All,
In June, we discussed a topic entitled "Odd Username attempts at login", where Bill, KG6BAJ, noticed odd connection attempts to his JNOS system via Telnet.
I have recently been working on my SNMP and NetFlow servers, and noticed quite a bit of Telnet connection attempts from Asia, Europe and South America. While I have also seen SSH, RDP, NTP, ICMP and VNC, by far the largest amount of traffic reaching my border interface is Telnet.
Doing some research, I discovered that NIC.CZ has been operating the Turris Project. They have determined that these attempts are coming from a botnet of embedded devices that have Telnet vulnerabilities.
I have provided a link to those findings here: https://en.blog.nic.cz/2016/09/01/telnet-is-not-dead-at-least-not-on-smart-d...
09-28 19:57:36 0.000 TCP 60.189.137.98:28940 -> 44.60.44.128:2323
09-28 19:57:55 0.000 TCP 115.219.124.37:49067 -> 44.60.44.133:23
09-28 19:57:55 0.000 TCP 222.124.85.17:34905 -> 44.60.44.133:23
09-28 19:57:52 5.552 TCP 190.67.215.114:29593 -> 44.60.44.6:23
09-28 19:58:03 0.123 TCP 115.219.124.37:21070 -> 44.60.44.133:23
09-28 19:58:54 0.000 TCP 116.102.62.182:37311 -> 44.60.44.135:23
Please be mindful.
73,
- Lynwood KB3VWG
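An added example, not part of the original message: a small Python summarizer for flow records in the layout quoted above, counting inbound attempts to TCP 23 and 2323 per source and flagging sources that touch several destination hosts. The sample records use constructed documentation addresses, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Record layout as in the flow lines quoted in the message:
# MM-DD HH:MM:SS duration PROTO src_ip:src_port -> dst_ip:dst_port
FLOW_RE = re.compile(
    r"(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<dur>\d+\.\d+) "
    r"(?P<proto>[A-Z]+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
TELNET_PORTS = {23, 2323}  # both ports appear in the quoted records

# Constructed sample (documentation address ranges, not real hosts).
SAMPLE = """\
09-28 19:57:36 0.000 TCP 203.0.113.7:28940 -> 192.0.2.128:2323
09-28 19:57:55 0.000 TCP 198.51.100.9:49067 -> 192.0.2.133:23
09-28 19:57:58 0.000 TCP 198.51.100.9:21070 -> 192.0.2.135:23
09-28 19:58:01 0.210 TCP 198.51.100.9:40112 -> 192.0.2.6:23
09-28 19:58:03 1.002 TCP 203.0.113.50:51515 -> 192.0.2.6:22
garbled line that should be skipped
"""

def parse_flows(text):
    """Return one dict per record; text that does not match is skipped.
    finditer also copes with records run together on one line."""
    flows = []
    for m in FLOW_RE.finditer(text):
        f = m.groupdict()
        f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
        flows.append(f)
    return flows

def telnet_summary(flows, sweep_threshold=3):
    """Count Telnet attempts per source; flag sources that reached at
    least sweep_threshold distinct destination hosts."""
    attempts, targets = Counter(), defaultdict(set)
    for f in flows:
        if f["proto"] == "TCP" and f["dport"] in TELNET_PORTS:
            attempts[f["src"]] += 1
            targets[f["src"]].add(f["dst"])
    sweepers = sorted(s for s, d in targets.items() if len(d) >= sweep_threshold)
    return attempts, sweepers

if __name__ == "__main__":
    attempts, sweepers = telnet_summary(parse_flows(SAMPLE))
    print(attempts.most_common(), "sweeping sources:", sweepers)
```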
As always, the best practice recommendation is to disable telnet logins entirely as it represents a security issue because passwords pass over the connection in clear plaintext.
- Brian
On Thu, Sep 29, 2016 at 12:15:57PM -0400, lleachii--- via 44Net wrote:
I have recently been working on my SNMP and NetFlow servers, and noticed quite a bit of Telnet connection attempts from Asia, Europe and South America. While I have also seen SSH, RDP, NTP, ICMP and VNC, by far the largest amount of traffic reaching my border interface is Telnet.
Doing some research, I discovered that NIC.CZ has been operating the Turris Project. They have determined that these attempts are coming from a botnet of embedded devices that have Telnet vulnerabilities.
I have provided a link to those findings here: https://en.blog.nic.cz/2016/09/01/telnet-is-not-dead-at-least-not-on-smart-d...
Please be mindful.