The Day the Telnet Died

Posted by pjf 2 hours ago

The Day the Telnet Died(www.labs.greynoise.io)

127 points | 67 comments

trebligdivad 1 hour ago|

Why are people still using telnet across the internet in this century? Was this _all_ attack traffic?

(OK, I know one ancient talker that uses it - but on a very non-standard port so a port 23 block wouldn't be relevant)

jaredsohn 1 hour ago||

To watch Star Wars in ASCII.

telnet towel.blinkenlights.nl https://www.youtube.com/watch?v=Mhcf6tc2jeQ

(Remember hearing about this many years ago and verified some instance of it still exists/works.)

mmooss 49 minutes ago||

  Connection failed

Maybe we should give the kind person who hosts it a break. Try it out tomorrow. (Yes, I should have thought of that before I tried.)

accrual 11 minutes ago||

It might be the telnet filtering in action. The host responds to ping but I get nothing back on TCP/23, not even a reset.

iamnothere 36 minutes ago|||

Hams use it over packet radio sometimes since encryption is forbidden on the amateur bands.

IMHO we need a good telnet replacement that sends signed data. Most people interpret signatures as allowed under FCC rules, just not encryption.

rcakebread 20 minutes ago|||

One? All the talkers still use it and all the MUDs/MOOs etc. far out number the talkers.

mcpherrinm 1 hour ago|||

As I understand it, greynoise is monitoring scanner traffic, so yes this would all be scans or attacks

catskull 1 hour ago||

When I was an intern for some reason they issued me a voip phone for my desk. One day I got bored and figured out I could telnet into it. Nothing interesting but it was still a fun moment for me!

Animats 1 hour ago||

So eleven years ago someone put a backdoor in the Telnet daemon.

Who?

Where's the commit?

greyface- 1 hour ago||

https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c28...

ieie3366 1 hour ago||

That's crazy. This is core business critical software but they just YOLO critical changes without any automated tests? this PR would be insta-rejected in the small SAAS shop I work at.

direwolf20 58 minutes ago|||

If you think you can do better you're welcome to do better. I say this without a hint of sarcasm. This is how open source works. It's a do–ocracy, not a democracy. Whoever makes a telnet server gets to decide how the telnet server works and how much testing it gets before release.

acdha 55 minutes ago||||

Culture has changed a lot since the 20th century and older projects can have antiquated norms around things like testing. I was just listening to a recent podcast talking about how worrisome it is that OpenSSL has a casual culture about testing[1] and was reminded about how normal that used to be. I think in the case of telnetd you also have the problem that it’s been deprecated for multiple decades so I’d bet that they struggle even more than average to find maintainer time.

1. https://securitycryptographywhatever.com/2026/02/01/python-c...

fhub 37 minutes ago||||

Even with automated tests you'd need to think of this exploit right? Perhaps fuzzing would have got it. The mailing lists says they proved it successful on

- OpenIndiana

- FreeBSD

- Debian GNU/Linux

So not complete YOLO.

See https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg...

FWIW, a well known LLM agent, when I asked for a review of the patch, did suggest it was dodgy but didn't pick up the severity of how dodgy it was.

JCattheATM 3 minutes ago||

> a well known LLM agent

Which one?

wildzzz 44 minutes ago||||

Any business that has a telnet daemon able to be reached by an unauthenticated user is negligent. Just the fact that everything is in the clear is reason enough to never use it outside of protected networks.

dec0dedab0de 8 minutes ago||

unless it doesn’t matter if it’s evesdropped

avaer 1 hour ago||||

There's a famous XKCD about this: https://xkcd.com/2347/

In this case the hero's name is apparently Simon Josefsson (maintainer).

idiotsecant 9 minutes ago||

I feel like we should just start saying 2347. Everyone knows what you mean.

AlienRobot 1 hour ago|||

https://xkcd.com/2347/

Ah, someone beat me to it!

Arubis 1 hour ago|||

Telnet's cleartext and always has been. A backdoor seems like overkill.

direwolf20 55 minutes ago||

You still have to know the password or snoop on someone typing the password. But with this vuln, you don't. You can just get root instantly.

parl_match 1 hour ago|||

It wasn't a backdoor, just a very serious security bug. Congrats on jumping straight to conspiracy and paranoia, though.

alt187 1 hour ago||

It's only a conspiracy and paranoia if it's wrong. 11 years ago was 2015.

mmooss 1 hour ago||

> backdoor

Do you mean that it's intentional? Why do you think so?

keyle 22 minutes ago||

It's nice to not see C being blamed for once! ... Just good old lack of reasoning (which is most C's codebase downfall, agreeably).

accrual 8 minutes ago|

It's also not DNS!

