[HECnet] Botnet hits on 23/tcp

Joe Ferraro jferraro at gmail.com
Wed Nov 16 10:11:53 PST 2016


I'm a bit late on this thread, but it was more than likely the Mirai bot
(which was subsequently responsible for the internet-wide DDoS a few weeks
ago)... at least that was what kept hitting my VAX several times a second,
until I limited my tcp connection rate to 23/tcp.

Reading the code when it was released, it was pure happenstance that it
tried the "system" account (the code for Mirai made it out a day or so
after the attack...).

Apologies if this was already a part of this thread (I don't see the
entirety of the thread on this device...).



\fwiw

joe


On Tue, Oct 25, 2016 at 10:48 AM, Sampsa Laine <sampsa at mac.com> wrote:

> Guys,
>
> I basically had HILANT:: totally lose the plot because of these telnet
> botnets that are hitting port 23/tcp all over the place.
>
> Have any of you guys been affected? I have a feeling as I’ve got a Finnish
> IP address I might be one of the Lucky Winners of Putin’s latest ragefest.
>
> FYI, these scripts are smarter than the usual root/Administrator scripts -
> I logged in and there had been over 49,000 attempts to log in to the SYSTEM
> account…
>
> Anyway, I’ve changed the NAT forwarding to another port (if you happen to
> use HILANT:: via Telnet it’s now at telnet://hilant.sampsa.com:2389).
>
> Also, is renaming the SYSTEM account likely to break stuff? They seem to
> be targeting that specific username so I figured I’d change it to STALIN or
> something…
>
> Sampsa
>
>
>