Majere <raistlin () majere net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can confirm to you that I have servers with WEB, FTP, SMTP and POP3
facing the internet and the firewall is not getting hit with DPT=23, not
a single hit all day!

Raist

Jay D. Dyson wrote:
> Hi folks,
>
>     With all the chatter on SSH scans, I'm puzzled by an obvious spike
> in specific scans on my DNS servers.  I'm used to seing scans on these
> systems, but today's scans have been an object lesson in high weirdness.
>
>     In the past hour I've seen 43 scans for telnetd (port 23) on a
> single DNS box.  Most of these scans are coming from Asia, but a number
> are originating from South America as well.  These are not network
> sweeps; they are aimed solely at DNS systems.
>
>     As if that weren't odd enough, the operating systems of the boxes
> that are tripping my alarms are evenly divided between Linux (kernel
> versions 2.1.19 to 2.4.21) and, oddly enough, Microsoft Windows (nmap
> can't tell if they're WinMe, Win2K, or WinXP).
>
>     The systems identified thus far are as follows (37 unique so far):
>
>         59.114.133.238        59.115.155.217
>         59.143.224.179        61.182.160.23
>         61.231.147.111        72.29.65.187
>         84.156.88.229        86.108.12.54
>         86.194.143.163        148.221.145.97
>         194.79.46.194        195.190.104.24
>         198.107.38.61        200.138.189.184
>         200.140.216.82        200.147.120.33
>         200.151.180.142        200.180.180.192
>         200.97.171.2        200.97.49.173
>         201.18.118.135        201.50.0.138
>         202.76.10.193        210.104.255.77
>         210.172.165.69        211.115.88.55
>         213.151.33.233        213.77.71.234
>         218.160.158.17        218.168.113.3
>         218.232.187.58        219.153.32.221
>         220.129.124.151        220.133.16.14
>         220.138.120.24        220.142.33.3
>         221.143.22.24
>
>     If anyone else is seeing this sort of strangeness, this could be
> another one of those happy fun botnets that's trying to spank vulnerable
> DNS systems.  Too early to tell for sure.
>
> -Jay
>
>    (    (                                                       _______
>    ))   ))  .-"There's always time for a good cup of coffee."-.  >====<--.
>  C|~~|C|~~| \------ Jay D. Dyson - jdyson () treachery net ------/ |    = |-'
>   `--' `--'  `--- Good?  Bad?  I'm the guy with the guns. ---'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFECmdP5vz/u/r21GQRApMmAKDmQ3tnqMG301IvhZp8cNC0yVbKTACgstut
5krM3Dv2Uqj9lFFuOksUkSw=
=jo2K
-----END PGP SIGNATURE-----