Telnet

A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons.

The list — spotted by Ankit Anubhav, a security researcher with New Sky Security — includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. The Pastebin list includes 143 credential combos, including the 60 admin-password combos from the Mirai Telnet scanner.

There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. When we took the screenshot below, the list had been viewed 11,000 times, but now, the list view counter is at 22,000+.

Pastebin list

Victor Gevers, chairman of the GDI Foundation, has analyzed the list and shared results with Bleeping Computer in a private conversation on Friday afternoon.

Only 1,775 Telnet credentials still work, as of today

The researcher told Bleeping Computer that the list contained duplicates and there were in reality only 8,233 unique IP addresses.

Most of these IPs do not allow access via their Telnet port anymore. Gevers says that 2,174 still allow an attacker to log on via its Telnet port, and 1,775 of the published credentials still work.

Since mid-week, the researcher has been working on notifying device owners about the exposed devices.

Researcher contacting device owners, ISPs

"I am going to try to see if I can locate the owner. Otherwise, I will contact the ISP," Gevers told Bleeping about his process.

"I am going through these on a per country basis. I started in Europe slowly moving toward US, and as for last, Asia," he added. "China is the biggest to check."

"I already got a few ISPs to confirm our reports and they have already taken action in Europe," the researcher added. "I will run a new scan tonight to see how many got fixed in the last 24 hours."

Gevers said that most IPs that still respond to queries are routers. "There are devices on the list of which I never heard of," Gevers said, "and that makes the identification process much slower."

The researcher is verifying how many of these devices are part of botnets by checking their IP addresses against IP blacklists. As Gevers told Bleeping in another conversation today, his searches are hobbled by rate limiting restrictions that have reduced the efficiency of his automated process.

Gevers — and everyone else — hopes to have these devices secured or taken offline before they're hijacked by some botnet operator.