[Dshield] Port 23 activity spike
tliston at premmag.com
Tue Jan 6 18:31:43 GMT 2004
In looking at the data (http://isc.sans.org/port_details.html?port=23) the
most striking feature is that although there seems to be a lot of variance
in the number of records and targets, the number of sources has stayed
relatively constant (between 100 and 200).
My own data also shows that the scans that I'm seeing are coming from a
small, constant number of hosts.
I would think that this would indicate "reporting anomalies".
On 6 Jan 2004 at 9:25, Bill McCarty wrote:
> Hi Johannes and all,
> --On Monday, December 29, 2003 6:26 AM -0500 "Johannes B. Ullrich"
> <jullrich at sans.org> wrote:
> >> I notice that recent DShield data show a spike in activity on port 23:
> >> <http://isc.incidents.org/port_details.html?port=23&repax=1&tarax=2&srcax=2&percent=N&days=40&Redraw=>.
> > This spike looks like a scan hitting one of our large class B
> > submitters. Telnet is a popular scanned service. I presume that
> > all they are looking for is weak passwords.
> I notice that the spike continues to grow. And, yesterday, I saw telnet
> probes of my own Class C network. Moreover, an exploit tool targeting
> Solaris 8 telnet servers (not a password brute forcer) has been recently
> circulating among certain Undernet IRC users.
> Does it continue to appear that the spike is primarily related to the large
> class B submitter?
> Bill McCarty
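Added example, not part of the original message or of DShield's code: one way to check firewall log data for the pattern described above, where records and targets swing while the number of sources stays flat. The record layout (day, source, target, destination port), the function names, the 3x-median threshold and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

def daily_counts(records, port):
    """Per day: (records, distinct targets, distinct sources) for one port."""
    recs, targets, sources = defaultdict(int), defaultdict(set), defaultdict(set)
    for day, src, dst, dport in records:
        if dport != port:
            continue
        recs[day] += 1
        targets[day].add(dst)
        sources[day].add(src)
    return {d: (recs[d], len(targets[d]), len(sources[d])) for d in sorted(recs)}

def classify_spikes(counts, factor=3.0):
    """Label days whose record count exceeds factor x the median day.

    'few-sources'  : sources stayed near their median (records and targets
                     moved, the set of scanning hosts did not)
    'many-sources' : the number of sources grew along with the records
    """
    med_recs = median(c[0] for c in counts.values())
    med_srcs = median(c[2] for c in counts.values())
    labels = {}
    for day, (n_recs, _n_targets, n_srcs) in counts.items():
        if n_recs > factor * med_recs:
            labels[day] = "few-sources" if n_srcs <= factor * med_srcs else "many-sources"
    return labels

def sample_records():
    """Constructed data (documentation address ranges), not DShield records."""
    out = []
    for day in ("2003-12-26", "2003-12-27", "2003-12-28"):  # quiet baseline
        out += [(day, f"192.0.2.{s}", f"198.51.100.{t}", 23)
                for s in (1, 2) for t in range(5)]
    # Same two sources sweep 100 addresses of one reporting network.
    out += [("2003-12-29", f"192.0.2.{s}", f"198.51.100.{t}", 23)
            for s in (1, 2) for t in range(100)]
    # Fifty different sources probe two targets each.
    out += [("2003-12-30", f"203.0.113.{s}", f"198.51.100.{t}", 23)
            for s in range(50) for t in (1, 2)]
    out.append(("2003-12-29", "192.0.2.9", "198.51.100.7", 80))  # other port, ignored
    return out

if __name__ == "__main__":
    counts = daily_counts(sample_records(), port=23)
    for day, row in counts.items():
        print(day, row)
    print(classify_spikes(counts))
```

On the constructed data, both spike days exceed the record threshold, but only the second shows growth in the number of sources.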