[clug] Intrusion problem
Stuart.Watson at anu.edu.au
Mon Nov 24 05:43:56 GMT 2008
On 24/11/2008, at 2:44 PM, conrad at mail.watersprite.com.au wrote:
> Given the repetitive nature of the requests I was logging, I'm
> botnetted PCs or similar. I wonder if they're looking for ADSL
> modems with
> open, external-facing telnet ports? Or is there a better explanation?
The network I keep a watchful eye over has had a tremendous increase
in scans on port 23 over the past 3 months. I've not useful figures
infront of me, but from memory this has accounted for 300K-500K
traffic flows per day.
Other metrics available for the greater internet also show this trend.
It's not specifically clear why, as there are a whole bunch of telnet
vulnerabilities for various vendors available.
Some research I read awhile ago suggested these attacks are aimed at
specific BSD, Cisco, and Solaris vulnerabilities. Although this is
probably uninteresting as the connection attempts are more likely to
just be initial data collection of what daemon and version is running
with a suitable exploit to follow.
More information about the linux