During January, Turris routers saw a significant increase in attacks on port 1035. This port was used by various Trojan horses in the past. According to the CZ.NIC association, this indicates that another clone of one of them is spreading on the Internet. This follows from the Sentinel Report Summary, which the association publishes every month.
In January, the Sentinel system recorded attacks from 85,747 IP addresses. Head of the CZ.NIC hardware team Michal Hrušecký confirmed that this is an increase compared to December. “Compared to November, the number of attackers per device increased significantly. On average, one attacker targets 20 Turris devices,” said Hrušecký.
According to the detailed statistics, the most frequently scanned ports are 6881 and 6889, used for BitTorrent. The attackers also check the accessibility of port 445, used by the Samba protocol for network sharing. According to CZ.NIC, this is not surprising. Focusing on this target is quite logical given the potential gains.
Turris routers also capture passwords used by outside computers to access SMTP and other services. However, passwords such as F7Nd1c0c or K06z4G, which appear to be random, have started to rise to the top of these statistics. “Most of these attacks come from a single segment – from one Iranian Internet provider,” explains Hrušecký.
Complete results are available on the Sentinel View website.