For the last week or so, DShield and SANS have been showing a spike in Telnet (port 23) traffic for scans and attacks. However, the scans truly seem to be localized to specific ISPs. To date, none of the MSI honeypots or sensors have recorded any increase in Telnet traffic. On a couple of our consumer broadband connections, we have been watching for Telnet traffic for nearly a month without a SINGLE connection to any of our systems.
This may mean that some specific malware or scanning autorooter has been created that targets specific IP blocks that are known to belong to commercial operations. What they are seeking, at this point is still unknown.
This leaves us wondering if something else is coming, or if this is simply an anomoly or noise in the Net, so to speak. The smart idea is to do some additional monitoring around hosts that provide Internet facing Telnet services. It might be a good idea to run some quick scans for open Telnet connections and begin to round up whether they are needed or not. Some perimeter firewall config changes may help hide the unneeded ones from whatever is out there crawling the net for them.
If you see any unusual traffic on Telnet, please submit logs, packet captures or let us know using email or the “Talk to ISOC” function of WatchDog.