[Dshield] Port 23 activity spike

Tom Liston tliston at premmag.com
Tue Jan 6 18:31:43 GMT 2004

In looking at the data (http://isc.sans.org/port_details.html?port=23) the 
most striking feature is that although there seems to be a lot of variance 
in the number of records and targets, the number of sources has stayed 
relatively constant (between 100 and 200).

My own data also shows that the scans that I'm seeing are coming from a 
small, constant number of hosts.

I would think that this would indicate "reporting anomalies".

-TL

On 6 Jan 2004 at 9:25, Bill McCarty wrote:

> Hi Johannes and all,
> --On Monday, December 29, 2003 6:26 AM -0500 "Johannes B. Ullrich" 
> <jullrich at sans.org> wrote:
> >> I notice that recent DShield data show a spike in activity on port 23:
> >> <http://isc.incidents.org/port_details.html?port=23&repax=1&tarax=2&srcax=2&percent=N&days=40&Redraw=>.
> >
> > This spike looks like a scan hitting one of our large class B
> > submitters. Telnet is a popular scanned service. I presume that
> > all they are looking for is weak passwords.
> I notice that the spike continues to grow. And, yesterday, I saw telnet
> probes of my own Class C network. Moreover, an exploit tool targeting
> Solaris 8 telnet servers (not a password brute forcer) has been recently
> circulating among certain Undernet IRC users.
> Does it continue to appear that the spike is primarily related to the large
> class B submitter?
> Cheers,
> ---------------------------------------------------
> Bill McCarty
