Here's my latest fun from the bots or hackers? Any idea what they're trying?
12/10 05:48:20 term 0028 Hostname: <no name>
12/10 05:48:20 term Node 1 attached to local interface 192.168.200.103 port 23
12/10 05:48:20 term Node 1 05:48a Wed Dec 10 2014 Node 1
12/10 05:48:20 term Node 1 Telnet <no name> [27.192.69.233]
12/10 05:48:57 term Node 1 Unknown User 'Root'
12/10 05:49:26 term Node 1 Unknown User 'Sh'
12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
12/10 05:50:04 term Node 1 disconnected
12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected
create a rule for your IDS (Intrusion Detection System) that looks for "/bin/busybox;echo -E" inbound over your telnet port in response to your system's login user name request... your rule should cause your IDS to raise an alert which can then be acted upon by dropping the connection and maybe even blocking that IP for some amount of time ;)
Sorry for butting in here, but I was wondering, what IDS have you
tried?
I kind of lost my knack with OSSEC between versions 2.6 and 2.7 and
still haven't learned the new syntax.
Wondering if there isn't something for *NIX a little easier to set
up and configure since I'm so crushed on time lately.
12/10 05:49:26 term Node 1 Unknown User 'Sh'
12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
12/10 05:50:04 term Node 1 disconnected
12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected
That one's a router exploit attempt. Ban any IP trying it as it's
part of a larger botnet, I'd say.
just remember that IPs change and perma-blocking an IP may cost you users in the future... that's why my solution uses configurable time periods for the blocks to be removed if the IP hasn't violated further... if it has, the period is extended until they stop and the period decays naturally ;)
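The approach suggested in the replies above (alert on "/bin/busybox;echo -E" arriving as a login name, then block the source for a period that grows on repeat offences and lapses once the source goes quiet), as an added example that is not from any poster in this thread. The log format follows the lines quoted in the thread; the function names, the 15-minute base period, the 24-hour reset and the year default are assumptions, and the actual firewall action is left to whatever the system uses.

```python
import re
from datetime import datetime, timedelta

# First five lines are from the thread; the rest are constructed for the example.
SAMPLE_LOG = """\
12/10 05:48:20 term Node 1 Telnet <no name> [27.192.69.233]
12/10 05:48:57 term Node 1 Unknown User 'Root'
12/10 05:49:26 term Node 1 Unknown User 'Sh'
12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\\14'
12/10 05:50:04 term Node 1 disconnected
12/10 06:10:00 term Node 2 Telnet <no name> [192.0.2.7]
12/10 06:10:30 term Node 2 Unknown User 'Bob'
12/10 06:20:00 term Node 1 Telnet <no name> [27.192.69.233]
12/10 06:20:05 term Node 1 Unknown User '/bin/busybox;echo -E '\\14'
"""

SIGNATURE = "/bin/busybox;echo -E"      # string named in the thread
BASE_BAN = timedelta(minutes=15)        # assumed first-offence block length
FORGET_AFTER = timedelta(hours=24)      # assumed quiet time before strikes reset
LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) term Node (\d+) (.*)$")
CONNECT = re.compile(r"^Telnet .*\[(\d{1,3}(?:\.\d{1,3}){3})\]$")

def scan(log_text, year=2014):
    """Return {ip: (strikes, ban_expiry)}; the log has no year, so it is passed in."""
    node_ip, bans = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year}/{m[1]}", "%Y/%m/%d %H:%M:%S")
        node, rest = m[2], m[3]
        conn = CONNECT.match(rest)
        if conn:
            node_ip[node] = conn[1]      # remember which address holds this node
        elif rest == "disconnected":
            node_ip.pop(node, None)
        elif rest.startswith("Unknown User ") and SIGNATURE in rest:
            ip = node_ip.get(node)
            if ip is None:
                continue                 # no connect line seen, cannot attribute
            strikes, expiry = bans.get(ip, (0, when))
            if when - expiry > FORGET_AFTER:
                strikes = 0              # earlier offence has decayed
            strikes += 1
            bans[ip] = (strikes, when + BASE_BAN * strikes)
    return bans

def is_blocked(bans, ip, now):
    """True while the address still has an unexpired block."""
    return ip in bans and now < bans[ip][1]
```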
Re: Latest Hacks
By: thumper to All on Wed Dec 10 2014 05:53:21
[27.192.69.233]
12/10 05:48:57 term Node 1 Unknown User 'Root'
12/10 05:49:26 term Node 1 Unknown User 'Sh'
12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
12/10 05:50:04 term Node 1 disconnected
12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected
That one's a router exploit attempt. Ban any IP trying it as it's
part of a larger botnet, I'd say.
---
■ Synchronet ■ Tinfoil Tetrahedron BBS telnet://tinfoil.synchro.net
That is what happened to me after my ISP changed my router. There
was a vulnerability, and mine and nine other people were used in an Amplification attack on one of our Military Bases. They've since
corrected the problem, but it was a major hassle for a while.....
Here's my latest fun from the bots or hackers? Any idea what they're
trying?
12/10 05:48:20 term 0028 Hostname: <no name>
12/10 05:48:20 term Node 1 attached to local interface 192.168.200.103 port 23
12/10 05:48:20 term Node 1 05:48a Wed Dec 10 2014 Node 1
12/10 05:48:20 term Node 1 Telnet <no name> [27.192.69.233]
12/10 05:48:57 term Node 1 Unknown User 'Root'
12/10 05:49:26 term Node 1 Unknown User 'Sh'
12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
12/10 05:50:04 term Node 1 disconnected
12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected
-=Thumper=-
--SysOp--
The Wastelands BBS
12/10 05:49:26 term Node 1 Unknown User 'Sh'
12/10 05:49:31 term Node 1 Unknown User '/bin/busybox;echo -E '\14'
12/10 05:50:04 term Node 1 disconnected
12/10 05:50:05 term Node 1 !JavaScript warning /sbbs/exec/login.js line 20: Disconnected
I have been seeing the same thing for about a month now.