Twisol 1 hour ago||

> Someone upstream of a significant chunk of the internet’s transit infrastructure apparently decided telnet traffic isn’t worth carrying anymore. That’s probably the right call.

Does this impact traffic for MUDs at all? I know several MUDs operate on nonstandard Telnet ports, but many still allow connection on port 23. Does this block end-to-end Telnet traffic, or does it only block attempts to access Telnet services on the backbone relays themselves?

RupertSalt 1 hour ago||

Most MUDs do not use Telnet.

MUDs use plaintext TCP protocols that are accessible to a wide range of clients.

The Telnet protocol is well-defined and not completely plaintext. There are in-band signaling methods and negotiations. Telnet is defined to live on 23/tcp as an IANA well-known, privileged, reserved port.

MUDs do none of this. You can usually connect to a MUD using a Telnet client, but most players hate the experience and often deride this method in favor of a dedicated, programmable client.

The fact that MUDs inhabit higher 4-digit ports is an artifact from their beginnings as unprivileged, user-run servers without a standardized protocol or an assigned “well-known port” presence. If you want your MUD to be particularly inaccessible, you could certainly run on port 23 now!

Twisol 1 hour ago||

As a MUD enthusiast of two decades, this is not accurate. Where are you getting this information?

Most MUDs implement RFC 854, and a number of non-standard Telnet option subnegotiation protocols have been adopted for compression (MCCP2), transmission of unrendered data (ATCP, GMCP, ZMP), and even a mechanism for enabling marking up the normal content using XML-style tags (MXP). These telopts build on the subnegotiation facility in standard Telnet, whose designers knew that the base protocol would be insufficient for many needs; there are a great number of IANA-controlled and standardized telopt codes that demonstrate this, and the MUD community has developed extensions using that same mechanism.

> You can usually connect to a MUD using a Telnet client, but most players hate the experience and often deride this method in favor of a dedicated, programmable client.

I think you are confusing "telnet" the program with "telnet" the protocol. I am speaking here of the protocol, defined at base in RFC 854, for which "telnet" the program is but one particularly common implementation. You look at any of those "dedicated, programmable clients" and they will contain an implementation of RFC 854, probably also an implementation of RFC 1143 (which nails down the rules of subnegotiation in order to prevent negotiation loops), and an implementation of the RFCs for several standard telopts as well as non-standardized MUD community telopts. I can speak for the behavior of MUSHclient in especial regard here, though I am also familiar with the underlying Telnet nature of Mudlet, ZMud, and CMUD, not to mention my very own custom-made prototype client for which I very much needed to implement Telnet as described above.

RupertSalt 4 minutes ago||

Yes, perhaps we should define “MUD” and your incomplete experience of “most”.

As a MUD enthusiast for 37 years, I learned to program in C and Unix through TinyMUD, MUCK, and MUSH derived servers. From the beginning, none of these codebases implemted Telnet. There was nothing but a raw transparent TCP connection. In fact, I facilitated the introduction of a grand innovation: the "port concentrator" system which multiplexed TCP connections. Unix processes had a hard rlimit of 64 file descriptors, which crimped our style as an emerging MMORPG. The multiplexer increased this to 4096, for the biggest games of the era.

You mention MUSHclient, and I do not know about later revisions of the TinyMUSH server, but I can assure you that every MUSH I found from Larry Foard on, was not implementing Telnet. (I was privileged to help Larry "test" new features as I red-teamed his server with bizarre edge cases!)

Now as for the Diku, LP, and other “combat” type games, I’ve no idea. Perhaps they did. We never cared. I was aware that some of them had a pesky “prompt” that violated the line-mode assumptions of conventional clients and needed workarounds.

telnet(1), the program, was historically the only program that implemented the protocol. If you use Tinyfugue or Tinywar or tinymud.el, they are not, and no, I am not confused, because I was giving an example of why the Telnet-implementation, the program, the client, was so inadequate for playing on MUD servers.

It wouldn’t have been difficult to retrofit the Telnet RFC 854 into any MUD server, but none of us wizards had any use for it, seeing that our clients were mature and capable of much more processing without it.

If modern MUD servers have mostly implemented Telnet, then that is cool, but what surprises me is that it is mandatory, and your clients don’t seem to interoperate without it? That is a strange reversal!

