-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jay,
Cisco publicly released an advisory on August 27th concerning
vulnerabilities in the telnet daemon for IOS. Perhaps these scans,
which took place less than a week before the public release, were an
attempt to find exploitable network devices. I've pasted the summary
from the Bugtraq post. See the link in the summary for the full
information.
Regards,
Pat
...
Summary
=======
A specifically crafted Transmission Control Protocol (TCP) connection
to a telnet or reverse telnet port of a Cisco device running
Internetwork Operating System (IOS) may block further telnet, reverse
telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases
Hypertext Transport Protocol (HTTP) access to the Cisco device.
Telnet, reverse telnet, RSH and SSH sessions established prior to
exploitation are not affected.
All other device services will operate normally. Services such as
packet forwarding, routing protocols and all other communication to
and through the device are not affected.
Cisco will make free software available to address this
vulnerability.
Workarounds, identified below, are available that protect against
this vulnerability.
This vulnerability is documented in Cisco bug ID CSCef46191 (
registered customers only) .
This Advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml.
...
- -----Original Message-----
From: Jay D. Dyson [mailto:jdyson@treachery.net]
Sent: Monday, August 30, 2004 10:53 PM
To: Incidents List
Subject: Uptick in telnetd scanners - possible worm activity.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi folks,
Don't recall seeing this discussed previously on this list (or
any other), so I'm passing this along to compare notes.
I've seen an extraordinary uptick in telnetd scans in the past
nine days. The first came around the morning of August 21 from
Thailand.
Then things went quiet, but today I've seen a large flurry of telnetd
connect attempts from a load of systems (nearly all of them from --
surprise! -- Asia).
A sampling of IP addresses hitting telnetd on systems across my
networks are:
61.238.125.96 CTIHK (Hong Kong)
61.238.173.194 CTIHK (Hong Kong)
62.141.251.101 MULTIMEDIA-POLSKA-1 (Poland)
202.183.209.47 CSCOM-TH (Thailand)
203.174.213.97 KMN (Japan)
218.28.9.164 HA-ZZ-ELECTRICPOWER-CORP (China)
218.52.89.24 HANANET (South Korea)
218.92.213.66 CHINANET-JS (China)
219.157.172.204 CNCGROUP-HA (China)
221.127.87.94 HGC (Hong Kong)
222.88.132.1 CHINATELECOM-HA (China)
222.137.41.79 CNCGROUP-HA (China)
Considering the slow start following by the volume I've seen
today, I'm thinking this might be some kind of worm. The distribution
and repetition volume of attack does not lead me to believe that we
simply have hyperactive ankle-biters here...though I'm not sure why a
worm would be looking for telnetd. I should hope that no *nix distros,
firewalls or routers still ship with that service enabled.
- - -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-.
====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) | =
|-'
`--' `--' `------ Stick around; I may need an alibi. ------'
`------'
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQFBM+gu6uxsHJ5aYG4RAmkgAJ9XWvK4xlx2zJXdUDyLmt80X1xNCgCeP5FQ
Z9oN21y8WFFqlolITAMoQSA=
=y5Ne
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQTXIovBwmjqd2clHEQJJzwCghIxfIlkD0hjFMNl1SeNZklX9e3YAnR8f
DLncirlVYHagx+19iLHKDj5W
=4zOi
-----END PGP SIGNATURE-----
