| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | Telnet at Prism |
03 Oct 16 15:10, you wrote to Janis Kracht:
JK>> If you've been 'locked out' of the telnet server and you need to use
JK>> it, let me know. I'll check your ip wasn't marked as 'bad'. I've
JK>> been trapping large numbers of nodes here who seem to just
JK>> log-on/log-off
BR> I'm getting quite a few myself, probably part of a new Telnet "attack"
BR> which I am getting from dozens of different IP addresses weekly that
BR> try to
have you seen the links i shared earlier? i dropped them in several
conferences by cross posting a reply to janis...
BR> login with the following sequence:
BR> === Snip ===
BR> Unknown
BR> ENABLE
BR> SYSTEM
BR> SHELL
BR> === Snip ===
actually, it is roughly two or three months old... the first portion (which
you left out) is a user name... your "unknown" is actually
the password but not that sequence of letters... they are transmitted
normal-like with the CRLF after them... the rest of the string sequences
you posted are each followed by a nul (0x00) character and then the CRLF...
you're missing the last two parts, "sh" and a call to busybox
with a command name which is the main tracking and detection signature...
BR> I am blocking some with multiple hits, but I ignore the rest {chuckle}
the order of the above was different in the beginning... there is always
the user name and password but one or the other may be empty (just a CRLF
sequence)... it started as only three commands followed by the call to
busybox with its command name... then it changed to four commands with
"enable" being first as you show above...
)\/(ark
Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin'
it wrong...
... Correction does much, but encouragement does more.
---
* Origin: (1:3634/12.73)
| SOURCE: echomail via fidonet.ozzmosis.com | |
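
The login sequence described in the message above, written as a detection check over captured session bytes. This is an added example, not part of the original post: `user1`, `pass1` and `EXAMPLETAG` are constructed placeholders, and it assumes telnet option negotiation has already been stripped from the client-to-server stream.

```python
import re

# Command words named in the thread; compared case-insensitively, order not fixed.
COMMANDS = {b"enable", b"system", b"shell", b"sh"}
# "a call to busybox with a command name"; an optional path prefix is an assumption.
BUSYBOX = re.compile(rb"(?:\S*/)?busybox[ \t]+(\S+)", re.I)

def classify(stream: bytes):
    """Return details of a matching login sequence, or None if it does not fit.

    stream: client-to-server bytes of one session, telnet IAC negotiation
    already stripped (assumption).
    """
    lines = stream.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()                      # trailing CRLF leaves an empty tail
    if len(lines) < 6:                   # user, password, 3+ commands, busybox
        return None
    user, password, *cmds, last = lines
    # Credentials are sent "normal-like": plain CRLF, no NUL. Either may be empty.
    if b"\x00" in user or b"\x00" in password or len(cmds) > 4:
        return None
    for c in cmds:
        word = c.rstrip(b"\x00").lower()
        if word not in COMMANDS:
            return None
        # The thread states the NUL for enable/system/shell; for "sh" and the
        # busybox line it is unstated, so it is optional here (assumption).
        if word != b"sh" and not c.endswith(b"\x00"):
            return None
    m = BUSYBOX.fullmatch(last.rstrip(b"\x00"))
    if not m:
        return None
    return {
        "commands": len(cmds),           # 3 = early form, 4 = later form
        "enable_first": cmds[0].rstrip(b"\x00").lower() == b"enable",
        "empty_credential": not user or not password,
        "tag": m.group(1).decode("ascii", "replace"),  # the tracking signature
    }

# Constructed sessions; user1/pass1 and EXAMPLETAG are placeholders.
LATER = (b"user1\r\npass1\r\nenable\x00\r\nsystem\x00\r\nshell\x00\r\n"
         b"sh\x00\r\n/bin/busybox EXAMPLETAG\x00\r\n")
EARLY = b"user1\r\n\r\nshell\x00\r\nsystem\x00\r\nsh\x00\r\nbusybox EXAMPLETAG\r\n"
TYPED = b"user1\r\npass1\r\nenable\r\nsystem\r\nshell\r\nsh\r\nbusybox ls\r\n"

if __name__ == "__main__":
    for name, s in (("later", LATER), ("early", EARLY), ("typed", TYPED)):
        print(name, classify(s))
```

The `TYPED` session uses the same words without the NUL bytes and is not flagged, which is what separates the scripted sequence from a person typing the same commands.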