Subj : Telnet at <<Prism
To   : Ben Ritchey
From : mark lewis
Date : Mon Oct 03 2016 05:26 pm


03 Oct 16 15:10, you wrote to Janis Kracht:

JK>> If you've been 'locked out' of the telnet server and you need to use
JK>> it, let me know.  I'll check your ip wasn't marked as 'bad'. I've
JK>> been trapping large numbers of nodes here who seem to just
JK>> log-on/log-off

BR> I'm getting quite a few myself, probably part of a new Telnet "attack"
BR> which I am getting from dozens of different IP addresses weekly that
BR> try to

have you seen the links i shared earlier? i dropped them in several conferences
by cross posting a reply to janis...

BR> login with the following sequence:

BR> === Snip ===
BR> Unknown
BR> ENABLE
BR> SYSTEM
BR> SHELL
BR> === Snip ===

actually, it is roughly two or three months old... the first portion (which you
left out) is a user name... your "unknown" is actually the password but not
that sequence of letters... they are transmitted normal-like with the CRLF
after them... the rest of the string sequences you posted are each followed by
a nul (0x00) character and then the CRLF... you're missing the last two parts,
"sh" and a call to busybox with a command name which is the main tracking and
detection signature...

BR> I am blocking some with multiple hits, but I ignore the rest {chuckle}

the order of the above was different in the beginning... there is always the
user name and password but one or the other may be empty (just a CRLF
sequence)... it started as only three commands followed by the call to busybox
with its command name... then it changed to four commands with "enable" being
first as you show above...

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it
wrong...
... Correction does much, but encouragement does more.
---
* Origin:  (1:3634/12.73)
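A defender-side parser for the framing mark describes above (user name and password ending in a plain CRLF, each shell word followed by a NUL and then CRLF, then a busybox call with a command name), added here as an example; it is not code from this thread. The sample session and the busybox command name PLACEHOLDER are constructed, and treating the NUL after "sh" and after the busybox line as optional is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of the client side of one session, framed as the post
# describes: user name and password end in a plain CRLF; each shell word ends
# in a NUL byte and then CRLF.  The busybox command name is a placeholder,
# not the real one seen in the wild.
SAMPLE_SESSION = (
    b"root\r\n"
    b"unknown\r\n"
    b"enable\x00\r\n"
    b"system\x00\r\n"
    b"shell\x00\r\n"
    b"sh\x00\r\n"
    b"/bin/busybox PLACEHOLDER\x00\r\n"
)

SHELL_WORDS = {b"enable", b"system", b"shell", b"sh"}

@dataclass
class SessionReport:
    username: bytes
    password: bytes
    nul_terminated: List[bytes]      # shell words sent with a trailing 0x00
    busybox_cmd: Optional[bytes]     # command name passed to busybox, if any
    matches: bool

def split_lines(raw: bytes):
    """Split client input on CRLF and record whether a NUL preceded each CRLF.
    Returns (text, had_nul) pairs so the framing itself can be inspected."""
    out = []
    for line in raw.split(b"\r\n")[:-1]:  # drop the tail after the last CRLF
        out.append((line.rstrip(b"\x00"), line.endswith(b"\x00")))
    return out

def analyse(raw: bytes) -> Optional[SessionReport]:
    lines = split_lines(raw)
    if len(lines) < 2:
        return None
    user, pw = lines[0][0], lines[1][0]  # either may be empty, per the post
    nul_cmds = [t for t, nul in lines[2:] if nul and t.lower() in SHELL_WORDS]
    busybox = None
    for text, _ in lines[2:]:
        m = re.match(rb"(?:\S*/)?busybox\s+(\S+)", text.lstrip(), re.I)
        if m:
            busybox = m.group(1)
    # The order of the shell words changed over time, so match on the
    # ingredients rather than a fixed order: NUL-terminated shell words plus
    # a busybox call carrying a command name (the tracking signature).
    matches = busybox is not None and len(nul_cmds) >= 2
    return SessionReport(user, pw, nul_cmds, busybox, matches)
```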