Still going on - interesting how they came up with SHSTEM, SHSTEMT etc weird accounts to try
On Nov 16, 2016, at 1:11 PM, Joe Ferraro <jferraro at gmail.com> wrote:
I'm a bit late on this thread, but it was, more-than-likely the Mirai bot (which was
subsequently responsible for the internet-wide DDOS a few weeks ago).. at least that was
what kept hitting my VAX several times a second, until I limited my tcp connection rate to
23/tcp.
Reading the code when it was released, it was pure happenstance that it tried the
"system" account (the code for Mirai made it out a day or so after the
attack....).
Apologies if this was already a part of this thread (I don't see the entirety of the
thread on this device..).
\fwiw
joe
On Tue, Oct 25, 2016 at 10:48 AM, Sampsa Laine <sampsa at mac.com> wrote:
Guys,
I basically had HILANT:: totally lose the plot because of these telnet botnets that are
hitting port 23/tcp all over the place.
Have any of you guys been affected? I have a feeling as I've got a Finnish IP address I
might be one of the Lucky Winners of Putin's latest ragefest.
FYI, these scripts are smarter than the usual root/Administrator scripts - I logged in
and there had been over 49,000 attempts to log in to the SYSTEM account?
Anyway, I've changed the NAT forwarding to another port (if you happen to use HILANT::
via Telnet it's now at telnet://hilant.sampsa.com:2389).
Also, is renaming the SYSTEM account likely to break stuff? They seem to be targeting
that specific username so I figured I'd change it to STALIN or something?
Sampsa