Forgot your password?
typodupeerror
Botnet Security IT

Hackers Bringing Telnet Back 238

Posted by CmdrTaco
from the gopher-still-dead dept.
alphadogg writes "A new report from Akamai Technologies (CT: Requires login) shows that hackers appear to be increasingly using the Telnet remote access protocol to attack corporate servers over mobile networks. The report, which covers the third quarter of 2010, shows that 10 percent of attacks that came from mobile networks are directed at Port 23, which Telnet uses. That marks a somewhat unusual spike for the aging protocol used to log into remote servers but that has been gradually replaced by SSH."
This discussion has been archived. No new comments can be posted.

Hackers Bringing Telnet Back

Comments Filter:
  • by Raxxon (6291) on Thursday January 27, 2011 @10:04AM (#35019242)

    I use telnet constantly. Port 110 to check for a broken email header, Port 25 to check for SMTP auth errors, Port 3200 to check for the present of a NetGen DSS unit, etc, etc... I love telnet. Simple 3-way handshake and boom, datastream.

    • by Notquitecajun (1073646) on Thursday January 27, 2011 @10:06AM (#35019270)
      You play a MUD still, too. Admit it.
    • by mvar (1386987)
      Yes the telnet client is really useful, but its the server that has some..uhm.."issues".
    • by Ephemeriis (315124) on Thursday January 27, 2011 @10:19AM (#35019388)

      I use telnet constantly. Port 110 to check for a broken email header, Port 25 to check for SMTP auth errors, Port 3200 to check for the present of a NetGen DSS unit, etc, etc... I love telnet. Simple 3-way handshake and boom, datastream.

      Sure, the telnet client is useful. I use it all the time for those very same reasons.

      But actually running a telnet server and allowing incoming connections on port 23? Nope. Stopped doing that for everything I could years ago, switched to SSH on everything that would support it. The things that wouldn't support it were all tucked away on our inside network. I've got nothing facing the world that'll accept connections on port 23.

      • by lahvak (69490)

        The things that wouldn't support it were all tucked away on our inside network

        I didn't read the article, but I wonder is this is exactly what it is about. The summary mentioned the use of mobile devices. I wonder if it goes like this: bring a phone to a building, manage to connect to a purely secured wireless network, find a device that has port 23 open, ..., profit!

        Of course, if you van get to it from the wireless network, it is not really safely tucked away.

        • If you allow unknown machines on your wireless in your office,you're not properly secure. We have unsecured wireless in our offices, but they are all on a VLAN that can only go out to the iNet.No corporate networks are accessible. And if you need more security than that, multiple firewalls and DMZs and Intrusion Detection Systems.

          • by Carewolf (581105)

            When bring a wire and connected to your wired network. If you can have a security breach simply by someone being on the same network you have security problem.. Ohh. look: Your manager just downloaded a trojan he thought was porn == hacked.

    • by vagabond_gr (762469) on Thursday January 27, 2011 @10:22AM (#35019410)

      I'm using telnet for ssh too. Doing RSA in your head is a bit tricky at first, but once you get used to it it's really convenient.

      PS. For a real challenge try to PPP authenticate over dial-up using your voice.

      • Re: (Score:3, Funny)

        by enec (1922548) *
        That's easy play. I surf the web by licking the ethernet cable.
      • by Dunbal (464142) *
        Ahh but can you whistle 300 baud?
      • by nblender (741424)
        You joke... When I was a kid, my 300 baud acoustic coupler had a little lever you had to lift up and pivot to simultaneously clamp down the handset and if you lifted it further, it would initiate outgoing carrier instead of listening for carrier... The contacts on the second level were trashed by some previous knucklehead so if you were trying to initiate a dialup session with someone calling you (a friend to trade some Apple-][ warez), I couldn't get my coupler to initiate... So I had to figure out how to
    • by LordLimecat (1103839) on Thursday January 27, 2011 @10:30AM (#35019486)

      So you mean telnet the program, not telnet the protocol-- what the article was about?

    • You might want to look into using Netcat [wikipedia.org] (or socat [dest-unreach.org]) for this purpose; more flexible if you want to pipe the output through something like grep or tee, and it won't mistakenly try to interpret certain characters according to the Telnet protocol.
    • by The Moof (859402)

      Port 110 to check for a broken email header, Port 25 to check for SMTP auth errors

      If you're testing user accounts, or logging into your POP3 box to check those mail headers, you may want to consider not using the telnet client anymore. You're potentially compromising any accounts you log into the same as you would with telnet accounts. Your server should be configured to use TLS/SSL for clients, and you can debug them telnet-style with the s_client [openssl.org] (in the OpenSSL suite).

    • You might want to look into NMaps scripting features [nmap.org] if you have the time. It's designed to implement exactly that kind of stuff.
    • by 1s44c (552956)

      I use telnet constantly. Port 110 to check for a broken email header, Port 25 to check for SMTP auth errors, Port 3200 to check for the present of a NetGen DSS unit, etc, etc... I love telnet. Simple 3-way handshake and boom, datastream.

      But you don't use it to telnet to port 23 and login to a system with a username and password. That appears to be what this story is about.

      Yes the telnet binary is still very useful just not for carrying passwords though public networks.

  • by goodmanj (234846) on Thursday January 27, 2011 @10:05AM (#35019250)

    If you manage your company or institution's IT department, please do the following:

    Step 1: Turn on "telnet" on your PC. [microsoft.com] (Of course you Windows, you're management, right?)
    Step 2: Try to "telnet" to your company's website, or to any other machine or service names your underlings bandy about.
    Step 3: If you don't see "Connection refused" every time, FIRE EVERYONE WHO REPORTS TO YOU.

