[HECnet] Botnet hits on 23/tcp

Sampsa Laine sampsa at mac.com
Tue Oct 25 07:48:45 PDT 2016


Guys,

I basically had HILANT:: totally lose the plot because of these telnet botnets that are hitting port 23/tcp all over the place.

Have any of you guys been affected? I have a feeling as I’ve got a Finnish IP address I might be one of the Lucky Winners of Putin’s latest ragefest.

FYI, these scripts are smarter than the usual root/Administrator scripts - I logged in and there had been over 49,000 attempts to log in to the SYSTEM account…

Anyway, I’ve changed the NAT forwarding to another port (if you happen to use HILANT:: via Telnet, it’s now at telnet://hilant.sampsa.com:2389).

Also, is renaming the SYSTEM account likely to break stuff? They seem to be targeting that specific username so I figured I’d change it to STALIN or something…

Sampsa

