• Active User Hacking Attempt

    From Mortifis@1:103/705 to All on Thu Feb 21 12:01:54 2019
    FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file

    Just sayin'

    2 wrongs don't make a right, but 3 left turns will get you back on the freeway!

    ---
    þ Synchronet þ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From mark lewis@1:3634/12.73 to Mortifis on Thu Feb 21 11:21:24 2019

    On 2019 Feb 21 12:01:54, you wrote to All:

    FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file

    that's OVH again and that IP and its range appear to have been leased to someone in Muzaffarpur, India... i'd block the whole range if they are actively trying to hack you...

    ;NetRange: 66.70.247.16 - 66.70.247.31
    ;CIDR: 66.70.247.16/28
    ;NetName: OVH-CUST-9037703
    ;NetHandle: NET-66-70-247-16-1
    ;Parent: HO-2 (NET-66-70-128-0-1)
    ;NetType: Reassigned
    ;OriginAS: AS16276
    ;Customer: Amaze Internet Services Private Limited (C07246867)
    ;RegDate: 2018-11-13
    ;Updated: 2018-11-13
    ;Ref: https://rdap.arin.net/registry/ip/66.70.247.16
    66.70.247.16
    66.70.247.17
    66.70.247.18
    66.70.247.19
    66.70.247.20
    66.70.247.21
    66.70.247.22
    66.70.247.23
    66.70.247.24
    66.70.247.25
    66.70.247.26
    66.70.247.27
    66.70.247.28
    66.70.247.29
    66.70.247.30
    66.70.247.31


    ----- snip -----
    $ whois 66.70.247.19

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/whois_reporting/index.html
    #
    # Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
    #



    # start

    NetRange: 66.70.128.0 - 66.70.255.255
    CIDR: 66.70.128.0/17
    NetName: HO-2
    NetHandle: NET-66-70-128-0-1
    Parent: NET66 (NET-66-0-0-0-0)
    NetType: Direct Allocation
    OriginAS:
    Organization: OVH Hosting, Inc. (HO-2)
    RegDate: 2017-02-13
    Updated: 2017-02-13
    Ref: https://rdap.arin.net/registry/ip/66.70.128.0



    OrgName: OVH Hosting, Inc.
    OrgId: HO-2
    Address: 800-1801 McGill College
    City: Montreal
    StateProv: QC
    PostalCode: H3A 2N4
    Country: CA
    RegDate: 2011-06-22
    Updated: 2017-01-28
    Ref: https://rdap.arin.net/registry/entity/HO-2


    OrgAbuseHandle: ABUSE3956-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-855-684-5463
    OrgAbuseEmail: abuse@ovh.ca
    OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3956-ARIN

    OrgTechHandle: NOC11876-ARIN
    OrgTechName: NOC
    OrgTechPhone: +1-855-684-5463
    OrgTechEmail: noc@ovh.net
    OrgTechRef: https://rdap.arin.net/registry/entity/NOC11876-ARIN

    # end


    # start

    NetRange: 66.70.247.16 - 66.70.247.31
    CIDR: 66.70.247.16/28
    NetName: OVH-CUST-9037703
    NetHandle: NET-66-70-247-16-1
    Parent: HO-2 (NET-66-70-128-0-1)
    NetType: Reassigned
    OriginAS: AS16276
    Customer: Amaze Internet Services Private Limited (C07246867)
    RegDate: 2018-11-13
    Updated: 2018-11-13
    Ref: https://rdap.arin.net/registry/ip/66.70.247.16


    CustName: Amaze Internet Services Private Limited
    Address: Bhabhanagar, Bhagwanpur
    City: Muzaffarpur
    StateProv:
    PostalCode: 842001
    Country: IN
    RegDate: 2018-11-13
    Updated: 2018-11-13
    Ref: https://rdap.arin.net/registry/entity/C07246867

    OrgAbuseHandle: ABUSE3956-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-855-684-5463
    OrgAbuseEmail: abuse@ovh.ca
    OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3956-ARIN

    OrgTechHandle: NOC11876-ARIN
    OrgTechName: NOC
    OrgTechPhone: +1-855-684-5463
    OrgTechEmail: noc@ovh.net
    OrgTechRef: https://rdap.arin.net/registry/entity/NOC11876-ARIN

    # end



    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/whois_reporting/index.html
    #
    # Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
    #
    ----- snip -----

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Like Gerald, Lord Sandwich, had...? Yes, a few rounds of Geralders.
    ---
    * Origin: (1:3634/12.73)
  • From Mortifis@1:103/705 to mark lewis on Thu Feb 21 12:45:51 2019
    On 2019 Feb 21 12:01:54, you wrote to All:

    FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file

    that's OVH again and that IP and its range appear to have been leased to someone in Muzaffarpur, India... i'd block the whole range if they are actively trying to hack you...

    66.70.247.16

    It's just been the one ip address directly connecting to alleycat.synchro.net:81
    I had done a whois and saw it was a host based in Quebec.

    I had no problem blocking the whole 66.70.247.* before I posted :-)

    my asmf-etrucker.com site blocks every ip not originating in the US or Canada but since these VPNs and/or hosts are in North America they still try to slip through.

    2 wrongs don't make a right, but 3 left turns will get you back on the freeway!

    ---
    þ Synchronet þ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From mark lewis@1:3634/12.73 to Mortifis on Thu Feb 21 11:50:28 2019

    On 2019 Feb 21 11:21:24, I wrote to you:

    FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file

    that's OVH again and that IP and its range appear to have been leased to someone in Muzaffarpur, India... i'd block the whole range if they are actively trying to hack you...

    i've just seen that IP trying to hit my system, too, so i've blocked the whole range by the CIDR in my perimeter firewall ;)

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Behind every successful man you'll find a woman who has nothing to wear.
    ---
    * Origin: (1:3634/12.73)
  • From mark lewis@1:3634/12.73 to Mortifis on Thu Feb 21 12:03:34 2019

    On 2019 Feb 21 12:45:50, you wrote to me:

    that's OVH again and that IP and its range appear to have been leased to someone in Muzaffarpur, India... i'd block the whole range if they are actively trying to hack you...

    66.70.247.16

    It's just been the one ip address directly connecting to alleycat.synchro.net:81
    I had done a whois and saw it was a host based in Quebec.

    yeah, that's just the host but the IP, as previously noted, is assigned to India...

    I had no problem blocking the whole 66.70.247.* before I posted :-)

    that works but it blocks more than the 66.70.247.16/28 culprit range...

    does ip.can and friends accept CIDR notation? that would be a lot better than listing each IP in a range when it is part of a larger range that has been leased out...

    my asmf-etrucker.com site blocks every ip not originating in the US or Canada but since these VPNs and/or hosts are in North America they still try to slip through.

    i don't know if the culprit in india is using a VPN or not... the whois data i posted doesn't seem to indicate that at all... especially since it says the 66.70.247.16/28 block has been reassigned to India... so no need to block legitimate canadian connections just to knock out a small /28 range ;)

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... All of my voices listen to different radio stations.
    ---
    * Origin: (1:3634/12.73)
  • From Mortifis@1:103/705 to mark lewis on Thu Feb 21 13:32:15 2019
    i don't know if the culprit in india is using a VPN or not... the whois data i posted doesn't seem to indicate that at all... especially since it says the 66.70.247.16/28 block has been reassigned to India... so no need to block legitimate canadian connections just to knock out a small /28 range ;)


    If I had more than one legitimate connection a week I'd concern myself LOL

    As for asmf-etrucker.com I use two blocking methods, 1st I block everything but US and Canadian IP country codes ... I do this because my transportation management suite only supports US/Canada Regulations ... the 2nd blocking mechanism is to search a merged ip.can and full_blacklist_database.txt for an ip entry if it exists 'poof' ... but then again, since I closed my trucking company and became a company driver I only have 3 clients left using etrucker and they have static ips so I could just block every ip in the universe but theirs, would make for a smaller file LOL


    2 wrongs don't make a right, but 3 left turns will get you back on the freeway!

    ---
    þ Synchronet þ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to mark lewis on Thu Feb 21 15:39:24 2019
    Re: Active User Hacking Attempt
    By: mark lewis to Mortifis on Thu Feb 21 2019 12:03 pm

    does ip.can and friends accept CIDR notation?

    Yes.
    http://wiki.synchro.net/config:filter_files#ipv4_cidr_notation


    digital man

    Synchronet/BBS Terminology Definition #24:
    DTE = Data Terminal Equipment
    Norco, CA WX: 39.6°F, 87.0% humidity, 4 mph SE wind, 0.29 inches rain/24hrs
    --- SBBSecho 3.06-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to Digital Man on Thu Feb 21 22:23:07 2019
    Re: Active User Hacking Attempt
    By: mark lewis to Mortifis on Thu Feb 21 2019 12:03 pm

    does ip.can and friends accept CIDR notation?

    Yes.
    http://wiki.synchro.net/config:filter_files#ipv4_cidr_notation


    digital man

    That's helpful, I didn't know that existed in SBBS ... TY

    2 wrongs don't make a right, but 3 left turns will get you back on the freeway!

    ---
    þ Synchronet þ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to Mortifis on Thu Feb 21 22:34:10 2019
    Re: Active User Hacking Attempt
    By: mark lewis to Mortifis on Thu Feb 21 2019 12:03 pm

    does ip.can and friends accept CIDR notation?

    Yes.
    http://wiki.synchro.net/config:filter_files#ipv4_cidr_notation


    digital man


    I am very layman ... so my original was hey this dude is actively trying to hack me, 66.70.247.19, beware... and Mark gum shoe'd a range of ip's ... 66.70.247.16 ... 31

    so to block just the range how would I enter that in ip.can effectively ... that is if I really cared that anyone inside of 66.70.247.* might be legit?




    2 wrongs don't make a right, but 3 left turns will get you back on the freeway!

    ---
    þ Synchronet þ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to all on Thu Feb 21 22:37:30 2019
    Re: Active User Hacking Attempt
    By: mark lewis to Mortifis on Thu Feb 21 2019 12:03 pm

    does ip.can and friends accept CIDR notation?

    Yes.
    http://wiki.synchro.net/config:filter_files#ipv4_cidr_notation


    digital man


    I am very layman ... so my original was hey this dude is actively trying to hack me, 66.70.247.19, beware... and Mark gum shoe'd a range of ip's ... 66.70.247.16 ... 31

    so to block just the range how would I enter that in ip.can effectively ... that is if I really cared that anyone inside of 66.70.247.* might be legit?




    2 wrongs don't make a right, but 3 left turns will get you back on the freeway!

    ---
    þ Synchronet þ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From mark lewis@1:3634/12.73 to Digital Man on Thu Feb 21 23:23:34 2019

    On 2019 Feb 21 15:39:24, you wrote to me:

    does ip.can and friends accept CIDR notation?

    Yes.
    http://wiki.synchro.net/config:filter_files#ipv4_cidr_notation

    cool! i hadn't run across that page yet :)

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Great. Really great. Elephant sandwiches for the next two months!
    ---
    * Origin: (1:3634/12.73)
  • From mark lewis@1:3634/12.73 to Mortifis on Thu Feb 21 23:25:10 2019

    On 2019 Feb 21 22:34:10, you wrote to you:

    so to block just the range how would I enter that in ip.can effectively ... that is if I really cared that anyone inside of 66.70.247.* might be legit?

    look in my gumshoe post and you'll see the CIDR notation...

    66.70.247.16/28

    that covers the range i manually entered below that comment section in that post before the whois gumshoe output ;)

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Bureau of Firearms, Alcohol, Religion and Tobacco.
    ---
    * Origin: (1:3634/12.73)
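    The thread's point is that 66.70.247.16/28 covers exactly .16 through .31, while a wildcard like 66.70.247.* covers all 256 addresses in the /24. The following is an added worked example, not code from any poster and not Synchronet's own ip.can parser: a simplified model of an ip.can-style filter list that accepts exact addresses, trailing-octet wildcards and CIDR notation, and reports how many addresses each rule covers. The sample list and the helper names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style of a Synchronet ip.can file: one entry per
# line, ';' starts a comment. This is a simplified model of the filter file,
# not Synchronet's own parser; it handles exact addresses, trailing '*'
# octet wildcards like 66.70.247.*, and CIDR notation like 66.70.247.16/28.
SAMPLE_IP_CAN = """\
; constructed example, not a real filter list
66.70.247.19        ; the single address from the original post
66.70.247.16/28     ; the reassigned /28 found via whois
10.0.0.*            ; octet wildcard, blocks 256 addresses
"""


def parse_ip_can(text):
    """Return a list of (kind, value) rules from ip.can-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if '/' in line:
            rules.append(('cidr', ipaddress.ip_network(line, strict=False)))
        elif '*' in line:
            parts = line.split('.')
            if len(parts) != 4:
                raise ValueError('wildcard rule needs four octets: %r' % line)
            rules.append(('wild', parts))
        else:
            rules.append(('exact', ipaddress.ip_address(line)))
    return rules


def is_blocked(ip_str, rules):
    """True if ip_str (IPv4) matches any rule; first match wins, no negation modelled."""
    ip = ipaddress.ip_address(ip_str)
    octets = ip_str.split('.')
    for kind, value in rules:
        if kind == 'cidr' and ip in value:
            return True
        if kind == 'exact' and ip == value:
            return True
        if kind == 'wild' and all(p == '*' or p == o for p, o in zip(value, octets)):
            return True
    return False


def rule_width(rule):
    """Number of IPv4 addresses one rule covers; shows why /28 is tighter than .*"""
    kind, value = rule
    if kind == 'cidr':
        return value.num_addresses
    if kind == 'wild':
        return 256 ** sum(1 for p in value if p == '*')
    return 1


def covered_range(cidr):
    """First and last address of a CIDR block, e.g. 66.70.247.16/28 -> .16 to .31."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


if __name__ == '__main__':
    rules = parse_ip_can(SAMPLE_IP_CAN)
    for rule in rules:
        print(rule[0], rule[1], 'covers', rule_width(rule), 'address(es)')
    print(covered_range('66.70.247.16/28'))
    for probe in ('66.70.247.19', '66.70.247.31', '66.70.247.32', '66.70.200.5'):
        print(probe, 'blocked' if is_blocked(probe, rules) else 'allowed')
```

    Running it shows the /28 entry covering 16 addresses and the wildcard entry 256, which is the trade-off mark lewis describes: the CIDR entry knocks out the reassigned block without touching the rest of OVH's Canadian space.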
  • From Daryl Stout@1:19/33 to ALL on Fri Feb 22 13:01:00 2019
    Originally to a reply to Mortifis, but I had another issue develop,
    that I felt could go under the same topic...so I addressed it to ALL.

    ***

    FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file

    Done.

    On another note, every so often, in the FTP server, I see something
    like this -- all occurred on Feb. 22, 2019 in about a minute of time. I
    deleted those date and time stamps from the log file excerpt posted
    here.

    **

    1420 CTRL connection accepted from: 89.238.162.147 port 57848
    1420 Hostname: 89-238-162-147.uk1.lunarnetwork.net
    1420 Guest: <admin123>
    1420 <Guest> logged in (1 today, 36251 total)
    1420 <Guest> detailed listing: root in passive mode
    1420 <Guest> DATA Transfer successful: 297 bytes sent in 0 seconds (594 cps)
    1420 <Guest> downloading 00index.html for / in passive mode
    1420 <Guest> DATA Transfer successful: 3263 bytes sent in 0 seconds (6526 cps)
    1420 <Guest> file (/Photo.scr) not found for SIZE command
    1420 <Guest> file (/Photo.scr) not found for RETR command
    1780 CTRL connection accepted from: 89.238.162.147 port 57854
    1780 Hostname: 89-238-162-147.uk1.lunarnetwork.net
    1780 Guest: <admin123>
    1780 <Guest> logged in (2 today, 36252 total)
    1780 <Guest> detailed listing: bbs.files library in passive mode
    1780 <Guest> DATA Transfer successful: 369 bytes sent in 0 seconds (738 cps)
    1780 <Guest> downloading 00index.html for /bbs.files/ in passive mode
    1780 <Guest> DATA Transfer successful: 1663 bytes sent in 0 seconds (3326 cps)
    1780 <Guest> file (/bbs.files/Photo.scr) not found for SIZE command
    1780 <Guest> file (/bbs.files/Photo.scr) not found for RETR command
    1888 CTRL connection accepted from: 89.238.162.147 port 57861
    1888 Hostname: 89-238-162-147.uk1.lunarnetwork.net
    1888 Guest: <admin123>
    1888 <Guest> logged in (3 today, 36253 total)
    1888 <Guest> detailed listing: /bbs.files/BBSFILES directory in passive mode
    1888 <Guest> detailed listing (1761 bytes) of /bbs.files/BBSFILES (21 files) cr
    1888 <Guest> DATA Transfer successful: 1761 bytes sent in 0 seconds (3522 cps)
    1888 <Guest> downloading 00index.html for /bbs.files/BBSFILES/ in passive mode
    1888 <Guest> JavaScript array of /bbs.files/BBSFILES (21 files) created in 0 se
    1888 <Guest> DATA Transfer successful: 10352 bytes sent in 0 seconds (20704 cps
    1888 <Guest> file (/bbs.files/BBSFILES/Photo.scr) not in database for SIZE comm
    1888 <Guest> file (/bbs.files/BBSFILES/Photo.scr) not in database for RETR comm
    1888 <Guest> logged off
    1888 CTRL thread terminated (2 clients and 3 threads remain, 3 served)
    1964 CTRL connection accepted from: 89.238.162.147 port 57867
    1964 Hostname: 89-238-162-147.uk1.lunarnetwork.net
    1964 Guest: <admin123>
    1964 <Guest> logged in (4 today, 36254 total)
    1964 <Guest> detailed listing: /bbs.files/UPLOADS directory in passive mode (em
    1964 <Guest> DATA Transfer successful: 149 bytes sent in 0 seconds (298 cps)
    1964 <Guest> downloading 00index.html for /bbs.files/ in passive mode
    1964 <Guest> DATA Transfer successful: 1663 bytes sent in 0 seconds (3326 cps)
    1964 <Guest> file (/bbs.files/Photo.scr) not found for SIZE command
    1964 <Guest> file (/bbs.files/Photo.scr) not found for RETR command
    1964 <Guest> logged off
    1964 CTRL thread terminated (2 clients and 3 threads remain, 4 served)
    1864 CTRL connection accepted from: 89.238.162.147 port 57875
    1864 Hostname: 89-238-162-147.uk1.lunarnetwork.net
    1864 Guest: <admin123>
    1864 <Guest> logged in (5 today, 36255 total)
    1864 <Guest> detailed listing: /bbs.files/SYSOP directory in passive mode (empt
    1864 <Guest> DATA Transfer successful: 149 bytes sent in 0 seconds (298 cps)
    1864 <Guest> downloading 00index.html for /bbs.files/ in passive mode
    1864 <Guest> DATA Transfer successful: 1663 bytes sent in 0 seconds (3326 cps)
    1864 <Guest> file (/bbs.files/Photo.scr) not found for SIZE command
    1864 <Guest> file (/bbs.files/Photo.scr) not found for RETR command
    1420 <Guest> logged off
    1780 <Guest> logged off
    1420 CTRL thread terminated (2 clients and 3 threads remain,

    **

    Because of stuff like this, I decided to LIMIT access to the file
    areas for Guest callers or Anonymous FTP logons to just file board 1,
    file area 1. I also originally had the majority of the file boards OPEN
    (except for selected areas meant only for verified users). Uploads are
    also set to go to the Sysop directory, and you have to be a verified
    user to upload files.

    Yet, when I was constantly getting stuff like this, was when I "locked
    down" the file areas. I've even debated REMOVING the Guest User account
    (no more browsing the BBS without an official application for access,
    and logon)...and I believe some Sysops have done such.

    The bottom line is, when this occurs, are they actually uploading a
    file, or just trying to see if it's "online". And, aside from blocking
    said IP address after the fact, is there any harm being done to the
    system with this??

    Daryl

    ===
    þ OLX 1.53 þ "Ignore Previous Cookie" - Message in fortune cookie.
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Daryl Stout@1:19/33 to MORTIFIS on Fri Feb 22 13:05:00 2019
    I am very layman ... so my original was hey this dude is actively trying to hack me, 66.70.247.19, beware... and Mark gum shoe'd a range of ip's ... 66.70.247.16 ... 31

    so to block just the range how would I enter that in ip.can effectively ... that is if I really cared that anyone inside of 66.70.247.* might be legit?

    I have India also BLOCKED in the PeerBlock utility, but I use the same wildcard syntax for my ip.can strings. While there might be a slight
    chance of a legit user (as it were), it seems they are far outnumbered
    by the hackers and bots.

    Daryl

    ===
    þ OLX 1.53 þ "Installs In Minutes" doesn't say how many minutes!!
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Mortifis@1:103/705 to Daryl Stout on Sun Feb 24 16:36:04 2019
    Originally to a reply to Mortifis, but I had another issue develop,
    that I felt could go under the same topic...so I addressed it to ALL.

    ***

    FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file

    Done.

    On another note, every so often, in the FTP server, I see something
    like this -- all occurred on Feb. 22, 2019 in about a minute of time. I deleted those date and time stamps from the log file excerpt posted
    here.

    **

    1420 CTRL connection accepted from: 89.238.162.147 port 57848
    1420 Hostname: 89-238-162-147.uk1.lunarnetwork.net
    1420 Guest: <admin123>
    1420 <Guest> logged in (1 today, 36251 total)
    1420 <Guest> detailed listing: root in passive mode
    1420 <Guest> DATA Transfer successful: 297 bytes sent in 0 seconds (594 cps)
    1420 <Guest> downloading 00index.html for / in passive mode
    1420 <Guest> DATA Transfer successful: 3263 bytes sent in 0 seconds (6526 cps)
    1420 <Guest> file (/Photo.scr) not found for SIZE command

    Yet, when I was constantly getting stuff like this, was when I "locked down" the file areas. I've even debated REMOVING the Guest User account
    (no more browsing the BBS without an official application for access,
    and logon)...and I believe some Sysops have done such.

    I removed the Guest account and stopped getting connections looking for photo.scr (which incidentally is a trojan) in order to activate that virus


    The bottom line is, when this occurs, are they actually uploading a
    file, or just trying to see if it's "online". And, aside from blocking
    said IP address after the fact, is there any harm being done to the
    system with this??

    I do not believe there is any harm being done, if you decide to NOT remove the guest account, at least disable guest uploads, especially to sysop.

    and grab the http://myip.ms/files/general/full_blacklist_database.zip and extract/merge it with your ip.can file ... there are over 54,000 known blacklisted ip addresses in it :)

    2 wrongs don't make a right, but 3 left turns will get you back on the freeway!

    ---
    þ Synchronet þ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From mark lewis@1:3634/12.73 to Daryl Stout on Sun Feb 24 16:57:04 2019

    On 2019 Feb 22 13:01:00, you wrote to ALL:

    The bottom line is, when this occurs, are they actually uploading a
    file, or just trying to see if it's "online". And, aside from blocking said IP address after the fact, is there any harm being done to the
    system with this??

    do you have photo.scr in your text/file.can?

    it looks to me like they're testing to see if the file exists but since it doesn't, SIZE and RETR cannot work...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Anticipate trouble but don't go looking for it.
    ---
    * Origin: (1:3634/12.73)
  • From Digital Man@1:103/705 to Daryl Stout on Sun Feb 24 18:06:51 2019
    Re: Active User Hacking Attem
    By: Daryl Stout to ALL on Fri Feb 22 2019 01:01 pm

    The bottom line is, when this occurs, are they actually uploading a
    file, or just trying to see if it's "online".

    They're checking to see if the file is already there and they will attempt to upload. So long as you don't allow guest-upload to public areas, you should be fine. Also, that filename is in the stock file.can:

    ; Enter filtered (disallowed) file names in this file
    ; Wildcard characters (*, ^, ~) are allowed and ! negates the match
    ; Rejection message file: text/badfile.msg
    info.zip
    photo.scr

    digital man

    Synchronet "Real Fact" #42:
    Rob Swindell was laughed out of a FidoNet Net103 (OC, Calif.) meeting in 1992.
    Norco, CA WX: 59.1°F, 45.0% humidity, 4 mph ESE wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.06-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
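    Daryl's FTP log excerpt and Digital Man's file.can reply together describe a detection: a Guest session issuing SIZE and RETR for a name that is already on the filtered-filename list is a probe, not a download. The following is an added example, not code from any poster and not Synchronet's own file.can matcher: it parses constructed log lines in the same shape as the excerpt above, loads a file.can-style list (modelling only the ';' comment, '*' wildcard and leading '!' negation described in the stock file's header; the '^' and '~' wildcards are not modelled), and reports per source IP how many probes hit a banned name. The regexes, sample lines and helper names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the FTP log excerpt in the thread (the leading
# number is the server's thread id). 192.0.2.10 is a documentation address
# standing in for a benign guest; none of this is a capture from a real system.
SAMPLE_LOG = """\
1420 CTRL connection accepted from: 89.238.162.147 port 57848
1420 Hostname: 89-238-162-147.uk1.lunarnetwork.net
1420 Guest: <admin123>
1420 <Guest> logged in (1 today, 36251 total)
1420 <Guest> file (/Photo.scr) not found for SIZE command
1420 <Guest> file (/Photo.scr) not found for RETR command
1780 CTRL connection accepted from: 89.238.162.147 port 57854
1780 Guest: <admin123>
1780 <Guest> file (/bbs.files/Photo.scr) not found for SIZE command
1780 <Guest> file (/bbs.files/Photo.scr) not found for RETR command
2001 CTRL connection accepted from: 192.0.2.10 port 40000
2001 Guest: <user@example.com>
2001 <Guest> downloading 00index.html for / in passive mode
"""

# Constructed file.can-style list with the two stock entries quoted above.
SAMPLE_FILE_CAN = """\
; Enter filtered (disallowed) file names in this file
info.zip
photo.scr
"""

CONNECT_RE = re.compile(r'^(\d+) CTRL connection accepted from: (\S+) port \d+$')
PROBE_RE = re.compile(
    r'^(\d+) <Guest> file \((\S+)\) not (?:found|in database) for (SIZE|RETR) command$')


def load_file_can(text):
    """Parse a file.can-style list into (negated, compiled_regex) pairs (assumed semantics)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        negated = line.startswith('!')
        pattern = line[1:] if negated else line
        # only '*' is modelled; it matches any run of characters, case-insensitively
        regex = re.compile(re.escape(pattern).replace(r'\*', '.*'), re.IGNORECASE)
        rules.append((negated, regex))
    return rules


def name_is_banned(name, rules):
    """A matching '!' entry allows the name outright; otherwise any match bans it."""
    banned = False
    for negated, regex in rules:
        if regex.fullmatch(name):
            if negated:
                return False
            banned = True
    return banned


def scan_ftp_log(log_text, rules):
    """Map each connecting IP to its session count and banned-name probe events."""
    thread_ip = {}                      # thread id -> IP of the current session
    report = defaultdict(lambda: {'sessions': 0, 'probes': 0, 'names': set()})
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            tid, ip = m.group(1), m.group(2)
            thread_ip[tid] = ip         # thread ids are reused, so rebind on each connect
            report[ip]['sessions'] += 1
            continue
        m = PROBE_RE.match(line)
        if m:
            tid, path, _cmd = m.groups()
            ip = thread_ip.get(tid, 'unknown')
            name = path.rsplit('/', 1)[-1]
            if name_is_banned(name, rules):
                report[ip]['probes'] += 1
                report[ip]['names'].add(name)
    return dict(report)


def flagged_ips(report):
    """IPs whose sessions asked for at least one filtered filename."""
    return sorted(ip for ip, r in report.items() if r['probes'] > 0)


if __name__ == '__main__':
    rules = load_file_can(SAMPLE_FILE_CAN)
    report = scan_ftp_log(SAMPLE_LOG, rules)
    for ip in flagged_ips(report):
        r = report[ip]
        print(ip, r['sessions'], 'sessions', r['probes'], 'probes', sorted(r['names']))
```

    The flagged list is what a sysop would feed into ip.can; the session count per IP also shows the pattern Daryl saw, several reconnects in under a minute each asking for the same name in a different directory.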
  • From Tony Langdon@3:633/410 to mark lewis on Mon Feb 25 17:28:00 2019
    On 02-24-19 16:57, mark lewis wrote to Daryl Stout <=-

    do you have photo.scr in your text/file.can?

    That should be the first file you put in there.


    ... Apathy Error: Strike any key...or none, for that matter.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Dan Clough@1:123/115 to Tony Langdon on Mon Feb 25 08:01:00 2019
    Tony Langdon wrote to mark lewis <=-

    do you have photo.scr in your text/file.can?

    That should be the first file you put in there.

    It's in there by default on a stock install.


    ... Internal Error: The system has been taken over by sheep at line 19960
    === MultiMail/Linux v0.51
    --- SBBSecho 3.06-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (1:123/115)
  • From Tony Langdon@3:633/410 to Dan Clough on Tue Feb 26 06:27:00 2019
    On 02-25-19 08:01, Dan Clough wrote to Tony Langdon <=-

    That should be the first file you put in there.

    It's in there by default on a stock install.

    Cool. :)


    ... A bachelor never makes the same mistake once.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Daryl Stout@1:19/33 to MORTIFIS on Mon Feb 25 14:52:00 2019
    I removed the Guest account and stopped getting connections looking for photo.scr (which incidentally is a trojan) in order to activate that virus

    I may do that as well...also the info.zip is as bad as photo.scr
    (malware). If folks want to login, they'll have to apply for
    access...even though they're guests in my home at logon. I already have
    the majority of message and file areas to Verified Users In Good
    Standing.

    I do not believe there is any harm being done, if you decide to NOT remove the guest account, at least disable guest uploads, especially to sysop.

    Right now, the access levels I have are:

    0 - Expired (although I don't have accounts that do that, such as for inactivity)

    10 - Restricted Access - All they can do is leave Feedback To Sysop.
    Basically, one step above banishment...this user is in big trouble. <G>

    20 - New User. They have to go through the new user logon process within
    48 hours of initial logon, or their account is deleted without comment.
    Besides entering the requested info, they have to leave a message to
    Sysop, telling where they heard about the BBS, and what they're looking
    for it (a message with just HI! or YO! is NOT sufficient)...then go
    through the telnet email verifier.

    30 - Guest User - VERY LIMITED PRIVILEGES, as follows:

    A) READ ONLY access to a select few areas in Message board 1. No QWK
    Mail.

    B) Download ONLY from File Board 1, File Area 1, the BBS Information
    Files. No Uploads allowed.

    C) LIMITED doorgame access (information only -- none of the game/score
    doors).

    40 - Unverified User - Users who have applied, but I have to review
    their new user feedback.

    50 - Verified User In Good Standing. Majority of message and file areas.

    60 - Special Access User. Same as above.

    70 - Ham Radio Operator (proof of license required). Additional access
    to special ham radio doors and file areas.

    80 - Visiting Sysop (proof of such required, such as via a nodelist).
    Right now, I just have the Sysop related areas to level 99 (me), but I
    had considered making them for Visiting Sysops.

    90 - Sysop Staff.

    and grab the http://myip.ms/files/general/full_blacklist_database.zip and extract/merge it with your ip.can file ... there are over 54,000 known blacklisted ip addresses in it :)

    I'll make a note of that and get it when I feel better. I've come down
    with a bad sore throat, and some other issues...so, I'm just doing the
    messages and updating the weather data today.

    Daryl

    ===
    þ OLX 1.53 þ A gossip is someone with a great sense of rumor.
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Daryl Stout@1:19/33 to MARK LEWIS on Mon Feb 25 14:55:00 2019
    Mark,

    do you have photo.scr in your text/file.can?

    It, and INFO.ZIP both.

    it looks to me like they're testing to see if the file exists but since it doesn't, SIZE and RETR cannot work...

    So, there's no harm in those commands showing up??

    If that's the case, I could open up the majority of the file areas,
    and keep the Guest Account. But, if I do note an IP trying to look for
    either one, I go ahead and put it in the ip.can file...and once it's
    there, it's permanent.

    Daryl

    ===
    þ OLX 1.53 þ A government shutdown is redundant.
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Daryl Stout@1:19/33 to DIGITAL MAN on Mon Feb 25 14:56:00 2019
    Rob,

    They're checking to see if the file is already there and they will attempt to upload. So long as you don't allow guest-upload to public areas, you should be fine. Also, that filename is in the stock file.can:

    That's what my file.can file has.

    I don't allow uploads to any area, except for verified users (level
    50 or above). Anything less than that can't upload at all.

    Daryl

    ===
    þ OLX 1.53 þ A guy who's addicted to brake fluid can stop any time.
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Digital Man@1:103/705 to Daryl Stout on Tue Feb 26 12:07:15 2019
    Re: Active User Hacking Attem
    By: Daryl Stout to MARK LEWIS on Mon Feb 25 2019 02:55 pm

    it looks to me like they're testing to see if the file exists but since it doesn't, SIZE and RETR cannot work...

    So, there's no harm in those commands showing up??

    Right.

    digital man

    Synchronet "Real Fact" #81:
    Vertrauen has had the FidoNet node number 1:103/705 since 1992.
    Norco, CA WX: 61.4°F, 62.0% humidity, 8 mph NE wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.06-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Tony Langdon@3:633/410 to Daryl Stout on Wed Feb 27 08:14:00 2019
    On 02-25-19 14:56, Daryl Stout wrote to DIGITAL MAN <=-

    I don't allow uploads to any area, except for verified users (level
    50 or above). Anything less than that can't upload at all.

    I only allow uploads in "Uploads to the Sysop", but I'm the only user who can view and download files in there.


    ... Thunderclap - an extremely violent form of VD.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Daryl Stout@1:19/33 to TONY LANGDON on Tue Feb 26 12:00:00 2019
    Tony,

    do you have photo.scr in your text/file.can?

    That should be the first file you put in there.

    That's first...info.zip is the second one.

    Daryl

    ===
    þ OLX 1.53 þ Adam to Eve-> 'I'll wear the plants in this family'.
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Tony Langdon@3:633/410 to Daryl Stout on Wed Feb 27 18:49:00 2019
    On 02-26-19 12:00, Daryl Stout wrote to TONY LANGDON <=-

    That's first...info.zip is the second one.

    Agreed.


    ... This tagline is bi-lingual. English and Australian.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Daryl Stout@1:19/33 to DIGITAL MAN on Wed Feb 27 09:25:00 2019
    Rob,

    it looks to me like they're testing to see if the file exists but
    since it doesn't, SIZE and RETR cannot work...

    So, there's no harm in those commands showing up??

    Right.

    OK, good deal. I also made a slight change to the Guest account. Now,
    they have to logon as GUEST USER with the password of BROWSE -- trying
    to logon just as GUEST with no password, doesn't work. The account still
    has the same privileges, but they can get access to more of the file
    areas.

    Mortifis said he had over 58,000 entries in his ip.can file...mine may
    get there eventually. :P

    That reminds me...I need to FTP in, and get the updated spamblock.cfg
    from your site.

    Daryl

    ===
    þ OLX 1.53 þ Algebra: What the Little Mermaid wears
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Daryl Stout@1:19/33 to TONY LANGDON on Wed Feb 27 09:28:00 2019
    Tony,

    I only allow uploads in "Uploads to the Sysop", but I'm the only user who can
    view and download files in there.

    That's the way it's set up over here. Plus, guest logons can't upload
    at all. And, I modified the Guest account to now have the name of GUEST
    USER with a password of BROWSE. Now, anyone trying to logon as GUEST
    (with or without a password) or as anonymous, gets the message "Unknown
    User". One FTP connect tries anonymous as the user name with googlebot@google.com -- and the Synchronet Control put a temporary ban
    on the IP...I made it permanent. <eg>

    ... Thunderclap - an extremely violent form of VD.

    In this case, CG doesn't stand for "cloud to ground"...and you can let
    your mind put in whatever you want. <EG>

    Daryl

    ===
    þ OLX 1.53 þ All computers wait at the same speed.
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Tony Langdon@3:633/410 to Daryl Stout on Thu Feb 28 21:29:00 2019
    On 02-27-19 09:28, Daryl Stout wrote to TONY LANGDON <=-

    Tony,

    I only allow uploads in "Uploads to the Sysop", but I'm the only user who can
    view and download files in there.

    That's the way it's set up over here. Plus, guest logons can't upload
    at all. And, I modified the Guest account to now have the name of GUEST USER with a password of BROWSE. Now, anyone trying to logon as GUEST
    (with or without a password) or as anonymous, gets the message "Unknown User". One FTP connect tries anonymous as the user name with googlebot@google.com -- and the Synchronet Control put a temporary ban
    on the IP...I made it permanent. <eg>

    I only allow the guest user to download via anonymous FTP.

    ... Thunderclap - an extremely violent form of VD.

    In this case, CG doesn't stand for "cloud to ground"...and you can
    let your mind put in whatever you want. <EG>

    Oh dear. :P


    ... Jargon is used as a means of succeeding by, not simplifying.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Digital Man@1:103/705 to Daryl Stout on Thu Feb 28 13:11:20 2019
    Re: Re: Active User Hacking A
    By: Daryl Stout to TONY LANGDON on Wed Feb 27 2019 09:28 am

    Tony,

    I only allow uploads in "Uploads to the Sysop", but I'm the only user
    who can view and download files in there.

    That's the way it's set up over here. Plus, guest logons can't upload
    at all. And, I modified the Guest account to now have the name of GUEST
    USER with a password of BROWSE. Now, anyone trying to logon as GUEST
    (with or without a password) or as anonymous, gets the message "Unknown User". One FTP connect tries anonymous as the user name with googlebot@google.com

    You sure that's not the password? The google ftp-crawler normally logs in (ftp)
    using the name "anonymous" and the password "googlebot@google.com". The best way to filter those logins is to put that email address in your text/email.can file. In fact, this is in the sock email.can file:

    ; Prevent Google's FTP-crawler by uncommenting the following line:
    ; googlebot@google.com

    digital man

    Synchronet "Real Fact" #29:
    Rob Swindell first called BBSes (at 300bps) with an Apple II computer in 1982.
    Norco, CA WX: 65.0°F, 70.0% humidity, 5 mph E wind, 0.01 inches rain/24hrs
    --- SBBSecho 3.06-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:19/33 to TONY LANGDON on Thu Feb 28 05:30:00 2019
    Tony,

    I only allow the guest user to download via anonymous FTP.

    Well, in making a CHANGE to the Guest User account...now requiring a
    LOGON via the name of GUEST USER and the password of BROWSE -- the
    website interface done by echicken NO LONGER WORKS.

    So, I went back to a modified version of the default theme. However,
    users can still go to http://www.theweatherwonder.com/bbsftlnt.htm to
    logon via FTelnet from their web browser.

    By making those changes, it has cut down on bots trying to crash the
    FTP server with malware, or looking for such. Now, just trying to logon
    as GUEST or ANONYMOUS generates an UNKNOWN USER message.

    ... Thunderclap - an extremely violent form of VD.

    In this case, CG doesn't stand for "cloud to ground"...and you can let your mind put in whatever you want. <EG>

    Oh dear. :P

    I will admit that I did steal the tagline. ;)

    Daryl

    ===
    þ OLX 1.53 þ X-Modem: A modem on the losing end of a lightning strike.
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Daryl Stout@1:19/33 to DIGITAL MAN on Thu Feb 28 17:04:00 2019
    Rob,

    You sure that's not the password? The google ftp-crawler normally logs in (f
    using the name "anonymous" and the password "googlebot@google.com". The best
    way to filter those logins is to put that email address in your text/email.c
    file. In fact, this is in the sock email.can file:

    The line is uncommented...but a bunch of other FTP deals keep trying
    to search for and push malware on to the FTP server.

    I've also blocked the emails for Internet Explorer, Mozilla (Firefox),
    and anonymous. I also saw emails going to alt.synchronet with spam or
    nasty sender addresses...so, I had to block those as well.

    Folks even tried to use my name at the BBS's domain for a login
    email.

    Daryl

    ===
    þ OLX 1.53 þ It usually takes weeks to prepare an impromptu speech.
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
  • From Tony Langdon@3:633/410 to Daryl Stout on Fri Mar 1 14:02:00 2019
    On 02-28-19 05:30, Daryl Stout wrote to TONY LANGDON <=-

    Tony,

    I only allow the guest user to download via anonymous FTP.

    Well, in making a CHANGE to the Guest User account...now requiring a LOGON via the name of GUEST USER and the password of BROWSE -- the
    website interface done by echicken NO LONGER WORKS.

    Bummer. :(

    By making those changes, it has cut down on bots trying to crash the
    FTP server with malware, or looking for such. Now, just trying to logon
    as GUEST or ANONYMOUS generates an UNKNOWN USER message.

    Useful, though for me there comes a point when security becomes too intrusive and starts to interfere with normal use. It's up to each of us to decide where
    the balance between security and usability is. :)

    ... Thunderclap - an extremely violent form of VD.

    In this case, CG doesn't stand for "cloud to ground"...and you can let your mind put in whatever you want. <EG>

    Oh dear. :P

    I will admit that I did steal the tagline. ;)

    Haha, didn't we all? :D


    ... Bug free, cheap, on time, works. Pick two.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Rampage@1:103/705 to Daryl Stout on Fri Mar 1 14:50:04 2019
    Re: Re: Active User Hacking A
    By: Daryl Stout to TONY LANGDON on Thu Feb 28 2019 05:30:00

    it has cut down on bots trying to crash the FTP server with
    malware, or looking for such. Now, just trying to logon

    they're not trying to crash the server... they are looking for free access storage they can link to so they can infest others with those files...


    )\/(ark

    ---
    þ Synchronet þ SouthEast Star Mail HUB - SESTAR
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:19/33 to TONY LANGDON on Fri Mar 1 15:09:00 2019
    Tony,

    Well, in making a CHANGE to the Guest User account...now requiring a LOGON via the name of GUEST USER and the password of BROWSE -- the website interface done by echicken NO LONGER WORKS.

    Bummer. :(

    DM convinced me that those "bot scans for photo.scr and info.zip" are basically harmless...since the Guest User account doesn't allow uploads
    anyway.

    Useful, though for me there comes a point when security becomes too intrusive
    and starts to interfere with normal use. It's up to each of us to decide where
    the balance between security and usability is. :)

    I am seeing a ton of IPs doing repeated connects without a logon, so
    these are going in the ip.can file.

    I will admit that I did steal the tagline. ;)

    Haha, didn't we all? :D

    Talk about a shot in the dark. :P

    Daryl

    ===
    þ OLX 1.53 þ Jury: 12 people deciding which client has the best lawyer
    --- SBBSecho 3.06-Win32
    * Origin: FIDONet: The Thunderbolt BBS - tbolt.synchro.net (1:19/33)
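    Added example (mine, not code from the thread or from Synchronet) tying together the two filter files discussed above: it reads a constructed FTP log, proposes ip.can entries for hosts that keep connecting without ever logging on, and proposes email.can entries for passwords offered with the "anonymous" user, skipping anything already listed. The log layout, the ".can" exact-match handling and all addresses are assumptions made up for the example.

    ```python
    import re
    from collections import Counter, defaultdict

    # Constructed FTP log sample (illustrative layout, not Synchronet's real format).
    SAMPLE_LOG = """\
    203.0.113.7 CONNECT
    203.0.113.7 CONNECT
    203.0.113.7 CONNECT
    198.51.100.9 CONNECT
    198.51.100.9 LOGIN anonymous googlebot@google.com
    192.0.2.44 CONNECT
    192.0.2.44 LOGIN anonymous mozilla@example.com
    """
    # Constructed email.can contents; ';' lines are comments, as in the thread.
    EXISTING_EMAIL_CAN = "; Prevent Google's FTP-crawler\ngooglebot@google.com\n"
    LINE_RE = re.compile(r"^(\S+) (\w+)(?: (.*))?$")

    def load_can(text):
        """Entries of a .can file, skipping blanks and ';' comments (exact-match simplification)."""
        return {l.strip().lower() for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith(";")}

    def summarize(log_text):
        """Per-IP connect counts, login counts, and passwords offered with user 'anonymous'."""
        connects, logins, anon_pw = Counter(), Counter(), defaultdict(set)
        for line in log_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            ip, event, detail = m.groups()
            if event == "CONNECT":
                connects[ip] += 1
            elif event == "LOGIN":
                logins[ip] += 1
                user, _, password = (detail or "").partition(" ")
                if user.lower() == "anonymous":
                    anon_pw[ip].add(password.lower())
        return connects, logins, anon_pw

    def ipcan_candidates(log_text, existing_ipcan=frozenset(), min_connects=3):
        """IPs with at least min_connects connects and no login, not already in ip.can."""
        connects, logins, _ = summarize(log_text)
        return sorted(ip for ip, n in connects.items()
                      if n >= min_connects and logins[ip] == 0 and ip not in existing_ipcan)

    def emailcan_candidates(log_text, existing_emailcan):
        """Anonymous-FTP passwords (the 'email' part) not yet listed in email.can."""
        _, _, anon_pw = summarize(log_text)
        seen = set().union(*anon_pw.values())
        return sorted(seen - load_can(existing_emailcan))
    ```

    Review the candidates before appending them; a real .can file supports more matching rules than the exact-match lookup used here.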
  • From mark lewis@1:3634/12.73 to Daryl Stout on Fri Mar 1 18:30:20 2019

    On 2019 Feb 28 17:04:00, you wrote to DIGITAL MAN:

    Folks even tried to use my name at the BBS's domain for a login email.

    those are advanced IoT bots like MIRAI... many use the same or very similar base code from MIRAI... they've added new name/password combinations, various dictionary attacks, and additional breaching methods but it is still the same stuff as MIRAI...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Well! I'm impressed.
    ---
    * Origin: (1:3634/12.73)
  • From Tony Langdon@3:633/410 to Daryl Stout on Sat Mar 2 12:09:00 2019
    On 03-01-19 15:09, Daryl Stout wrote to TONY LANGDON <=-

    DM convinced me that those "bot scans for photo.scr and info.zip" are basically harmless...since the Guest User account doesn't allow uploads anyway.

    I'd agree, that's my belief as well.

    I am seeing a ton of IPs doing repeated connects without a logon, so these are going in the ip.can file.

    Yep that's one way to deal with them. :)


    ... I watch what I eat... from the plate to the mouth.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)