[clug] Intrusion problem

Stu Watson Stuart.Watson at anu.edu.au
Mon Nov 24 05:43:56 GMT 2008

On 24/11/2008, at 2:44 PM, conrad at mail.watersprite.com.au wrote:

> Given the repetitive nature of the requests I was logging, I'm  
> suspecting
> botnetted PCs or similar. I wonder if they're looking for ADSL  
> modems with
> open, external-facing telnet ports? Or is there a better explanation?

The network I keep a watchful eye over has had a tremendous increase  
in scans on port 23 over the past 3 months. I've not useful figures  
infront of me, but from memory this has accounted for 300K-500K  
traffic flows per day.

Other metrics available for the greater internet also show this trend.  
It's not specifically clear why, as there are a whole bunch of telnet  
vulnerabilities for various vendors available.

Some research I read awhile ago suggested these attacks are aimed at  
specific BSD, Cisco, and Solaris vulnerabilities. Although this is  
probably uninteresting as the connection attempts are more likely to  
just be initial data collection of what daemon and version is running  
with a suitable exploit to follow.


More information about the linux mailing list