[Dshield] Port 23 activity spike

Tom Liston tliston at premmag.com
Tue Jan 6 20:52:53 GMT 2004



I would agree with Johannes' earlier conclusion.  The spikes appear to be 
a result of a scan running through the network of a large submitter.  
Therefore the numbers are skewed by the fact that the scanning simply hit 
a large, actively monitored network, i.e. a result of "reporting 
anomalies" (correctly spelled this time!).

-TL

On 6 Jan 2004 at 12:30, Pete Cap wrote:

> Tom,
> 
> By "reporting anomalies" do you mean something like a sampling error, or
> what?
> 
> Pete
> 
> Tom Liston <tliston at premmag.com> wrote:
> 
> Bill,
> 
> In looking at the data (http://isc.sans.org/port_details.html?port=23) the
> most striking feature is that although there seems to be a lot of variance
> in the number of records and targets, the number of sources has stayed
> relatively constant (between 100 and 200).
> 
> My own data also shows that the scans that I'm seeing are coming from a
> small, constant number of hosts.
> 
> I would think that this would indicate "reporting anamolies"
> 
> -TL
> 
> On 6 Jan 2004 at 9:25, Bill McCarty wrote:
> 
> > Hi Johannes and all,
> > 
> > --On Monday, December 29, 2003 6:26 AM -0500 "Johannes B. Ullrich" 
> > wrote:
> > 
> > >> I notice that recent DShield data show a spike in activity on port 23:
> > >> > >> x=2 &percent=N&days=40&Redraw=>.
> > >
> > > This spike looks like a scan hitting one of our large class B
> > > submitters. Telnet is a popular scanned service. I presume that
> > > all they are looking for is weak passwords.
> > 
> > I notice that the spike continues to grow. And, yesterday, I saw telnet
> > probes of my own Class C network. Moreover, an exploit tool targeting
> > Solaris 8 telnet servers (not a password brute forcer) has been recently
> > circulating among certain Undernet IRC users.
> > 
> > Does it continue to appear that the spike is primarily related to the
> > large class B submitter?
> > 
> > Cheers,
> > 
> > ---------------------------------------------------
> > Bill McCarty
> > 
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> 
> 
> 



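The reasoning in this thread (records and targets jump while the number of sources stays flat, so the spike comes from a scan sweeping one large submitter) can be checked mechanically. The following is an added example, not part of the original messages and not DShield code; the record layout (day, submitter, source, target), the thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

def daily_summary(reports):
    """Per day: record count, distinct sources, distinct targets, top submitter share."""
    days = defaultdict(lambda: {"records": 0, "sources": set(), "targets": set(),
                                "by_submitter": Counter()})
    for day, submitter, src, dst in reports:
        d = days[day]
        d["records"] += 1
        d["sources"].add(src)
        d["targets"].add(dst)
        d["by_submitter"][submitter] += 1
    out = {}
    for day, d in sorted(days.items()):
        top = d["by_submitter"].most_common(1)[0][1]
        out[day] = {"records": d["records"], "sources": len(d["sources"]),
                    "targets": len(d["targets"]), "top_share": top / d["records"]}
    return out

def classify(summary, spike_factor=3.0, source_band=1.5, share=0.5):
    """Label each day: 'baseline', 'reporting anomaly' or 'broad increase'."""
    base_records = median(s["records"] for s in summary.values())
    base_sources = median(s["sources"] for s in summary.values())
    labels = {}
    for day, s in summary.items():
        if s["records"] < spike_factor * base_records:
            labels[day] = "baseline"
        elif s["sources"] <= source_band * base_sources and s["top_share"] >= share:
            labels[day] = "reporting anomaly"   # few sources, one submitter dominates
        else:
            labels[day] = "broad increase"      # many new sources across submitters
    return labels

def build_sample():
    """Constructed data: (day, submitter, source, target) tuples for port 23."""
    reports = []
    for day in range(1, 6):
        # quiet background: 4 sources, each seen by 3 small submitters
        for s in range(4):
            for sub in ("subA", "subB", "subC"):
                reports.append((day, sub, f"192.0.2.{s}", f"198.51.100.{s}"))
    # day 4: one of the usual sources sweeps a large submitter's network
    reports += [(4, "bigB", "192.0.2.1", f"10.1.{i // 250}.{i % 250}") for i in range(500)]
    # day 5: 60 new sources probe all small submitters
    for s in range(60):
        for sub in ("subA", "subB", "subC"):
            reports.append((5, sub, f"203.0.113.{s}", f"198.51.100.{s % 4}"))
    return reports
```

On the constructed data, day 4 shows the pattern discussed in the thread (records and targets spike, sources unchanged, one submitter dominant), while day 5 shows what a genuine rise in scanning hosts would look like.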



