[HECnet] Botnet hits on 23/tcp
Supratim Sanyal
supratim at riseup.net
Wed Nov 16 11:40:15 PST 2016
Still going on - interesting how they came up with SHSTEM, SHSTEMT etc. weird accounts to try.
http://sanyalnet-openvms-vax.freeddns.org:82/falserver/intrusions.txt
> On Nov 16, 2016, at 1:11 PM, Joe Ferraro <jferraro at gmail.com> wrote:
>
> I'm a bit late on this thread, but it was, more than likely, the Mirai bot (which was subsequently responsible for the internet-wide DDoS a few weeks ago). At least that was what kept hitting my VAX several times a second, until I limited my tcp connection rate to 23/tcp.
>
> Reading the code when it was released, it was pure happenstance that it tried the "system" account (the code for Mirai made it out a day or so after the attack...).
>
> Apologies if this was already a part of this thread (I don't see the entirety of the thread on this device).
>
> \fwiw
>
> joe
>
>> On Tue, Oct 25, 2016 at 10:48 AM, Sampsa Laine <sampsa at mac.com> wrote:
>> Guys,
>>
>> I basically had HILANT:: totally lose the plot because of these telnet botnets that are hitting port 23/tcp all over the place.
>>
>> Have any of you guys been affected? I have a feeling as I’ve got a Finnish IP address I might be one of the Lucky Winners of Putin’s latest ragefest.
>>
>> FYI, these scripts are smarter than the usual root/Administrator scripts - I logged in and there had been over 49,000 attempts to log in to the SYSTEM account…
>>
>> Anyway, I’ve changed the NAT forwarding to another port (if you happen to use HILANT:: via Telnet it’s now at telnet://hilant.sampsa.com:2389).
>>
>> Also, is renaming the SYSTEM account likely to break stuff? They seem to be targeting that specific username so I figured I’d change it to STALIN or something…
>>
>> Sampsa