06 Oct 16 10:10, you wrote to Janis Kracht:   
      
    JK>> I switched back to net2bbs on my ezycom box, and for the most part it   
    JK>> Last night when even iptables failed for the telnet port (some   
    JK>> weirdness there because it works on the http port), I switched to a   
    JK>> different telnet port.. I've probably got maybe a week before the   
    JK>> 'sniffers' find it .   
      
    SH> I took a beating last night. ;) They are able to bring the whole   
    SH> thing down to a halt after they hammer it about a million times in a   
    SH> minute. hahaha   
      
   i'm just not seeing that kind of traffic over here...   
      
    SH> I'm just glad we use binkp to transfer mail... If people were still   
    SH> using mailer over telnet we'd all be in a pickle. ;)   
      
   them beating on my FrontDoor mailer is exactly how i started tracking them   
   back in june or july... that was when i wrote my first IDS/IPS rules to try   
   catching and blocking them... i was seeing their character strings in FD's   
   DFRS (Data From Ring Signal aka CallerID) logging on the WFC screen... it was   
   early august when i posted to the "emerging threats" mailing list with the   
   rule inquiring about possible better and more efficient ways to go... they   
   published my rules after testing them in their honeypots... one was adjusted   
   and the others accepted as is... since then, i've gone a bit of another way   
   but still retain the base detection technique...   
      
   the only ones i haven't been able to fire an alert on are those that do not   
   emit any character strings when they connect... i'm not sure they are the same   
   but they may be... i need to spend a "bit" more time analysing the telnet   
   data they are sending but i don't think there's anything going on there...   
   binary protocol analysis can be rather tedious, if you know what i mean ;)   
      
   )\/(ark   
      
   Always Mount a Scratch Monkey   
   Do you manage your own servers? If you are not running an IDS/IPS yer doin' it   
   wrong...   
   ... Sneaker Net - walk floppies between 2 computers.   
   ---   
    * Origin: (1:3634/12.73)   
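An added illustration of the detection idea described in the message above (example code written for this page; it is not the author's rules and not the Emerging Threats rules the message refers to): the first bytes a client sends on the telnet port are checked against content strings the way a Snort/Suricata `content:` match would, after the telnet IAC option-negotiation bytes (RFC 854) are stripped so the rule sees only what the scanner "typed". For the case the message says string rules cannot catch, clients that send nothing at all, a rate rule over silent connects from one source is added here as one possible approach; the message does not describe it. The signature strings, thresholds and connection records are all constructed for the example.

```python
"""Telnet-port scanner detection over constructed connection records.

Added example (not the author's rules): a content match over the first bytes
a client sends, applied after telnet option negotiation is stripped, plus a
rate rule for clients that open many connections without sending anything.
"""
from collections import defaultdict, deque

# --- Telnet option negotiation (RFC 854) -----------------------------------
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_iac(payload: bytes) -> bytes:
    """Remove IAC negotiation sequences so content rules see only the data
    the client actually sent. IAC IAC is an escaped literal 0xFF and is kept."""
    out = bytearray()
    i, n = 0, len(payload)
    while i < n:
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:              # dangling IAC at end of buffer: drop it
            break
        cmd = payload[i + 1]
        if cmd == IAC:              # escaped 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                  # IAC <cmd> <option>
        elif cmd == SB:             # IAC SB ... IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:
            i += 2                  # two-byte command (NOP, GA, ...)
    return bytes(out)


# --- Content rules ----------------------------------------------------------
# Placeholder signatures chosen for this example; they are NOT the rules the
# message refers to. Each is a byte string a scanner is assumed to emit on
# connect, matched case-sensitively like a Snort/Suricata `content:` keyword.
CONTENT_RULES = {
    "TELNET-SCAN-ENABLE": b"enable\r\n",
    "TELNET-SCAN-SHELL": b"shell\r\n",
    "TELNET-SCAN-BUSYBOX": b"/bin/busybox",
}


def match_content_rules(payload: bytes) -> list:
    """Names of all content rules whose string occurs in the cleaned payload."""
    cleaned = strip_telnet_iac(payload)
    return [name for name, needle in CONTENT_RULES.items() if needle in cleaned]


# --- Rate rule for silent connects -----------------------------------------
def silent_connect_sources(records, window: float = 60.0, threshold: int = 5) -> set:
    """Sources that open at least `threshold` connections sending no data
    within any `window`-second span. `records` is an iterable of
    (t_seconds, src_ip, first_bytes), assumed sorted by time."""
    recent = defaultdict(deque)
    flagged = set()
    for t, src, data in records:
        if data:                    # only silent connects count here
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def run_detection(records) -> dict:
    """Return {src_ip: sorted list of alert names} for the given records."""
    alerts = defaultdict(set)
    for _t, src, data in records:
        for name in match_content_rules(data):
            alerts[src].add(name)
    for src in silent_connect_sources(records):
        alerts[src].add("TELNET-SILENT-CONNECT-FLOOD")
    return {src: sorted(names) for src, names in alerts.items()}


# Constructed sample records (made up for this example, not logs from the
# message): one scanner that negotiates options and then types commands, one
# that connects six times without sending a byte, one harmless HTTP probe.
SAMPLE = (
    [(0.0, "198.51.100.7", b"\xff\xfd\x01\xff\xfb\x18enable\r\nsystem\r\n")]
    + [(1.0 + i, "203.0.113.9", b"") for i in range(6)]
    + [(30.0, "192.0.2.44", b"\xff\xfb\x1fGET / HTTP/1.0\r\n")]
)

if __name__ == "__main__":
    for src, names in run_detection(SAMPLE).items():
        print(src, names)
```

The IAC stripping matters because a scanner that opens with `IAC DO ECHO`-style negotiation would otherwise put binary bytes in front of its command strings and a rule anchored at the start of the payload would miss it; the rate rule is deliberately kept separate from the content rules, since a threshold like five silent connects per minute is a site-specific choice and will need tuning against legitimate callers that drop before sending anything.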