[Dshield] Port 23 activity spike

Bill McCarty bmccarty at pt-net.net
Tue Jan 6 17:25:51 GMT 2004

Hi Johannes and all,

--On Monday, December 29, 2003 6:26 AM -0500 "Johannes B. Ullrich" 
<jullrich at sans.org> wrote:

>> I notice that recent DShield data show a spike in activity on port 23:
>> <http://isc.incidents.org/port_details.html?port=23&repax=1&tarax=2&srcax=2&percent=N&days=40&Redraw=>.
> This spike looks like a scan hitting one of our large class B
> submitters. Telnet is a popular scanned service. I presume that
> all they are looking for is weak passwords.

I notice that the spike continues to grow. And, yesterday, I saw telnet 
probes of my own Class C network. Moreover, an exploit tool targeting 
Solaris 8 telnet servers (not a password brute forcer) has been recently 
circulating among certain Undernet IRC users.

Does it continue to appear that the spike is primarily related to the large 
class B submitter?


Bill McCarty

