• Possible hack attempt

    From Distorted@21:2/102 to All on Tuesday, March 14, 2017 14:03:00
    The last two days I am getting tons of these in my email on the BBS. It looks like all different email addresses. It would take me forever to add them all to the firewall. I thought MIS was supposed to automatically block certain IPs?

    What causes this mail to get generated?

    Distorted

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Cartel BBS * cartelbbs.keene.co:23 (21:2/102)
  • From Skuz@21:1/105 to Distorted on Tuesday, March 14, 2017 15:52:00

    Hello Distorted!

    14 Mar 17 14:03, you wrote to all:

    The last two days I am getting tons of these in my email on the BBS.
    It looks like all different email addresses. It would take me forever
    to add them all to the firewall. I thought MIS was supposed to automatically block certain IPs?

    You're correct, but it depends on what your Mystic -cfg Servers | Server setting options for Auto IP blocking are: # of connections and within how many seconds. Mine is set for 5 connections within 180 seconds. The log should show it is working:

    Mar 14 14:58:17 0 Connection from Spain
    Mar 14 14:58:17 0 Connect: 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:58:17 1 Creating telnet process
    Mar 14 14:58:20 0 Connection from Spain
    Mar 14 14:58:20 0 MULTI 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:58:20 0 Connection from Spain
    Mar 14 14:58:20 0 MULTI 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:58:21 1 Closing telnet process
    Mar 14 14:58:21 0 Connection from Spain
    Mar 14 14:58:21 0 Connect: 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:58:21 1 Creating telnet process
    Mar 14 14:58:53 0 Connection from Viet Nam
    Mar 14 14:58:53 0 BLOCKED 123.26.1.26 (localhost)
    Mar 14 14:58:53 0 Connection from Viet Nam
    Mar 14 14:58:53 0 BLOCKED 123.26.1.26 (localhost)
    Mar 14 14:58:54 0 Connection from Viet Nam
    Mar 14 14:58:54 0 BLOCKED 123.26.1.26 (localhost)
    Mar 14 14:58:57 1 Closing telnet process
    Mar 14 14:58:58 0 Connection from Viet Nam
    Mar 14 14:58:58 0 BLOCKED 123.26.1.26 (localhost)
    Mar 14 14:58:59 0 Connection from Viet Nam
    Mar 14 14:58:59 0 BLOCKED 123.26.1.26 (localhost)
    Mar 14 14:59:00 0 Connection from Viet Nam
    Mar 14 14:59:00 0 BLOCKED 123.26.1.26 (localhost)
    Mar 14 14:59:00 0 Connection from Spain
    Mar 14 14:59:00 0 Auto banning IP 84.121.83.39 <- <Notice> this guy in Spain
    Mar 14 14:59:00 0 BLOCKED 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:59:00 0 BLOCKED 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:59:01 0 BLOCKED 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:59:01 0 BLOCKED 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:59:01 0 BLOCKED 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:59:02 0 BLOCKED 84.121.83.39 (84.121.83.39.dyn.user.ono.com)
    Mar 14 14:59:02 0 BLOCKED 84.121.83.39 (84.121.83.39.dyn.user.ono.com)

    What causes this mail to get generated?

    Good question. It might be your POP3 server, if you have that enabled? I can't really say for sure because I've never used the POP3 server option.

    --- GoldED+/W32-MSVC 1.1.5-b20160201
    * Origin: flupH * fluph.darktech.org (21:1/105)
  • From Distorted@21:2/102 to Skuz on Tuesday, March 14, 2017 17:19:00
    Thanks. Mine was at 6 in 120 seconds. I bumped that down to 3 to have less tolerance for this.

    I'll check the logs. Is there a log level setting somewhere?

    Distorted

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Cartel BBS * cartelbbs.keene.co:23 (21:2/102)
  • From Distorted@21:2/102 to Skuz on Tuesday, March 14, 2017 17:19:00
    By the way, the pop server is disabled. It's pretty much Telnet and BinkP
    only.

    Distorted

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Cartel BBS * cartelbbs.keene.co:23 (21:2/102)
  • From Skuz@21:1/105 to Distorted on Tuesday, March 14, 2017 18:02:00

    Hello Distorted!

    14 Mar 17 17:19, you wrote to me:

    Thanks. Mine was at 6 in 120 seconds. I bumped that down to 3 to have
    less tolerance for this.
    I'll check the logs. Is there a log level setting somewhere?

    Yes, you'll find the log level in the mutil.ini stanza that tosses the mail.

    --- GoldED+/W32-MSVC 1.1.5-b20160201
    * Origin: flupH * fluph.darktech.org (21:1/105)
  • From Avon@21:1/101 to Distorted on Wednesday, March 15, 2017 13:01:00
    On 03/14/17, Distorted pondered and said...

    The last two days I am getting tons of these in my email on the BBS. It looks like all different email addresses. It would take me forever to
    add them all to the firewall. I thought MIS was supposed to
    automatically block certain IPs?

    What causes this mail to get generated?

    This occurs when a user logs in to the BBS incorrectly X number of times. X is defined as the max number of allowed attempts per login session. The system sends an email to the user concerned - is this what you are seeing?

    There is a template file that allows you to alter the contents of this message.

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Avon@21:1/101 to Skuz on Wednesday, March 15, 2017 13:02:00
    On 03/14/17, Skuz pondered and said...

    to add them all to the firewall. I thought MIS was supposed to automatically block certain IPs?

    Your correct, but it depends on what your Mystic -cfg Servers | Server setting options for Auto IP blocking = #of connections and within how
    many Seconds. Mine is set for 5 connections with 180 seconds. Log should show it is working

    This is all good advice but relates to the auto banning feature at a server level but does not (I think) relate to the emails Distorted is talking about.
    I may be wrong :)

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Avon@21:1/101 to Skuz on Wednesday, March 15, 2017 13:03:00
    On 03/14/17, Skuz pondered and said...

    I'll check the logs. Is there a log level setting somewhere?

    Yes, you'll find the log level in the mutil.ini stanza that tosses the mail.

    Logging for events, binkp and telnet is, I think, hard coded. The log level etc. settings in the opening stanza of mutil.ini relate to the functions that ini runs.

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Malthous@21:1/189 to Avon on Tuesday, March 14, 2017 16:48:00
    I too have been getting several of these. If it's the same message as below, you get them when someone tries to login with an incorrect password to your account. I'm working on a snort signature that will detect the failed password attempt and block the IP if it's triggered 2 or more times in a 1 minute interval.

    ---------------

    This is an automated E-mail sent to users when an unsuccessful attempt to login has occurred. This could have been your own error, or possibly someone attempting to access your account without your knowledge.

    Here is some information our system has logged from this attempt:

    Date: 03/13/17
    Time: 08:36p
    IP Address: 62.217.234.2
    Hostname: Unknown

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: KernelError Networks BBS (21:1/189)
  • From Distorted@21:2/102 to Avon on Wednesday, March 15, 2017 10:57:00
    Here's the exact text of one such email.

    ---
    This is an automated E-mail sent to users when an unsuccessful attempt to login has occurred. This could have been your own error, or possibly someone attempting to access your account without your knowledge.

    Here is some information our system has logged from this attempt:

    Date: 03/15/17
    Time: 12:21a
    IP Address: 113.190.6.46
    Hostname: dynamic.vdc.vn
    ---

    I should also point out that since this began, mis is crashing every night.
    So I'm not sure if they are penetrating the system, or just inadvertently exploiting a weakness in mis.

    I receive about 35 of these per day now. I used to receive 0.

    Distorted

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Cartel BBS * cartelbbs.keene.co:23 (21:2/102)
  • From Distorted@21:2/102 to Malthous on Wednesday, March 15, 2017 11:02:00
    I too have been getting several of these. If it's the same message as
    below you get them when someone tries to login with an incorrect
    password to your account. I'm working on a snort signature that will detect the failed password attempt and block the IP if it's triggered 2 or more times in a 1 minute interval.

    If it's easy to install in Linux, I would be interested in this script when you're done.

    Distorted

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Cartel BBS * cartelbbs.keene.co:23 (21:2/102)
  • From Malthous@21:1/189 to Distorted on Wednesday, March 15, 2017 16:27:00
    If it's easy to install in Linux, I would be interested in this script when you're done.


    It's not really a script. I run a program on my firewall that is an IDS (Intrusion Detection System); it looks at all the packets coming into and out of the network and inspects them for certain strings etc. When it matches a defined signature it intercepts and blocks the connection. On a side note, I have started seeing a lot of incoming connects trying to connect to Mirai and BusyBox, a Linux IoT botnet. All of which get dropped by the IDS. The internet is a dirty place.

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: KernelError Networks BBS (21:1/189)
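Malthous's plan (block an IP that fails a login 2 or more times within a minute) needs packet inspection because Suricata sees the telnet stream, but the sysop already holds the same evidence in the notification mails quoted by Malthous and Distorted above: each one carries the date, time and source IP of a failed login. The following is an added example, not code from the thread or from Mystic, that applies that threshold to a saved batch of those notifications and produces the firewall commands Distorted said would take forever to write by hand. It assumes the messages are saved to one text file separated by lines of dashes (as in the posts above), that the BBS answers telnet on port 23 (per the Cartel BBS origin line), and it only returns the iptables commands as strings rather than running them. Two of the sample notifications are the ones quoted in the thread; the rest are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed mailbox. The 12:21a and 08:36p entries are the two notifications
# quoted in the thread; the others are invented to exercise the threshold.
SAMPLE_MAILBOX = """\
Date: 03/15/17
Time: 12:21a
IP Address: 113.190.6.46
Hostname: dynamic.vdc.vn
---------------
Date: 03/15/17
Time: 12:22a
IP Address: 113.190.6.46
Hostname: dynamic.vdc.vn
---------------
Date: 03/13/17
Time: 08:36p
IP Address: 62.217.234.2
Hostname: Unknown
---------------
Date: 03/14/17
Time: 02:58p
IP Address: 84.121.83.39
Hostname: 84.121.83.39.dyn.user.ono.com
---------------
Date: 03/14/17
Time: 02:58p
IP Address: 84.121.83.39
Hostname: 84.121.83.39.dyn.user.ono.com
"""

FIELD_RE = re.compile(r"^(Date|Time|IP Address|Hostname):\s*(.+?)\s*$", re.M)
SEPARATOR_RE = re.compile(r"^-{3,}\s*$", re.M)   # assumed: dashes between saved messages


def parse_notifications(mailbox_text):
    """Return [(datetime, ip, hostname)] for every notification body found.

    Mystic prints the time as 12-hour with a bare a/p suffix (e.g. '12:21a'),
    so '12:21a' becomes 00:21 and '08:36p' becomes 20:36. No seconds are given.
    """
    hits = []
    for body in SEPARATOR_RE.split(mailbox_text):
        fields = dict(FIELD_RE.findall(body))
        if not {"Date", "Time", "IP Address"} <= fields.keys():
            continue                                  # not a notification body
        clock = fields["Time"]
        meridian = {"a": "AM", "p": "PM"}[clock[-1].lower()]
        when = datetime.strptime(f"{fields['Date']} {clock[:-1]}{meridian}",
                                 "%m/%d/%y %I:%M%p")
        hits.append((when, fields["IP Address"], fields.get("Hostname", "Unknown")))
    return hits


def offenders(hits, count=2, seconds=60):
    """IPs with `count` failed logins inside any `seconds`-wide window.

    Because the mail gives minute resolution only, two failures in the same
    minute are 0 s apart and failures in adjacent minutes are 60 s apart, so
    the default window catches both; a one-off typo by a real user does not.
    """
    by_ip = defaultdict(list)
    for when, ip, _host in hits:
        by_ip[ip].append(when)
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(count - 1, len(times)):
            if (times[i] - times[i - count + 1]).total_seconds() <= seconds:
                bad.add(ip)
                break
    return bad


def block_commands(ips, port=23):
    """Dry run: the iptables lines a sysop would apply, one per offending IP."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips)]


if __name__ == "__main__":
    for cmd in block_commands(offenders(parse_notifications(SAMPLE_MAILBOX))):
        print(cmd)
```

Feeding the commands to a shell is the only step left out; on a box like Distorted's the same list could equally go into Mystic's own IP block list. The notification-based approach only reacts after the login attempt has already reached the BBS, which is why Malthous prefers to drop it at the firewall, but it needs nothing beyond the mail the system already sends.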
  • From karl@21:1/161 to Malthous on Wednesday, March 15, 2017 20:33:00
    Its not really a script, I run a program on my firewall that is an IDS (Intrusion Detection System) it looks at all the packets coming into

    What firewall are you using?

    --
    Karl
    The Search BBS

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: The Search BBS (21:1/161)
  • From Distorted@21:2/102 to Malthous on Thursday, March 16, 2017 18:04:00
    And Telnet is just about the dirtiest place of all.

    Distorted

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Cartel BBS * cartelbbs.keene.co:23 (21:2/102)
  • From Richard Menedetter@21:1/104 to Malthous on Saturday, March 18, 2017 15:18:00
    Hi Malthous!

    15 Mar 2017 16:27, from Malthous -> Distorted:

    I run a program on my firewall that is an IDS

    What are you using?
    Snort?

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: My kingdom for a beer; half my beer for a woman. (21:1/104)
  • From Malthous@21:1/189 to Richard Menedetter on Saturday, March 18, 2017 07:07:00
    What are you using?
    Snort?

    CU, Ricsi

    Something similar. I run Suricata. I have a custom Linux build that is the firewall; it runs the firewall and IDS.

    --Malthous--

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: KernelError Networks BBS (21:1/189)
  • From Richard Menedetter@21:1/104 to Malthous on Saturday, March 18, 2017 17:04:00
    Hi Malthous!

    18 Mar 2017 07:07, from Malthous -> Richard Menedetter:

    What are you using? Snort?
    Something Similar I run suricata. I Have a custom linux build that
    is the firewall. Runs firewall and IDS.

    Very interesting.
    Did not know that one.
    Thanx for sharing!

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: Stressed is just desserts backwards. (21:1/104)