• Telnet at <

    From Janis Kracht@1:261/38 to All on Monday, October 03, 2016 14:33:18
    If you've been 'locked out' of the telnet server and you need to use it, let me
    know. I'll check your ip wasn't marked as 'bad'.

    I've been trapping large numbers of nodes here who seem to just log-on/log-off

    Take care,
    Janis

    --- BBBS/Li6 v4.10 Dada-2
    * Origin: Prism bbs (1:261/38)
  • From Ben Ritchey@1:393/68 to Janis Kracht on Monday, October 03, 2016 15:10:56
    * An ongoing debate between Janis Kracht and All rages on ...

    If you've been 'locked out' of the telnet server and you need to use
    it, let me know. I'll check your ip wasn't marked as 'bad'.
    I've been trapping large numbers of nodes here who seem to just log-on/log-off

    I'm getting quite a few myself, probably part of a new Telnet "attack" which I am getting from dozens of different IP addresses weekly that try to login with the following sequence:

    === Snip ===
    Unknown
    ENABLE
    SYSTEM
    SHELL
    === Snip ===

    I am blocking some with multiple hits, but I ignore the rest {chuckle}

    -+-
    Keep the faith :^)

    Ben aka cMech Web: http|ftp|binkp|telnet://cmech.dynip.com
    Email: fido4cmech(at)lusfiber.net
    Home page: http://cmech.dynip.com/homepage/
    WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

    ... Part #3 of 3, others are missing.
    --- GoldED+/W32-MSVC v1.1.5 via Mystic BBS
    * Origin: FIDONet - The Positronium Repository (1:393/68)
  • From Janis Kracht@1:261/38 to Ben Ritchey on Monday, October 03, 2016 17:29:30
    * An ongoing debate between Janis Kracht and All rages on ...

    If you've been 'locked out' of the telnet server and you need to use
    it, let me know. I'll check your ip wasn't marked as 'bad'.
    I've been trapping large numbers of nodes here who seem to just
    log-on/log-off

    I'm getting quite a few myself, probably part of a new Telnet "attack" which I >am getting from dozens of different IP addresses weekly that try to login with
    the following sequence:

    === Snip ===
    Unknown
    ENABLE
    SYSTEM
    SHELL
    === Snip ===

    I am blocking some with multiple hits, but I ignore the rest {chuckle}

    <sigh>... sign of the times, that's for sure. I'm sure if I check some of the system logs I'll see similarly named attempts. My favorites: ADMIN, ROOT.. Lol

    What losers :)

    Take care,
    Janis

    --- BBBS/Li6 v4.10 Dada-2
    * Origin: Prism bbs (1:261/38)
  • From mark lewis@1:3634/12.73 to Janis Kracht on Monday, October 03, 2016 17:26:00

    03 Oct 16 14:33, you wrote to All:

    If you've been 'locked out' of the telnet server and you need to use
    it, let me know. I'll check your ip wasn't marked as 'bad'.

    I've been trapping large numbers of nodes here who seem to just log-on/log-off

    logon/logoff or connect/disconnect? ;)

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... We must be doing something right.
    ---
    * Origin: (1:3634/12.73)
  • From mark lewis@1:3634/12.73 to Ben Ritchey on Monday, October 03, 2016 17:26:46

    03 Oct 16 15:10, you wrote to Janis Kracht:

    If you've been 'locked out' of the telnet server and you need to use
    it, let me know. I'll check your ip wasn't marked as 'bad'. I've
    been trapping large numbers of nodes here who seem to just
    log-on/log-off

    I'm getting quite a few myself, probably part of a new Telnet "attack" which I am getting from dozens of different IP addresses weekly that
    try to

    have you seen the links i shared earlier? i dropped them in several conferences
    by cross posting a reply to janis...

    login with the following sequence:

    === Snip ===
    Unknown
    ENABLE
    SYSTEM
    SHELL
    === Snip ===

    actually, it is roughly two or three months old... the first portion (which you
    left one out) is a user name... your "unknown" is actually the password but not
    that sequence of letters... they are transmitted normal-like with the CFLF after them... the rest of the string sequences you posted are each followed by a nul (0x00) character and then the CRLF... you're missing the last two parts, "sh" and a call to busybox with a command name which is the main tracking and detection signature...

    I am blocking some with multiple hits, but I ignore the rest {chuckle}

    the order of the above was different in the beginning... there is always the user name and password but one or the other may be empty (just a CRLF sequence)... it started as only three commands followed by the call to busybox with its command name... then it changed to four commands with "enable" being first as you show above...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Correction does much, but encouragement does more.
    ---
    * Origin: (1:3634/12.73)
  • From mark lewis@1:3634/12.73 to Janis Kracht on Monday, October 03, 2016 19:22:30

    03 Oct 16 17:29, you wrote to Ben Ritchey:

    I am blocking some with multiple hits, but I ignore the rest {chuckle}

    <sigh>... sign of the times, that's for sure. I'm sure if I check
    some of the system logs I'll see similarly named attempts. My
    favorites: ADMIN, ROOT.. Lol

    in a demented way, i kinda enjoy watching my frontdoor wait-for-call when these
    bots connect... i see all their commands up to the point where they send the busybox command and then "no carrier" because the IDS/IPS on the perimeter has dropped their connection for a rules violation... it really is funny... especially since they're blocked from causing the server to be overworked... why do i want to subject my server(s) to that when they can be dropped at the perimeter and never even traverse my network at all? ;)

    What losers :)

    they took down brian krebs' web site that was protected (pro bono) by akamai...
    more than 620G per second and it was too much... google's "Project Shield" is covering his site now...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Bald spot? No - solar panel for brain power.
    ---
    * Origin: (1:3634/12.73)
  • From Janis Kracht@1:261/38 to mark lewis on Monday, October 03, 2016 20:46:22
    I've been trapping large numbers of nodes here who seem to just
    log-on/log-off

    logon/logoff or connect/disconnect? ;)

    No real "login".. more like connect/disconnect.

    Iptables takes them out according to the rule I have set.

    --- BBBS/Li6 v4.10 Dada-2
    * Origin: Prism bbs (1:261/38)