Detecting Mirai Botnet Scans>
Extreme Networks – Michael Rash
At Extreme Networks, since we try to help customers instead of attacking them, letâs dive into how to detect Mirai network communications. Broadly speaking, there are two classes of activities that Mirai performs: Compromising new hosts to force them into the botnet (including command and control once they are compromised). Attacking systems worldwide with various types of DDoS attacks. Mirai scans the Internet looking for open telnet servers running on either port 23 or port 2323. When it finds one, it then tries to authenticate via a set of known default credentials. If the authentication is successful, it has just found a new device to compromise and bring into the existing botnet. The first step in detecting Mirai botnet scanning is to look for port sweeps on ports 23 and 2323. However, in a quirk unique to Mirai, scanning nodes do not scan for these two ports on an equal basis. As you can see from the connection counter âiâ in the following code snippet, Mirai scans for port 23 vs. 2323 in a 1/10th ratio.

Now, what happens when a Mirai scanner finds a new reachable telnet daemon. It then tries a series of default administrative credentials to see if it is able to authenticate to the target. These default credentials can be found here, and a screenshot of a few of them is included below:
Link: https://www.extremenetworks.com/extreme-networks-blog/detecting-mirai-botnet-scans/