| Subject: | Re: Scans for telnetd on DNS servers. |
|---|---|
| Date: | Sat, 04 Mar 2006 23:21:36 -0500 |
I can confirm to you that I have servers with WEB, FTP, SMTP and POP3 facing the internet and the firewall is not getting hit with DPT=23, not a single hit all day!

Raist

Jay D. Dyson wrote:
Hi folks,
With all the chatter on SSH scans, I'm puzzled by an obvious spike
in specific scans on my DNS servers. I'm used to seeing scans on these
systems, but today's scans have been an object lesson in high weirdness.
In the past hour I've seen 43 scans for telnetd (port 23) on a
single DNS box. Most of these scans are coming from Asia, but a number
are originating from South America as well. These are not network
sweeps; they are aimed solely at DNS systems.
As if that weren't odd enough, the operating systems of the boxes
that are tripping my alarms are evenly divided between Linux (kernel
versions 2.1.19 to 2.4.21) and, oddly enough, Microsoft Windows (nmap
can't tell if they're WinMe, Win2K, or WinXP).
The systems identified thus far are as follows (37 unique so far):
If anyone else is seeing this sort of strangeness, this could be
another one of those happy fun botnets that's trying to spank vulnerable
DNS systems. Too early to tell for sure.
-Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| \------ Jay D. Dyson - jdyson@treachery.net ------/ | = |-'
`--' `--' `--- Good? Bad? I'm the guy with the guns. ---' `------'
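The distinction drawn in the quoted message, port 23 probes aimed only at DNS hosts versus network sweeps, can be checked from firewall logs. The following is an added example, not part of either post: it assumes netfilter-style LOG lines with `SRC=`, `DST=`, `PROTO=` and `DPT=` fields and a hypothetical `DNS_SERVERS` inventory, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG format; all addresses are
# documentation ranges (RFC 5737), not taken from the post.
SAMPLE_LOG = """\
Mar  4 22:10:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.53 LEN=60 TTL=48 PROTO=TCP SPT=40122 DPT=23 SYN
Mar  4 22:10:07 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.54 LEN=60 TTL=48 PROTO=TCP SPT=40123 DPT=23 SYN
Mar  4 22:11:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.53 LEN=60 TTL=110 PROTO=TCP SPT=1044 DPT=23 SYN
Mar  4 22:11:31 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.80 LEN=60 TTL=110 PROTO=TCP SPT=1045 DPT=23 SYN
Mar  4 22:12:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.53 LEN=60 TTL=52 PROTO=TCP SPT=5050 DPT=22 SYN
Mar  4 22:12:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.53 LEN=71 TTL=50 PROTO=UDP SPT=5353 DPT=53
"""

DNS_SERVERS = {"198.51.100.53", "198.51.100.54"}  # assumed inventory of DNS hosts
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)


def telnet_probes(log_text, port="23"):
    """Map each source IP to the set of destinations it probed on TCP/<port>."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") == "TCP" and f.get("DPT") == port and f.get("SRC") and f.get("DST"):
            targets[f["SRC"]].add(f["DST"])
    return targets


def classify(targets, dns_servers):
    """Split sources into those that touched only DNS hosts and those that also hit others."""
    dns_only, sweep = [], []
    for src, dsts in sorted(targets.items()):
        (dns_only if dsts <= dns_servers else sweep).append(src)
    return {"dns_only": dns_only, "sweep": sweep}


if __name__ == "__main__":
    result = classify(telnet_probes(SAMPLE_LOG), DNS_SERVERS)
    print("sources hitting only DNS hosts on 23/tcp:", result["dns_only"])
    print("sources also hitting non-DNS hosts:", result["sweep"])
```

A source that appears under `dns_only` across several DNS hosts matches the targeted pattern described in the quoted message; one under `sweep` is ordinary background scanning.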