• yet another IP blocklist (mine!)

    From Supratim Sanyal@21:1/5 to All on Mon Oct 3 11:42:09 2016
    Hi - I am maintaining a brute-force attack source IP blocklist at http://sanyalnet-cloud-vps.freeddns.org/blocklist.txt - maybe of use to
    others. Entries have a 48 hour expiry. Contains actual ssh, telnet and
    smtp failed login attempts. Thanks.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Moe Trin@21:1/5 to Supratim Sanyal on Tue Oct 4 20:32:33 2016
    On Mon, 3 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in
    article <MPG.325c46579c9d147e989681@reader80.eternal-september.org>,
    Supratim Sanyal wrote:

    > Hi - I am maintaining a brute-force attack source IP blocklist

    Idle curiosity - Why?

    > Entries have a 48 hour expiry.

    Good - but that might be on the long side. I have to laugh at people
    using a Self-Denial-of-Service tool like 'blocksshd', 'sshguard',
    'fail2ban', "DenyHost[s]" and similar, who wonder why their firewall is
    so slow when they have over a thousand /32 DROP rules that never expire.
    That's only the tip of the iceberg, as there are about 3.7e9 non-RFC5735
    IPv4 addresses out there (3.64e9 of which are allocated/assigned/in-use)
    never mind 1.59e34 similar IPv6 addresses (out of 3.37e38 non-RFC6890)
    in 30100 blocks. When I was using this style of setup (about 10 years
    ago), I expired the address after 720 seconds (12 minutes) as that was
    long enough to discourage the id10ts out there. I also had some
    "permanent" ranges - ISPs or similar groups that tolerated abusers.
    Those blocks (about 20 as I recall) ranged from /17 up to /12 in size.

    > Contains actual ssh, telnet and smtp failed login attempts.

    Do you really NEED to be offering those services to the _entire_ world?
    My firewall allows _inbound_ access from a /22 and two /24s "outside"
    or a total of 1530 addresses, because I can't see any reason to allow
    connections from you or anyone else that I haven't approved in advance,
    and I really don't expect authorized users to be connecting from
    Kazakhstan, Kenya, Kiribati, Korea, Kuwait or Kyrgyzstan and a lot of
    other places either. Lest someone from those countries object, I also
    don't allow access from nearly all ISPs in the rest of the world. Not
    expected == not allowed.

    The perimeter firewall has few rules.
    ALLOW established
    ALLOW from 3 blocks outside to 4 ports on 2 servers on the LAN
    ALLOW ICMP types 3 (some), 0 and 11 inbound
    ALLOW ICMP types 3 (some) and 8 outbound
    ALLOW new outbound from the LAN
    sh!tcan the rest

    It also only accepts connections to itself from three hosts on the
    LAN side. I don't even bother logging - the firewall prevented the
    connection, so what MORE do you need? It's not as if the Internet
    Police are going to do anything if you complain. This also reduces
    the resources needed on the firewall box - for years, mine was the
    remains of a 1990s 386SX laptop with a whopping 4 Megs of RAM and a
    105 Meg disk. When it finally died 6-7 years ago, I replaced it with
    a similarly retired (~2002) Pentium laptop.

    Old guy

  • From Moe Trin@21:1/5 to Supratim Sanyal on Fri Oct 28 21:10:42 2016
    On Thu, 27 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in
    article <MPG.327c65692bdf48dc989683@news.eternal-september.org>,
    Supratim Sanyal wrote:

    > ibuprofin@painkiller.example.tld.invalid says...

    >> Supratim Sanyal wrote:

    >>> Hi - I am maintaining a brute-force attack source IP blocklist

    >> Idle curiosity - Why?

    > Ummm - got myself a cheapo VPS, have to use it for something

    Officially retired earlier this year, but I've been in the business
    since the 1980s. While I'm still doing a bit of part-time consulting,
    networking is of less interest now. I haven't had a publicly visible
    service since about 1997 (website on a home ISDN connection).

    > and revived a fortune-cowsay daemon I wrote in school ... put it on
    > the telnet port - doubles as a honey pot for telnet spam ... no good
    > reason really ... :)

    Mentioned, I don't even bother to log connection attempts, much less
    respond to them. (My upstream doesn't seem to respond with ICMP type
    3 code 1 if the customer's modem/router is turned off, so there is no
    difference between that and a customer's firewall with a DROP rule.)
    Occasionally, I may turn on logging for a day, just to get a feel for
    what's happening, but nothing really scientific. I have seen a
    substantial increase (10:1) in attempts to connect to 23/tcp since
    about mid-May, but they act more like 'bots (single SYN packet, rather
    than up to 3 from a conventional network stack if there was no
    response to the first). Last weekend, I saw a flurry of hits (Hmmm...
    why is the network activity light blinking so much on the WAN side?
    Lessee, "/usr/sbin/tcpdump -ni eth1 -s 512 -w /tmp/dump") on 23/tcp,
    but they looked more like a DDOS attack (up to 6 hits per minute with
    obviously faked source IPs) than an actual connection attempt. That
    went on for several hours Saturday and Sunday during the day before
    dropping back to the (current) normal of about 1 per minute. For
    every ten hits on 23/tcp, there is also one to 2323/tcp, usually from
    one of the same sources with an otherwise identical TCP header. In
    July and August, I was also seeing frequent hits (about 1 per minute)
    to 53413/udp (attempt to exploit a Chinese chip-set in a home router),
    but that seems to have died down lately. Hits on 22/tcp have been
    relatively low for over a year (average about 1.5 attempts per hour).

    Old guy

  • From Supratim Sanyal@21:1/5 to All on Thu Oct 27 20:27:07 2016
    In article <slrnnv84fd.9g.ibuprofin@planck.phx.az.us>, ibuprofin@painkiller.example.tld.invalid says...

    > On Mon, 3 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in
    > article <MPG.325c46579c9d147e989681@reader80.eternal-september.org>,
    > Supratim Sanyal wrote:

    >> Hi - I am maintaining a brute-force attack source IP blocklist

    > Idle curiosity - Why?

    Ummm - got myself a cheapo VPS, have to use it for something - and
    revived a fortune-cowsay daemon I wrote in school ... put it on the
    telnet port - doubles as a honey pot for telnet spam ... no good reason
    really ... :)

    > Entries have a 48 hour expiry.

    > Good - but that might be on the long side. I have to laugh at people
    > using a Self-Denial-of-Service tool like 'blocksshd', 'sshguard',
    > 'fail2ban', "DenyHost[s]" and similar, who wonder why their firewall is
    > so slow when they have over a thousand /32 DROP rules that never expire.
    > That's only the tip of the iceberg, as there are about 3.7e9 non-RFC5735
    > IPv4 addresses out there (3.64e9 of which are allocated/assigned/in-use)
    > never mind 1.59e34 similar IPv6 addresses (out of 3.37e38 non-RFC6890)
    > in 30100 blocks. When I was using this style of setup (about 10 years
    > ago), I expired the address after 720 seconds (12 minutes) as that was
    > long enough to discourage the id10ts out there. I also had some
    > "permanent" ranges - ISPs or similar groups that tolerated abusers.
    > Those blocks (about 20 as I recall) ranged from /17 up to /12 in size.

    >> Contains actual ssh, telnet and smtp failed login attempts.

    > Do you really NEED to be offering those services to the _entire_ world?
    > My firewall allows _inbound_ access from a /22 and two /24s "outside"
    > or a total of 1530 addresses, because I can't see any reason to allow
    > connections from you or anyone else that I haven't approved in advance,
    > and I really don't expect authorized users to be connecting from
    > Kazakhstan, Kenya, Kiribati, Korea, Kuwait or Kyrgyzstan and a lot of
    > other places either. Lest someone from those countries object, I also
    > don't allow access from nearly all ISPs in the rest of the world. Not
    > expected == not allowed.

    > The perimeter firewall has few rules.
    > ALLOW established
    > ALLOW from 3 blocks outside to 4 ports on 2 servers on the LAN
    > ALLOW ICMP types 3 (some), 0 and 11 inbound
    > ALLOW ICMP types 3 (some) and 8 outbound
    > ALLOW new outbound from the LAN
    > sh!tcan the rest

    > It also only accepts connections to itself from three hosts on the
    > LAN side. I don't even bother logging - the firewall prevented the
    > connection, so what MORE do you need? It's not as if the Internet
    > Police are going to do anything if you complain. This also reduces
    > the resources needed on the firewall box - for years, mine was the
    > remains of a 1990s 386SX laptop with a whopping 4 Megs of RAM and a

    Again doing "something" with a cheapo VPS is the goal ... at this point,
    this VPS also does the following (for no particular reason):

    - ad-blocking dns server on udp/53 and tcp/53
    - TOR web proxy on TCP/8080 - (password protected)
    - varnish httpd reverse proxy (love varnish!)
    - ntp server on port udp/123 (listed in ntp.org!)
    - stunnel remote logging server for all of my other hobbyist servers and
    VMs ...
    - runs seti@home/boinc ... :)

  • From Supratim Sanyal@21:1/5 to All on Fri Oct 28 18:02:27 2016
    In article <slrno17fn7.raa.ibuprofin@planck.phx.az.us>, ibuprofin@painkiller.example.tld.invalid says...

    > On Thu, 27 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in
    > article <MPG.327c65692bdf48dc989683@news.eternal-september.org>,
    > Supratim Sanyal wrote:

    >> ibuprofin@painkiller.example.tld.invalid says...

    >>> Supratim Sanyal wrote:

    >>>> Hi - I am maintaining a brute-force attack source IP blocklist

    >>> Idle curiosity - Why?

    >> Ummm - got myself a cheapo VPS, have to use it for something

    > Officially retired earlier this year, but I've been in the business
    > since the 1980s. While I'm still doing a bit of part-time consulting,
    > networking is of less interest now. I haven't had a publicly visible
    > service since about 1997 (website on a home ISDN connection).

    >> and revived a fortune-cowsay daemon I wrote in school ... put it on
    >> the telnet port - doubles as a honey pot for telnet spam ... no good
    >> reason really ... :)

    > Mentioned, I don't even bother to log connection attempts, much less
    > respond to them. (My upstream doesn't seem to respond with ICMP type
    > 3 code 1 if the customer's modem/router is turned off, so there is no
    > difference between that and a customer's firewall with a DROP rule.)
    > Occasionally, I may turn on logging for a day, just to get a feel for
    > what's happening, but nothing really scientific. I have seen a
    > substantial increase (10:1) in attempts to connect to 23/tcp since
    > about mid-May, but they act more like 'bots (single SYN packet, rather
    > than up to 3 from a conventional network stack if there was no
    > response to the first). Last weekend, I saw a flurry of hits (Hmmm...
    > why is the network activity light blinking so much on the WAN side?
    > Lessee, "/usr/sbin/tcpdump -ni eth1 -s 512 -w /tmp/dump") on 23/tcp,
    > but they looked more like a DDOS attack (up to 6 hits per minute with
    > obviously faked source IPs) than an actual connection attempt. That
    > went on for several hours Saturday and Sunday during the day before
    > dropping back to the (current) normal of about 1 per minute. For
    > every ten hits on 23/tcp, there is also one to 2323/tcp, usually from
    > one of the same sources with an otherwise identical TCP header. In
    > July and August, I was also seeing frequent hits (about 1 per minute)
    > to 53413/udp (attempt to exploit a Chinese chip-set in a home router),
    > but that seems to have died down lately. Hits on 22/tcp have been
    > relatively low for over a year (average about 1.5 attempts per hour).

    > Old guy

    iptables + ipset with public blocklists has kept port 22 spam in control
    for my internet-facing servers for over a decade now (your experience is
    far longer than mine) - but these blocklists are missing a vast number of
    port 23 bots. I think my list is the only one which documents port 23
    spam - I have done numerous spot checks and find IPs in my list are
    unique. Yes of course I send them on to blocklist.de too. Thanks for
    pinging my host and discovering the unusual ICMP response.

    It is interesting my fortune/cowsay daemon spits out a quote as soon as
    someone connects and enters anything, including just enter; but I see
    actual humans trying "test test" maybe once a month. As you said, I also
    see a pure DOS attempt maybe twice a day from numerous IPs in the same
    subnet (usually 20x.x.x.x/16), with idiotic password-guessing bots going
    in circles - about three to five of them - all the time.

    Whatever little contribution it may be, I am hoping folks who use the
    blocklist.de list for perimeter defense may see a wee bit of benefit.

    Other ideas on interesting uses for VPSs welcome. I am working on
    putting on a 2nd SIMH VAX online running OpenVMS 7.3.

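    Supratim's "iptables + ipset" setup above and Moe's complaint in his first reply (a thousand /32 DROP rules that never expire) both come down to how the list is loaded. The following Python is an added example, not either author's tooling: it reads a blocklist in an assumed format (one IPv4 address or CIDR per line, `#` comments; the sample is constructed), drops entries that have no business in a WAN-side list, and writes an `ipset restore` script in which every transient entry carries its own timeout, next to a second set with no timeout for the "permanent" ISP-sized ranges Moe mentions. The set names, the 48-hour default expiry and the ranges are illustrative values.

```python
"""Turn a plain-text blocklist into an `ipset restore` script whose entries
expire on their own, instead of accumulating as DROP rules that never go away.

Added example for this thread, not Supratim's or Moe's tooling.  Assumed (not
taken from the thread): one IPv4 address or CIDR per line with '#' comments;
SAMPLE_BLOCKLIST, PERMANENT_RANGES, the set names and the 48 h default expiry
are constructed values.
"""
import ipaddress

# Constructed sample input in the assumed format; not the real blocklist.txt.
SAMPLE_BLOCKLIST = """\
# brute-force sources, one per line
203.0.113.7
198.51.100.0/28
203.0.113.7        # duplicate: emitted once
10.0.0.5           # RFC 1918: never worth a WAN-side DROP rule
not-an-address     # garbage: skipped
192.0.2.200
"""

# Moe's "permanent" ISP-sized ranges go into a separate set with no expiry
# (constructed value).
PERMANENT_RANGES = ["198.51.100.0/24"]

# Ranges that must never end up in a WAN-side blocklist: "this" network,
# RFC 1918, CGNAT, loopback, link-local, multicast and class E.  The RFC 5737
# documentation ranges are deliberately left out of this list so that the
# constructed sample addresses above pass through.
SKIP_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


def parse_blocklist(text):
    """Return the unique IPv4 networks in `text`, skipping comments, blank
    lines, unparsable entries and anything overlapping SKIP_RANGES."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue          # not an address or prefix: ignore the line
        if net.version != 4 or any(net.overlaps(s) for s in SKIP_RANGES):
            continue
        if net not in nets:   # keep first occurrence only
            nets.append(net)
    return nets


def ipset_restore_script(transient, permanent, timeout=48 * 3600,
                         set_name="bl_transient", perm_name="bl_permanent"):
    """Emit the lines for `ipset -exist restore`.  Entries in the transient
    set carry a per-entry timeout in seconds, so the kernel removes them
    itself; the permanent set is created without timeout support."""
    lines = [
        f"create {set_name} hash:net family inet timeout {timeout}",
        f"create {perm_name} hash:net family inet",
    ]
    lines += [f"add {set_name} {n.with_prefixlen} timeout {timeout}"
              for n in transient]
    lines += [f"add {perm_name} {n.with_prefixlen}" for n in permanent]
    return lines


if __name__ == "__main__":
    transient = parse_blocklist(SAMPLE_BLOCKLIST)
    permanent = parse_blocklist("\n".join(PERMANENT_RANGES))
    # Pipe the output into `ipset -exist restore`, then reference each set
    # from a single rule instead of one DROP rule per address, e.g.
    #   iptables -I INPUT -i eth1 -m set --match-set bl_transient src -j DROP
    #   iptables -I INPUT -i eth1 -m set --match-set bl_permanent src -j DROP
    print("\n".join(ipset_restore_script(transient, permanent, timeout=720)))
```

    Re-running the script on every list refresh simply renews the timeouts of entries that are still listed (`-exist` makes repeated `add`s harmless), while anything that dropped out of the list ages out on its own after the chosen expiry, whether that is Supratim's 48 hours or Moe's 720 seconds.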
  • From Moe Trin@21:1/5 to Supratim Sanyal on Sat Oct 29 22:24:00 2016
    On Fri, 28 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in
    article <MPG.327d9502ab733f6f989682@reader80.eternal-september.org>,
    Supratim Sanyal wrote:

    > ibuprofin@painkiller.example.tld.invalid says...

    >> Hits on 22/tcp have been relatively low for over a year (average
    >> about 1.5 attempts per hour).

    > iptables + ipset with public blocklists has kept port 22 spam in
    > control for my internet-facing servers for over a decade now

    A man page to look at (from 'tar -tvzf tcp_wrappers_7.6.tar.gz')

    -r--r--r-- 309/326 15225 1995-01-30 11:51
    tcp_wrappers_7.6/hosts_access.5

    Notice the date. Then try 'man 5 hosts_access'. It's part of the
    tcp_wrappers or lib_wrap package from the last (April 1997) release
    of that now unmaintained (but still useful) program. Look down at the
    EXAMPLES section (about 9/10 of the way down the man-page). Either you
    are "MOSTLY CLOSED" or "MOSTLY OPEN". Do you check the identity of
    everyone trying to enter your house and only block them if they are on
    a list? Or do you block everyone, and only allow those on a different
    list in? Slight difference in practicality. Mentioned, I only
    allow blocks where I know authorized users might be located. When I
    (or other authorized users) were traveling to unknown places, the
    firewall here would have port-knocking enabled (user tries to connect
    to closed port $FOO and then $BAR - and the firewall would open from
    that IP for 30 seconds to allow establishing a connection to 22/tcp).
    That trick has been in use for over 30 years. Biggest problem with it
    is that some firewalls on the Internet block outbound connections to
    "unusual" ports, and that may prevent knocking port $BAZ or $QUX.

    > (your experience is far longer than mine)

    I actually was on DARPA net back in 1976 at NASA Ames, though it was
    not a primary part of my job then.

    > but these blocklists are missing a vast number of port 23 bots.

    I'm not sure it's even possible to come up with a reasonably accurate
    list - it changes so frequently. It's getting worse even now due to
    the "Internet of Things" (commonly written as "IoT") which includes
    all of the poorly designed devices in the modern home. Most of the
    current crop of 'bots are unprotected DVD players, Internet-enabled
    cameras, and similar. Search the Risks digest of the ACM (Association
    for Computing Machinery) which you can find as the Usenet newsgroup
    "news://comp.risks" on most news servers:

    [euclid news/comp.risks]$ zgrep -l IoT risks-29.[78]* | column
    risks-29.72.gz risks-29.81.gz risks-29.85.gz
    risks-29.75.gz risks-29.82.gz risks-29.86.gz
    risks-29.80.gz risks-29.84.gz risks-29.88.gz
    [euclid news/comp.risks]$

    It's a pretty well documented problem. Another word to search for at
    the moment is "Mirai".

    The malware, dubbed *Mirai*, spreads to vulnerable devices by
    continuously scanning the Internet for IoT systems protected by
    factory default or hard-coded usernames and passwords.

    When we got our first DVD player with a network interface, I did a
    quick NMAP scan of it. After it got an IP (via DHCP), I found it was
    listening for connections on two ports. One was 23/tcp, and it accepted
    a login as "admin" with a password of "pass" - no, I don't think this
    is going to remain connected to my network. The second one we bought
    accepted "admin" with a password of "admin". Such clever security!
    The current redeeming feature is that the 'bot software isn't loaded
    to disk (or equal), and the 'bot software goes away when the device is
    power-cycled. The problem is that everyone is buying this crap, and
    installing it while unaware that it's so vulnerable.

    > thanks for pinging my host and discovering the unusual ICMP response.

    ??? Not me.

    > I also see a pure DOS attempt maybe twice a day from numerous IPs in
    > the same subnet (usually 20x.x.x.x/16),

    Well, 20x.x* covers a lot of territory. Looking in the Regional
    Internet Registry delegation files for 10/15/16 (essentially, the data
    you see from a "whois" query), I see 10 blocks in AFRINIC, 10982 in
    APNIC, 12706 in ARIN, 3487 in LACNIC, and 4 in RIPENCC with an overall
    total of 167,768,528 (out of 167,772,160 possible) addresses. Those
    ~27000 blocks are registered in 116 countries. The last two log files
    I have (2 24 hour periods from this month) show a relatively flat
    distribution of IPs (173 of the 220 usable /8s). No single dominant
    block, although a significant (~4% ?) amount came from blocks assigned
    to LG Datacom (.kr), Kyivstar (.ua), and two Brazilian telcos.

    Old guy

  • From Supratim Sanyal@21:1/5 to All on Tue Nov 22 18:49:09 2016
    In article <slrno1a8cn.q8v.ibuprofin@planck.phx.az.us>, ibuprofin@painkiller.example.tld.invalid says...

    > On Fri, 28 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in
    > article <MPG.327d9502ab733f6f989682@reader80.eternal-september.org>,
    > Supratim Sanyal wrote:

    >> ibuprofin@painkiller.example.tld.invalid says...

    >>> Hits on 22/tcp have been relatively low for over a year (average
    >>> about 1.5 attempts per hour).

    >> iptables + ipset with public blocklists has kept port 22 spam in
    >> control for my internet-facing servers for over a decade now

    > A man page to look at (from 'tar -tvzf tcp_wrappers_7.6.tar.gz')
    >
    > -r--r--r-- 309/326 15225 1995-01-30 11:51
    > tcp_wrappers_7.6/hosts_access.5
    >
    > Notice the date. Then try 'man 5 hosts_access'. It's part of the
    > tcp_wrappers or lib_wrap package from the last (April 1997) release
    > of that now unmaintained (but still useful) program. Look down at the
    > EXAMPLES section (about 9/10 of the way down the man-page). Either you
    > are "MOSTLY CLOSED" or "MOSTLY OPEN". Do you check the identity of
    > everyone trying to enter your house and only block them if they are on
    > a list? Or do you block everyone, and only allow those on a different
    > list in? Slight difference in practicality. Mentioned, I only
    > allow blocks where I know authorized users might be located. When I
    > (or other authorized users) were traveling to unknown places, the
    > firewall here would have port-knocking enabled (user tries to connect
    > to closed port $FOO and then $BAR - and the firewall would open from
    > that IP for 30 seconds to allow establishing a connection to 22/tcp).
    > That trick has been in use for over 30 years. Biggest problem with it
    > is that some firewalls on the Internet block outbound connections to
    > "unusual" ports, and that may prevent knocking port $BAZ or $QUX.

    >> (your experience is far longer than mine)

    > I actually was on DARPA net back in 1976 at NASA Ames, though it was
    > not a primary part of my job then.

    >> but these blocklists are missing a vast number of port 23 bots.

    > I'm not sure it's even possible to come up with a reasonably accurate
    > list - it changes so frequently. It's getting worse even now due to
    > the "Internet of Things" (commonly written as "IoT") which includes
    > all of the poorly designed devices in the modern home. Most of the
    > current crop of 'bots are unprotected DVD players, Internet-enabled
    > cameras, and similar. Search the Risks digest of the ACM (Association
    > for Computing Machinery) which you can find as the Usenet newsgroup
    > "news://comp.risks" on most news servers:

    interesting - looks like mirai would have eventually got into your DVD
    players - looked up the password list it uses, it covers the ones your
    DVD players came with

    --
    Supratim Sanyal
    DECnet VMSMAIL: QCOCAL::SANYAL (via HECnet)
    Internet email: http://mcaf.ee/sdlg9f
    QCOCAL - VAXserver 3900/OpenVMS 7.3 - telnet://sanyalnet-openvms-vax.freeddns.org
    CLOUDY - VAX-11/780/OpenVMS 7.3 - SET HOST from QCOCAL
    JUICHI - PDP-11/24/RSX-11M-PLUS - SET HOST from QCOCAL
    SunOS 5.11/Solaris 11 OpenIndiana: ssh sanyal.duckdns.org
    SanyalCraft Minecraft Server: sanyal.duckdns.org:25565
    NTP servers: sanyalnet-ntp.freeddns.org,sanyalnet-cloud-vps.freeddns.org,sanyalnet-cloudvps2.freeddns.org
    Ad-Blocking Recursive DNS Servers: sanyalnet-cloud-vps.freeddns.org,sanyalnet-cloudvps2.freeddns.org
    WBRi Radio Stream: banglaradio.homeip.net:8000
    Anonymous FTP: sanyal.duckdns.org / HTTP wrapper for FTP: http://sanyal.duckdns.org:81

  • From Moe Trin@21:1/5 to Supratim Sanyal on Thu Nov 24 01:13:31 2016
    On Tue, 22 Nov 2016, in the Usenet newsgroup comp.os.linux.security, in
    article <MPG.329ea37bff320fd4989681@news.albasani.net>, Supratim Sanyal
    wrote:

    > ibuprofin@painkiller.example.tld.invalid says...

    >> Supratim Sanyal wrote:

    >>> but these blocklists are missing a vast number of port 23 bots.

    >> I'm not sure it's even possible to come up with a reasonably accurate
    >> list - it changes so frequently. It's getting worse even now due to
    >> the "Internet of Things" (commonly written as "IoT") which includes
    >> all of the poorly designed devices in the modern home. Most of the
    >> current crop of 'bots are unprotected DVD players, Internet-enabled
    >> cameras, and similar.

    > interesting - looks like mirai would have eventually got into your DVD
    > players

    Not likely mine - the firewall here blocks those unwanted inbounds, and
    the DVD players are intentionally not networked. If you want a simple
    hint about the prevalence of 'bots, set your firewall to "IGNORE" or
    "DROP" TCP connection attempts to ports 23 (and 2323), and then look at
    the values of the variables in the SYN packet headers received (the
    initial packet used to set up a TCP connection) - source port number is
    one, TCP window size is another (see a good networking textbook such as
    "TCP/IP Illustrated - Volume 1" by the late W. Richard Stevens for what
    is "normal" and notice the differences in what's hitting your address
    now). Also note the 'bots make a single SYN (in the absence of a reply)
    rather than 3 spaced several seconds apart. Last month, I enabled
    logging on the firewall for a day, and was seeing an _average_ of 81
    rather obvious 'bots per hour during the entire period. Based on the
    RFC defined protocols, more than 95% of the connection attempts I saw
    (1953 of 2029 in 24 hours) were 'bots. My firewall normally drops all
    "new" inbounds (not just to 23/tcp) and does not bother logging the
    idiots - which would be a waste of CPU cycles and disk space.

    > looked up the password list it uses, it covers the ones your
    > DVD players came with

    I ceased to be amazed at the gross stupidity of some manufacturers
    long ago. For a while in 2005, I was browsing a Usenet newsgroup
    named "alt.privacy.spyware" (still exists, but I haven't bothered with
    it since), and there were semi-regular posts with pointers to large
    lists of default passwords used by manufacturers who should have known
    better. "admin" with "admin" was very common, as was "admin" with ""
    (just hit Enter), and "admin" with "password" - the lead engineer and
    managers of those products should be lined up and shot _repeatedly_
    with a rusty keyboard. But they don't care, so I'm not sure it would
    do much good. In 2003, there was a windoze worm that went through the
    world effortlessly - search for "Deloder" or the CERT Advisory issued
    about it ("CA-2003-08 Increased Activity Targeting Windows Shares").
    Briefly, it attacked using the premise that every windoze administrator
    account was protected by one of just 86 possible passwords that were
    really un-guessable like "abc" or "123" (see the CERT Advisory for the
    actual list). But using *nix shouldn't make one feel superior as more
    than one security professional has pointed out to me - "CA-2003-08
    passwords are equally common in the rest of the computer world".

    Old guy

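    Moe's suggestion above, to drop 23/tcp and 2323/tcp and then look at the SYN header values and at whether a source retransmits, can be scripted against the firewall's own log. The following Python is an added example, not Moe's or Supratim's code. It assumes the syslog line format of the iptables LOG target (the sample lines are constructed, not from either author's firewall), treats repeats from the same source port at least one second apart as a real stack retransmitting, and pairs a source's 23/tcp and 2323/tcp SYNs by their (LEN, WINDOW, TTL) values as a stand-in for the "otherwise identical TCP header" Moe described earlier in the thread; those two thresholds are this example's choices.

```python
"""Sort the SYNs in a dropped-port firewall log into retransmitting-stack and
single-SYN sources, and tabulate the header values worth comparing.

Added example, not code from the thread's authors.  Assumed: iptables LOG
syslog format (SAMPLE_LOG is constructed), a 1 s minimum retransmission gap,
and (LEN, WINDOW, TTL) as the header fingerprint.
"""
import re
from collections import defaultdict
from datetime import datetime

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed iptables LOG lines.  203.0.113.45: one SYN each to 23 and 2323
# with identical headers.  198.51.100.9: the same SYN three times, 1 s and 2 s
# apart, the way a real stack retransmits when nothing answers.
# 192.0.2.77: a lone SYN to 2323.
SAMPLE_LOG = """\
Oct 22 03:14:07 fw kernel: IN=eth1 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=54321 PROTO=TCP SPT=7345 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 22 03:14:07 fw kernel: IN=eth1 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=54321 PROTO=TCP SPT=7345 DPT=2323 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 22 03:15:01 fw kernel: IN=eth1 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1001 PROTO=TCP SPT=49152 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 22 03:15:02 fw kernel: IN=eth1 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1002 PROTO=TCP SPT=49152 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 22 03:15:04 fw kernel: IN=eth1 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1003 PROTO=TCP SPT=49152 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 22 03:16:30 fw kernel: IN=eth1 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=3412 DPT=2323 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_syn(line):
    """Return the KEY=value fields of one LOG line as a dict plus a parsed
    timestamp, or None if the line is not a bare TCP SYN."""
    if "PROTO=TCP" not in line or " SYN " not in line or " ACK " in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["ts"] = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return rec


def classify(log_text, min_gap=1.0):
    """Group SYNs by (SRC, SPT, DPT).  A real stack retransmits the same SYN
    from the same source port seconds apart; a lone SYN per group is the
    single-packet behaviour the thread attributes to 'bots."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_syn(line)
        if rec:
            groups[(rec["SRC"], rec["SPT"], rec["DPT"])].append(rec)
    labels = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if len(recs) == 1:
            labels[key] = "single-syn"
        elif all(g >= min_gap for g in gaps):
            labels[key] = "retransmitting"
        else:
            labels[key] = "burst"      # repeats faster than any backoff timer
    return groups, labels


def header(rec):
    """The header fingerprint compared across packets (assumed choice).  A SYN
    with no TCP options is 40 bytes; a stack's SYN carries options."""
    return (rec["LEN"], rec["WINDOW"], rec["TTL"])


def summarize(log_text):
    """Counts per label, header tuples seen per label, sources whose 23/tcp
    and 2323/tcp SYNs share a header, and the non-stack fraction."""
    groups, labels = classify(log_text)
    out = {"single-syn": 0, "retransmitting": 0, "burst": 0,
           "headers": defaultdict(set), "paired_23_2323": set()}
    first_by_src = defaultdict(dict)
    for key, recs in groups.items():
        out[labels[key]] += 1
        out["headers"][labels[key]].add(header(recs[0]))
        first_by_src[key[0]].setdefault(key[2], recs[0])
    for src, by_port in first_by_src.items():
        a, b = by_port.get("23"), by_port.get("2323")
        if a and b and header(a) == header(b):
            out["paired_23_2323"].add(src)
    total = len(labels)
    out["bot_like_fraction"] = (total - out["retransmitting"]) / total if total else 0.0
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for label in ("single-syn", "burst", "retransmitting"):
        print(f"{label:15s} {s[label]:3d} groups  (LEN, WINDOW, TTL): {sorted(s['headers'][label])}")
    print("23/2323 twins:", sorted(s["paired_23_2323"]))
    print(f"bot-like fraction: {s['bot_like_fraction']:.0%}")
```

    Run against a day of `-j LOG` output for the dropped ports, the last figure is the same kind of number Moe quotes (1953 of 2029), and the per-label header sets show whether the lone SYNs also differ from the stack-like ones in length, window and TTL, which is what the textbook comparison he recommends amounts to.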
  • From Supratim Sanyal@21:1/5 to All on Sat Nov 26 17:59:07 2016
    In article <slrno3cfo3.gb2.ibuprofin@planck.phx.az.us>, ibuprofin@painkiller.example.tld.invalid says...

    > On Tue, 22 Nov 2016, in the Usenet newsgroup comp.os.linux.security, in
    > article <MPG.329ea37bff320fd4989681@news.albasani.net>, Supratim Sanyal
    > wrote:

    >> ibuprofin@painkiller.example.tld.invalid says...

    >>> Supratim Sanyal wrote:

    >>>> but these blocklists are missing a vast number of port 23 bots.

    >>> I'm not sure it's even possible to come up with a reasonably accurate
    >>> list - it changes so frequently. It's getting worse even now due to
    >>> the "Internet of Things" (commonly written as "IoT") which includes
    >>> all of the poorly designed devices in the modern home. Most of the
    >>> current crop of 'bots are unprotected DVD players, Internet-enabled
    >>> cameras, and similar.

    >> interesting - looks like mirai would have eventually got into your DVD
    >> players

    > Not likely mine - the firewall here blocks those unwanted inbounds, and
    > the DVD players are intentionally not networked. If you want a simple
    > hint about the prevalence of 'bots, set your firewall to "IGNORE" or
    > "DROP" TCP connection attempts to ports 23 (and 2323), and then look at
    > the values of the variables in the SYN packet headers received (the
    > initial packet used to set up a TCP connection) - source port number is
    > one, TCP window size is another (see a good networking textbook such as
    > "TCP/IP Illustrated - Volume 1" by the late W. Richard Stevens for what
    > is "normal" and notice the differences in what's hitting your address
    > now). Also note the 'bots make a single SYN (in the absence of a reply)
    > rather than 3 spaced several seconds apart. Last month, I enabled
    > logging on the firewall for a day, and was seeing an _average_ of 81
    > rather obvious 'bots per hour during the entire period. Based on the
    > RFC defined protocols, more than 95% of the connection attempts I saw
    > (1953 of 2029 in 24 hours) were 'bots. My firewall normally drops all
    > "new" inbounds (not just to 23/tcp) and does not bother logging the
    > idiots - which would be a waste of CPU cycles and disk space.

    >> looked up the password list it uses, it covers the ones your
    >> DVD players came with

    > I ceased to be amazed at the gross stupidity of some manufacturers
    > long ago. For a while in 2005, I was browsing a Usenet newsgroup
    > named "alt.privacy.spyware" (still exists, but I haven't bothered with
    > it since), and there were semi-regular posts with pointers to large
    > lists of default passwords used by manufacturers who should have known
    > better. "admin" with "admin" was very common, as was "admin" with ""
    > (just hit Enter), and "admin" with "password" - the lead engineer and
    > managers of those products should be lined up and shot _repeatedly_
    > with a rusty keyboard. But they don't care, so I'm not sure it would

    Made some progress. Looked deeper at one of my internet-facing OpenVMS
    VMs, clearly see "/bin/busybox MIRAI" forced right after the attempted
    password. I have OpenVMS logs already forwarded to a central linux
    syslog server, wrote a bash script to parse these and spoof pam privlog
    lines. fail2ban picks them up, and bans them as well as reports to
    blocklist.de ... spam has gone down but will not disappear because
    OpenVMS logs the hostname after a lookup and reverse-DNS does not work
    for all of the hostnames it logs. Kind of interesting to see it starting
    to work: https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=qcocal%20abuse

    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D>
    SERVER DATA: <0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D><0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A>
    +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: root
    SERVER DATA: r
    SERVER DATA: oot
    CLIENT DATA: <0x0D><0x0A>
    anko<0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00><0x0D><0x0A>

    SERVER DATA: s
    SERVER DATA: ystem<0x0D><0x0A>
    <0x0D>Password:
    CLIENT DATA: shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>
    /bin/busybox MIRAI<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: default<0x0D><0x0A>
    tluafed<0x0D><0x0A>

    SERVER DATA: d
    SERVER DATA: efault<0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00><0x0D><0x0A>

    SERVER DATA: s
    SERVER DATA: ystem<0x0D><0x0A>
    <0x0D>Password:
    CLIENT DATA: shell<0x00>
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00><0x0D><0x0A>

    SERVER DATA: s
    SERVER DATA: h<0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: /bin/busybox MIRAI<0x00>
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D><0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D>
    SERVER DATA: <0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: admin
    SERVER DATA: a
    SERVER DATA: dmin
    CLIENT DATA: <0x0D><0x0A>
    4321<0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00><0x0D><0x0A>

    SERVER DATA: s
    SERVER DATA: ystem<0x0D><0x0A>
    <0x0D>Password:
    CLIENT DATA: shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>
    /bin/busybox MIRAI<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: root
    SERVER DATA: r
    SERVER DATA: oot
    CLIENT DATA: <0x0D><0x0A>
    admin<0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00>
    SERVER DATA: s
    SERVER DATA: ystem
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: /bin/busybox MIRAI<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D>
    SERVER DATA: <0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D><0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: admin
    SERVER DATA: a
    SERVER DATA: dmin
    CLIENT DATA: <0x0D><0x0A>
    <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00><0x0D><0x0A>

    SERVER DATA: s
    SERVER DATA: ystem<0x0D><0x0A>
    <0x0D>Password:
    CLIENT DATA: shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: /bin/busybox MIRAI<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D><0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are
    <0x0D>
    SERVER DATA: <0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: root
    SERVER DATA: r
    SERVER DATA: oot
    CLIENT DATA: <0x0D><0x0A>
    admin<0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00>
    SERVER DATA: s
    SERVER DATA: ystem
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: /bin/busybox MIRAI<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D><0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D>
    SERVER DATA: <0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: admin
    SERVER DATA: a
    SERVER DATA: dmin
    CLIENT DATA: <0x0D><0x0A>
    pass<0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00><0x0D><0x0A>

    SERVER DATA: s
    SERVER DATA: ystem<0x0D><0x0A>
    <0x0D>Password:
    CLIENT DATA: shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>
    /bin/busybox MIRAI<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: root
    SERVER DATA: r
    SERVER DATA: oot
    CLIENT DATA: <0x0D><0x0A>
    realtek<0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00>
    SERVER DATA: s
    SERVER DATA: ystem
    CLIENT DATA: <0x0D><0x0A>
    shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: /bin/busybox MIRAI<0x00>
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D><0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
    <0x0D><0x0A>
    +--<0x0D>
    SERVER DATA: <0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + user.<0x0D><0x0A>
    +<0x0D><0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: admin
    SERVER DATA: a
    SERVER DATA: dmin
    CLIENT DATA: <0x0D><0x0A>
    smcadmin<0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00>
    SERVER DATA: s
    SERVER DATA: ystem
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    CLIENT DATA: /bin/busybox MIRAI<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    CLIENT CONNECTION RECEIVED
    SERVER CONNECTION ESTABLISHED
    SERVER IAC WILL 1 (ECHO)
    SERVER IAC WILL 3 (SGA)
    SERVER DATA: <0x0D><0x0A>
    WELCOME TO<0x0D>
    SERVER DATA: <0x0A>
    ___ _ _ _ __ __ _ _ _ _ ___ _____
    <0x0D><0x0A>
    / __| /_\ | \| | \ \ / / /_\ | | | \| | | __| |_ _|
    <0x0D><0x0A>
    \__ \ / _ \ | .` | \ V / / _ \ | |__ | .` | | _| | |
    <0x0D><0x0A>
    |___/ /_/_\_\_|_|\_| |_| /_/ \_\ |____| |_|\_| |___|_ |_|
    <0x0D><0x0A>
    <0x0D><0x0A>
    <0x0D><0x0A>
    VAX-11/780 | OpenVMS V7.3<0x0D><0x0A>
    <0x0D><0x0A>
    +--<0x0D><0x0A>
    + This is a private hobbyist OpenVMS/VAX server. All connections are <0x0D><0x0A>
    + monitored and recorded. Disconnect NOW if you are not an authorized <0x0D><0x0A>
    + use
    SERVER DATA: r.<0x0D><0x0A>
    +<0x0D>
    SERVER DATA: <0x0A>
    + GUEST Account: Login as GUEST with password WELCOME123<0x0D><0x0A> +--<0x0D><0x0A>
    <0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT IAC DO 1 (ECHO)
    CLIENT DATA: administrator
    SERVER DATA: a
    SERVER DATA: dministrator
    CLIENT DATA: <0x0D><0x0A>
    1234<0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    CLIENT DATA: enable<0x00>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Username:
    CLIENT DATA: system<0x00><0x0D><0x0A>

    SERVER DATA: s
    SERVER DATA: ystem<0x0D><0x0A>
    <0x0D>Password:
    CLIENT DATA: shell<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DATA: <0x0A>
    <0x0D>Username:
    CLIENT DATA: sh<0x00>
    SERVER DATA: s
    SERVER DATA: h
    CLIENT DATA: <0x0D><0x0A>
    /bin/busybox MIRAI<0x00><0x0D><0x0A>

    SERVER DATA: <0x0D><0x0A>

    SERVER DATA: <0x0D>Password:
    SERVER DATA: <0x0D><0x0A>
    User authorization failure<0x0D>
    SERVER DISCONNECTED
    BOTH CONNECTIONS CLOSED
    LISTENING ON PORT 23
    ^C

    --
    Supratim Sanyal
    DECnet VMSMAIL: QCOCAL::SANYAL (via HECnet)
    Internet email: http://mcaf.ee/sdlg9f
    QCOCAL - VAXserver 3900/OpenVMS 7.3 - telnet://sanyalnet-openvms-vax.freeddns.org
    QCOCAL WASD: http://sanyalnet-openvms-vax.freeddns.org:82/
    CLOUDY - VAX-11/780/OpenVMS 7.3 - SET HOST from QCOCAL
    JUICHI - PDP-11/24/RSX-11M-PLUS - SET HOST from QCOCAL
    SunOS 5.11/Solaris 11 OpenIndiana: ssh sanyal.duckdns.org
    SanyalCraft Minecraft Server: sanyal.duckdns.org:25565
    NTP servers: sanyalnet-ntp.freeddns.org,sanyalnet-cloud-vps.freeddns.org,sanyalnet-cloudvps2.freeddns.org
    Ad-Malware-Ransomware Blocking Recursive DNS Servers: sanyalnet-cloud-vps.freeddns.org,sanyalnet-cloudvps2.freeddns.org
    WBRi Radio Stream: banglaradio.homeip.net:8000
    Anonymous FTP (Solaris 11): sanyal.duckdns.org / HTTP wrapper for FTP: http://sanyal.duckdns.org:81

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
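    The Mirai-style exchange in the transcript above, reassembled programmatically. This is an added example, not code from the original post or from any tool the poster used. It assumes the proxy's transcript format exactly as it appears in the log (`CLIENT DATA:` / `SERVER DATA:` chunks, `<0xNN>` byte escapes, a chunk containing a newline spilling onto the following transcript line) and runs over a constructed two-connection excerpt written in that format. It rebuilds each client's byte stream, splits it at CRLF into the credential pair and the commands sent afterwards, and flags the `/bin/busybox MIRAI` probe.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the proxy's transcript format: one Mirai-style
# connection (blank password, then the enable/system/shell/sh escape
# sequence and the busybox probe) and one ordinary failed login.
SAMPLE_LOG = """\
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER IAC WILL 1 (ECHO)
SERVER DATA: <0x0D>Username:
CLIENT IAC DO 1 (ECHO)
CLIENT DATA: admin
SERVER DATA: a
SERVER DATA: dmin
CLIENT DATA: <0x0D><0x0A>
<0x0D><0x0A>

SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: enable<0x00>
SERVER DATA: <0x0A>
<0x0D>Username:
CLIENT DATA: <0x0D><0x0A>

SERVER DATA: <0x0D>Username:
CLIENT DATA: system<0x00><0x0D><0x0A>

SERVER DATA: <0x0D>Password:
CLIENT DATA: shell<0x00><0x0D><0x0A>

SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
CLIENT DATA: sh<0x00>
SERVER DATA: s
SERVER DATA: h
CLIENT DATA: <0x0D><0x0A>
/bin/busybox MIRAI<0x00><0x0D><0x0A>

SERVER DATA: <0x0D>Password:
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
LISTENING ON PORT 23
CLIENT CONNECTION RECEIVED
SERVER CONNECTION ESTABLISHED
SERVER DATA: <0x0D>Username:
CLIENT DATA: guest<0x0D><0x0A>
SERVER DATA: <0x0D>Password:
CLIENT DATA: welcome123<0x0D><0x0A>
SERVER DATA: <0x0D><0x0A>
User authorization failure<0x0D>
SERVER DISCONNECTED
BOTH CONNECTIONS CLOSED
"""

BYTE_ESCAPE = re.compile(r"<0x([0-9A-Fa-f]{2})>")
# Lines the proxy itself emits. Any other line is the tail of the previous
# DATA chunk: the proxy prints raw bytes, so a chunk containing a newline
# spills onto the next transcript line. (A password that itself begins with
# one of these words would be misread; the format leaves no way to tell.)
EVENT_PREFIXES = ("CLIENT ", "SERVER ", "LISTENING ", "BOTH ")
MIRAI_PROBE = "/bin/busybox MIRAI"


def decode_escapes(text: str) -> str:
    """Turn the proxy's <0xNN> notation back into the characters it stands for."""
    return BYTE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


@dataclass
class Connection:
    client_stream: str = ""  # everything the client sent, reassembled in order

    def tokens(self) -> list:
        # Every credential and command is CRLF-terminated; the loader also
        # appends a NUL to each post-login command, which is discarded here.
        parts = [p.replace("\x00", "") for p in self.client_stream.split("\r\n")]
        if parts and parts[-1] == "":
            parts.pop()  # the stream ends with CRLF, so drop the empty tail
        return parts

    @property
    def username(self) -> str:
        t = self.tokens()
        return t[0] if len(t) > 0 else ""

    @property
    def password(self) -> str:
        t = self.tokens()
        return t[1] if len(t) > 1 else ""

    @property
    def commands(self) -> list:
        return self.tokens()[2:]


def parse_transcript(text: str) -> list:
    """Split a transcript into connections, keeping only the client side."""
    conns, conn, side = [], None, None
    for line in text.splitlines():
        if line.startswith("CLIENT CONNECTION RECEIVED"):
            conn = Connection()
            conns.append(conn)
            side = None
        elif line.startswith("CLIENT DATA: "):
            if conn is None:  # transcript cut off mid-session, as at the top of the post
                conn = Connection()
                conns.append(conn)
            conn.client_stream += decode_escapes(line[len("CLIENT DATA: "):])
            side = "client"
        elif line.startswith("SERVER DATA: "):
            side = "server"
        elif line.startswith(EVENT_PREFIXES):
            side = None
        elif side == "client":
            conn.client_stream += decode_escapes(line)
    return conns


def is_mirai(conn: Connection) -> bool:
    """The loader fingerprints the shell with this probe right after the login attempt."""
    return MIRAI_PROBE in conn.commands


def credential_counts(conns: list) -> Counter:
    """Which username/password pairs were tried, and how often."""
    return Counter((c.username, c.password) for c in conns)


if __name__ == "__main__":
    for i, c in enumerate(parse_transcript(SAMPLE_LOG), 1):
        tag = "MIRAI" if is_mirai(c) else "plain"
        print(f"conn {i}: {tag:5} user={c.username!r} pass={c.password!r} cmds={c.commands}")
```

    The blank password in the first sample connection corresponds to the `admin` attempt in the log above, where the client sent two CRLFs in a row. The fail2ban-style banning described in the thread needs a source address, which this transcript format does not record, so the parser stops at classifying connections and counting credential pairs.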
  • From Moe Trin@21:1/5 to Supratim Sanyal on Mon Nov 28 02:10:02 2016
    On Sat, 26 Nov 2016, in the Usenet newsgroup comp.os.linux.security, in article <MPG.32a3ddc17009d6e5989683@news.albasani.net>, Supratim Sanyal wrote:

    ibuprofin@painkiller.example.tld.invalid says...

    Last month, I enabled logging on the firewall for a day, and was
    seeing an _average_ of 81 rather obvious 'bots per hour during the
    entire period. Based on the RFC defined protocols, more than 95% of
    the connection attempts I saw (1953 of 2029 in 24 hours) were 'bots.

    Made some progress. Looked deeper at one of my internet-facing OpenVMS
    VMs, clearly see "/bin/busybox MIRAI" forced right after the attempted password. I have OpenVMS logs already forwarded to a central linux
    syslog server, wrote a bash script to parse these and spoof pam
    privlog lines. fail2ban picks them up, and bans them as well as
    reports to blocklist.de ...

    Seems like a waste of CPU cycles to me - how many sane people offer a
    server on port 23 today (since... maybe 1999 or so)? Busybox itself
    is not the problem - it's the idiots who fail to secure the boxes where
    busybox is frequently a main tool - routers, DVDs, etc. Lately, I'm
    also seeing an up-tick in connection attempts to 7547/tcp (the RomPager web-server used on routers/DVD-players/etc.) which is another massive
    security hole. Thing is, it's a moving target - two months ago, I was
    seeing 30-50 hits/hour on 53413/udp (Netis/NetCore router backdoor),
    while in the first several months of this year it was DDOS attacks
    using mis-configured DNS servers (and in consequence, lots of hits on
    53/udp looking for open nameservers).

    spam has gone down but will not disappear

    'spam' is what you get in the mail - and actually, my received spam
    levels have decreased over the past 15 years. I can't remember the
    last time I was offered pills at lower costs, a lower interest rate on
    the credit card/mortgage or multiple millions of $CURRENCY_UNITS from
    the wife of the deceased dictator of Lower Whoositz or what-ever.

    OpenVMS logs the hostname after a lookup and reverse-DNS does not work
    for all of the hostnames it logs.

    Used to was, ("man 5 hosts_access") we did reverse lookups to validate
    any remote trying to connect:

    PARANOID
    Matches any host whose name does not match its address. When
    tcpd is built with -DPARANOID (default mode), it drops requests
    from such clients even before looking at the access control
    tables. Build without -DPARANOID when you want more control
    over such requests.

    but I'm seeing a substantial number of ISPs that don't bother setting
    up PTR records on their DNS. In the late-1980s when I was also doing
    registrar duties and responsible for the division's DNS and NIS yellow
    pages services, we had a Makefile ("man 1 make") that automagically
    parsed the source hosts file we used to create the appropriate (DNS and
    NIS) file entries from a single entry - it was assumed that an A record
    in DNS (hostname to IP) would have a matching PTR record (IP to
    hostname) as well as the "yp" files that are similar to looking in the /etc/hosts files. The sub-domain I was responsible for had some 31000
    IPv4 addresses to match up - which any idiot who knows shell scripting
    can handle. There was even a Perl script that was supplied with bind
    (Berkeley Internet Name Daemon - the de-facto standard name server)
    that would create the appropriate DNS zone files from a source file
    that was formatted like /etc/hosts. ISPs seem to lack this caliber of
    skill - I guess the drug crazed chimpanzees (hired because their 7
    bananas/day wage is what the ISP can pay and still make a profit) they
    are using as network administrators were not trained. Consequently, I
    am used to seeing /12s (255.240.0.0) either return NXDOMAIN, SERVFAIL, "localhost" or "." to any PTR lookup. Another source of the problem is
    virtual hosts - when you have 100 hostname (A) records pointing to a
    single IP, which name should your PTR record for that IP point to? You
    may find the RFC "draft-ietf-dnsop-isp-ip6rdns" interesting. The
    abstract for version -02 of the document reads

    "Reverse DNS in IPv6 for Internet Service Providers", Lee Howard,
    2016-07-18, <draft-ietf-dnsop-isp-ip6rdns-02.txt>

    In IPv4, Internet Service Providers (ISPs) commonly provide IN-
    ADDR.ARPA information for their customers by prepopulating the zone
    with one PTR record for every available address. This practice does
    not scale in IPv6. This document analyzes different approaches and
    considerations for ISPs in managing the ip6.arpa zone for IPv6
    address space assigned to many customers.

    There are several paragraphs in that document (use a search engine, or
    try "ftp search.ietf.org" and look in the /internet-drafts/ directory)
    are discouraging, but when the smallest IPv6 address block being handed
    out to end-users is a /96 (ffff:ffff:ffff:ffff:ffff:ffff:0000:0000 or
    2^32 hosts), it's not unexpected.

    Old guy

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
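    The PARANOID check quoted above, as an added example that is part of neither post and is not tcpd's own code. It reproduces the hosts_access(5) rule in Python: take the PTR name for the connecting address, resolve that name forward, and call the client PARANOID when the address is not among the answers. The lookup tables and the RFC 5737 / RFC 3849 documentation addresses are constructed so the example runs offline; the `SystemResolver` class is the same check against real DNS and is assumed to be wired in by the caller.

```python
import ipaddress
import socket


class SystemResolver:
    """Looks up PTR and forward records through the host's stub resolver.
    Needs network access; not used by the offline demonstration below."""

    def ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:  # NXDOMAIN, SERVFAIL, timeout: no usable name
            return None

    def forward(self, name):
        try:
            return {info[4][0] for info in socket.getaddrinfo(name, None)}
        except OSError:
            return set()


class TableResolver:
    """Constructed stand-in for DNS so the check can run without a network."""

    def __init__(self, ptr_records, forward_records):
        self._ptr = ptr_records
        self._fwd = forward_records

    def ptr(self, ip):
        return self._ptr.get(ip)

    def forward(self, name):
        return set(self._fwd.get(name, ()))


def _canonical(addr):
    # Compare addresses numerically so "2001:0db8::1" and "2001:db8::1" agree
    return ipaddress.ip_address(addr)


def classify(ip, resolver):
    """tcpd-style verdict: OK, UNKNOWN (no PTR at all) or PARANOID (the PTR
    name's forward records do not include the address that claimed it)."""
    name = resolver.ptr(ip)
    if not name:
        return "UNKNOWN"
    addrs = set()
    for a in resolver.forward(name):
        try:
            addrs.add(_canonical(a))
        except ValueError:
            continue  # garbage answer; it cannot match anything
    return "OK" if _canonical(ip) in addrs else "PARANOID"


def allow(ip, resolver, drop_unknown=False):
    """-DPARANOID behaviour: PARANOID hosts are dropped before any access
    table is consulted. Dropping UNKNOWN (PTR-less) hosts too is a separate
    policy knob, since whole ISP ranges simply have no PTRs."""
    verdict = classify(ip, resolver)
    if verdict == "PARANOID":
        return False
    if verdict == "UNKNOWN":
        return not drop_unknown
    return True


# Constructed records using documentation prefixes (192.0.2.0/24,
# 198.51.100.0/24, 2001:db8::/32); none of these names or addresses is real.
DEMO = TableResolver(
    ptr_records={
        "192.0.2.10": "mx.example.net",       # PTR and A agree
        "192.0.2.11": "localhost",            # the "localhost" PTR seen on some ISP ranges
        "192.0.2.12": "host-12.example.org",  # PTR names a host whose A points elsewhere
        "192.0.2.14": ".",                    # the bare "." answer the post mentions
        "2001:db8::1": "v6.example.net",      # IPv6, forward record written in long form
        # 192.0.2.13 deliberately has no PTR at all
    },
    forward_records={
        "mx.example.net": ["192.0.2.10", "192.0.2.20"],  # several A records is fine
        "localhost": ["127.0.0.1"],
        "host-12.example.org": ["198.51.100.12"],
        "v6.example.net": ["2001:0db8:0000:0000:0000:0000:0000:0001"],
    },
)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14", "2001:db8::1"):
        print(f"{ip:12} {classify(ip, DEMO):8} allow={allow(ip, DEMO)}")
```

    The `drop_unknown` knob is where the caveat in the post lands: with -DPARANOID, tcpd drops only hosts whose name and address disagree, while a host with no PTR at all is UNKNOWN and survives to the access tables. Turning UNKNOWN into a drop would refuse every address in the ranges that answer NXDOMAIN or SERVFAIL to all PTR queries, which is a policy decision rather than a correctness one. `socket.gethostbyaddr` also returns only the first PTR name; an address with several PTRs would pass if any of them resolved back, and this check does not go that far.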