*BSD Telnetd

From: John (johnsat_private)
Date: Wed Jul 25 2001 - 16:21:57 PDT

    Well, I am starting to see the first few known
    compromises that have used the new telnetd code.
    
    Also, at work we went from three tcp/23 scans
    a day to ten tcp/23 scans today. At home I have
    gone from three tcp/23 scans a day to three
    tcp/23 scans today.
    
    These systems seem to have been compromised with
    the new telnetd code.
    
    Insufficient responses for TCP sequencing (3), OS detection may be less
    accurate
    Interesting ports on www.bitch.org (209.81.14.26):
    (The 1536 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp                     
    22/tcp     open        ssh                     
    23/tcp     open        telnet                  
    80/tcp     open        http                    
    111/tcp    open        sunrpc                  
    3306/tcp   open        mysql                   
    
    Remote operating system guess: FreeBSD 4.3
    Uptime 60.924 days (since Thu May 24 12:28:20 2001)
    
    Insufficient responses for TCP sequencing (2), OS detection may be less
    accurate
    Interesting ports on  (216.173.214.13):
    (The 1533 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp                     
    22/tcp     open        ssh                     
    23/tcp     open        telnet                  
    25/tcp     open        smtp                    
    80/tcp     open        http                    
    110/tcp    open        pop-3                   
    111/tcp    open        sunrpc                  
    113/tcp    open        auth                    
    587/tcp    open        submission              
    
    Remote OS guesses: FreeBSD 4.1.1 - 4.3 (X86), FreeBSD 4.3
    
    (the below might have been; just a guess)
    Insufficient responses for TCP sequencing (1), OS detection may be less
    accurate
    Interesting ports on pacn3t.iserver.net (128.121.112.167):
    (The 1517 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp                     
    22/tcp     open        ssh                     
    23/tcp     open        telnet                  
    25/tcp     open        smtp                    
    26/tcp     open        unknown                 
    53/tcp     open        domain                  
    79/tcp     open        finger                  
    80/tcp     open        http                    
    100/tcp    open        newacct                 
    106/tcp    open        pop3pw                  
    110/tcp    open        pop-3                   
    119/tcp    open        nntp                    
    139/tcp    open        netbios-ssn             
    143/tcp    open        imap2                   
    443/tcp    open        https                   
    465/tcp    open        smtps                   
    513/tcp    open        login                   
    514/tcp    open        shell                   
    990/tcp    open        ftps                    
    992/tcp    open        telnets                 
    993/tcp    open        imaps                   
    995/tcp    open        pop3s                   
    2401/tcp   open        cvspserver              
    3306/tcp   open        mysql                   
    5190/tcp   open        aol                     
    
    Remote OS guesses: FreeBSD 4.1.1 - 4.3 (X86), FreeBSD 4.3
    
    DShield reports have shown that tcp/23 scans have gone up too.
    
    http://www1.dshield.org/port_report.php?port=23
    
    http://www.incidents.org/cid/query/top_10port_7.php
    
    -- 
    The events which transpired five thousand years ago; five
    years ago or five minutes ago, have determined what will
    happen five minutes from now; five years from now or five
    thousand years from now. All history is a current event.
    - Dr John Henrik Clarke -
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 20:08:32 PDT