[Dshield] Port 23 activity spike

Pete Cap peteoutside at yahoo.com
Tue Jan 6 20:30:11 GMT 2004


Tom,
 
By "reporting anomalies" do you mean something like a sampling error, or what?
 
Pete

Tom Liston <tliston at premmag.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill,

In looking at the data (http://isc.sans.org/port_details.html?port=23) the 
most striking feature is that although there seems to be a lot of variance 
in the number of records and targets, the number of sources has stayed 
relatively constant (between 100 and 200).

My own data also shows that the scans that I'm seeing are coming from a 
small, constant number of hosts.

I would think that this would indicate "reporting anomalies"

- -TL

On 6 Jan 2004 at 9:25, Bill McCarty wrote:

> Hi Johannes and all,
> 
> --On Monday, December 29, 2003 6:26 AM -0500 "Johannes B. Ullrich" 
> wrote:
> 
> >> I notice that recent DShield data show a spike in activity on port 23:
> >> > >> x=2 &percent=N&days=40&Redraw=>.
> >
> > This spike looks like a scan hitting one of our large class B
> > submitters. Telnet is a popular scanned service. I presume that
> > all they are looking for is weak passwords.
> 
> I notice that the spike continues to grow. And, yesterday, I saw telnet
> probes of my own Class C network. Moreover, an exploit tool targeting
> Solaris 8 telnet servers (not a password brute forcer) has been recently
> circulating among certain Undernet IRC users.
> 
> Does it continue to appear that the spike is primarily related to the large
> class B submitter?
> 
> Cheers,
> 
> ---------------------------------------------------
> Bill McCarty
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 -- QDPGP 2.70 
Comment: Public key - http://www.hackbusters.net/pgp.txt

iQA/AwUBP/r/D6Oq/X4cwCZKEQLaLwCgm/HOiKR+ox+sr7302FyGWbUY05cAnAr3
p3PjK4TimKqxUVQ2yKdwVYf0
=FEVK
-----END PGP SIGNATURE-----

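The comparison raised in the thread above (record and target counts swinging while the number of sources stays flat) can be checked against per-record scan logs. This is an added example, not part of the original messages and not DShield code; the record layout, the sample addresses and the 3x-median threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

def make_sample():
    """Constructed port-23 records: three fixed scanners, target count varies by day."""
    sources = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]  # documentation-range addresses
    targets_per_day = {"2004-01-01": 5, "2004-01-02": 6, "2004-01-03": 5,
                       "2004-01-04": 7, "2004-01-05": 200, "2004-01-06": 250}
    return [(day, sources[i % 3], f"198.51.100.{i}")
            for day, n in targets_per_day.items() for i in range(n)]

def daily_counts(records):
    """Return {day: (records, distinct targets, distinct sources)}."""
    n, tgt, src = defaultdict(int), defaultdict(set), defaultdict(set)
    for day, source, target in records:
        n[day] += 1
        tgt[day].add(target)
        src[day].add(source)
    return {d: (n[d], len(tgt[d]), len(src[d])) for d in sorted(n)}

def variation(counts):
    """Coefficient of variation (stdev / mean) of each daily column."""
    cols = zip(*counts.values())
    return {name: pstdev(col) / mean(col)
            for name, col in zip(("records", "targets", "sources"), cols)}

def spikes_with_flat_sources(counts, factor=3.0):
    """Days where records exceed factor x median but sources do not rise.

    Such days point at a few hosts sweeping more addresses (or at one large
    submitter's address space being hit) rather than at more hosts scanning.
    """
    rec_med = median(c[0] for c in counts.values())
    src_med = median(c[2] for c in counts.values())
    return [d for d, (r, _, s) in counts.items()
            if r > factor * rec_med and s <= src_med]

if __name__ == "__main__":
    counts = daily_counts(make_sample())
    for day, row in counts.items():
        print(day, "records=%d targets=%d sources=%d" % row)
    print(variation(counts))
    print("spike days with flat sources:", spikes_with_flat_sources(counts))
```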