FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file
On 2019 Feb 21 12:01:54, you wrote to All:
FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file
that's OVH again and that IP and its range appear to have been leased to someone in Muzaffarpur, India... i'd block the whole range if they are actively trying to hack you...
66.70.247.16
It's just been the one ip address directly connecting to alleycat.synchro.net:81
I had done a whois and saw it was a host based in Quebec.
I had no problem blocking the whole 66.70.247.* before I posted :-)
my asmf-etrucker.com site blocks every ip not originating in the US or Canada but since these VPN's and/or hosts are in North America they still try to slip through.
i don't know if the culprit in india is using a VPN or not... the whois data i posted doesn't seem to indicate that at all... especially since it says the 66.70.247.16/28 block has been reassigned to India... so no need to block legitimate canadian connections just to knock out a small /28 range ;)
does ip.can and friends accept CIDR notation?
Re: Active User Hacking Attempt
By: mark lewis to Mortifis on Thu Feb 21 2019 12:03 pm
does ip.can and friends accept CIDR notation?
Yes.
http://wiki.synchro.net/config:filter_files#ipv4_cidr_notation
digital man
I am very layman ... so my original was hey this dude is actively trying to hack me, 66.70.247.19, beware... and Mark gum shoe'd a range of ip's ... 66.70.247.16 ... 31
so to block just the range how would I enter that in ip.can effectively ... that is if I really cared that anyone inside of 66.70.247.* might be legit?
2 wrongs don't make a right, but 3 left turns will get you back on the freeway!
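Added example, not part of any post in this thread: turning the range Mark found (66.70.247.16 through 66.70.247.31) into the CIDR entry that ip.can is said above to accept, and counting what the wider 66.70.247.* block would catch in addition. It treats 66.70.247.* as equivalent to 66.70.247.0/24 (an assumption), and it also handles ranges that do not fall on a single block boundary.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def is_covered(ip, cidrs):
    """True if ip falls inside any of the CIDR blocks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in cidrs)


def collateral(wide, cidrs):
    """Addresses blocked by `wide` that the tighter blocks would leave alone."""
    wide_net = ipaddress.IPv4Network(wide)
    tight = sum(n.num_addresses for n in cidrs if n.subnet_of(wide_net))
    return wide_net.num_addresses - tight


if __name__ == "__main__":
    # Range taken from the thread; each printed line is one filter entry.
    blocks = range_to_cidrs("66.70.247.16", "66.70.247.31")
    for net in blocks:
        print(net)
    print("66.70.247.19 covered:", is_covered("66.70.247.19", blocks))
    # 66.70.247.* is treated here as 66.70.247.0/24 (assumption).
    print("extra addresses in the /24:", collateral("66.70.247.0/24", blocks))
    # Constructed example: a range that is not aligned needs several entries.
    for net in range_to_cidrs("66.70.247.10", "66.70.247.31"):
        print(net)
```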
Originally to a reply to Mortifis, but I had another issue develop, that I felt could go under the same topic...so I addressed it to ALL.
***
FYI a person from this IP address 66.70.247.19 has been actively trying to hack my personal accounts ... you may want to keep an eye on your logs or put 66.70.247.19 in your ip.can file
Done.
On another note, every so often, in the FTP server, I see something like this -- all occurred on Feb. 22, 2019 in about a minute of time. I deleted those date and time stamps from the log file excerpt posted here.
**
1420 CTRL connection accepted from: 89.238.162.147 port 57848
1420 Hostname: 89-238-162-147.uk1.lunarnetwork.net
1420 Guest: <admin123>
1420 <Guest> logged in (1 today, 36251 total)
1420 <Guest> detailed listing: root in passive mode
1420 <Guest> DATA Transfer successful: 297 bytes sent in 0 seconds (594 cps)
1420 <Guest> downloading 00index.html for / in passive mode
1420 <Guest> DATA Transfer successful: 3263 bytes sent in 0 seconds (6526 cps)
1420 <Guest> file (/Photo.scr) not found for SIZE command
Yet, when I was constantly getting stuff like this, was when I "locked down" the file areas. I've even debated REMOVING the Guest User account
(no more browsing the BBS without an official application for access,
and logon)...and I believe some Sysops have done such.
The bottom line is, when this occurs, are they actually uploading a
file, or just trying to see if it's "online". And, aside from blocking
said IP address after the fact, is there any harm being done to the
system with this??
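Added example, not part of the post above: a small script that picks sessions like this one out of an FTP log by pairing each "not found" probe with the address that opened the connection. It assumes the leading number on each line identifies the connection, and the watch list holds the two filenames the thread names as file.can entries; session 1421 and its address are constructed.

```python
import re
from collections import defaultdict

# Excerpt from the post, plus one constructed ordinary session (1421).
SAMPLE_LOG = """\
1420 CTRL connection accepted from: 89.238.162.147 port 57848
1420 Hostname: 89-238-162-147.uk1.lunarnetwork.net
1420 Guest: <admin123>
1420 <Guest> logged in (1 today, 36251 total)
1420 <Guest> detailed listing: root in passive mode
1420 <Guest> downloading 00index.html for / in passive mode
1420 <Guest> file (/Photo.scr) not found for SIZE command
1421 CTRL connection accepted from: 192.0.2.10 port 40000
1421 <Guest> logged in (2 today, 36252 total)
1421 <Guest> downloading 00index.html for / in passive mode
"""

# Filenames the thread mentions as file.can entries.
WATCHLIST = {"photo.scr", "info.zip"}

ACCEPT = re.compile(r"^(\d+) CTRL connection accepted from: (\S+) port \d+$")
PROBE = re.compile(r"^(\d+) <[^>]*> file \((.+)\) not found for (\w+) command$")


def find_probes(log_text, watchlist=WATCHLIST):
    """Return {ip: sorted watch-listed names that address probed for}."""
    session_ip = {}           # connection number -> remote address
    hits = defaultdict(set)   # remote address -> probed names
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ACCEPT.match(line)
        if m:
            session_ip[m.group(1)] = m.group(2)
            continue
        m = PROBE.match(line)
        if m:
            # Compare the base name only, case-insensitively.
            name = m.group(2).rsplit("/", 1)[-1].lower()
            if name in watchlist:
                hits[session_ip.get(m.group(1), "unknown")].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in find_probes(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```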
On 02-24-19 16:57, mark lewis wrote to Daryl Stout <=-
do you have photo.scr in your text/file.can?
Tony Langdon wrote to mark lewis <=-
do you have photo.scr in your text/file.can?
That should be the first file you put in there.
On 02-25-19 08:01, Dan Clough wrote to Tony Langdon <=-
That should be the first file you put in there.
It's in there by default on a stock install.
I removed the Guest account and stopped getting connections looking for photo.scr (which incidentally is a trojan) in order to activate that virus
I do not believe there is any harm being done, if you decide to NOT remove the guest account, at least disable guest uploads, especially to sysop.
and grab the http://myip.ms/files/general/full_blacklist_database.zip and extract/merge it with your ip.can file ... there are over 54,000 known blacklisted ip addresses in it :)
do you have photo.scr in your text/file.can?
it looks to me like they're testing to see if the file exists but since it doesn't, SIZE and RETR cannot work...
They're checking to see if the file is already there and they will attempt upload. So long as you don't allow guest-upload to public areas, you should be fine. Also, that filename is in the stock file.can:
it looks to me like they're testing to see if the file exists but since it doesn't, SIZE and RETR cannot work...
So, there's no harm in those commands showing up??
On 02-25-19 14:56, Daryl Stout wrote to DIGITAL MAN <=-
I don't allow uploads to any area, except for verified users (level
50 or above). Anything less than that can't upload at all.
do you have photo.scr in your text/file.can?
That should be the first file you put in there.
On 02-26-19 12:00, Daryl Stout wrote to TONY LANGDON <=-
That's first...info.zip is the second one.
it looks to me like they're testing to see if the file exists but since it doesn't, SIZE and RETR cannot work...
So, there's no harm in those commands showing up??
Right.
I only allow uploads in "Uploads to the Sysop", but I'm the only user who can view and download files in there.
... Thunderclap - an extremely violent form of VD.
On 02-27-19 09:28, Daryl Stout wrote to TONY LANGDON <=-
Tony,
I only allow uploads in "Uploads to the Sysop", but I'm the only user who can view and download files in there.
That's the way it's set up over here. Plus, guest logons can't upload
at all. And, I modified the Guest account to now have the name of GUEST USER with a password of BROWSE. Now, anyone trying to logon as GUEST
(with or without a password) or as anonymous, gets the message "Unknown User". One FTP connect tries anonymous as the user name with googlebot@google.com -- and the Synchronet Control put a temporary ban
on the IP...I made it permanent. <eg>
... Thunderclap - an extremely violent form of VD.
In this case, CG doesn't stand for "cloud to ground"...and you can
let your mind put in whatever you want. <EG>
Tony,
I only allow uploads in "Uploads to the Sysop", but I'm the only user who can view and download files in there.
That's the way it's set up over here. Plus, guest logons can't upload
at all. And, I modified the Guest account to now have the name of GUEST
USER with a password of BROWSE. Now, anyone trying to logon as GUEST
(with or without a password) or as anonymous, gets the message "Unknown User". One FTP connect tries anonymous as the user name with googlebot@google.com
I only allow the guest user to download via anonymous FTP.
... Thunderclap - an extremely violent form of VD.
In this case, CG doesn't stand for "cloud to ground"...and you can let your mind put in whatever you want. <EG>
Oh dear. :P
You sure that's not the password? The google ftp-crawler normally logs in (f
using the name "anonymous" and the password "googlebot@google.com". The best way to filter those logins is to put that email address in your text/email.can file. In fact, this is in the stock email.can file:
On 02-28-19 05:30, Daryl Stout wrote to TONY LANGDON <=-
Tony,
I only allow the guest user to download via anonymous FTP.
Well, in making a CHANGE to the Guest User account...now requiring a LOGON via the name of GUEST USER and the password of BROWSE -- the
website interface done by echicken NO LONGER WORKS.
By making those changes, it has cut down on bots trying to crash the
FTP server with malware, or looking for such. Now, just trying to logon
as GUEST or ANONYMOUS generates an UNKNOWN USER message.
... Thunderclap - an extremely violent form of VD.
In this case, CG doesn't stand for "cloud to ground"...and you can let your mind put in whatever you want. <EG>
Oh dear. :P
I will admit that I did steal the tagline. ;)
it has cut down on bots trying to crash the FTP server with
malware, or looking for such. Now, just trying to logon
Well, in making a CHANGE to the Guest User account...now requiring a LOGON via the name of GUEST USER and the password of BROWSE -- the website interface done by echicken NO LONGER WORKS.
Bummer. :(
Useful, though for me there comes a point when security becomes too intrusive and starts to interfere with normal use. It's up to each of us to decide wh
the balance between security and usability is. :)
I will admit that I did steal the tagline. ;)
Haha, didn't we all? :D
Folks even tried to use my name at the BBS's domain for a login email.
On 03-01-19 15:09, Daryl Stout wrote to TONY LANGDON <=-
DM convinced me that those "bot scans for photo.scr and info.zip" are basically harmless...since the Guest User account doesn't allow uploads anyway.
I am seeing a ton of IP's doing repeated connects without a logon, so these are going in the ip.can file.