echo: bbbs.english
to: SHAWN HIGHFIELD
from: MARK LEWIS
date: 2016-10-06 09:58:00
subject: Another Interesting Error

06 Oct 16 10:10, you wrote to Janis Kracht:

 JK>> I switched back to net2bbs on my ezycom box, and for the most part it
 JK>> Last night when even iptables failed for the telnet port (some
 JK>> weirdness there because it works on the http port), I switched to a
 JK>> different telnet port.. I've probably got maybe a week before the
 JK>> 'sniffers' find it .

 SH> I took a beating last night. ;)  They are able to bring the whole
 SH> thing down to a halt after they hammer it about a million times in a
 SH> minute. hahaha

i'm just not seeing that kind of traffic over here...

 SH> I'm just glad we use binkp to transfer mail... If people were still
 SH> using mailer over telnet we'd all be in a pickle. ;)

them beating on my FrontDoor mailer is exactly how i started tracking them back
in june or july... that was when i wrote my first IDS/IPS rules to try catching
and blocking them... i was seeing their character strings in FD's DFRS (Data
From Ring Signal aka CallerID) logging on the WFC screen... it was early august
when i posted to the "emerging threats" mailing list with the rule inquiring
about possible better and more efficient ways to go... they published my rules
after testing them in their honeypots... one was adjusted and the others
accepted as is... since then, i've gone a bit of another way but still retain
the base detection technique...

the only ones i haven't been able to fire an alert on are those that do not
emit any character strings when they connect... i'm not sure they are the same
but they may be... i need to spend a "bit" more time analysing the telnet
data they are sending but i don't think there's anything going on there...
binary protocol analysis can be rather tedious, if you know what i mean ;)

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it
wrong...
... Sneaker Net - walk floppies between 2 computers.
---
* Origin: (1:3634/12.73)
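Added example, not code from the message above and not the rules Mark Lewis sent to the Emerging Threats list: a small Python detector run over a constructed connection log. It shows the detection technique the post describes (a content rule that fires when a probe emits a known character string after connecting) and goes one step beyond the post to illustrate the gap it mentions: a probe that sends nothing cannot be matched on content, so a per-source connection-rate rule is run alongside it, and the example reports which silent sources neither rule reached. The log format, the signature strings, the addresses and the thresholds are all assumptions made for this example.

```python
"""Two-stage telnet-probe detector over a constructed connection log.

Added example, not code from the original message or from the rules the
author submitted to the Emerging Threats list.  Stage 1 is a content
signature match (the technique in the post); stage 2 is a per-source
connection-rate check that also covers probes sending no bytes at all.
The log format, signature strings, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical signatures: byte strings a probe might emit after connecting.
# Invented for this example, not the strings observed in the post.
SIGNATURES = {
    "probe-enable": b"enable\r\n",
    "probe-shell": b"shell\r\n",
}

# Constructed log, one connection per line:
#   "<date> <time> <source ip> <hex of first bytes sent, or - if none>"
SAMPLE_LOG = """\
2016-10-05 23:01:00 203.0.113.5 fffb1ffffb20fffb18fffb27
2016-10-05 23:01:02 198.51.100.7 656e61626c650d0a
2016-10-05 23:01:03 198.51.100.7 7368656c6c0d0a
2016-10-05 23:01:10 192.0.2.9 -
2016-10-05 23:01:11 192.0.2.9 -
2016-10-05 23:01:11 192.0.2.9 -
2016-10-05 23:01:12 192.0.2.9 -
2016-10-05 23:01:12 192.0.2.9 -
2016-10-05 23:01:13 192.0.2.9 -
2016-10-05 23:02:30 192.0.2.9 -
2016-10-05 23:05:00 203.0.113.44 -
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, payload bytes); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        payload = b"" if m.group(3) == "-" else bytes.fromhex(m.group(3))
        events.append((ts, m.group(2), payload))
    return events


def content_alerts(events, signatures=SIGNATURES):
    """Signature stage: one alert per event whose payload contains a known string."""
    alerts = []
    for ts, ip, payload in events:
        for name, sig in signatures.items():
            if sig in payload:
                alerts.append((ts, ip, name))
    return alerts


def rate_alerts(events, threshold=5, window=timedelta(seconds=10)):
    """Rate stage: IPs opening at least `threshold` connections within `window`.

    Keeps a sliding window of timestamps per source.  It never looks at the
    payload, so it also catches probes that connect and send nothing.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _ in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def silent_sources(events):
    """IPs that connected and sent no bytes: invisible to any content rule."""
    return {ip for _, ip, payload in events if payload == b""}


def detect(text):
    """Run both stages and report what each caught and what slipped through."""
    events = parse_log(text)
    content_ips = {ip for _, ip, _ in content_alerts(events)}
    rate_ips = rate_alerts(events)
    return {
        "content_ips": content_ips,
        "rate_ips": rate_ips,
        # silent sources that neither the content nor the rate rule reached
        "uncaught": silent_sources(events) - rate_ips - content_ips,
    }


if __name__ == "__main__":
    for key, ips in detect(SAMPLE_LOG).items():
        print(key, sorted(ips))
```

On the constructed log the content rule flags only the source that sent a signature string, the rate rule flags the source that hammered the port six times in three seconds without sending a byte, and the single silent connection from the last address is reported as uncaught, which is exactly the case a content-only rule cannot help with.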

SOURCE: echomail via QWK@docsplace.org
