| From | Supratim Sanyal <supratim@riseupnet.invalid.com> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | Re: yet another IP blocklist (mine!) |
| Date | 2016-11-26 17:59 -0500 |
| Organization | albasani.net |
| Message-ID | <MPG.32a3ddc17009d6e5989683@news.albasani.net> (permalink) |
| References | (3 earlier) <slrno17fn7.raa.ibuprofin@planck.phx.az.us> <MPG.327d9502ab733f6f989682@reader80.eternal-september.org> <slrno1a8cn.q8v.ibuprofin@planck.phx.az.us> <MPG.329ea37bff320fd4989681@news.albasani.net> <slrno3cfo3.gb2.ibuprofin@planck.phx.az.us> |
In article <slrno3cfo3.gb2.ibuprofin@planck.phx.az.us>,
ibuprofin@painkiller.example.tld.invalid says...
>
> On Tue, 22 Nov 2016, in the Usenet newsgroup comp.os.linux.security, in article
> <MPG.329ea37bff320fd4989681@news.albasani.net>, Supratim Sanyal wrote:
>
> >ibuprofin@painkiller.example.tld.invalid says...
>
> >> Supratim Sanyal wrote:
>
> >>> but these blocklists are missing a vast number of port 23 bots.
>
> >> I'm not sure it's even possible to come up with a reasonably accurate
> >> list - it changes so frequently. It's getting worse even now due to
> >> the "Internet of Things" (commonly written as "IoT") which includes
> >> all of the poorly designed devices in the modern home. Most of the
> >> current crop of 'bots are unprotected DVD players, Internet-enabled
> >> cameras, and similar.
>
> >interesting - looks like mirai would have eventually got into your DVD
> >players
>
> Not likely mine - the firewall here blocks those unwanted inbounds, and
> the DVD players are intentionally not networked. If you want a simple
> hint about the prevalence of 'bots, set your firewall to "IGNORE" or
> "DROP" TCP connection attempts to ports 23 (and 2323), and then look at
> the values of the variables in the SYN packet headers received (the
> initial packet used to set up a TCP connection) - source port number is
> one, TCP window size is another (see a good networking textbook such as
> "TCP/IP Illustrated - Volume 1" by the late W. Richard Stevens for what
> is "normal" and notice the differences in what's hitting your address
> now). Also note the 'bots make a single SYN (in the absence of a reply)
> rather than 3 spaced several seconds apart. Last month, I enabled
> logging on the firewall for a day, and was seeing an _average_ of 81
> rather obvious 'bots per hour during the entire period. Based on the
> RFC defined protocols, more than 95% of the connection attempts I saw
> (1953 of 2029 in 24 hours) were 'bots. My firewall normally drops all
> "new" inbounds (not just to 23/tcp) and does not bother logging the
> idiots - which would be a waste of CPU cycles and disk space.
>
> >looked up the password list it uses, it covers the ones your
> >DVD players came with
>
> I ceased to be amazed at the gross stupidity of some manufacturers
> long ago. For a while in 2005, I was browsing a Usenet newsgroup
> named "alt.privacy.spyware" (still exists, but I haven't bothered with
> it since), and there were semi-regular posts with pointers to large
> lists of default passwords used by manufacturers who should have known
> better. "admin" with "admin" was very common, as was "admin" with ""
> (just hit Enter), and "admin" with "password" - the lead engineer and
> managers of those products should be lined up and shot _repeatedly_
> with a rusty keyboard. But they don't care, so I'm not sure it would
Made some progress. Looked deeper at one of my internet-facing OpenVMS
VMs, clearly see "/bin/busybox MIRAI" forced right after the attempted
password. I have OpenVMS logs already forwarded to a central linux
syslog server, wrote a bash script to parse these and spoof pam privlog
lines. fail2ban picks them up, and bans them as well as reports to
blocklist.de ... spam has gone down but will not disappear because
OpenVMS logs the hostname after a lookup and reverse-DNS does not work
for all of the hostnames it logs. Kind of interesting to see it starting
to work:
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=qcocal%20abuse
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D>
SERVER DATA: <0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D><0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: root
SERVER DATA: r
SERVER DATA: oot
CLIENT DATA: <0x0D><0x0A>
anko<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00><0x0D><0x0A>
SERVER DATA: s
SERVER DATA: ystem<0x0D><0x0A>
<0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
/bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: default<0x0D><0x0A>
tluafed<0x0D><0x0A>
SERVER DATA: d
SERVER DATA: efault<0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00><0x0D><0x0A>
SERVER DATA: s
SERVER DATA: ystem<0x0D><0x0A>
<0x0D>Password:
CLIENT DATA: shell<0x00>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00><0x0D><0x0A>
SERVER DATA: s
SERVER DATA: h<0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: /bin/busybox MIRAI<0x00>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D><0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D>
SERVER DATA: <0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: admin
SERVER DATA: a
SERVER DATA: dmin
CLIENT DATA: <0x0D><0x0A>
4321<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00><0x0D><0x0A>
SERVER DATA: s
SERVER DATA: ystem<0x0D><0x0A>
<0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
/bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: root
SERVER DATA: r
SERVER DATA: oot
CLIENT DATA: <0x0D><0x0A>
admin<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00>
SERVER DATA: s
SERVER DATA: ystem
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: /bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D>
SERVER DATA: <0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D><0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: admin
SERVER DATA: a
SERVER DATA: dmin
CLIENT DATA: <0x0D><0x0A>
<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00><0x0D><0x0A>
SERVER DATA: s
SERVER DATA: ystem<0x0D><0x0A>
<0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: /bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D><0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D>
SERVER DATA: <0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: root
SERVER DATA: r
SERVER DATA: oot
CLIENT DATA: <0x0D><0x0A>
admin<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00>
SERVER DATA: s
SERVER DATA: ystem
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: /bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D><0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D>
SERVER DATA: <0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: admin
SERVER DATA: a
SERVER DATA: dmin
CLIENT DATA: <0x0D><0x0A>
pass<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00><0x0D><0x0A>
SERVER DATA: s
SERVER DATA: ystem<0x0D><0x0A>
<0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
/bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: root
SERVER DATA: r
SERVER DATA: oot
CLIENT DATA: <0x0D><0x0A>
realtek<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00>
SERVER DATA: s
SERVER DATA: ystem
CLIENT DATA: <0x0D><0x0A>
shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: /bin/busybox MIRAI<0x00>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D><0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
<0x0D><0x0A>
+--<0x0D>
SERVER DATA: <0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ user.<0x0D><0x0A>
+<0x0D><0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: admin
SERVER DATA: a
SERVER DATA: dmin
CLIENT DATA: <0x0D><0x0A>
smcadmin<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00>
SERVER DATA: s
SERVER DATA: ystem
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: /bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER IAC WILL 3 (SGA)
SERVER DATA: <0x0D><0x0A>
WELCOME TO<0x0D>
SERVER DATA: <0x0A>
___ _ _ _ __ __ _ _ _ _ ___ _____
<0x0D><0x0A>
/ __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
<0x0D><0x0A>
\__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
<0x0D><0x0A>
|___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
<0x0D><0x0A>
<0x0D><0x0A>
<0x0D><0x0A>
VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
<0x0D><0x0A>
+--<0x0D><0x0A>
+ This is a private hobbyist OpenVMS/VAX server. All connections are
<0x0D><0x0A>
+ monitored and recorded. Disconnect NOW if you are not an authorized
<0x0D><0x0A>
+ use
SERVER DATA: r.<0x0D><0x0A>
+<0x0D>
SERVER DATA: <0x0A>
+ GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
+--<0x0D><0x0A>
<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: administrator
SERVER DATA: a
SERVER DATA: dministrator
CLIENT DATA: <0x0D><0x0A>
1234<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00><0x0D><0x0A>
SERVER DATA: s
SERVER DATA: ystem<0x0D><0x0A>
<0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
/bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
^C
--
Supratim Sanyal
DECnet VMSMAIL: QCOCAL::SANYAL (via HECnet)
Internet email: http://mcaf.ee/sdlg9f
QCOCAL - VAXserver 3900/OpenVMS 7.3 - telnet://sanyalnet-openvms-vax.freeddns.org
QCOCAL WASD: http://sanyalnet-openvms-vax.freeddns.org:82/
CLOUDY - VAX-11/780/OpenVMS 7.3 - SET HOST from QCOCAL
JUICHI - PDP-11/24/RSX-11M-PLUS - SET HOST from QCOCAL
SunOS 5.11/Solaris 11 OpenIndiana: ssh sanyal.duckdns.org
SanyalCraft Minecraft Server: sanyal.duckdns.org:25565
NTP servers: sanyalnet-ntp.freeddns.org,sanyalnet-cloud-vps.freeddns.org,sanyalnet-cloudvps2.freeddns.org
Ad-Malware-Ransomware Blocking Recursive DNS Servers: sanyalnet-cloud-vps.freeddns.org,sanyalnet-cloudvps2.freeddns.org
WBRi Radio Stream: banglaradio.homeip.net:8000
Anonymous FTP (Solaris 11): sanyal.duckdns.org / HTTP wrapper for FTP:
http://sanyal.duckdns.org:81
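
Added example, not part of the original post and not the poster's bash script: a Python parser that reassembles the client side of each session from a proxy log in the format shown above, splits out the attempted credentials, and flags sessions carrying the `/bin/busybox MIRAI` string. The sample log is constructed and abridged in that format, and the function names are illustrative.

```python
import re

# Proxy status lines seen in the post's log; every other line is payload.
CONTROL = re.compile(r"^(LISTENING ON PORT|SERVER CONNECTION ESTABLISHED"
                     r"|SERVER DISCONNECTED|(CLIENT|SERVER) IAC )")
DATA = re.compile(r"^(CLIENT|SERVER) DATA: ?(.*)$")
HEX = re.compile(r"<0x([0-9A-Fa-f]{2})>")
MARKER = "/bin/busybox MIRAI"  # string the post reports after the password

def client_streams(log_text):
    """Yield each completed session's client data, rejoined across log lines."""
    stream, side = None, None
    for line in log_text.splitlines():
        if line.startswith("CLIENT CONNECTION RECEIVED"):
            stream, side = [], None
        elif stream is None:
            continue  # not inside a session
        elif line.startswith("BOTH CONNECTIONS CLOSED"):
            yield "".join(stream)
            stream = None
        elif CONTROL.match(line):
            side = None
        else:
            m = DATA.match(line)
            if m:  # new chunk; otherwise a continuation of the previous one
                side, line = m.groups()
            if side == "CLIENT":
                stream.append(HEX.sub(lambda h: chr(int(h.group(1), 16)), line))

def classify(stream):
    """Split on CRLF (one entry per prompt answered) and drop NUL padding."""
    lines = [part.replace("\x00", "") for part in stream.split("\r\n")]
    if lines[-1] == "":
        lines.pop()
    lines += [""] * (2 - len(lines))  # tolerate sessions that sent < 2 lines
    return {"username": lines[0], "password": lines[1], "followup": lines[2:],
            "mirai": any(MARKER in entry for entry in lines)}

def analyze(log_text):
    return [classify(s) for s in client_streams(log_text)]

# Constructed sample: one bot session with an empty password, one ordinary
# GUEST login, and a session cut off before it closed (ignored).
SAMPLE = """\
CLIENT CONNECTION RECEIVED
SERVER DATA: <0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: admin
CLIENT DATA: <0x0D><0x0A>
<0x0D><0x0A>
SERVER DATA: <0x0D>Password:
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
CLIENT DATA: <0x0D><0x0A>
CLIENT DATA: sh<0x00>
CLIENT DATA: <0x0D><0x0A>
/bin/busybox MIRAI<0x00><0x0D><0x0A>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
CLIENT CONNECTION RECEIVED
CLIENT DATA: GUEST<0x0D><0x0A>
WELCOME123<0x0D><0x0A>
BOTH CONNECTIONS CLOSED
CLIENT CONNECTION RECEIVED
CLIENT DATA: root
"""

if __name__ == "__main__":
    for result in analyze(SAMPLE):
        print(result)
```

The proxy log format carries no source address, so this only classifies sessions; tying a flagged session to an address to ban still needs a log that records the peer.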