• Port 23, Telnet, and Internet Background Radiation

    From DustCouncil@21:1/227 to All on Sun Feb 5 20:51:48 2023
    Curious about a conversation of some weeks ago regarding noise on the
    default telnet port (port 23), I downloaded the latest BBS list from the
    Telnet BBS Guide and did a count of the most popular ports bulletin board systems were listening on.

    Over 70% of BBSes on this list use the standard port 23. The next most
    popular ports are 32, and 2323 (variants of "23"). A surprising number of systems (54 of them) run on the cheeky FTP data port [20].

    Anyway, I took the top bunch and set up listeners on these ports for about 6 days using netcat (traditional) on a system which shouldn't have any inbound connections. Netcat hands inbound connections to a script which prints fake Login: and Password: prompts, and then, regardless of what is entered here, displays a fake # or $ shell prompt, depending on whether they're using root as the login or not.

    My purpose was to get a sense of what the cost is of running on port 23, and also to see what these systems were doing when they did connect.

    Port 23 is almost exclusively scripts, but these scripts are intended to log
    in via telnet to deliver their payload. If this seems like an obvious statement, I make it because most of the other ports logged http GET
    requests, which I take to mean they're trying to log into compromised
    devices with web interfaces (or are simply spiders). I didn't detect inbound connections intending to establish a shell session on the other ports.

    In six days, then, this is the number of unique IP addresses that attempted to connect on these popular BBS ports:

    23 - 1886 unique hosts
    8888 - 2 unique hosts
    1337 - 1 unique host
    20 - 1 unique host
    2002 - 1 unique host
    2323 - 1 unique host
    24 - 1 unique host
    800 - 1 unique host
    2300 - 1 unique host
    28 - 0 unique hosts
    30 - 0 unique hosts
    32 - 0 unique hosts
    513 - 0 unique hosts
    6400 - 0 unique hosts
    64128 - 0 unique hosts
    6502 - 0 unique hosts

    Unsurprisingly (but perhaps dramatically), port 23 is nearly constantly
    pounded by what appear to be botnets.

    A typical payload of a port 23 connection, and I didn't detect this on any of the other ports I was listening on, looks like this:

    ==================================================
    LISTENING AT: 2023-01-28_11:37:12_UTC
    TOTAL HOSTS: [ 252 ] since 1.14 days (27.53 hours)
    ===================================================

    TIME/DATE.....2023-01-28_11:52:20_UTC
    IP............89.22.39.162
    HOSTNAME......auto.89-22-39-162.matrix-net.pl
    CITY..........Suwalki
    SUBDIV........Woiwodschaft Podlachien, Podlasie
    COUNTRY.......Poland
    ASN...........MATRIX Cezary Taraszkiewicz
    CREDENTIALS...root / 666666

    # enable
    # system
    # shell
    # sh
    # cat /proc/mounts; /bin/busybox YUYHC

    Note that nearly every system which connects through and runs commands at the shell prompt is remarkably consistent in what it attempts to do. My script doesn't actually print responses to those commands (mocking some up is the next step) so I am unsure if there is IF-THEN logic which will trigger other things if those commands return something interesting to the script.

    They all end with an attempt to run a compromised busybox executable, but the "YUYHC" string is different for every login. It is unclear what a compromised busybox executable would do, although a fair guess is, among other things, it would begin to try to log into other systems similarly. Perhaps the compromised busybox downloads a remote payload and installs it.

    Anyway if you wondered what all of that was on your port 23, it is almost certainly a lot of this sort of thing.

    I also captured all of the credential pairs these scripts think will get them in. I assume the scripts are intended to find known compromised appliances like security cameras, routers, switches, and so forth.

    Most of these hits come from China. It is unclear whether these are coordinated attacks from a central authority or whether there are just a lot of compromised machines in China (it's a huge country) reaching out.

    It does make me wish that when BBSes went online, they standardized on a different service port than 23. 23 is a cesspool.

    My router at home monitors all ports from /etc/services - none of which have ever allowed ingress - just to see what's knocking on my residential internet connection's door (don't judge, we all have hobbies. Some dudes surf. Some work on classic cars. I monitor my ports. Chicks. Dig me. For this. Like surfers. I...I'm cool.)

    For the month of January 2002, these are the top ports in /etc/services that machines on the Internet are trying to connect to:

    Port 23 - 13116 hits [telnet]
    Port 22 - 5067 hits [ssh]
    Port 8080 - 4378 hits [http-alt]
    Port 80 - 2864 hits [http]
    Port 443 - 2032 hits [https]
    Port 1433 - 1426 hits [ms-sql-s]
    Port 123 - 815 hits [ntp]
    Port 8081 - 800 hits [tproxy]
    Port 53 - 686 hits [dns]
    Port 3306 - 465 hits [mysql]
    Port 21 - 453 hits [ftp cmd]

    It's interesting to me that in 2023, telnet is the most thwacked of all ports, when it is largely considered deprecated. Not only that, it is the top port by a very large margin.

    If you ever read a tech forum in which anyone even mentions 23, there's a pile-on from forum participants immediately attempting to discourage the poster from running anything on that port; the disdain for it is almost pathological, and the assumption is that whatever the poster is attempting to do with telnet should almost certainly be done with ssh instead.

    Yet for all that, here we are, port 23, the trashy reigning king of all ports. The most popular person in school. Somehow.

    If anyone is interested in more details about this, I put the logs online. They include some nice credential pairs, if you want to blacklist them or at least audit your system for them (it is unlikely anyone here has these login/password pairs since they appear to be limited to known compromised devices, rather than normal system account defaults on PC-based operating systems). However, a blacklist on the login names themselves should blunt nearly all of this traffic since presumably no one here allows "root" or "admin" as a username on their system:

    http://shibboleths.org/ibr/

    When I have time, I am going to punch up these scripts so they look like more convincing honeypots, returning bogus but plausible data for each of the commands.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: Shipwrecks & Shibboleths [San Francisco, CA - USA] (21:1/227)
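An added example (not DustCouncil's script, which is at the link in the post) of the netcat-driven fake login handler the post describes: fake Login:/Password: prompts, a '#' prompt for root and '$' for anyone else, and a record of every command line, plus the "/bin/busybox <token>" marker pulled out for later correlation. The function names, the JSON log file name and the sample transcript are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Fake telnet login handler of the kind the post describes: netcat hands
each inbound connection to this script on stdin/stdout. Function names, log
format and the sample transcript are this example's own assumptions."""
import io, json, re, sys
from datetime import datetime, timezone

# Nearly every port-23 session in the post ends with "/bin/busybox <token>",
# with a different token per login; capture it for later correlation.
BUSYBOX_MARK = re.compile(r"/bin/busybox\s+(\S+)")

# Constructed transcript mirroring the post's example, for offline replay.
SAMPLE_SESSION = ("root\r\n666666\r\nenable\r\nsystem\r\nshell\r\nsh\r\n"
                  "cat /proc/mounts; /bin/busybox YUYHC\r\n")

def prompt_for(login: str) -> str:
    """Root gets a '#' prompt, any other login name gets '$'."""
    return "# " if login == "root" else "$ "

def handle_session(reader, writer, max_cmds: int = 50) -> dict:
    """Show Login:/Password:, accept anything, then a fake shell prompt;
    record every line the peer sends until it hangs up or hits max_cmds."""
    def ask(prompt):
        writer.write(prompt)
        writer.flush()
        line = reader.readline()
        return None if line == "" else line.rstrip("\r\n")  # None: peer hung up

    login = ask("Login: ") or ""
    password = ask("Password: ") or ""
    prompt = prompt_for(login)
    commands = []
    while len(commands) < max_cmds:  # cap so a chatty bot cannot fill the disk
        line = ask(prompt)
        if line is None:
            break
        commands.append(line)
    tokens = [m.group(1) for c in commands for m in BUSYBOX_MARK.finditer(c)]
    return {
        "time": datetime.now(timezone.utc).strftime("%Y-%m-%d_%H:%M:%S_UTC"),
        "credentials": f"{login} / {password}",
        "prompt": prompt.strip(),
        "commands": commands,
        "busybox_token": tokens[0] if tokens else None,
    }

def run_recorded(transcript: str = SAMPLE_SESSION):
    """Replay a transcript offline; returns (record, text shown to the peer)."""
    out = io.StringIO()
    return handle_session(io.StringIO(transcript), out), out.getvalue()

if __name__ == "__main__":  # e.g. spawned by: nc -l -p 23 -e ./honeypot.py
    record = handle_session(sys.stdin, sys.stdout)
    with open("port23-sessions.jsonl", "a") as log:  # one JSON line per session
        log.write(json.dumps(record) + "\n")
```

Because the peer's lines are recorded but never executed, the handler is safe to expose; the per-session JSON lines give you the credential pairs and busybox tokens to count or blacklist.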
  • From dozo@21:1/238 to DustCouncil on Sun Feb 5 22:36:02 2023
    On 05 Feb 2023, DustCouncil said the following...

    Curious about a conversation of some weeks ago regarding noise on the default telnet port (port 23), I downloaded the latest BBS list from the Telnet BBS Guide and did a count of the most popular ports bulletin board systems were listening on.

    Nice insights, thanks for sharing! I'll certainly have a look at the list you posted, if only out of curiosity. I just started a new BBS and as you describe, my disdain for port 23 got the better of me, using 2323 instead. Good to know there's not many knocks on that port as opposed to all the standard ports.

    Cheers,

    dozo

    --- Mystic BBS v1.12 A48 (Linux/64)
    * Origin: (21:1/238)
  • From esc@21:4/173 to DustCouncil on Sun Feb 5 15:31:21 2023
    Curious about a conversation of some weeks ago regarding noise on the default telnet port (port 23), I downloaded the latest BBS list from the Telnet BBS Guide and did a count of the most popular ports bulletin board systems were listening on.

    <snip>

    Love the honeypot writeup. I did something similar years ago and my results were largely the same. The way I mitigate these botnets myself on my BBS is through country denylists (you mention China - yep, they're blocked) as well as smart IP blocking. It's not a 100% solution but my nodes aren't typically tied up by these botnets so I must be doing something right. *shrug*

    I agree that having a community-adopted "new default" port (vs 23) would be ideal. Particularly for Sysops that want to use some sort of legacy BBS platform which does not have all the auto blocking logic of Synchronet or Mystic built-in.

    hobbies. Some dudes surf. Some work on classic cars. I monitor my ports. Chicks. Dig me. For this. Like surfers. I...I'm cool.)

    Hear, hear! Hey, I build honeypots /and/ work on classic cars! Kudos to me! hehe

    For the month of January 2002, these are the top ports in /etc/services

    January 2022? or 2023?

    It's interesting to me that in 2023, telnet is the most thwacked of all ports, when it is largely considered deprecated. Not only that, it is
    the top port by a very large margin.

    I think 23 is a huge IOT vulnerability, which is what these botnets seek to exploit. All the toasters that are online for absolutely no reason at all provide an entry point for botnets to infiltrate homes. It's pretty disturbing.

    If anyone is interested in more details about this, I put the logs
    online. They include some nice credential pairs, if you want to

    Sweet deal, I'm curious about this for sure.

    http://shibboleths.org/ibr/

    Also kudos for the domain here :) Having worked in product support, we had a running joke about shibboleth...

    --- Mystic BBS v1.12 A48 (Linux/64)
    * Origin: m O N T E R E Y b B S . c O M (21:4/173)
  • From Mickey@21:1/159 to DustCouncil on Sun Feb 5 19:12:52 2023
    On 05 Feb 2023, DustCouncil said the following...

    When I have time, I am going to punch up these scripts so they look like more convincing honeypots, returning bogus but plausible data for each
    of the commands.


    I like the sound this.

    ... System halted - Press all keys at once to continue

    --- Mystic BBS v1.12 A48 (Raspberry Pi/32)
    * Origin: Bad Poetry Blues - centralontarioremote.com:2300 (21:1/159)
  • From DustCouncil@21:1/227 to esc on Mon Feb 6 01:20:07 2023
    For the month of January 2002, these are the top ports in /etc/servic

    January 2022? or 2023?

    2023; I am tired. 2023 :)

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: Shipwrecks & Shibboleths [San Francisco, CA - USA] (21:1/227)
  • From deon@21:2/116 to DustCouncil on Mon Feb 6 21:58:29 2023
    Re: Port 23, Telnet, and Internet Background Radiation
    By: DustCouncil to All on Sun Feb 05 2023 08:51 pm

    Howdy,

    Anyway, I took the top bunch and set up listeners on these ports for about 6 days using netcat (traditional) on a system which shouldn't have any inbound connections. Netcat hands inbound connections to a script which prints fake Login: and Password: prompts, and then, regardless of what is entered here, displays a fake # or $ shell prompt, depending on whether they're using root as the login or not.

    So I have port 23 open, and while I see a lot of probing, for the best part I ignore it. I also wrote a tool that parsed the known active IP subnets by country (IPv4 and IPv6 - there is a github project that has this), so that I can create an optimised firewall rule that banned specific countries. (By optimised I mean joining subnets together so two adjacent /24's could be combined to a /23, etc).

    So even though I have some countries banned, I still see some probing from "good" countries - maybe tools or people trying (or compromised machines).

    Is your script available? I often thought of spinning up a honeypot - my goal is to waste their time if it was actually people behind the attempt.


    --- SBBSecho 3.15-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
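An added example (not deon's tool) of the subnet merging he describes: adjacent prefixes are joined into the smallest covering blocks (two neighbouring /24s become one /23) and emitted as an nftables set. The sample subnets, the set names and the nft table name are constructed for this example.

```python
#!/usr/bin/env python3
"""Collapse a country's IP subnets into the fewest covering prefixes and
render them as an nftables interval set. Sample data and the set/table
names are constructed for this example."""
import ipaddress

# Constructed sample: two adjacent /24s (merge to a /23), a lone /24 that
# stays as-is, two halves of a /24 (merge back to it) and an adjacent
# IPv6 pair (merge to a /47).
SAMPLE_SUBNETS = [
    "198.51.100.0/24", "198.51.101.0/24",   # -> 198.51.100.0/23
    "203.0.113.0/24",                        # no neighbour, unchanged
    "192.0.2.0/25", "192.0.2.128/25",        # -> 192.0.2.0/24
    "2001:db8::/48", "2001:db8:1::/48",      # -> 2001:db8::/47
]

def optimise(subnets):
    """Return (v4, v6) lists of collapsed networks in address order.
    collapse_addresses also drops duplicates and prefixes already covered."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6

def nft_set(name, nets, family="inet", table="filter"):
    """Render one nftables set; 'flags interval' lets it hold prefixes so a
    rule like 'ip saddr @name drop' can match whole blocks."""
    kind = "ipv4_addr" if nets and nets[0].version == 4 else "ipv6_addr"
    elems = ", ".join(str(n) for n in nets)
    return (f"add set {family} {table} {name} {{ type {kind}; flags interval; }}\n"
            f"add element {family} {table} {name} {{ {elems} }}")

if __name__ == "__main__":
    v4, v6 = optimise(SAMPLE_SUBNETS)
    print(f"# {len(SAMPLE_SUBNETS)} input prefixes -> {len(v4) + len(v6)} after merge")
    print(nft_set("geoblock_v4", v4))
    print(nft_set("geoblock_v6", v6))
```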
  • From beardy@21:3/158 to DustCouncil on Tue Feb 7 00:35:40 2023

    On 2023-02-05 19:51 DustCouncil said...
    A typical payload of a port 23 connection, and I didn't detect this on any of the other ports I was listening on, looks like this:

    Thanks for sharing this, and for such a well written post all in all.
    I'm checking out the files you provided, very interesting.

    On 2023-02-05 19:51 DustCouncil said...
    My router at home monitors all ports from /etc/services - none of which have ever allowed ingress - just to see what's knocking on my residential internet connection's door (don't judge, we all have hobbies. Some dudes surf. Some work on classic cars. I monitor my ports. Chicks. Dig me. For this. Like surfers. I...I'm cool.)

    Indeed you are!

    --
    Best regards
    //beardy
    [IRC] beardy [WEB] beardy.se [GPH] gopher://bbs.beardy.se:8070/1
    [FSX] 21:3/158 [TQW] 1337:1/115
    [BBS] bbs.beardy.se (ssh/wss/telnet) https://beardy.se/bodax-bbs
    --- ENiGMA 1/2 v0.0.14-beta (linux; x64; 14.19.1)
    * Origin: BodaX BBS ~ bbs.beardy.se:23 / SSH port 22 (21:3/158)
  • From Blue White@21:4/134 to DustCouncil on Mon Feb 6 16:03:56 2023
    DustCouncil wrote to All <=-

    Unsurprisingly (but perhaps dramatically), port 23 is nearly constantly pounded by what appear to be botnets.

    This is because they are looking for IoT devices where people never change
    the default usernames and passwords. Many of them have an open port 23 for legit reasons, while others have 23 open because the default os install
    does not disable it.

    Ironically, maybe, I have not had as much trouble with unwanted port 23
    traffic tying up the board as I have with unwanted port 22 (ssh) traffic.
    They cannot log in, but they tie up multiple sessions trying, so I changed
    that one from the default.

    ... Direct from the Ministry of Silly Walks
    --- MultiMail/DOS
    * Origin: possumso.fsxnet.nz * SSH:2122/telnet:24/ftelnet:80 (21:4/134)
  • From paulie420@21:2/150 to DustCouncil on Mon Feb 6 18:00:18 2023
    Anyway, I took the top bunch and set up listeners on these ports for
    about 6 days using netcat (traditional) on a system which shouldn't have any inbound connections. Netcat hands inbound connections to a script which prints fake Login: and Password: prompts, and then, regardless of what is entered here, displays a fake # or $ shell prompt, depending on whether they're using root as the login or not.

    Hey DC, I grabbed your entire webpage and there's some great data in there - thanks for sharing the whole thing, it's appreciated and has made its way to my TODO folder. Thx.



    pAULIE42o
    .........

    --- Mystic BBS v1.12 A48 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From Arelor@21:2/138 to Blue White on Tue Feb 7 07:09:25 2023
    Re: Re: Port 23, Telnet, and Internet Background Radiation
    By: Blue White to DustCouncil on Mon Feb 06 2023 04:03 pm

    DustCouncil wrote to All <=-

    Unsurprisingly (but perhaps dramatically), port 23 is nearly constantly pounded by what appear to be botnets.

    This is because they are looking for IoT devices where people never change the default usernames and passwords. Many of them have an open port 23 for legit reasons, while others have 23 open because the default os install
    does not disable it.

    Ironically, maybe, I have not had as much trouble with unwanted port 23 traffic tying up the board as I have with unwanted port 22 (ssh) traffic. They cannot log in, but they tie up multiple sessions trying, so I changed that one from the default.

    ... Direct from the Ministry of Silly Walks
    --- MultiMail/DOS
    * Origin: possumso.fsxnet.nz * SSH:2122/telnet:24/ftelnet:80 (21:4/134)

    I would have thought IoT devices would be firewalled. Your (dumb)smart-fridge may have an open telnet port with admin/1234 credentials, but what use is a telnet scanner to find such a thing if it is behind a router? So many default routers use NAT+packet filtering by default that a regular scanner won't do anything on ipv4.

    Maybe some old routers with ipv6 capabilities come with ipv6 firewalling off by default, but if crackers are trying to find those holes, they would not be scanning ipv4.

    Dunno. It is getting hard as-it-is to run a legit service because your servers are not reachable behind CG-NAT. IoT devices need to call home more often than not because the mothership cannot initiate connections to them. Even many IoT devices that are supposed to work like servers need to call home and use some form of NAT traversal.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.20-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)
  • From Oli@21:3/102 to DustCouncil on Fri Feb 10 11:48:07 2023
    DustCouncil wrote (2023-02-05):

    For the month of January 2002, these are the top ports in /etc/services that machines on the Internet are trying to connect to:

    Port 23 - 13116 hits [telnet]
    Port 22 - 5067 hits [ssh]
    Port 8080 - 4378 hits [http-alt]
    Port 80 - 2864 hits [http]
    Port 443 - 2032 hits [https]
    Port 1433 - 1426 hits [ms-sql-s]
    Port 123 - 815 hits [ntp]
    Port 8081 - 800 hits [tproxy]
    Port 53 - 686 hits [dns]
    Port 3306 - 465 hits [mysql]
    Port 21 - 453 hits [ftp cmd]

    It's interesting to me that in 2023, telnet is the most thwacked of all ports, when it is largely considered deprecated. Not only that, it is
    the top port by a very large margin.

    I'm still using Telnet, but only over TLS. It still works fine for a deprecated protocol.

    Interestingly not a single connection on port 24554 (binkp).


    ---
    * Origin: War is Peace. Freedom is Slavery. Ignorance is Strength. (21:3/102)