03 Oct 16 15:10, you wrote to Janis Kracht:
If you've been 'locked out' of the telnet server and you need to use
it, let me know. I'll check your ip wasn't marked as 'bad'. I've
been trapping large numbers of nodes here who seem to just
log-on/log-off
I'm getting quite a few myself, probably part of a new Telnet "attack" which I am getting from dozens of different IP addresses weekly that try to
have you seen the links i shared earlier? i dropped them in several conferences
by cross posting a reply to janis...
login with the following sequence:
=== Snip ===
Unknown
ENABLE
SYSTEM
SHELL
=== Snip ===
actually, it is roughly two or three months old... the first portion (which you
left out) is a user name... your "unknown" is actually the password but not
that sequence of letters... they are transmitted normal-like with the CRLF after them... the rest of the string sequences you posted are each followed by a nul (0x00) character and then the CRLF... you're missing the last two parts, "sh" and a call to busybox with a command name which is the main tracking and detection signature...
I am blocking some with multiple hits, but I ignore the rest {chuckle}
the order of the above was different in the beginning... there is always the user name and password but one or the other may be empty (just a CRLF sequence)... it started as only three commands followed by the call to busybox with its command name... then it changed to four commands with "enable" being first as you show above...
)\/(ark
Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
... Correction does much, but encouragement does more.
---
* Origin: (1:3634/12.73)
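As an added example (not code from this thread or any of its participants), a small Python check a defender could run over a captured telnet client stream to flag the login sequence described above. The byte layout (credentials sent with a plain CRLF, each command followed by NUL then CRLF, then a "busybox <name>" line) follows the description in the message; the credential values and the busybox tag "XYZZY" are constructed placeholders, since the thread does not give the real tag.

```python
# Added example: flag a captured telnet client stream that matches the
# login-probe sequence described in the thread. Assumed layout: username
# CRLF, password CRLF (either may be empty), then each command followed by
# NUL then CRLF, ending with "busybox <name>" where <name> is the signature.
from typing import Optional

CRLF = b"\r\n"
FOUR_STEP = (b"enable", b"system", b"shell", b"sh")   # later variant
THREE_STEP = (b"system", b"shell", b"sh")             # original variant


def split_lines(stream: bytes) -> list:
    """Split on CRLF and record whether each line carried a trailing NUL."""
    lines = []
    for raw in stream.split(CRLF):
        had_nul = raw.endswith(b"\x00")
        lines.append((raw.rstrip(b"\x00"), had_nul))
    return lines[:-1] if stream.endswith(CRLF) else lines


def match_probe(stream: bytes) -> Optional[dict]:
    """Return details if the stream matches the probe, else None."""
    lines = split_lines(stream)
    if len(lines) < 2:
        return None
    (user, u_nul), (pw, p_nul) = lines[0], lines[1]
    if u_nul or p_nul:           # credentials are sent without the NUL
        return None
    rest = lines[2:]
    for variant in (FOUR_STEP, THREE_STEP):
        n = len(variant)
        if len(rest) < n + 1:
            continue
        cmds = rest[:n]
        if all(c == want and nul for (c, nul), want in zip(cmds, variant)):
            bb, bb_nul = rest[n]
            parts = bb.split(b" ")
            if bb_nul and parts[0] == b"busybox" and len(parts) == 2:
                return {"user": user, "password": pw,
                        "variant": "four" if n == 4 else "three",
                        "busybox_tag": parts[1]}
    return None


# Constructed sample capture; "XYZZY" stands in for whatever tag the
# scanner actually sends (the real value is not given in the thread).
SAMPLE = (b"admin" + CRLF + b"unknown" + CRLF
          + b"".join(c + b"\x00" + CRLF for c in FOUR_STEP)
          + b"busybox XYZZY\x00" + CRLF)
```

The returned busybox tag is the value to alert on or to feed an IDS rule, since it stays constant across the rotating source addresses the message mentions.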