Curious about a conversation of some weeks ago regarding noise on the default telnet port (port 23), I downloaded the latest BBS list from the Telnet BBS Guide and did a count of the most popular ports bulletin board systems were listening on.
If anyone is interested in more details about this, I put the logs
online. They include some nice credential pairs, if you want to
http://shibboleths.org/ibr/
When I have time, I am going to punch up these scripts so they look like more convincing honeypots, returning bogus but plausible data for each
of the commands.
For the month of January 2002, these are the top ports in /etc/servic
January 2022? or 2023?
Anyway, I took the top bunch and set up listeners on these ports for about 6 days using netcat (traditional) on a system which shouldn't have any inbound connections. Netcat hands inbound connections to a script which prints fake Login: and Password: prompts, and then, regardless of what is entered here, displays a fake # or $ shell prompt, depending on whether they're using root as the login or not.
A typical payload of a port 23 connection, and I didn't detect this on any of the other ports I was listening on, looks like this:
My router at home monitors all ports from /etc/services - none of which have ever allowed ingress - just to see what's knocking on my residential internet connection's door (don't judge, we all have hobbies. Some dudes surf. Some work on classic cars. I monitor my ports. Chicks. Dig me. For this. Like surfers. I...I'm cool.)
DustCouncil wrote to All <=-
Unsurprisingly (but perhaps dramatically), port 23 is nearly constantly pounded by what appear to be botnets.
This is because they are looking for IoT devices where people never change the default usernames and passwords. Many of them have an open port 23 for legit reasons, while others have 23 open because the default OS install does not disable it.
Ironically, maybe, I have not had as much trouble with unwanted port 23 traffic tying up the board as I have with unwanted port 22 (ssh) traffic. They cannot log in, but they tie up multiple sessions trying, so I changed that one from the default.
... Direct from the Ministry of Silly Walks
--- MultiMail/DOS
* Origin: possumso.fsxnet.nz * SSH:2122/telnet:24/ftelnet:80 (21:4/134)
For the month of January 2002, these are the top ports in /etc/services that machines on the Internet are trying to connect to:
Port 23 - 13116 hits [telnet]
Port 22 - 5067 hits [ssh]
Port 8080 - 4378 hits [http-alt]
Port 80 - 2864 hits [http]
Port 443 - 2032 hits [https]
Port 1433 - 1426 hits [ms-sql-s]
Port 123 - 815 hits [ntp]
Port 8081 - 800 hits [tproxy]
Port 53 - 686 hits [dns]
Port 3306 - 465 hits [mysql]
Port 21 - 453 hits [ftp cmd]
It's interesting to me that in 2023, telnet is the most thwacked of all ports, when it is largely considered deprecated. Not only that, it is
the top port by a very large margin.
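The netcat handler described in the thread (fake Login: and Password: prompts, then a # or $ prompt depending on whether the login is root), written out as an added example. It is not DustCouncil's script; the function names, the JSON record layout, the size limits and the honeypot.log path are assumptions.

```python
import json
import sys
import time

MAX_LINE = 256      # cap bytes read per line so a client cannot exhaust memory
MAX_COMMANDS = 20   # cap commands recorded per session


def read_line(reader):
    """Read one bounded line; return None at EOF. Input is never executed."""
    raw = reader.readline(MAX_LINE)
    if not raw:
        return None
    # Non-ASCII bytes (e.g. telnet option negotiation) become \xNN escapes;
    # json.dumps later escapes control characters, so log lines cannot be forged.
    return raw.rstrip(b"\r\n").decode("ascii", "backslashreplace")


def session(reader, writer, peer="unknown"):
    """Run the fake Login:/Password:/shell dialogue and return a log record."""
    record = {"ts": int(time.time()), "peer": peer, "login": None,
              "password": None, "commands": []}
    writer.write(b"Login: ")
    writer.flush()
    record["login"] = read_line(reader)
    if record["login"] is None:
        return record
    writer.write(b"Password: ")
    writer.flush()
    record["password"] = read_line(reader)
    if record["password"] is None:
        return record
    # Any credentials are "accepted"; root gets '#', everyone else '$'.
    prompt = b"# " if record["login"] == "root" else b"$ "
    while len(record["commands"]) < MAX_COMMANDS:
        writer.write(prompt)
        writer.flush()
        line = read_line(reader)
        if line is None or line in ("exit", "logout"):
            break
        if line:
            record["commands"].append(line)
    return record


if __name__ == "__main__":
    # netcat connects the socket to this script's stdin/stdout
    rec = session(sys.stdin.buffer, sys.stdout.buffer)
    with open("honeypot.log", "a") as fh:   # placeholder log path
        fh.write(json.dumps(rec) + "\n")
```

A line longer than MAX_LINE is split and the remainder is read as the next line, so long input is truncated into several records rather than buffered whole.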