[HECnet] Botnet hits on 23/tcp

Johnny Billquist bqt at softjar.se
Tue Oct 25 09:46:35 PDT 2016


On 2016-10-25 16:48, Sampsa Laine wrote:
> Guys,
>
> I basically had HILANT:: totally lose the plot because of these telnet botnets that are hitting port 23/tcp all over the place.
>
> Have any of you guys been affected? I have a feeling as I’ve got a Finnish IP address I might be one of the Lucky Winners of Putin’s latest ragefest.

Affected in the sense that I see lots and lots of connections on MIM and 
Magica, yes.
Since my TCP/IP for RSX has detection for this kind of stuff, and 
automatically filters traffic out for a while from abusive sites, I 
can't say that I've been affected much in any negative way.

> FYI, these scripts are smarter than the usual root/Administrator scripts - I logged in and there had been over 49,000 attempts to log in to the SYSTEM account…

Yeah, that's the next thing. These scripts get very confused by RSX, as 
RSX actually allows you to issue commands without being logged in, so it 
does not start by prompting for a username. Scripts usually stall right 
there and then. :-)

> Anyway, I’ve changed the NAT forwarding to another port (if you happen to use HILANT:: via Telnet it’s now at telnet://hilant.sampsa.com:2389).
>
> Also, is renaming the SYSTEM account likely to break stuff? They seem to be targeting that specific username so I figured I’d change it to STALIN or something…

I suspect there might be some things that get broken if you rename it, 
but I don't know for sure.

But it's hilarious to watch from RSX, how the script-kiddies try and try...

	Johnny
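
The detect-and-filter-for-a-while behaviour mentioned in the reply above, sketched as an added example. This is not the RSX TCP/IP code, whose logic and thresholds the thread does not give; the class name, the thresholds, and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

class TempBanFilter:
    """Drop traffic from a source for ban_secs once it opens more than
    max_conns connections within window_secs (thresholds are assumed)."""

    def __init__(self, max_conns=5, window_secs=60, ban_secs=600):
        self.max_conns = max_conns
        self.window_secs = window_secs
        self.ban_secs = ban_secs
        self.recent = defaultdict(deque)   # src -> timestamps of recent connects
        self.banned_until = {}             # src -> time at which the ban expires

    def allow(self, src, now):
        """Return True if a new connection from src at time now is accepted."""
        expiry = self.banned_until.get(src)
        if expiry is not None:
            if now < expiry:
                return False               # still filtered
            del self.banned_until[src]     # ban has lapsed, start counting afresh
        hits = self.recent[src]
        while hits and now - hits[0] >= self.window_secs:
            hits.popleft()                 # forget connects outside the window
        hits.append(now)
        if len(hits) > self.max_conns:
            self.banned_until[src] = now + self.ban_secs
            hits.clear()
            return False
        return True

# Constructed sample events: (seconds, source) using documentation address ranges.
EVENTS = (
    [(t, "203.0.113.7") for t in range(0, 20, 2)]     # 10 connects in 20 s
    + [(30, "198.51.100.4"), (300, "198.51.100.4")]   # occasional legitimate user
    + [(400, "203.0.113.7"), (700, "203.0.113.7")]    # during the ban, then after it
)

def replay(events, **kw):
    """Feed events in time order through a fresh filter; return the decisions."""
    f = TempBanFilter(**kw)
    return [(t, src, f.allow(src, t)) for t, src in sorted(events)]

if __name__ == "__main__":
    for t, src, ok in replay(EVENTS):
        print(f"{t:4d}s {src:15s} {'accept' if ok else 'drop'}")
```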

