Telnet..????

Stuff that doesn't fit in the other categories.
Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

So I was checking some logs today and I came across some things that I think were exploits. All were directed towards the telnet port.

[truncated] Data: \211$v\303\357>Q\314P\204(\260\365Z\255w\367\240p\276Yk\241jU\327\212\006\202\205\\006\323B\327\305\230m\250,j\215\b\267\031\335v0\310\325\365\257\263g\233J\243\2543QH\206\303b\200\341\336Ha\271\037\374\304%z\325\253x\245

[truncated] Data: \222\307\252\274G\250:\272\026\265\220\210/\263\355\204\307\367!\347\204\301\341\250v\026^S\267\f\220\251\312M\340\003\233X])w-)\257A\005\355l/b\230\362I\230\024R\306b\233\230\372\026\263\217\207\274\214\253\031i\354Z\340

[truncated] Data: \335\037"\315\366\035\331\351\355=\355\323k\024<\324!\254'4e\235\362\230\000\314\036H D\261\242\372D\223-\020\307\236\330\031"M\023\323\361\317\373\245\375\231\332p\301\214\325\a\262 \252\266\307g\351 g\247\373\263\240\35

[truncated] Data: 2\023<o\t\313 Q8\324`\200\320\202OCh\274\346v\362N\274\316\2501\374=AV:\216\375\310\244Q\307N\361;\243:';$\366\234me\310L\230US(E\207\022Q\351\357\313R\017\353Y\244\001I\222\236\347\244\275\004uH}L^\022Ag\001"\274\342\315

[truncated] Data: \243\271\315\372\327]\3764\004|\241\241o&\317d"\342\277\327J2\332\267q\375dwj\203[\303\322\247~Q\303I\314yICs\030\260u(O\363}K\231\340@//S\353~\250\fU\346T/\272&xf\341\317\330\206\031\324\fn\335\017\256\321\263\357\265]x\

[truncated] Data: \004\202U\333\217\341\304\323\212$\354\334\215\316P\212|{C{\353\237\232S\234Fb\rc\t-\226%\366\263\037\342\323\321p\026\252\016]\251\245Q\353T\212\344\331\202[g\017@^D}\327\177\005K[\026\347\005\362\3439\321;\257\376\225c\

[truncated] Data: y\006\333\j\v%\2658@\f\355\v\0333\260\003-Ok\246K;$\341\366\334\220\204\002\232l\315\242"R\213\311l\034\373\265(\347\250\323\376\260\220\215\200\303\232\0348\346\363\256\301<\235f\347\024p\243\325R\273Ne\325\374\030a\200m

O.K., this is probably torrent stuff. Maybe the rest is too, but you tell me!

Data: \023BitTorrent protocol\000\000\000\000\000\020\000\005|\306N>\263T\3367\270\325\304\375\370\au\366\213W\307\253-UT1810-_1y\360}\335"\f%\212M\376\000\000\000\255\024\000d1:ei0e1:md11:upload_onlyi3
We will either find a way, or make one.
- Hannibal

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Umm... in what log did you find this? :-k

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

TCPdump! :D
We will either find a way, or make one.
- Hannibal

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Hmm... the data looks "weird", but the one that is definitely from torrent traffic looks similar to the "undefined" ones... so it's very likely that all of those are in context with torrent traffic. It is definitely NOT shellcode, so those are not exploitation attempts... :wink:

but to be 100% sure I would have to see the packet headers (but I am 99.9% sure already)... :wink:
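
The reasoning in the thread rests on two things: one payload carries a plaintext BitTorrent handshake, and the others have the same random-looking shape. As an added example (not code from this thread or from any of the posters), here is a Python script that decodes the tcpdump-style escapes, parses the handshake the way BEP 3 and BEP 10 lay it out (protocol string, reserved bits, info hash, Azureus-style peer id, then the first length-prefixed message), and scores a payload that does not match by byte entropy. The two escaped strings are copied from the first post; the NOP-sled sample and the complete extended handshake are constructed for the demo, and the 5.0 bits/byte entropy threshold is a rule of thumb of mine, not a standard.

```python
"""Sort tcpdump-escaped payloads into BitTorrent handshakes vs. everything else."""
import math
import re
from collections import Counter

# Payloads exactly as printed in the post (tcpdump/snort C-style escaping).
HANDSHAKE_LINE = r'\023BitTorrent protocol\000\000\000\000\000\020\000\005|\306N>\263T\3367\270\325\304\375\370\au\366\213W\307\253-UT1810-_1y\360}\335"\f%\212M\376\000\000\000\255\024\000d1:ei0e1:md11:upload_onlyi3'
WEIRD_LINE = r'\211$v\303\357>Q\314P\204(\260\365Z\255w\367\240p\276Yk\241jU\327\212\006\202\205\\006\323B\327\305\230m\250,j\215\b\267\031\335v0\310\325\365\257\263g\233J\243\2543QH\206\303b\200\341\336Ha\271\037\374\304%z\325\253x\245'
# Constructed samples (NOT from the post): a classic NOP sled plus an ASCII string,
# and a complete BEP 10 extended handshake so the bencode path is exercised end to end.
NOP_SLED = b'\x90' * 40 + b'/bin/sh\x00'
EXT_PAYLOAD = b'd1:ei0e1:md11:upload_onlyi3ee1:pi6881ee'
FULL_EXT = (len(EXT_PAYLOAD) + 2).to_bytes(4, 'big') + b'\x14\x00' + EXT_PAYLOAD

_ESC = re.compile(r'\\([0-7]{1,3}|.)', re.S)
_NAMED = {'a': 7, 'b': 8, 'f': 12, 'n': 10, 'r': 13, 't': 9, 'v': 11}
CLIENT_PREFIXES = {b'UT': 'uTorrent', b'AZ': 'Azureus', b'TR': 'Transmission', b'LT': 'libtorrent'}


def unescape(text):
    """Turn tcpdump's \\ooo / \\a \\b ... escapes back into the raw bytes on the wire."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode('latin-1')
        tok = m.group(1)
        if tok[0] in '01234567':
            out.append(int(tok, 8) & 0xFF)          # octal escape, 1 to 3 digits
        else:
            out.append(_NAMED.get(tok, ord(tok)))   # named escape, or a literal (\\ \" or junk like \j)
        pos = m.end()
    out += text[pos:].encode('latin-1')
    return bytes(out)


def bdecode(data, i=0):
    """Minimal bencode decoder returning (value, next_index); raises ValueError when cut short."""
    if i >= len(data):
        raise ValueError('truncated')
    c = data[i:i + 1]
    if c == b'i':
        end = data.find(b'e', i)
        if end < 0:
            raise ValueError('truncated')
        return int(data[i + 1:end]), end + 1
    if c in (b'l', b'd'):
        items, i = [], i + 1
        while data[i:i + 1] != b'e':
            if i >= len(data):
                raise ValueError('truncated')
            v, i = bdecode(data, i)
            items.append(v)
        if c == b'l':
            return items, i + 1
        return dict(zip(items[::2], items[1::2])), i + 1
    if c.isdigit():
        colon = data.find(b':', i)
        n = int(data[i:colon]) if colon > 0 else -1
        s = data[colon + 1:colon + 1 + n]
        if colon < 0 or len(s) < n:
            raise ValueError('truncated')
        return s, colon + 1 + n
    raise ValueError('bad bencode byte %r at %d' % (c, i))


def parse_peer_message(rest):
    """First length-prefixed peer-wire message after the handshake; tolerant of a cut-off capture."""
    if len(rest) < 5:
        return None
    length, body = int.from_bytes(rest[:4], 'big'), rest[4:]
    msg = {'length': length, 'id': body[0], 'truncated': len(body) < length}
    if body[0] == 20 and len(body) >= 2 and body[1] == 0:   # id 20 = extended, ext id 0 = handshake (BEP 10)
        msg['type'] = 'extended handshake'
        try:
            msg['payload'], _ = bdecode(body[2:length])
        except ValueError:
            msg['payload'] = None                             # bencoded dict cut short by the capture
    return msg


def parse_handshake(payload):
    """BEP 3 handshake: <19>'BitTorrent protocol'<8 reserved><20 info_hash><20 peer_id>."""
    if len(payload) < 68 or payload[0] != 19 or payload[1:20] != b'BitTorrent protocol':
        return None
    reserved, info_hash, peer_id = payload[20:28], payload[28:48], payload[48:68]
    m = re.match(rb'-([A-Za-z]{2})([0-9A-Za-z]{4})-', peer_id)    # Azureus-style '-XXvvvv-' peer id
    client = CLIENT_PREFIXES.get(m.group(1), m.group(1).decode()) + ' ' + m.group(2).decode() if m else 'unknown'
    return {
        'info_hash': info_hash.hex(),
        'peer_id': peer_id,
        'client': client,
        'extension_protocol': bool(reserved[5] & 0x10),   # BEP 10 reserved bit
        'fast_extension': bool(reserved[7] & 0x04),       # BEP 6 reserved bit
        'dht': bool(reserved[7] & 0x01),                  # BEP 5 reserved bit
        'next': parse_peer_message(payload[68:]),
    }


def entropy_bits(data):
    """Shannon entropy in bits per byte (max 8.0; a short random buffer tops out near log2(len))."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(payload):
    """Plaintext handshake first; otherwise a heuristic entropy split (5.0 bits/byte is my own cut-off)."""
    if parse_handshake(payload):
        return 'bittorrent-handshake'
    return 'high-entropy' if entropy_bits(payload) > 5.0 else 'low-entropy'


if __name__ == '__main__':
    for name, line in (('handshake', HANDSHAKE_LINE), ('weird', WEIRD_LINE)):
        raw = unescape(line)
        print('%-9s %3d bytes  %-21s %.2f bits/byte' % (name, len(raw), classify(raw), entropy_bits(raw)))
    print('nop sled  %3d bytes  %-21s %.2f bits/byte' % (len(NOP_SLED), classify(NOP_SLED), entropy_bits(NOP_SLED)))
    print(parse_handshake(unescape(HANDSHAKE_LINE)))
    print(parse_peer_message(FULL_EXT))
```

Run it with `python3` and the torrent line decodes to a uTorrent 1810 handshake with the extension-protocol, fast-extension and DHT bits set, followed by a 173-byte extended handshake of which the capture kept only the first 29 bytes; the "weird" line has no handshake and sits around 6 bits/byte, while the NOP sled scores near 1. That supports the "not shellcode" reading (most shellcode drags along low-entropy padding runs or ASCII strings), but high entropy alone does not say what the stream is: an obfuscated peer connection and a TLS record look the same from the payload. Tying the random-looking packets to the torrent client is exactly what the headers DNR asks for would do: same remote peers and ports as the packet that did decode.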

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Yeah, the data part of the packets can sometimes be useless unless you know what the protocol is. The rest of the packet is the TCP/IP headers with IPs, MACs, file type, packet type, etc.

More nfo please!

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