MBCook 1 hour ago|||

It wasn’t clear from the article but I assumed they were filtering for the attack specifically.

Since Telnet is totally plain text that would absolutely be easy to do right?

Mixtape 1 hour ago|||

Wouldn't that imply that >80% of all monitored telnet sessions were exploit attempts for the specific CVE in question? Even with the scale of modern botnets, that seems unrealistic for a single vuln that was undisclosed at the time.

wbl 1 hour ago|||

Not at interconnect speeds

Laforet 1 hour ago||

It seems like they are doing a port based block similar to how residential lines often have their SMTP ports shut off.

That said in this day and age, servers on the public network really ought to use SSH.

charcircuit 1 hour ago||

The design of telnet and ssh where you have a daemon running as root is bad security that as shown here is a liability, a ticking time bomb ready to give attackers root.

nine_k 45 minutes ago||

What do you think proper architecture would be, given that ssh needs a capability to let root logins?

I suppose it could be via a proper PAM module, which is widely supported.

Too bad the first PAM RFC was published about the same time the first be version of ssh was released.

accrual 7 minutes ago||

> ssh needs a capability to let root logins

One can disable root login via SSH in /etc/ssh/sshd_config. sshd also drops root priviledges once it's running IIRC.

I use use sudo or doas as a regular user once logged in.

direwolf20 56 minutes ago||

Literally how else is a remote login daemon supposed to work though?

dragonfax 53 minutes ago|||

1. Start with root to bind the port below 1024.

2. give up root because you don't need it any further.

3. Only accept non-root logins

4. when a user creates a session, if they need root within the session they can obtain it via sudo or su.

acdha 44 minutes ago|||

That still needs a way to change users, and OpenSSH already has privilege separation. That hardens the process somewhat to reduce the amount of code running in the process which can change the uid for a session but fundamentally something needs permission to call setuid() or the equivalent.

accrual 4 minutes ago||

Yes, but changing users is a function of the shell (or maybe more specifically /usr/bin/login), not the SSH daemon.

wiml 40 minutes ago||||

You still need to have privileges to become the userid of the user logging in. Openssh does do privsep, but you still need a privileged daemon.

klempner 35 minutes ago||||

Congratulations, you've created a server that lets people have shells running as the user running telnetd.

You presumably want them to run as any (non root) user. The capability you need for that, to impersonate arbitrary (non-root) users on the system, is pretty damn close to being root.

Aloha 44 minutes ago||||

I'm not sure that you need root because of the port - I think login itself needs to run as root, otherwise it cant login to anything other than the account its running under.

charcircuit 43 minutes ago|||

The remote daemon has its own account and is given a privilege that allows it to connect a network socket to a pseudo terminal.

direwolf20 18 minutes ago|||

Those are already unprivileged operations, but how does it start the initial process in that terminal with the correct privileges for a different user?

charcircuit 1 minute ago||

The kernel could authenticate the user before starting it.

esseph 35 minutes ago|||

Any breach of the daemon will still give access to a system that can approve/deny user logins. Breaching the daemon therefore allows permission escalation, because you can simply jump to an account. Chain with any local vuln of your choice to completely own the box.

It doesn't matter what user it is running as.

If this was so easy to deal with, someone would have done it. Instead, we get endless HN comments about people that act like they can do better but never submit a PR.

charcircuit 7 minutes ago||

Breaching the daemon only allows for the attacker to get access to the login. User accounts should still be secured requiring authentication.

>If this was so easy to deal with, someone would have done it.

Sadly this is not the case. There is a lot of inertia towards solutions like ssh or sudo. It may be easy to delete them, but actually getting such a changed accepted is no trivial task.

iberator 1 hour ago||

Stranger article. I wasn't able to get the main point of this article. Strangely written, but hey - I'm nob native by any means.

ps.

telnet SDF.org

just works...

jwpapi 57 minutes ago|

it was just ai written thats why.. unexpectedly so from greynoise.

jopython 48 minutes ago||

This is about Telnetd. Not telnet itself.

saulpw 44 minutes ago|

...except that port 23 seems to now be filtered across the internet at large, leading to a huge drop-off in telnet traffic over the course of days if not hours. I think it's safe to say that even if you patch telnetd, being able to use telnet over the internet is not possible in many places (including Canada, according to the data).

RonanSoleste 1 hour ago||

I still used telnet today (had to). Unsure of the patching here. But its definitely locked down to a subset of internal use only.

pbhjpbhj 1 hour ago|

Embedded? Ancient? What sort of systems are you telnetting into?

More comments...