Subj : Telnet at <> If you've been 'locked out' of the telnet server and you need to use JK>> it, let me know. I'll check your ip wasn't marked as 'bad'. I've JK>> been trapping large numbers of nodes here who seem to just JK>> log-on/log-off BR> I'm getting quite a few myself, probably part of a new Telnet "attack" BR> which I am getting from dozens of different IP addresses weekly that BR> try to have you seen the links i shared earlier? i dropped them in several conferences by cross posting a reply to janis... BR> login with the following sequence: BR> === Snip === BR> Unknown BR> ENABLE BR> SYSTEM BR> SHELL BR> === Snip === actually, it is roughly two or three months old... the first portion (which you left one out) is a user name... your "unknown" is actually the password but not that sequence of letters... they are transmitted normal-like with the CFLF after them... the rest of the string sequences you posted are each followed by a nul (0x00) character and then the CRLF... you're missing the last two parts, "sh" and a call to busybox with a command name which is the main tracking and detection signature... BR> I am blocking some with multiple hits, but I ignore the rest {chuckle} the order of the above was different in the beginning... there is always the user name and password but one or the other may be empty (just a CRLF sequence)... it started as only three commands followed by the call to busybox with its command name... then it changed to four commands with "enable" being first as you show above... )\/(ark Always Mount a Scratch Monkey Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong... .... Correction does much, but encouragement does more. --- * Origin: (1:3634/12.73) .