Subj : Bug in Renegade's Renemail To : Nick Andre From : mark lewis Date : Thu Jun 28 2018 08:31 am On 2018 Jun 26 15:09:12, you wrote to Sean Dennis: NA> If a non-ANSI user calls here, I know that 99% of the time its a NA> script-kid. So I added a CAPTCHA; meaning, type the phrase you see. If NA> you answer wrong, your IP address is blacklisted in the NET2BBS "kill" NA> file. A blacklisted system is trapped and disconnected before the BBS NA> loads. I write a seperate process that resets the kill file once a NA> week in the case of a false-positive. that's similar to what i do here except i use an IDS on my firewall... ISP issued modems are shit... just barely enough to call them a modem/firewall/router... we use our's in bridge mode and have our own dedicated firewall/router machine protecting the three networks here... this firewall being one of smoothwall, ipfire, pfSense and similar... we chose ours because we can customize it if we choose... the IDS comes with but the automated dropping of unwanted connections is our custom addition... since i have frontdoor running and answering the connection requests on telnet, it answers and logs the "DFRS" (data from ring signal)... that should be the caller-id stuff but on telnet, with these automated mirai variants, they just spew their credentials and then try to set up their shell... it is because of frontdoor that i was able to see what was going on... most bbses hide that data... so anyway, once i knew what was going on, i wrote a few IDS rules to detect these connections... i followed a few rules, though... 1. we don't care what name and password they spew. 2. we DO care if they try to set up their shell. 3. shell setup is generally always the same enable.system.shell.sh (dots used for spaces so as to not trip IDS) 4. after the above they generally try to load busybox with some fake module or program call. this call is simply a delimeter so they can see when their attempt is finished. 5. sometimes, instead of loading busybox, they try to download scripts from somewhere else via tools like fgrep, curl, wget, ftpget, tftp, and even echo. so with the above, we have five IDS rules... one to detect each stage of the command shell setup attempt... that's really all it takes but we do track the fake module or program names they try to initiate... that's how the thing got its name and how the skiddies keep them separated... in 2016, there were 12 unique variants. in 2017, there were 30 new unique variants. in 2018, there have been at least 73 new unique variants. the most notable thing is that by running the IDS, we're able to detect these attempts and stop them in the firewall before they even get a chance to get into the network... sure, the initial part is being feed to the mailer but as soon as the IDS qualifies the traffic as a mirai variant, it drops the connection via iptables rules... right now we have rules for each of the unique modules which we used as our trigger to block the connection but it is just about to the point where we don't even care about them any more... we could drop the connection just based on the attempt to set up the shell which would reduce our rules set to only 4 rules instead of the current 115 we have in place... there used to be a lot more attempts as the skiddies attempted to build their botnets... those attempts have dropped a lot since the beginning... there's only maybe 5 unique variants that are active... at least going by what is seen over here... sometimes an older one will come around and we still see some mirai attempts... one of the funniest ones is using "anarchy" as their fake module but the actual funny part is they're trying to load "SH" for their shell instead of "sh"... we all know how *nix systems are case sensitive so we know this won't work but it could be a second round attempt where the first round may have gotten in and created a "SH" shell... i dunno but i'm glad to be having my firewall performing this analysis and blocking rather than submitting my server to the abuse... that one IDS installation on the firewall is protecting a number of bbses and they're very happy they don't have to do the work of analyzing and blocking these skiddie attempts... at one point in time, our firewall was blocking over 4000 unique IPs that were known to be infected with a mirai variant... the attempts have fallen off a whole lot and today we're tracking less than 1000 unique IPs hitting here... i want to suspect the skids are actually reading their logs and seeing what BBS and mailer logons look like... i want to suspect they are adjusting their code to detect those and drop the connection on their own since they can't get in and do anything... i dunno... maybe it is all just a dream... )\/(ark Always Mount a Scratch Monkey Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong... .... be kind to your four footed friends... --- * Origin: (1:3634/12.73) .