Re: multiple attempts to login via telnet from multiple IP's ... new worm?

From: Nathan Einwechter (psychospyat_private)
Date: Thu Nov 08 2001 - 18:12:21 PST


    Nick,
    
    I just pulled some stats out of the myNetWatchman database. It doesn't seem
    like there's a worm going after telnet going around. Below are the stats for
    the past 2 weeks or so. This is the count of telnet probes for each day. It
    doesn't seem like there's any positive trend over the past two weeks. Other
    than a single spike (Oct. 02), everything's been pretty "regular".
    
    I would guess it's just a mass of decoy, or distributed attacks, directed
    specifically at you. It would be interesting to see the actual packet traces
    from this activity though.
    
    Then again I could be mistaken. Check out the numbers for yourself though.
    
    2001-10-25  296
    2001-10-26  111
    2001-10-27  701
    2001-10-28  540
    2001-10-29  508
    2001-10-30  141
    2001-10-31  136
    2001-11-01  178
    2001-11-02  847
    2001-11-03  158
    2001-11-04  250
    2001-11-05  286
    2001-11-06  179
    2001-11-07  221
    2001-11-08  242
    
    Yours truly,
            Nathan Einwechter
    
    ----- Original Message -----
    From: netnerd <nkavat_private>
    To: <incidentsat_private>
    Sent: Tuesday, November 06, 2001 5:36 AM
    Subject: multiple attempts to login via telnet from multiple IP's ... new worm?
    
    
    > small bit from /var/log/messages:
    >
    >
    > Nov  6 19:57:45 blue login[31450]: FAILED LOGIN 3 FROM 193.123.219.X FOR
    > iris, User not known to the underlying authentication module
    > Nov  6 19:57:47 blue PAM_pwdb[31450]: check pass; user unknown
    > Nov  6 19:57:48 blue login[31450]: FAILED LOGIN SESSION FROM 193.123.219.X
    > FOR gerd, User not known to the underlying authentication module
    > Nov  6 19:57:53 blue telnetd[31452]: ttloop: peer died: EOF
    > Nov  6 19:57:53 blue inetd[497]: pid 31452: exit status 1
    > Nov  6 19:58:01 blue PAM_pwdb[31454]: check pass; user unknown
    > Nov  6 19:58:03 blue login[31454]: FAILED LOGIN 1 FROM
    > X.dsl.lsan03.pacbell.net FOR alok, User not known to the underlying
    > authentication module
    > Nov  6 19:58:05 blue PAM_pwdb[31454]: check pass; user unknown
    > Nov  6 19:58:06 blue login[31454]: FAILED LOGIN 2 FROM
    > X.dsl.lsan03.pacbell.net FOR demo, User not known to the underlying
    > authentication module
    > Nov  6 19:58:08 blue PAM_pwdb[31454]: check pass; user unknown
    > Nov  6 19:58:09 blue login[31454]: FAILED LOGIN 3 FROM
    > X.dsl.lsan03.pacbell.net FOR isel, User not known to the underlying
    > authentication module
    > Nov  6 19:58:11 blue PAM_pwdb[31454]: check pass; user unknown
    > Nov  6 19:58:12 blue login[31454]: FAILED LOGIN SESSION FROM
    > X.lsan03.pacbell.net FOR hong, User not known to the underlying
    > authentication module
    > Nov  6 19:58:20 blue PAM_pwdb[31456]: check pass; user unknown
    > Nov  6 19:58:21 blue login[31456]: FAILED LOGIN 1 FROM X.mw.mediaone.net
    > FOR dawit, User not known to the underlying authentication module
    > Nov  6 19:58:23 blue PAM_pwdb[31456]: check pass; user unknown
    > Nov  6 19:58:24 blue login[31456]: FAILED LOGIN 2 FROM X.mw.mediaone.net
    > FOR efram, User not known to the underlying authentication module
    > Nov  6 19:58:26 blue PAM_pwdb[31456]: check pass; user unknown
    > Nov  6 19:58:27 blue login[31456]: FAILED LOGIN 3 FROM X.mw.mediaone.net
    > FOR daffy, User not known to the underlying authentication module
    > Nov  6 19:58:30 blue PAM_pwdb[31456]: check pass; user unknown
    > Nov  6 19:58:31 blue login[31456]: FAILED LOGIN SESSION FROM
    > X.mw.mediaone.net FOR edsel, User not known to the underlying
    > authentication module
    > Nov  6 19:59:00 blue PAM_pwdb[31459]: check pass; user unknown
    > Nov  6 19:59:01 blue login[31459]: FAILED LOGIN 1 FROM X.aps.pl FOR craig,
    > User not known to the underlying authentication module
    > Nov  6 19:59:07 blue PAM_pwdb[31459]: check pass; user unknown
    > Nov  6 19:59:08 blue login[31459]: FAILED LOGIN 2 FROM X.aps.pl FOR darin,
    > User not known to the underlying authentication module
    >
    >
    > login attempts are about 10 mins apart from each site... might I say, I've
    > probably been hit by about 50-60 different IP's.
    > of course, I have killed telnetd & am relying on ssh.
    > is this a worm/virus? or have i pissed someone off???
    > Any suggestions, help, comments welcome.
    > Nick
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
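A defender-side way to triage `login(1)` failures of the kind Nick posted, telling the pattern he describes (many hosts, a handful of usernames each, one short telnet session per host) apart from a single host hammering one account. This is an added example, not code from the thread; the sample lines are constructed in the same `/var/log/messages` format with the hosts masked as in the post, and the `session_cap` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted /var/log/messages format; hosts masked as in the post.
SAMPLE_LOG = """\
Nov  6 19:57:45 blue login[31450]: FAILED LOGIN 3 FROM 193.123.219.X FOR iris, User not known to the underlying authentication module
Nov  6 19:57:47 blue PAM_pwdb[31450]: check pass; user unknown
Nov  6 19:57:48 blue login[31450]: FAILED LOGIN SESSION FROM 193.123.219.X FOR gerd, User not known to the underlying authentication module
Nov  6 19:58:03 blue login[31454]: FAILED LOGIN 1 FROM X.dsl.lsan03.pacbell.net FOR alok, User not known to the underlying authentication module
Nov  6 19:58:06 blue login[31454]: FAILED LOGIN 2 FROM X.dsl.lsan03.pacbell.net FOR demo, User not known to the underlying authentication module
Nov  6 19:58:09 blue login[31454]: FAILED LOGIN 3 FROM X.dsl.lsan03.pacbell.net FOR isel, User not known to the underlying authentication module
Nov  6 19:58:21 blue login[31456]: FAILED LOGIN 1 FROM X.mw.mediaone.net FOR dawit, User not known to the underlying authentication module
Nov  6 19:59:01 blue login[31459]: FAILED LOGIN 1 FROM X.aps.pl FOR craig, User not known to the underlying authentication module
"""

# One regex covers both variants in the post: "FAILED LOGIN <n> FROM" and
# "FAILED LOGIN SESSION FROM" (the final failure that closes the session).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[(?P<pid>\d+)\]: "
    r"FAILED LOGIN (?:\d+|SESSION) FROM (?P<src>\S+) FOR (?P<user>[^,]+),"
)

def parse_failed_logins(text):
    """Return one dict per login(1) failure; PAM_pwdb noise lines are skipped."""
    return [m.groupdict() for m in map(FAILED_RE.match, text.splitlines()) if m]

def summarize_by_source(events):
    """Per source host: number of failures and the set of usernames tried."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ev in events:
        per_src[ev["src"]]["attempts"] += 1
        per_src[ev["src"]]["users"].add(ev["user"])
    return dict(per_src)

def classify(summary, session_cap=4):
    """Many hosts each staying within one short session (session_cap is an assumed
    threshold) reads as a distributed probe; one host far past it, as brute force."""
    if not summary:
        return "nothing"
    attempts = [s["attempts"] for s in summary.values()]
    if len(summary) == 1 and max(attempts) > session_cap:
        return "single-source brute force"
    if len(summary) >= 3 and max(attempts) <= session_cap:
        return "distributed low-rate probe"
    return "mixed"

if __name__ == "__main__":
    summary = summarize_by_source(parse_failed_logins(SAMPLE_LOG))
    print(summary, classify(summary))
```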
    



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 13:07:45 PST