Security Incidents: Scans for telnetd on DNS servers.

From: Jay D. Dyson <jdyson_at_treachery.net>
Date: Sat, 4 Mar 2006 14:19:51 -0800 (PST)

Hi folks,

         With all the chatter on SSH scans, I'm puzzled by an obvious spike
in specific scans on my DNS servers. I'm used to seeing scans on these
systems, but today's scans have been an object lesson in high weirdness.

         In the past hour I've seen 43 scans for telnetd (port 23) on a
single DNS box. Most of these scans are coming from Asia, but a number
are originating from South America as well. These are not network sweeps;
they are aimed solely at DNS systems.

         As if that weren't odd enough, the operating systems of the boxes
that are tripping my alarms are evenly divided between Linux (kernel
versions 2.1.19 to 2.4.21) and, oddly enough, Microsoft Windows (nmap
can't tell if they're WinMe, Win2K, or WinXP).

         The systems identified thus far are as follows (37 unique so far):

         If anyone else is seeing this sort of strangeness, this could be
another one of those happy fun botnets that's trying to spank vulnerable
DNS systems. Too early to tell for sure.

-Jay

    ( ( _______
    )) )) .-"There's always time for a good cup of coffee."-. >====<--.
  C|~~|C|~~| \------ Jay D. Dyson - jdyson_at_treachery.net ------/ | = |-'
   `--' `--' `--- Good? Bad? I'm the guy with the guns. ---' `------'

Received on Mar 04 2006
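The distinction Jay draws above, probes aimed solely at DNS hosts rather than network sweeps, is the kind of thing a defender can pull out of firewall logs automatically. The following is an added example, not code from the post or the list: it classifies each source that touched port 23 as "targeted" (only ever hit DNS hosts) or "sweep", then counts targeted sources per DNS host within a one-hour window. The log format, the DNS host set and every address are constructed (RFC 5737 documentation ranges).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical: the addresses we run DNS on (constructed, RFC 5737 ranges).
DNS_HOSTS = {"192.0.2.53", "192.0.2.54"}

# Constructed firewall-style log lines: "<ISO time> <src> -> <dst>:<dport>"
SAMPLE_LOG = """\
2006-03-04T13:05:10 198.51.100.7 -> 192.0.2.53:23
2006-03-04T13:07:42 198.51.100.7 -> 192.0.2.54:23
2006-03-04T13:09:00 203.0.113.9 -> 192.0.2.53:23
2006-03-04T13:09:05 203.0.113.9 -> 192.0.2.10:23
2006-03-04T13:09:06 203.0.113.9 -> 192.0.2.11:23
2006-03-04T13:15:30 198.51.100.21 -> 192.0.2.53:23
2006-03-04T13:20:00 198.51.100.22 -> 192.0.2.53:53
2006-03-04T15:01:00 198.51.100.30 -> 192.0.2.53:23
"""

def parse(log):
    """Turn the constructed log into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def classify_sources(events, port=23):
    """Map each source that probed `port` to "targeted" (every host it hit
    on that port is a DNS host) or "sweep" (it also hit non-DNS hosts)."""
    dsts = defaultdict(set)
    for _, src, dst, p in events:
        if p == port:
            dsts[src].add(dst)
    return {src: ("targeted" if hosts <= DNS_HOSTS else "sweep")
            for src, hosts in dsts.items()}

def targeted_probes_per_dns_host(events, window_end,
                                 window=timedelta(hours=1), port=23):
    """Count distinct targeted sources that hit each DNS host on `port`
    during the hour ending at `window_end`; sweepers are excluded."""
    kinds = classify_sources(events, port)
    start = window_end - window
    seen = defaultdict(set)
    for ts, src, dst, p in events:
        if (p == port and dst in DNS_HOSTS and start <= ts <= window_end
                and kinds[src] == "targeted"):
            seen[dst].add(src)
    return {host: len(srcs) for host, srcs in seen.items()}
```

Feeding real firewall or IDS logs through `parse` (after adapting the line format) gives a per-host count comparable to the "43 scans in an hour" figure in the post, with sweepers separated out rather than inflating it.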