From: Nathan Einwechter (psychospy fatelabs.com)
Date: Thu Nov 08 2001 - 20:12:21 CST
Nick,
I just pulled some stats out of the myNetWatchman database. It doesn't seem
like there's a worm going after telnet going around. Below are the stats for
the past 2 weeks or so. This is the count of telnet probes for each day. It
doesn't seem like there's any positive trend over the past two weeks. Other
than a single spike (Oct. 02), everything's been pretty "regular".
I would guess it's just a mass of decoy, or distributed attacks, directed
specifically at you. It would be interesting to see the actual packet traces
from this activity though.
Then again I could be mistaken. Check out the numbers for yourself though.
2001-10-25 296
2001-10-26 111
2001-10-27 701
2001-10-28 540
2001-10-29 508
2001-10-30 141
2001-10-31 136
2001-11-01 178
2001-11-02 847
2001-11-03 158
2001-11-04 250
2001-11-05 286
2001-11-06 179
2001-11-07 221
2001-11-08 242
Yours truly,
Nathan Einwechter
----- Original Message -----
From: netnerd <nkav tpg.com.au>
To: <incidents securityfocus.com>
Sent: Tuesday, November 06, 2001 5:36 AM
Subject: multiple attempts to login via telnet from multiple IP's ... new worm?
> small bit from /var/log/messages:
>
>
> Nov 6 19:57:45 blue login[31450]: FAILED LOGIN 3 FROM 193.123.219.X FOR
> iris, User not known to the underlying authentication module
> Nov 6 19:57:47 blue PAM_pwdb[31450]: check pass; user unknown
> Nov 6 19:57:48 blue login[31450]: FAILED LOGIN SESSION FROM 193.123.219.X
> FOR gerd, User not known to the underlying authentication module
> Nov 6 19:57:53 blue telnetd[31452]: ttloop: peer died: EOF
> Nov 6 19:57:53 blue inetd[497]: pid 31452: exit status 1
> Nov 6 19:58:01 blue PAM_pwdb[31454]: check pass; user unknown
> Nov 6 19:58:03 blue login[31454]: FAILED LOGIN 1 FROM
> X.dsl.lsan03.pacbell.net FOR alok, User not known to the underlying
> authentication module
> Nov 6 19:58:05 blue PAM_pwdb[31454]: check pass; user unknown
> Nov 6 19:58:06 blue login[31454]: FAILED LOGIN 2 FROM
> X.dsl.lsan03.pacbell.net FOR demo, User not known to the underlying
> authentication module
> Nov 6 19:58:08 blue PAM_pwdb[31454]: check pass; user unknown
> Nov 6 19:58:09 blue login[31454]: FAILED LOGIN 3 FROM
> X.dsl.lsan03.pacbell.net FOR isel, User not known to the underlying
> authentication module
> Nov 6 19:58:11 blue PAM_pwdb[31454]: check pass; user unknown
> Nov 6 19:58:12 blue login[31454]: FAILED LOGIN SESSION FROM
> X.lsan03.pacbell.net FOR hong, User not known to the underlying
> authentication module
> Nov 6 19:58:20 blue PAM_pwdb[31456]: check pass; user unknown
> Nov 6 19:58:21 blue login[31456]: FAILED LOGIN 1 FROM X.mw.mediaone.net
> FOR dawit, User not known to the underlying authentication module
> Nov 6 19:58:23 blue PAM_pwdb[31456]: check pass; user unknown
> Nov 6 19:58:24 blue login[31456]: FAILED LOGIN 2 FROM X.mw.mediaone.net
> FOR efram, User not known to the underlying authentication module
> Nov 6 19:58:26 blue PAM_pwdb[31456]: check pass; user unknown
> Nov 6 19:58:27 blue login[31456]: FAILED LOGIN 3 FROM X.mw.mediaone.net
> FOR daffy, User not known to the underlying authentication module
> Nov 6 19:58:30 blue PAM_pwdb[31456]: check pass; user unknown
> Nov 6 19:58:31 blue login[31456]: FAILED LOGIN SESSION FROM
> X.mw.mediaone.net FOR edsel, User not known to the underlying
> authentication module
> Nov 6 19:59:00 blue PAM_pwdb[31459]: check pass; user unknown
> Nov 6 19:59:01 blue login[31459]: FAILED LOGIN 1 FROM X.aps.pl FOR craig,
> User not known to the underlying authentication module
> Nov 6 19:59:07 blue PAM_pwdb[31459]: check pass; user unknown
> Nov 6 19:59:08 blue login[31459]: FAILED LOGIN 2 FROM X.aps.pl FOR darin,
> User not known to the underlying authentication module
>
>
> login attempts are about 10 mins apart from each site.. might I say, I've
> probably been hit by about 50-60 different IP's
> of course, I have killed telnetd & am relying on ssh.
> is this a worm/virus? or have i pissed someone off???
> Any suggestions, help, comments welcome.
> Nick
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
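One way to test the "distributed, directed at you" reading against the quoted log, as an added example that is not part of either message: it groups the `FAILED LOGIN` records by `login` pid (one pid per telnet connection) and reports the sources and usernames seen. The sample records come from the excerpt above with the mail wrapping undone; the function names and the `min_sources` threshold are assumptions.

```python
import re
from collections import defaultdict
# Records from the /var/log/messages excerpt quoted in the post, with the
# mail client's line wrapping undone (one syslog record per line).
SAMPLE = """\
Nov 6 19:58:01 blue PAM_pwdb[31454]: check pass; user unknown
Nov 6 19:58:03 blue login[31454]: FAILED LOGIN 1 FROM X.dsl.lsan03.pacbell.net FOR alok, User not known to the underlying authentication module
Nov 6 19:58:06 blue login[31454]: FAILED LOGIN 2 FROM X.dsl.lsan03.pacbell.net FOR demo, User not known to the underlying authentication module
Nov 6 19:58:09 blue login[31454]: FAILED LOGIN 3 FROM X.dsl.lsan03.pacbell.net FOR isel, User not known to the underlying authentication module
Nov 6 19:58:21 blue login[31456]: FAILED LOGIN 1 FROM X.mw.mediaone.net FOR dawit, User not known to the underlying authentication module
Nov 6 19:58:24 blue login[31456]: FAILED LOGIN 2 FROM X.mw.mediaone.net FOR efram, User not known to the underlying authentication module
Nov 6 19:58:27 blue login[31456]: FAILED LOGIN 3 FROM X.mw.mediaone.net FOR daffy, User not known to the underlying authentication module
Nov 6 19:58:31 blue login[31456]: FAILED LOGIN SESSION FROM X.mw.mediaone.net FOR edsel, User not known to the underlying authentication module
Nov 6 19:59:01 blue login[31459]: FAILED LOGIN 1 FROM X.aps.pl FOR craig, User not known to the underlying authentication module
"""

FAILED = re.compile(
    r"login\[(?P<pid>\d+)\]: FAILED LOGIN (?P<n>\d+|SESSION) "
    r"FROM (?P<src>\S+) FOR (?P<user>[^,]+),"
)

def summarize(text):
    """Group failed logins by login pid, i.e. by telnet connection."""
    sessions = defaultdict(lambda: {"src": None, "users": [], "gave_up": False})
    for line in text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # PAM, telnetd and inetd records carry no source/user
        s = sessions[m["pid"]]
        s["src"] = m["src"]
        s["users"].append(m["user"])
        # In the excerpt, "FAILED LOGIN SESSION" is the last failure for a pid.
        s["gave_up"] |= m["n"] == "SESSION"
    users = [u for s in sessions.values() for u in s["users"]]
    return {
        "sessions": dict(sessions),
        "sources": {s["src"] for s in sessions.values()},
        "unique_users": len(set(users)),
        "total_attempts": len(users),
    }

def looks_distributed(summary, min_sources=3):
    """Heuristic (assumed threshold): several sources, no username tried twice."""
    return (len(summary["sources"]) >= min_sources
            and summary["unique_users"] == summary["total_attempts"])

if __name__ == "__main__":
    print(summarize(SAMPLE), looks_distributed(summarize(SAMPLE)))
```

Several sources that each try a handful of different, nonexistent usernames and never repeat one another's guesses point to a shared list split across hosts rather than independent scanners.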