    • by dr2chase (653338) on Thursday January 27, 2011 @10:38AM (#35019564) Homepage
      I think it would be ok if it said, "Hello, I am Eliza."
    • by Skater (41976)
      Unfortunately I use a software package that requires telnet. Their SSH solution is basically unusable, and it's not feasible to switch away from that package. Pretty annoying, actually, because every new server is set up with telnet disabled (naturally), and we have to get it re-enabled, and they always put it on a random port number.
      • by hedwards (940851)
        I take it that tunneling the telnet session via SSH isn't a reasonable option. Telnet at this point is antiquated and anybody that's providing software that requires it needs to be barred from the industry. It hasn't been a reasonable option in my memory, and it wasn't a reasonable option for quite some time when I started picking up FreeBSD in '99 or so.
        • by dr2chase (653338)
          Tunnelling is a fabulous suggestion, but it's not intuitively obvious (I figure it out when I need it, and retain the info just long enough to get the shell script working). If you can provide the incantation, that would be very helpful.
      • by vegiVamp (518171)

        Sooo... port forwarding over SSH ?

  • by antifoidulus (807088) on Thursday January 27, 2011 @10:09AM (#35019298) Homepage Journal
    Um, the reason they are using telnet is because it's trivial to hack, in other words the headline should read "hackers hacking easiest to hack service on poorly configured machines, also water is wet, details at 11"
    • by Ngarrang (1023425)

      Um, the reason they are using telnet is because it's trivial to hack, in other words the headline should read "hackers hacking easiest to hack service on poorly configured machines, also water is wet, details at 11"

      If I had a mod point, you would have it. This is so true. The hackers can only hack what you've left connected and unsecured. What happened to the policy of closing every port, then open up the one's you actually need.

    • A surge in connection attempts like this obviously indicates that someone's found a remote pre-auth hole in a popular telnet service. Apart from coders presumably putting in a lot more effort to write secure code for the SSH server, telnet is only easier to hack compared to an SSH server in terms of MITM/sniffing attacks.
      • Though you sort of get into conditional probabilities there. If an attacker does a sweep looking for targets, anything with telnet is going to stand out as a something potentially juicy. If telnet is configured more than likely there are other services that aren't up to snuff and it's probably easier to find a way in.
    • > Um, the reason they are using telnet is because it's trivial to hack,

      No, it is trivial to intercept telnet passwords (which are sent in the clear) if you have access to a channel over which someone is logging in via telnet. A telnet deamon just sitting there unused creates a vulnerability only to the extent that it is a channel for attacking bad passwords (which is surely what these kids are doing).

      However, there is no good reason to run a telnet daemon these days, especially on the public Internet.

      • by kbielefe (606566)

        However, there is no good reason to run a telnet daemon these days, especially on the public Internet.

        Interesting you should say that, because the article actually says they don't know if it's brute force login attempts or botnet traffic. A largely unused port with traffic that most people ignore makes sense to park a botnet on. It makes a lot more sense than a sudden spike in system administrator incompetence, which means most of the comments on this story are likely off the mark.

  • by crow_t_robot (528562) on Thursday January 27, 2011 @10:12AM (#35019326)
    How can hackers bring telnet attacks back if admins don't run telnet? Should the headline say "Admins are bringing telnet back and getting bitten in the ass for it?"
    • by gsslay (807818)

      Probably less a case of admins "bringing it back" and more a case of admins forgetting, or being oblivious to it being there in the first place. More and more admins will have scarcely used telnet ever in their professional lives, and so will overlook its presence on their servers. Ideal for hackers.

      • Re: (Score:3, Insightful)

        by heathen_01 (1191043)
        Its stretching credibility that admins won't know about telnet, but sure I can accept that. However I can't accept an admin missing that an unknown service is running and accepting connections on port 23 that the admin is oblivious about.
      • by greed (112493)

        Or an admin that has carefully secured a Solaris 10 machine, starting with shutting down telnet and the r* daemons, fingerd and all the other cruft. But then he installs a patch cluster... ...and suddenly all that crap is running again.

        Don't ask me how I know that.

      • > ...overlook its presence on their servers.

        Why are there any services running on their servers that they did not explicitly configure to run?

    • by scorp1us (235526)

      What has happened here, is only the outdated, maintained systems are still running telnet. This corresponds to a likely weak password. And if no one is obsoleting it, then no one is really watching it either. It has now become the forgotten-about low-hanging fruit.

  • by SJ2000 (1128057)
    Too many networking manufacturer's still only have their gear accessibly only by telnet. Duh.
  • by llManDrakell (897726) on Thursday January 27, 2011 @11:21AM (#35020148)
    I'm bringin' telnet back.
    Them other protocols don't know how to act.
    I think it's special what's inside your rack.
    So enable the service and I'll begin to hack.
  • by CoolVibe (11466) on Thursday January 27, 2011 @12:16PM (#35020814) Journal
    Seeing traffic on port 23 does not mean telnet is involved. I know some people who run their SSH daemon on that port to lessen the stupid ssh scans.
  • Printers? (Score:5, Informative)

    by Culture20 (968837) on Thursday January 27, 2011 @01:49PM (#35021852)
    I just realized; almost every network printer out there uses telnet for remote configuration. Maybe there was a new vulnerability found on a specific type of printer that allows forwarding of the printed pages back to the script kiddies?

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...