Well, I am starting to see the first few known compromises that have used the new telnetd code. Also, at work we went from three tcp/23 scans a day to ten tcp/23 scans today. At home I have gone from three tcp/23 scans a day to three tcp/23 scans today.

These systems seem to have been compromised with the new telnetd code.

Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on www.bitch.org (209.81.14.26):
(The 1536 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
80/tcp     open        http
111/tcp    open        sunrpc
3306/tcp   open        mysql

Remote operating system guess: FreeBSD 4.3
Uptime 60.924 days (since Thu May 24 12:28:20 2001)

Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on (216.173.214.13):
(The 1533 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
113/tcp    open        auth
587/tcp    open        submission

Remote OS guesses: FreeBSD 4.1.1 - 4.3 (X86), FreeBSD 4.3

(the below might have been; just a guess)

Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Interesting ports on pacn3t.iserver.net (128.121.112.167):
(The 1517 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
26/tcp     open        unknown
53/tcp     open        domain
79/tcp     open        finger
80/tcp     open        http
100/tcp    open        newacct
106/tcp    open        pop3pw
110/tcp    open        pop-3
119/tcp    open        nntp
139/tcp    open        netbios-ssn
143/tcp    open        imap2
443/tcp    open        https
465/tcp    open        smtps
513/tcp    open        login
514/tcp    open        shell
990/tcp    open        ftps
992/tcp    open        telnets
993/tcp    open        imaps
995/tcp    open        pop3s
2401/tcp   open        cvspserver
3306/tcp   open        mysql
5190/tcp   open        aol

Remote OS guesses: FreeBSD 4.1.1 - 4.3 (X86), FreeBSD 4.3

DShield reports have shown that tcp/23 scans have gone up too.

http://www1.dshield.org/port_report.php?port=23
http://www.incidents.org/cid/query/top_10port_7.php

--
The events which transpired five thousand years ago;
Five years ago or five minutes ago, have determined what will happen
five minutes from now; five years From now or five thousand years from now.
All history is a current event.
- Dr John Henrik Clake -

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 20:08:32 PDT