-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi folks,
With all the chatter on SSH scans, I'm puzzled by an obvious spike
in specific scans on my DNS servers. I'm used to seing scans on these
systems, but today's scans have been an object lesson in high weirdness.
In the past hour I've seen 43 scans for telnetd (port 23) on a
single DNS box. Most of these scans are coming from Asia, but a number
are originating from South America as well. These are not network sweeps;
they are aimed solely at DNS systems.
As if that weren't odd enough, the operating systems of the boxes
that are tripping my alarms are evenly divided between Linux (kernel
versions 2.1.19 to 2.4.21) and, oddly enough, Microsoft Windows (nmap
can't tell if they're WinMe, Win2K, or WinXP).
The systems identified thus far are as follows (37 unique so far):
59.114.133.238 59.115.155.217
59.143.224.179 61.182.160.23
61.231.147.111 72.29.65.187
84.156.88.229 86.108.12.54
86.194.143.163 148.221.145.97
194.79.46.194 195.190.104.24
198.107.38.61 200.138.189.184
200.140.216.82 200.147.120.33
200.151.180.142 200.180.180.192
200.97.171.2 200.97.49.173
201.18.118.135 201.50.0.138
202.76.10.193 210.104.255.77
210.172.165.69 211.115.88.55
213.151.33.233 213.77.71.234
218.160.158.17 218.168.113.3
218.232.187.58 219.153.32.221
220.129.124.151 220.133.16.14
220.138.120.24 220.142.33.3
221.143.22.24
If anyone else is seeing this sort of strangeness, this could be
another one of those happy fun botnets that's trying to spank vulnerable
DNS systems. Too early to tell for sure.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| \------ Jay D. Dyson - [EMAIL PROTECTED] ------/ | = |-'
`--' `--' `--- Good? Bad? I'm the guy with the guns. ---' `------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQFEChKMdHgnXUr6DdMRAmOSAJ4m/3HujRywBd61+83ztDeUgCAQKQCgjeru
yaEVzWkasLPlUK4l7kQAxjw=
=Vbfc
-----END PGP SIGNATURE-----
