• Telnet attacks - what I use

    From John Riley@21:1/159 to All on Wednesday, November 02, 2016 15:21:00
    Hi everyone, seen the issue of telnet attacks mentioned a number of times.

    I use pfsense firewall at home. Easy to install and configure. And with the pfBlockerNG package installed, turned on with a bunch of the normal countries blocked, my attacks have gone down by at least 98%.

    Adding additional blocking lists (i.e. Spamhaus) reduced it once again. It's on my list of things to do to try to figure out how to incorporate the badip.txt automatically, but for now the "out of the box" configuration has drastically helped. No need to change from port 23 now.

    Just an FYI
    Cheers
    J

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: The Gatehouse BBS (bbs.digitaglatehouse.com) (21:1/159)
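    As an added example, not John's setup and not code from pfSense, pfBlockerNG or Mystic, the Python below does the "incorporate the badip.txt automatically" step: it merges a Mystic-style badip.txt with an extra feed into one deduplicated, collapsed set of CIDRs and renders it as a pf table plus a port-23 block rule. It assumes badip.txt is one IPv4 address or CIDR per line with `#` or `;` comments (the real format is not shown in the thread); the two sample lists, the table name `bbs_block` and the rule text are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample in the format this example ASSUMES for badip.txt:
# one IPv4 address or CIDR per line, blank lines and '#'/';' comments ignored.
SAMPLE_BADIP = """\
# constructed sample, not a real Mystic badip.txt
203.0.113.7
203.0.113.8
198.51.100.0/24
not-an-address      ; malformed entry: must be skipped, not abort the build
203.0.113.7         ; duplicate entry
"""

# Second constructed list, standing in for an extra feed such as a Spamhaus-style drop list.
SAMPLE_EXTRA = """\
198.51.100.128/25   ; already inside the /24 above, collapses away
192.0.2.0/25
192.0.2.128/25      ; adjacent halves collapse into 192.0.2.0/24
"""


def parse_blocklist(text: str) -> List[ipaddress._BaseNetwork]:
    """Parse one list. Malformed lines are skipped so a single bad line cannot empty the table."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a host address like 203.0.113.7 become a /32
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # not an address or CIDR: skip it
    return nets


def merge_blocklists(*texts: str) -> List[str]:
    """Union of all lists, collapsed to the minimal CIDR set, per address family."""
    nets = [n for t in texts for n in parse_blocklist(t)]
    merged: List[str] = []
    for version in (4, 6):  # collapse_addresses refuses mixed families
        same = [n for n in nets if n.version == version]
        merged.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return merged


def is_blocked(ip: str, cidrs: Iterable[str]) -> bool:
    """Check a connecting address against the merged table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def render_pf_table(cidrs: Iterable[str], name: str = "bbs_block") -> str:
    """Emit a pf table and a rule that drops telnet (port 23) from table members."""
    table = f"table <{name}> persist " + "{ " + ", ".join(cidrs) + " }"
    rule = f"block in quick proto tcp from <{name}> to any port 23"
    return table + "\n" + rule


if __name__ == "__main__":
    merged = merge_blocklists(SAMPLE_BADIP, SAMPLE_EXTRA)
    print(render_pf_table(merged))
    print("192.0.2.200 blocked:", is_blocked("192.0.2.200", merged))
```

    On pfSense itself pfBlockerNG manages aliases and tables for you; the hand-rolled pf output here is only to show what the merged list turns into. Skipping malformed lines rather than aborting matters operationally: a blocklist job that fails on one bad line can silently leave the table empty.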
  • From dream master@21:1/163 to John Riley on Wednesday, November 02, 2016 15:44:00
    On 11/02/16, John Riley said the following...
    Hi everyone, seen the issue of telnet attacks mentioned a number of times.
    I use pfsense firewall at home. Easy to install and configure. And
    with the pfBlockerNG package installed, turned on with a bunch of the normal countries blocked, my attacks have gone down by at least 98%.

    Adding additional blocking lists (ie: Spamhaus) reduced it once again. It's on my list of things to do to try to figure out how to incorporate the badip.txt automatically, but for now the "out of the box" configuration has drastically helped. No need to change from port 23 now.

    Just disable ASCII logins and you won't see them, and they will get blocked via mis.

    .úù Dream Master ùú.
    DoRE!ACiDiC!Demonic [dreamland.darktech.org]

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: --[!dreamland BBS dreamland.darktech.org (21:1/163)
  • From Avon@21:1/101 to John Riley on Thursday, November 03, 2016 12:30:00
    On 11/02/16, John Riley pondered and said...

    Hi everyone, seen the issue of telnet attacks mentioned a number of times.

    I use pfsense firewall at home. Easy to install and configure. And

    Thanks for this :)

    I went looking to see if I could run it on my Pi but it looks like that's a no go :(

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From bcw142@21:1/145 to John Riley on Thursday, November 03, 2016 10:50:00
    On 11/02/16, John Riley said the following...
    I use pfsense firewall at home. Easy to install and configure. And
    with the pfBlockerNG package installed, turned on with a bunch of the normal countries blocked, my attacks have gone down by at least 98%.

    Took a quick look after finding a browser that would work there. It shows AMD and 32-bit x86 installs only. Most of us are on Linux/Pi, including me, so it can't be used.

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)
  • From John Riley@21:1/159 to dream master on Friday, November 04, 2016 15:43:00
    Just disable ASCII logins and you won't see them, and they will get blocked via mis.

    Yes, but I'm trying to block even before they come in and use up a session :) Cheers
    J

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: The Gatehouse BBS (bbs.digitaglatehouse.com) (21:1/159)
  • From John Riley@21:1/159 to Avon on Friday, November 04, 2016 15:44:00
    I went looking to see if I could run it on my Pi but it looks like that's a no go :(

    No, unfortunately. And I'd strongly recommend Intel NICs as well.
    J

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: The Gatehouse BBS (bbs.digitaglatehouse.com) (21:1/159)
  • From John Riley@21:1/159 to bcw142 on Friday, November 04, 2016 15:47:00
    shows AMD and 32-bit x86 installs only. Most of us are on Linux/Pi, including me, so it can't be used.

    So am I. I have it as a separate box/firewall for the house.
    J

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: The Gatehouse BBS (bbs.digitaglatehouse.com) (21:1/159)
  • From Avon@21:1/101 to John Riley on Saturday, November 05, 2016 09:41:00

    On 11/04/16, John Riley pondered and said...

    No, unfortunately. And I'd strongly recommend Intel NICs as well.

    Why is that John, are they just more robust etc.?

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Gregory Deyss@21:1/127 to Avon on Friday, November 04, 2016 17:59:00
    The system was brought down by an attack this morning via a worm, PDM:Worm.win32. Kaspersky Total Security detected these and cleaned the files, and they were in quarantine; still, I felt it best to restore the entire system from the backup on the thumb drive. The worm attempted to delete several key files (mis.exe, nodespy.exe). Luckily I am back and running. Something has to be done to stop these attacks, once and for all; they are getting tiring. But I guess that is one of the reasons why a backup is recommended.

    _ _
    {° Greg {°

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Capital Station BBS (21:1/127)
  • From Avon@21:1/101 to Gregory Deyss on Saturday, November 05, 2016 11:21:00
    On 11/04/16, Gregory Deyss pondered and said...

    The system was brought down by an attack this morning via a worm, PDM:Worm.win32. Kaspersky Total Security detected these and cleaned the files, and they were in quarantine; still, I felt it best to restore the entire system from the backup on the thumb drive. The worm attempted to delete several key files (mis.exe, nodespy.exe). Luckily I am back and running. Something has to be done to stop these attacks, once and for all; they are getting tiring. But I guess that is one of the reasons why a backup is recommended.


    Wow, not good. Apologies too I see I need to reply to another message from you.. will do so shortly.

    Best, Paul.

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Gregory Deyss@21:1/127 to Avon on Saturday, November 05, 2016 05:59:00
    On 11/05/16, Avon said the following...

    On 11/04/16, Gregory Deyss pondered and said...

    The system was brought down by an attack this morning via a worm, PDM:Worm.win32. Kaspersky Total Security detected these and cleaned the files, and they were in quarantine; still, I felt it best to restore the entire system from the backup on the thumb drive. The worm attempted to delete several key files (mis.exe, nodespy.exe). Luckily I am back and running. Something has to be done to stop these attacks, once and for all; they are getting tiring. But I guess that is one of the reasons why a backup is recommended.


    Wow, not good. Apologies too I see I need to reply to another message
    from you.. will do so shortly.

    Best, Paul.
    It happened again this morning as well (very early in the morning hours): mystic.exe, mis.exe and nodespy.exe all deleted.
    I followed the same process to restore these files as I did before, followed by a full scan with Kaspersky.
    Apparently there were no other files missing or damaged.

    I have used bad country and modified it to include all countries, except your country of New Zealand and a few other countries.
    All Asian countries will remain banned.

    Still, some think they are slick, coming through IP addresses which are not listed in the bad country.txt, such as the IP 1.34.70.132. I think some also mask their IP or even show an IP address which is phony altogether.

    _ _
    {° Greg {°

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Capital Station BBS (21:1/127)
  • From Avon@21:1/101 to Gregory Deyss on Sunday, November 06, 2016 07:15:00
    On 11/05/16, Gregory Deyss pondered and said...

    On 11/05/16, Avon said the following...

    On 11/04/16, Gregory Deyss pondered and said...

    The system was brought down by an attack this morning via a worm, PDM:Worm.win32. Kaspersky Total Security detected these, cleaned

    It happened again this morning as well (very early in the morning hours): mystic.exe, mis.exe and nodespy.exe all deleted.
    I followed the same process to restore these files as I did before, followed by a full scan with Kaspersky.
    Apparently there were no other files missing or damaged.

    So was it reporting the same worm or something new this time?

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Gregory Deyss@21:1/127 to Avon on Sunday, November 06, 2016 00:41:00
    On 11/06/16, Avon said the following...

    On 11/05/16, Gregory Deyss pondered and said...

    On 11/05/16, Avon said the following...

    On 11/04/16, Gregory Deyss pondered and said...

    The system was brought down by an attack this morning via a worm, PDM:Worm.win32. Kaspersky Total Security detected these, cleaned

    It happened again this morning as well (very early in the morning hours): mystic.exe, mis.exe and nodespy.exe all deleted.
    I followed the same process to restore these files as I did before, followed by a full scan with Kaspersky.
    Apparently there were no other files missing or damaged.

    So was it reporting the same worm or something new this time?
    Same attack two nights in a row, with the same worm. On occasion (it is rare) I see my Mystic configuration menu open; nothing changed within, but it's kinda scary. I wish there was a better way to block people trying to connect here. It is no surprise; I see what they are trying to do by trying to connect here, or by trying to connect here running some kind of script (shell), so I updated my Kaspersky to Total Security 2017 and we will see what happens in the morning.

    _ _
    {° Greg {°

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Capital Station BBS (21:1/127)
  • From andrew@21:1/140 to Gregory Deyss on Sunday, November 06, 2016 14:58:00


    On Nov 6th 2:43 pm Gregory Deyss said...
    Same attack 2 nights in a row, with the same worm, on occasion it is rare

    Is it possible that the antivirus detected mystic as a worm as a false positive
    and quarantined the files (so they were deleted from where they should be)?

    Andrew

    --- ENiGMA 1/2 v0.0.1-alpha (sunos; x64; 4.6.0)
    * Origin: Underland - andrew.homeunix.org:2023 (21:1/140)
  • From Avon@21:1/101 to andrew on Sunday, November 06, 2016 19:22:00
    On 11/06/16, andrew pondered and said...

    Is it possible that the antivirus detected mystic as a worm as a false positive and quarantined the files (so they were deleted from where they should be)?

    I was wondering that also...

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Gregory Deyss@21:1/127 to andrew on Sunday, November 06, 2016 09:02:00
    On 11/06/16, andrew said the following...

    On Nov 6th 2:43 pm Gregory Deyss said...
    Same attack 2 nights in a row, with the same worm, on occasion it is

    Is it possible that the antivirus detected mystic as a worm as a false positive and quarantined the files (so they were deleted from where they should be)?
    I don't want you to misunderstand, I am not blaming Mystic at all, just wondering how the worm got in in the first place.
    I am concerned that there are individuals who care not and do not appreciate what it is that I am providing here by running a BBS.
    They see an open port and attack it; their actions and motivations are anything but good.

    _ _
    {° Greg {°

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Capital Station BBS (21:1/127)
  • From andrew@21:1/140 to Gregory Deyss on Monday, November 07, 2016 08:21:00


    On Nov 7th 12:05 am Gregory Deyss said...
    I don't want you to misunderstand, I am not blaming Mystic at all, just wondering how the worm got in the first place.

    I mean, perhaps there was no worm, but the antivirus thought mystic was a worm, so it deleted it.

    Sometimes anti-virus software is a little... overzealous.

    I've had antivirus delete all sorts of things in the past.

    Andrew

    --- ENiGMA 1/2 v0.0.1-alpha (sunos; x64; 4.6.0)
    * Origin: Underland - andrew.homeunix.org:2023 (21:1/140)
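    Andrew's hypothesis (the antivirus quarantined Mystic's own files, rather than a worm deleting them) can be tested instead of guessed at. As an added example, not code from the thread, from Mystic or from Kaspersky, the Python below records SHA-256 hashes of the key files named in the thread while the install is known good and later classifies each file as ok, missing or modified. A file that is simply missing is consistent with a quarantine, which the antivirus's own quarantine list would then confirm; a file that is present but modified points to tampering instead. The demo() function works in a scratch directory with constructed file contents.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# File names as given in the thread; the contents used below are constructed stand-ins.
KEY_FILES = ["mystic.exe", "mis.exe", "nodespy.exe"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, names: Iterable[str] = KEY_FILES) -> Dict[str, str]:
    """Record the hash of each key file while the install is known good."""
    return {n: sha256_of(root / n) for n in names if (root / n).is_file()}


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    """Persist the baseline; keep this copy somewhere the BBS host cannot overwrite it."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Classify each recorded file as 'ok', 'missing' (consistent with AV quarantine) or 'modified'."""
    report: Dict[str, str] = {}
    for name, expected in manifest.items():
        p = root / name
        if not p.is_file():
            report[name] = "missing"
        elif sha256_of(p) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo() -> Dict[str, str]:
    """Baseline a scratch install, then simulate one deletion and one tampered file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for n in KEY_FILES:
            (root / n).write_bytes(b"constructed stand-in for " + n.encode())
        save_manifest(build_manifest(root), root / "baseline.json")
        (root / "mis.exe").unlink()                       # the symptom reported in the thread
        (root / "nodespy.exe").write_bytes(b"tampered")   # what a real infection might look like
        return verify_manifest(root, load_manifest(root / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Run build_manifest once against a clean restore from the thumb drive and keep the JSON off the BBS box; after the next "deletion", verify_manifest tells you which of Andrew's two explanations fits before you reach for the backup.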
  • From Vk3jed@21:1/109 to andrew on Monday, November 07, 2016 09:47:00
    andrew wrote to Gregory Deyss <=-

    I mean, perhaps there was no worm, but the antivirus thought mystic was a worm, so it deleted it.

    Sometimes anti-virus software is a little... overzealous.

    I've had antivirus delete all sorts of things in the past.

    That sounds more feasible. To me, the odds of a worm targeting Mystic are very low. Why would someone bother? There are not that many Mystic BBSs out there, compared to softer and more numerous targets that would be more useful to an attacker.

    Sometimes the cure is worse than the disease. I find a lot of antivirus software falls into that category.


    ... Useless Invention: Particle board tent stakes.
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Gregory Deyss@21:1/127 to Vk3jed on Thursday, November 10, 2016 20:10:00

    That sounds more feasible. To me, the odds of a worm targeting Mystic are very low. Why would someone bother?
    These people have been busy hitting this open port 23; so far in this session of Mystic, which has been running continuously, it has blocked 6394 and refused 2381.

    _ _
    {° Greg {°

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Capital Station BBS (21:1/127)
  • From Richard Menedetter@21:1/104 to Gregory Deyss on Monday, November 14, 2016 11:01:00
    Hi Gregory!

    10 Nov 2016 20:10, from Gregory Deyss -> Vk3jed:

    That sounds more feasible. To me, the odds of a worm targeting Mystic are very low. Why would someone bother?
    These people have been busy hitting this open port 23; so far in this session of Mystic, which has been running continuously, it has blocked 6394 and refused 2381.

    That is less than 10k.
    That is basically nothing (assuming the timeframe is longer than 3 hours).

    I had a script kiddy trying to log in to my Asterisk with these accounts, 0000 - 9999 and everything in between; he was "ready" in much less than 1 hour.

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: A photographic memory with the lens cover glued on (21:1/104)
  • From Gregory Deyss@21:1/127 to Richard Menedetter on Wednesday, November 16, 2016 09:59:00

    On 11/14/16, Richard Menedetter said the following...

    Hi Gregory!

    10 Nov 2016 20:10, from Gregory Deyss -> Vk3jed:

    That sounds more feasible. To me, the odds of a worm targeting Mystic are very low. Why would someone bother?
    Why do hackers create viruses and malware?

    I had a script kiddy trying to log in to my Asterisk with these accounts, 0000 - 9999 and everything in between; he was "ready" in much less than 1 hour.
    These are all 'scripts', I guess. It is just something that has to be allowed to be attempted; the whole reason why I run a BBS via telnet is for the users to enjoy and interact with one another via messaging, or read about their favorite pastimes or interests.

    _ _
    {° Greg {°

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Capital Station BBS (21:1/127)
  • From Richard Menedetter@21:1/104 to Gregory Deyss on Thursday, November 17, 2016 13:47:00
    Hi Gregory!

    16 Nov 2016 09:59, from Gregory Deyss -> Richard Menedetter:

    That sounds more feasible. To me, the odds of a worm targeting Mystic are very low. Why would someone bother?
    Why do hackers create viruses and malware?

    In the old times usually for fame.
    In recent times to create botnets (and to gain money from that through e.g. click fraud).

    For both cases Mystic is a very bad target.
    There is only a minimal installed base, and targeting anything else will be much more lucrative for them.

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: Bits, nibbles, bytes ... great hobby for a dieter (21:1/104)