Hackers Bringing Telnet Back
alphadogg writes "A new report from Akamai Technologies (CT: Requires login) shows that hackers appear to be increasingly using the Telnet remote access protocol to attack corporate servers over mobile networks.
The report, which covers the third quarter of 2010, shows that 10 percent of attacks that came from mobile networks are directed at Port 23, which Telnet uses. That marks a somewhat unusual spike for the aging protocol used to log into remote servers but that has been gradually replaced by SSH."
People stopped using Telnet? (Score:5, Insightful)
I use telnet constantly. Port 110 to check for a broken email header, Port 25 to check for SMTP auth errors, Port 3200 to check for the presence of a NetGen DSS unit, etc, etc... I love telnet. Simple 3-way handshake and boom, datastream.
Re:People stopped using Telnet? (Score:5, Funny)
Re:People stopped using Telnet? (Score:4, Interesting)
Lensmoor.org port 3500
Shameless plug. Fun place to hang ;)
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
bbs.iscabbs.com
Re: (Score:2)
moo.sindome.org:5555
Re: (Score:2)
revengeofthejedi.com port 9400
Ok, so I haven't played it in a few months, but I always seem to return.
Re: (Score:2)
Ah, but some of those now support SSL connections.
Re: (Score:2)
Yes, and my level 283 Ninja is a lot more fun than your level 546 Scavi. Deal with it.
Re: (Score:2)
furry.com 8888
Since 1995! Some things never change. :)
(though in reality these days the TinyMUCK server supports SSL and I definitely use it)
Re: (Score:2)
Re: (Score:2)
Re:People stopped using Telnet? (Score:5, Insightful)
I use telnet constantly. Port 110 to check for a broken email header, Port 25 to check for SMTP auth errors, Port 3200 to check for the presence of a NetGen DSS unit, etc, etc... I love telnet. Simple 3-way handshake and boom, datastream.
Sure, the telnet client is useful. I use it all the time for those very same reasons.
But actually running a telnet server and allowing incoming connections on port 23? Nope. Stopped doing that for everything I could years ago, switched to SSH on everything that would support it. The things that wouldn't support it were all tucked away on our inside network. I've got nothing facing the world that'll accept connections on port 23.
Re: (Score:2)
The things that wouldn't support it were all tucked away on our inside network
I didn't read the article, but I wonder if this is exactly what it is about. The summary mentioned the use of mobile devices. I wonder if it goes like this: bring a phone to a building, manage to connect to a purely secured wireless network, find a device that has port 23 open, ..., profit!
Of course, if you can get to it from the wireless network, it is not really safely tucked away.
Re: (Score:2)
If you allow unknown machines on your wireless in your office, you're not properly secure. We have unsecured wireless in our offices, but they are all on a VLAN that can only go out to the iNet. No corporate networks are accessible. And if you need more security than that, multiple firewalls and DMZs and Intrusion Detection Systems.
Re: (Score:2)
When bring a wire and connected to your wired network. If you can have a security breach simply by someone being on the same network you have security problem.. Ohh. look: Your manager just downloaded a trojan he thought was porn == hacked.
Re:People stopped using Telnet? (Score:5, Funny)
I'm using telnet for ssh too. Doing RSA in your head is a bit tricky at first, but once you get used to it it's really convenient.
PS. For a real challenge try to PPP authenticate over dial-up using your voice.
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:3)
Of course I can. I got a captain crunch whistle embedded in my larynx.
Re: (Score:3)
Re:People stopped using Telnet? (Score:5, Informative)
So you mean telnet the program, not telnet the protocol-- what the article was about?
Re: (Score:3)
Re: (Score:2)
Port 110 to check for a broken email header, Port 25 to check for SMTP auth errors
If you're testing user accounts, or logging into your POP3 box to check those mail headers, you may want to consider not using the telnet client anymore. You're potentially compromising any accounts you log into the same as you would with telnet accounts. Your server should be configured to use TLS/SSL for clients, and you can debug them telnet-style with the s_client [openssl.org] (in the OpenSSL suite).
Re: (Score:2)
Re: (Score:2)
I use telnet constantly. Port 110 to check for a broken email header, Port 25 to check for SMTP auth errors, Port 3200 to check for the presence of a NetGen DSS unit, etc, etc... I love telnet. Simple 3-way handshake and boom, datastream.
But you don't use it to telnet to port 23 and login to a system with a username and password. That appears to be what this story is about.
Yes the telnet binary is still very useful just not for carrying passwords though public networks.
Re:People stopped using Telnet? (Score:5, Insightful)
Re: (Score:3)
A tip for management (Score:5, Insightful)
If you manage your company or institution's IT department, please do the following:
Step 1: Turn on "telnet" on your PC. [microsoft.com] (Of course you use Windows, you're management, right?)
Step 2: Try to "telnet" to your company's website, or to any other machine or service names your underlings bandy about.
Step 3: If you don't see "Connection refused" every time, FIRE EVERYONE WHO REPORTS TO YOU.
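The three steps above can be scripted over an inventory of hosts you administer. This is an added example, not part of the original comment; the function names, host list and timeout are assumptions. It separates a refused connection from a silently filtered one and from a listener that accepts.

```python
import errno
import socket

TELNET_PORT = 23  # the port named in the summary above


def check_port(host, port=TELNET_PORT, timeout=3.0):
    """Classify one TCP port as 'refused', 'filtered', 'unreachable' or 'open'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"       # a reset came back: nothing is listening
    except socket.timeout:
        return "filtered"      # no reply at all: most likely dropped by a firewall
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error: %s" % exc   # e.g. a name that does not resolve
    sock.close()
    return "open"              # something accepted the connection


def audit(hosts, port=TELNET_PORT, timeout=3.0):
    """Return {host: result} for every host in the inventory."""
    return {host: check_port(host, port, timeout) for host in hosts}


def exposed(results):
    """Hosts where the port accepted a connection and needs follow-up."""
    return sorted(host for host, result in results.items() if result == "open")


if __name__ == "__main__":
    inventory = ["127.0.0.1"]  # constructed sample; list your own hosts here
    results = audit(inventory)
    for host, result in sorted(results.items()):
        print("%-20s port %d: %s" % (host, TELNET_PORT, result))
    print("needs follow-up:", exposed(results))
```

A "filtered" result means a packet filter is hiding the port, not that the daemon is off, so the service should still be checked on the host itself.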
Re:A tip for management (Score:5, Funny)
Re: (Score:3)
And how do you feel about GET / HTTP/1.1?
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Sooo... port forwarding over SSH ?
Re: (Score:2)
One of the things that makes a telnet client so handy is that it'll take a datastream from just about anything. It's great for troubleshooting SMTP servers and things like that.
The point that the parent was trying to make is that there is absolutely no reason you should be running a telnet server on any public-facing server.
Telnet itself answers on port 23. You could use a telnet connection to port 80 to maybe do some troubleshooting or something... But if you just try to telnet into your company website
Re: (Score:2)
Re: (Score:2)
telnet google.com 80
Trying 72.14.204.104...
Connected to google.com.
Escape character is '^]'.
Global Thermonuclear War
HTTP/1.0 400 Bad Request
Content-Type: text/html; charset=UTF-8
Content-Length: 1350
Date: Thu, 27 Jan 2011 14:58:35 GMT
Server: GFE/2.0
But I just wanted to play a game!
Re: (Score:3)
"websites run on port 80, right?)"
If you know this, you are not an IT manager. Nice try!
Misleading headline (Score:5, Insightful)
Re: (Score:2)
Um, the reason they are using telnet is because it's trivial to hack, in other words the headline should read "hackers hacking easiest to hack service on poorly configured machines, also water is wet, details at 11"
If I had a mod point, you would have it. This is so true. The hackers can only hack what you've left connected and unsecured. What happened to the policy of closing every port, then opening up the ones you actually need?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
> Um, the reason they are using telnet is because it's trivial to hack,
No, it is trivial to intercept telnet passwords (which are sent in the clear) if you have access to a channel over which someone is logging in via telnet. A telnet daemon just sitting there unused creates a vulnerability only to the extent that it is a channel for attacking bad passwords (which is surely what these kids are doing).
However, there is no good reason to run a telnet daemon these days, especially on the public Internet.
Re: (Score:3)
Interesting you should say that, because the article actually says they don't know if it's brute force login attempts or botnet traffic. A largely unused port with traffic that most people ignore makes sense to park a botnet on. It makes a lot more sense than a sudden spike in system administrator incompetence, which means most of the comments on this story are likely off the mark.
Re: (Score:2)
Actually, ice and water vapor are both pretty wet if people interact with them, as the part of them touching a person rapidly changes to the person's temperature and turns into water. And 'wet' means 'gets liquid on a person'.
So standing in steam or touching ice in normal room temperature, you'll find they are, indeed, 'wet', as they will get liquid on you.
Now, if the air temperature is too extreme it won't, if you stand in steam at 300 degrees air temp or in ice cold enough that the water on your skin re
Hackers Bringing Telnet Back? (Score:5, Insightful)
Re: (Score:3)
Probably less a case of admins "bringing it back" and more a case of admins forgetting, or being oblivious to it being there in the first place. More and more admins will have scarcely used telnet ever in their professional lives, and so will overlook its presence on their servers. Ideal for hackers.
Re: (Score:3, Insightful)
Re: (Score:2)
Or an admin that has carefully secured a Solaris 10 machine, starting with shutting down telnet and the r* daemons, fingerd and all the other cruft. But then he installs a patch cluster... ...and suddenly all that crap is running again.
Don't ask me how I know that.
Re: (Score:2)
> ...overlook its presence on their servers.
Why are there any services running on their servers that they did not explicitly configure to run?
Re: (Score:2)
Re: (Score:2)
What has happened here, is only the outdated, maintained systems are still running telnet. This corresponds to a likely weak password. And if no one is obsoleting it, then no one is really watching it either. It has now become the forgotten-about low-hanging fruit.
Re: (Score:2)
"outdated, UNmaintained systems" - FTFM
Duh (Score:2)
Get your hackin' on (Score:4, Funny)
Them other protocols don't know how to act.
I think it's special what's inside your rack.
So enable the service and I'll begin to hack.
They are forgetting something... (Score:5, Insightful)
Printers? (Score:5, Informative)
Re: (Score:2)
Re: (Score:3)
Does it even count as hacking? Running a telnet service should count as granting random people authorised access.
No more than running an FTP, SMTP, POP, IMAP or HTTP service without proper SSL/TLS/digest enhancements. All of them still industry standards, even the bare versions. But that's okay, the more ICT incompetence on this planet the more money I/we can make, right?
Re: (Score:3)
Well, to be a little more precise, FTP, SMTP, POP and IMAP don't give you command line (root) access to the computer you happen to get access to. If you break into an FTP Server, you only have access to the files that are put up on the FTP directories of that server. And possibly the right to upload new files. Which is a little less of a problem than having root access to the entire server. Same goes for all the other services you mention. I will have to give you this. I don't think Telnet is really that bad
Re: (Score:2)
The telnet protocol itself doesn't give you access either, that all depends on what kind of shell (if any) and privileges (if any) you attach to it.
The reason why I mentioned the other protocols is that access to the files and data available through those can be harmful enough to an organisation. Potentially more harmful than user privileges on a server with resource limits and no exploitable software installed.
Re: (Score:3)
No.
I saw the headline, and thought the story was about hackers finding some new and novel use for telnet. You know, hacking.
But it's just another article about infected Windows machines using brute force attacks on port 445 and - apparently - 23. You know, "hacking."
Here's my favorite part:
As Steve Martin once said, "I'm sorry officer, I forgot a
Re:who still uses telnet? (Score:4, Interesting)
Re: (Score:3)
I use telnet clients from time to time, in the lab. You can use it to connect and send data to any old port, not just 23. I would never run the telnet daemon though, and seven times never on a box that's exposed to the public Internet.
Telnet to other ports is a GREAT way to learn how protocols work.
Here are some exercises: From a DOS prompt, try:
C:> telnet www.google.com 80
GET
GET won't be echoed, but you can see the retrieval of a web page. You can try all commands that are part of the HTTP protocol, including the exchange of cookies, posting data, etc.
Or try telnet-ing into a pop server. [santovec.us]
Re: (Score:3, Informative)
You might have better success with even a semi-valid HTTP/1.1 request such as
GET / HTTP/1.1
Host: www.google.com
Also, using telnet here is redundant. You should consider using one [sourceforge.net] of [openbsd.org] the [sourceforge.net] several [nmap.org] netcats [deepspace6.net] available [dest-unreach.org]. Some even support nice features like SSL encryption, so you can make encrypted requests to the https port (443).
Re: (Score:2)
GET / HTTP\1.1 Host: www.google.com
Re: (Score:2)
People who don't know how to set up SSH.
Re:who still uses telnet? (Score:4, Informative)
SSH isn't always an available option.
At work our primary application is a telnet app that logs into a specific server. Of course we aren't stupid enough not to use VPNs, and packet filtering to go outside the network (or back in). We tried to upgrade to a more secure connection but found the clients to be lacking about 1/2 the features found in the simple telnet client. We were told some of those features might be in the next release or two in three - five years.
Since businesses get locked into vendor lock-in pretty hard it is very tough to move out. You get stuck doing things insecurely or working around bad security because upgrading isn't possible without millions of dollars being spent uselessly (paying a vendor to bring their applications up to the year 2000 standards).
I know of one company that used the Win16 subsystem as a vital part of their application up until last year. They refused to upgrade it because it worked, even though installing the application on Windows XP often required rebooting into safe mode to bypass enough security to let it install. This application was the only way to work with their product line too, with quarterly updates to the data it contained. Oh, and you have to upgrade the entire application in order to update the data inside.
It is those kinds of practices that make obsolete tech like telnet still exist.
Re: (Score:2)
In addition, a lot of switches and other network equipment still don't have SSH. Even switches only a couple of years old.
Re:who still uses telnet? (Score:4, Interesting)
This is the case with certain Cisco IOS versions. It has to be a crypto version of IOS to support SSH.
Re: (Score:2)
I know it's not always a realistic option because of politics or policy, but if your switches can't do SSH, I suggest you change brands.
Re: (Score:2)
I know it's not always a realistic option because of politics or policy, but if your switches can't do SSH, I suggest you change brands.
Why? Heck, in some small companies even telnet is too sophisticated. Not everyone needs managed switches. My house lives without 'em.
Re: (Score:2)
Re:who still uses telnet? (Score:4, Informative)
Re: (Score:3)
We were told some of those features might be in the next release or two in three - five years.
I may sound like a preacher, but that is exactly why you want to use open source software in as many aspects of your company as possible: to develop the features you lack at a given point without depending on a dozen third parties who can't agree with each other. I know you probably aren't the one making the decision, but that is a point to regularly make: "if you had used the open alternative, we could have added this feature. Now we can't and need to wait for another company's goodwill".
Re: (Score:2, Troll)
Let's see spend $100,000 every 20 years to upgrade the software or spend $50,000 a year to pay someone to do it in house, and still get a vendor locked in solution, but only now you are the vendor.
Re:who still uses telnet? (Score:4, Insightful)
Re: (Score:2)
I have to post this anonymously for the safety of my job.
If you're worried about potentially losing your job over that type of comment, then I hope you're not posting this from work ...
Re:who still uses telnet? (Score:4, Insightful)
Re: (Score:2)
"Don't fix what ain't broke!"
The problem is often that they don't realise it's "broke (sic)". That is often the issue. When you bring in a physical item in more pieces than it's supposed to be, that's easy to tell that it's broken. When it's a stream of digital pulses, not so easy, unless your target is technologically aware, and not always even then. I still have problems convincing otherwise smart people to use placeholders in their SQL instead of concatenation.
Re: (Score:3)
I had to deal with a similar setup a few years ago. What I did was put them on their own Ethernet segment that was completely isolated from everything but one machine. Even the subnet had a separate hardware switch so there was no way (other than physical access or compromise of the telnet server) that the unencrypted traffic could be intercepted. This machine was what people telnetted into, then ssh-ed out from to do work. This way, the only real weak link were the paths from the terminals to the switc
Re:who still uses telnet? (Score:5, Informative)
Re: (Score:3)
Re: (Score:3)
Godaddy.com
ALL of their hosting has telnet and open FTP; you have to specially request SSH and SFTP.
Re:who still uses telnet? (Score:4, Insightful)
That's not a good reason to use telnet. That's a good reason not to use Godaddy.
(Using dreamhost.com here, and I use ssh and rsync-over-ssh to do all of that... I wonder if sshfs would work, I imagine it would.)
Re: (Score:3)
Re: (Score:2)
My webcam used to have the telnet port open and would drop you straight into a root shell if you connected to it (no password required). Fortunately the new firmware fixed that.
Re: (Score:2)
Telnet on the server... well, I run it sandboxed to my LAN for testing BBSSH, but that's about it. However, it's probably safe to say that there are a lot of legacy devices (just just servers) which do provide access via telnet.
Re: (Score:2)
Re: (Score:2)
It's about the only way to config some old office laser printers.
Re: (Score:2)
The telnet *client* is extremely useful to talk raw protocol to a service, very good for debugging etc...
Running a telnet service on the other hand, is sadly still very common... Lots of networking equipment these days still only has telnet and no ssh support... Even where SSH support is available, sometimes only telnet is enabled by default, sometimes ssh costs extra etc... And there are plenty of people who are used to using telnet and won't consider anything else regardless of what benefits it might prov
Know your RFCs (was Re:who still uses telnet?) (Score:2)
Just to be clear, TELNET and TCP are not synonymous. The FTP command channel uses TELNET as a session protocol, transported by TCP with the server usually listening on port 21. Conversely, SMTP and HTTP are their own session protocols, probably because TELNET isn't 8-bit-clean. This is why netcat, which normally uses raw TCP sockets, has a command-line option specifically for interoperation with TELNET and TELNET-based protocols.
Best wishes,
Matthew
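The distinction drawn in the comment above is visible on the wire: a TELNET peer interleaves IAC (0xFF) command sequences with the data, and a literal 0xFF byte has to be doubled. This is an added example, not part of the original comment; the function names and the sample greeting are assumptions, and the command values are those of RFC 854. It separates payload from negotiation and builds the replies that decline every option, which is what a raw-TCP client has to send to get past a TELNET server's opening negotiation.

```python
# TELNET command bytes from RFC 854
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}


def split_telnet(data):
    """Split one received buffer into (payload, commands).

    commands holds (verb, option) tuples; a subnegotiation is reported as
    ("SB", option, raw_body). Parsing stops at an incomplete trailing command.
    """
    payload, commands = bytearray(), []
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            payload.append(data[i])          # ordinary application byte
            i += 1
            continue
        if i + 1 >= n:
            break                            # lone IAC at end of buffer
        cmd = data[i + 1]
        if cmd == IAC:
            payload.append(IAC)              # IAC IAC = one literal 0xFF
            i += 2
        elif cmd in VERBS:
            if i + 2 >= n:
                break                        # option byte not received yet
            commands.append((VERBS[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            j = i + 3                        # first byte after the option
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1
            if j + 1 >= n:
                break                        # IAC SE terminator not seen yet
            commands.append(("SB", data[i + 2], bytes(data[i + 3:j])))
            i = j + 2
        else:
            commands.append((cmd, None))     # two-byte command such as NOP
            i += 2
    return bytes(payload), commands


def refusals(commands):
    """Build replies that decline every option: DO -> WONT, WILL -> DONT."""
    out = bytearray()
    for entry in commands:
        if entry[0] == "DO":
            out += bytes([IAC, WONT, entry[1]])
        elif entry[0] == "WILL":
            out += bytes([IAC, DONT, entry[1]])
    return bytes(out)


# Constructed sample: DO TERMINAL-TYPE(24), WILL ECHO(1), WILL SGA(3), prompt
SAMPLE = bytes([IAC, DO, 24, IAC, WILL, 1, IAC, WILL, 3]) + b"login: "

if __name__ == "__main__":
    text, cmds = split_telnet(SAMPLE)
    print(text, cmds, refusals(cmds).hex())
```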
Re: (Score:2)
but hey, it's fun to watch on a honeypot under emulation! :-)
Re:What's the problem? (Score:4)
Right, but when you type hunter2, we just see *******.
On another note, anybody who is not currently blocking access port 23, or even worse is running a telnet server, needs to hand in their sysadmin card right now.
Re: (Score:3)
... anybody who is not currently blocking access port 23, or even worse is running a telnet server, needs to hand in their sysadmin card right now.
Ever hear the term honeypot [wikipedia.org]?
You insensitive clod! (Score:2)
Re:Good ole days (Score:5, Insightful)
If telnet reminds you of when you were young you aren't old.
Re: (Score:2)
He could very well be. Wikipedia says Telnet was under development in 1969. He could have been old enough at the time to have used it.