Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Port 23 (tcp/udp) Attack Activity - SANS Internet Storm Center Port 23 (tcp/udp) Attack Activity


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Loading...
[get complete service list]
Top of page
Port Information
Protocol Service Name
tcp telnet Telnet
udp telnet Telnet
tcp ADMworm [trojan] ADM worm
tcp FireHacKer [trojan] Fire HacKer
tcp MyVeryOwntrojan [trojan] My Very Own trojan
tcp RTB666 [trojan] RTB 666
tcp TelnetPro [trojan] Telnet Pro
tcp TinyTelnetServer [trojan] Tiny Telnet Server - TTS
tcp TruvaAtl [trojan] Truva Atl
Top IPs Scanning
TodayYesterday
152.89.170.31 (11387)37.0.8.86 (85492)
37.0.8.86 (6720)198.12.90.146 (5058)
212.192.241.70 (2724)149.57.210.215 (4674)
103.99.150.43 (2160)183.94.244.32 (4199)
109.244.18.237 (1912)103.99.150.43 (3844)
198.12.90.146 (1639)222.189.143.46 (3829)
45.61.186.75 (1577)149.97.213.250 (3695)
154.12.224.81 (1296)37.0.11.130 (3682)
194.31.98.17 (1113)109.244.18.237 (3528)
103.151.140.107 (1094)124.152.185.167 (2936)
Port diary mentions
URL
Distributed FTPPort 21 scan follow-up; Port 23 scan increases;
Something new on Telnet?
Solaris worm?
America's Got Telnet !
Increase in Port 23 (telnet) scanning
What is happening on 2323TCP?
Ongoing Scans Below the Radar
WTF tcp port 81
Top of page
User Comments
Submitted By Date
Comment
2015-12-27 03:19:02
say, another thought, there's a "Snort" rule that appears to alert if a Juniper Network backdoor password attempt was made. (https://gist.github.com/fox-srt/ca94b350f2a91bd8ed3f) does that mean that, with all these port 23 hits happening, that the Juniper backdoor could have been found years ago by pretty much anyone on the Internet who just monitored the actual packets they were being probed with? if any of them were actually such attempts. maybe they'd have to use it to do some scanning themselves to find what it was for though. does anyone do that?
2015-12-27 03:18:55
Gee, activity on this ssl port became really strong around the middle of 2012, and the Juniper Networks ssl backdoor showed up around the middle of 2012. Only nobody knew it then. How did that happen?
Add a comment
Top of page
CVE Links
CVE # Description
CVE-2001-0797 Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.
CVE-2015-0014
Top of page