• Latest Hacks

    From thumper@VERT/THEWASTE to All on Wednesday, December 10, 2014 05:53:21
    Here's my latest fun from the bots or hackers? Any idea what they're trying?


    12/10 05:48:20 term 0028 Hostname: <no name>
    12/10 05:48:20 term Node 1 attached to local interface 192.168.200.103 port 23
    12/10 05:48:20 term Node 1 05:48a Wed Dec 10 2014 Node 1
    12/10 05:48:20 term Node 1 Telnet <no name> [27.192.69.233]
    12/10 05:48:57 term Node 1 Unknown User 'Root'
    12/10 05:49:26 term Node 1 Unknown User 'Sh'
    12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
    12/10 05:50:04 term Node 1 disconnected
    12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected




    -=Thumper=-
    --SysOp--
    The Wastelands BBS

    ---
    þ Synchronet þ -=The Wastelands BBS=- -=wastelands-bbs.net=-
  • From Mcsteve@VERT/HABITS to thumper on Wednesday, December 10, 2014 09:16:23
    Re: Latest Hacks
    By: thumper to All on Wed Dec 10 2014 05:53 am

    Just another batch of automated exploits. I set my firewall to block connections from pretty much the entire continent of Asia and my logs have gotten much quieter.

    -McSteve

    ---
    þ Synchronet þ Old habits die hard - Old Habits BBS - oldhabitbbs.com
  • From mark lewis@VERT to thumper on Wednesday, December 10, 2014 15:35:04
    On Wed, 10 Dec 2014, thumper wrote to All:

    Here's my latest fun from the bots or hackers? Any idea what they're trying?

    12/10 05:48:20 term 0028 Hostname: <no name>
    12/10 05:48:20 term Node 1 attached to local interface 192.168.200.103 port 23
    12/10 05:48:20 term Node 1 05:48a Wed Dec 10 2014 Node 1
    12/10 05:48:20 term Node 1 Telnet <no name> [27.192.69.233]
    12/10 05:48:57 term Node 1 Unknown User 'Root'
    12/10 05:49:26 term Node 1 Unknown User 'Sh'
    12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
    12/10 05:50:04 term Node 1 disconnected
    12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected

    create a rule for your IDS (Intrusion Detection System) that looks for "/bin/busybox;echo -E" inbound over your telnet port in response to your system's login user name request... your rule should cause your IDS to raise an
    alert which can then be acted upon by dropping the connection and maybe even blocking that IP for some amount of time ;)

    )\/(ark


    * Origin: (1:3634/12)

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Khelair@VERT/TINFOIL to thumper on Wednesday, December 10, 2014 13:47:04
    Re: Latest Hacks
    By: thumper to All on Wed Dec 10 2014 05:53:21

    12/10 05:48:20 term 0028 Hostname: <no name>
    12/10 05:48:20 term Node 1 attached to local interface 192.168.200.103 port 23
    12/10 05:48:20 term Node 1 05:48a Wed Dec 10 2014 Node 1
    12/10 05:48:20 term Node 1 Telnet <no name> [27.192.69.233]
    12/10 05:48:57 term Node 1 Unknown User 'Root'
    12/10 05:49:26 term Node 1 Unknown User 'Sh'
    12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
    12/10 05:50:04 term Node 1 disconnected
    12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected

    That one's a router exploit attempt. Ban any IP trying it as it's part of a larger botnet, I'd say.

    ---
    þ Synchronet þ Tinfoil Tetrahedron BBS telnet://tinfoil.synchro.net
  • From Khelair@VERT/TINFOIL to mark lewis on Wednesday, December 10, 2014 18:12:23
    Re: Latest Hacks
    By: mark lewis to thumper on Wed Dec 10 2014 15:35:04

    create a rule for your IDS (Intrusion Detection System) that looks for "/bin/busybox;echo -E" inbound over your telnet port in response to your system's login user name request... your rule should cause your IDS to raise an alert which can then be acted upon by dropping the connection and maybe even blocking that IP for some amount of time ;)

    Sorry for butting in here, but I was wondering, what IDS have you tried? I kind of lost my knack with OSSEC between versions 2.6 and 2.7 and still haven't learned the new syntax. Wondering if there isn't something for *NIX a little easier to set up and configure since I'm so crushed on time lately.

    ---
    þ Synchronet þ Tinfoil Tetrahedron BBS telnet://tinfoil.synchro.net
  • From mark lewis@VERT to Khelair on Thursday, December 11, 2014 09:10:09
    On Wed, 10 Dec 2014, Khelair wrote to mark lewis:

    create a rule for your IDS (Intrusion Detection System) that looks
    for "/bin/busybox;echo -E" inbound over your telnet port in
    response to your system's login user name request... your rule
    should cause your IDS to raise an alert which can then be acted
    upon by dropping the connection and maybe even blocking that IP
    for some amount of time ;)

    Sorry for butting in here, but I was wondering, what IDS have you
    tried?

    i /use/ snort plus a custom app for automatic ban manipulation... it is built into my perimeter firewall ;)

    I kind of lost my knack with OSSEC between versions 2.6 and 2.7 and
    still haven't learned the new syntax.

    i've never used it... one might try security onion if they want something that's got pretty much everything in one but i don't want or need that... plain snort with my tool works great with the rules sets i'm using...

    Wondering if there isn't something for *NIX a little easier to set
    up and configure since I'm so crushed on time lately.

    no matter what you choose, there is no one size fits all... you /always/ have to tune the rules sets to your network's traffic... it takes time but once it is done, then minor maint is all that's needed...

    )\/(ark

    If you think it's expensive to hire a professional to do the job, wait until you hire an amateur.

    --- FMail/Win32 1.60
    * Origin: (1:3634/12.71)
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From mark lewis@VERT to Khelair on Thursday, December 11, 2014 22:11:35
    On Wed, 10 Dec 2014, Khelair wrote to thumper:

    12/10 05:49:26 term Node 1 Unknown User 'Sh'
    12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
    12/10 05:50:04 term Node 1 disconnected
    12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected

    That one's a router exploit attempt. Ban any IP trying it as it's
    part of a larger botnet, I'd say.

    just remember that IPs change and perma-blocking an IP may cost you users in the future... that's why my solution uses configurable time periods for the blocks to be removed if the IP hasn't violated further... if it has, the period
    is extended until they stop and the period decays naturally ;)

    )\/(ark


    * Origin: (1:3634/12)

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
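    Added example (not code from anyone in this thread): the two ideas Mark describes, an IDS-style match on "/bin/busybox;echo -E" offered as a login name, and a block list whose entries expire on their own but get extended while the source keeps offending, applied to Synchronet log lines in the format quoted above. The log sample is constructed (documentation-range IP), the regexes are my reading of the quoted format, and the one-hour/six-hour durations are placeholders to tune to your own traffic.

    ```python
    import re
    from datetime import datetime, timedelta

    # Constructed sample, modelled on the Synchronet log lines quoted in this thread.
    SAMPLE_LOG = """\
    12/10 05:48:20 term Node 1 Telnet <no name> [203.0.113.7]
    12/10 05:48:57 term Node 1 Unknown User 'Root'
    12/10 05:49:26 term Node 1 Unknown User 'Sh'
    12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\\14'
    12/10 05:50:04 term Node 1 disconnected
    """

    # The string Mark suggests alerting on: a shell command sent where a login name belongs.
    SIGNATURE = "/bin/busybox;echo -E"
    CONNECT_RE = re.compile(r"^(\S+ \S+) term Node (\d+) Telnet .* \[([\d.]+)\]$")
    LOGIN_RE = re.compile(r"^(\S+ \S+) term Node (\d+) Unknown User '(.*)$")

    def find_violations(log_text, year=2014):
        """Return (timestamp, source_ip) for every login attempt carrying SIGNATURE.
        The log omits the year, so the caller supplies it. The connection line
        is the only place the remote IP appears, so it is remembered per node."""
        node_ip, hits = {}, []
        for line in log_text.splitlines():
            m = CONNECT_RE.match(line)
            if m:
                node_ip[m.group(2)] = m.group(3)
                continue
            m = LOGIN_RE.match(line)
            if m and SIGNATURE in m.group(3):
                ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %m/%d %H:%M:%S")
                hits.append((ts, node_ip.get(m.group(2), "unknown")))
        return hits

    class DecayingBlockList:
        """Timed blocks as Mark describes them: a first hit blocks for `base`,
        a hit while still blocked adds `extend`, and an expired block simply
        lapses, so a host that gets cleaned up is not banned forever."""
        def __init__(self, base=timedelta(hours=1), extend=timedelta(hours=6)):
            self.base, self.extend, self.until = base, extend, {}

        def record(self, ip, now):
            expiry = self.until.get(ip)
            if expiry is not None and expiry > now:
                self.until[ip] = expiry + self.extend   # repeat offender: extend
            else:
                self.until[ip] = now + self.base        # new or lapsed: fresh block
            return self.until[ip]

        def is_blocked(self, ip, now):
            return self.until.get(ip, now) > now
    ```

    Feeding `find_violations` output into `record` is the alert-then-act loop; whatever drops the connection or updates the firewall goes where `record` returns.
    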
  • From Khelair@VERT/TINFOIL to mark lewis on Friday, December 12, 2014 06:38:54
    Re: Latest Hacks
    By: mark lewis to Khelair on Thu Dec 11 2014 22:11:35

    That one's a router exploit attempt. Ban any IP trying it as it's
    part of a larger botnet, I'd say.
    just remember that IPs change and perma-blocking an IP may cost you users in the future... that's why my solution uses configurable time periods for the blocks to be removed if the IP hasn't violated further... if it has, the period is extended until they stop and the period decays naturally ;)

    Very good point. Especially since these things are 99.99% sure to come from a botnet these days. It could be a potential user's computer, they could clean it at some point in the future, and you could ban someone that might otherwise end up on your system, as well.

    ---
    þ Synchronet þ Tinfoil Tetrahedron BBS telnet://tinfoil.synchro.net
  • From thumper@VERT/THEWASTE to Khelair on Friday, December 12, 2014 10:46:47
    Re: Latest Hacks
    By: thumper to All on Wed Dec 10 2014 05:53:21

    [27.192.69.233]
    12/10 05:48:57 term Node 1 Unknown User 'Root'
    12/10 05:49:26 term Node 1 Unknown User 'Sh'
    12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
    12/10 05:50:04 term Node 1 disconnected
    12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected

    That one's a router exploit attempt. Ban any IP trying it as it's
    part of a larger botnet, I'd say.

    ---
    þ Synchronet þ Tinfoil Tetrahedron BBS telnet://tinfoil.synchro.net

    That is what happened to me after my ISP changed my router. There was a vulnerability, and mine and nine other people were used in an Amplification attack on one of our Military Bases. They've since corrected the problem, but it was a major hassle for a while.....



    -=Thumper=-
    --SysOp--
    The Wastelands BBS

    ---
    þ Synchronet þ -=The Wastelands BBS=- -=wastelands-bbs.net=-
  • From mark lewis@VERT to thumper on Friday, December 12, 2014 17:39:54
    On Fri, 12 Dec 2014, thumper wrote to Khelair:

    That is what happened to me after my ISP changed my router. There
    was a vulnerability, and mine and nine other people were used in an Amplification attack on one of our Military Bases. They've since
    corrected the problem, but it was a major hassle for a while.....

    and the thing about amplification attacks is that there's little you can do other than denying access to the service being used to perform the amplification (eg: dns)... you can't block the originating IP because it is spoofed to appear as the IP of the actual target system...

    )\/(ark


    * Origin: (1:3634/12)

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Warchilin66@VERT to thumper on Friday, December 19, 2014 00:47:17
    Here's my latest fun from the bots or hackers? Any idea what they're
    trying?


    12/10 05:48:20 term 0028 Hostname: <no name>
    12/10 05:48:20 term Node 1 attached to local interface 192.168.200.103 port 23
    12/10 05:48:20 term Node 1 05:48a Wed Dec 10 2014 Node 1
    12/10 05:48:20 term Node 1 Telnet <no name> [27.192.69.233]
    12/10 05:48:57 term Node 1 Unknown User 'Root'
    12/10 05:49:26 term Node 1 Unknown User 'Sh'
    12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
    12/10 05:50:04 term Node 1 disconnected
    12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected




    -=Thumper=-
    --SysOp--
    The Wastelands BBS

    I have been seeing the same thing for about a month now.

    Jim

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Mro@VERT/BBSESINF to Warchilin66 on Friday, December 19, 2014 23:02:08
    Re: Re: Latest Hacks
    By: Warchilin66 to thumper on Fri Dec 19 2014 12:47 am

    12/10 05:49:26 term Node 1 Unknown User 'Sh'
    12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
    12/10 05:50:04 term Node 1 disconnected
    12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected

    I have been seeing the same thing for about a month now.


    it's called being on the internet
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::