Subj : Re: Housekeeping
To   : Adept
From : DustCouncil
Date : Sat Jan 21 2023 19:39:08

Ad> Since these bots are looking for servers to exploit, and don't at all
Ad> care about BBSs. I'm wondering what level of bot makers even _think_
Ad> about BBS servers. Talk about a niche market, and a niche market where,

I wrote a "poor man's honeypot" in some Python a while back which simulated a Login and Password prompt. If the intruder entered "root" as the user, I gave them a # prompt, and anything else a $ prompt. As far as I can tell, all of these bum connections were scripts, not human beings manually entering data.

The effect, obviously, is to give the script the impression they'd made it in and were sitting at a shell prompt. These scripts then used busybox (busybox is central to nearly all of these port 23 attacks) to issue a few commands, and then download and run scripts from remote locations. In other cases (most of them, actually) it appeared to count on an already-compromised busybox executable to do what it wanted. I don't know why there was an expectation of a compromised busybox there, but I suspect some cheap SOHO routers, or possibly security cameras, got out with a compromised busybox. These scripts were written to exploit these compromised devices. There were multiple IPs over broad time periods using the same credentials.

Of course, since it was just a Python script, it logged whatever the script "typed" and didn't run anything.

Those Port 23 attackers are:

* Automated scripts which appear to be looking for anything with Port 23 open, possibly by doing wide-range IP portscans
* Specifically looking to run busybox, in almost all cases
* Annoying but ultimately impotent

From the period between December 2 and January 1, the counts of unique IPs for "ports no one should ever be connecting to" on my home Internet connection (i.e., not where I ran this honeypot) are:

Telnet [23] - 13258 unique IPs (!)
ssh    [22] -  3461 unique IPs
http   [80] -  2747 unique IPs

These are the top (most frequently hit) ports; telnet is routinely hit (or scanned) more than any other. I would note that I do not run my BBS on my home connection, nor have I ever run anything with ingress on port 23. My firewall is configured to DROP every kind of new connection; there are no ports responding with OPEN, CLOSED, or FILTERED. The takeaway here is that there is no reason (other than being in the known IP range of a large ISP) anyone should be hitting these ports. If you run a server on port 23 (like a BBS), the only thing that could possibly do is amplify the number of hits, especially if someone is downloading a report from, say, shodan.io on port 23 and is feeding that into their scripts.

These are a few of the credential pairs my "poor man's honeypot" detected on port 23. These are presumably the credentials of known backdoored systems. I expect exactly zero of these should work on any BBS. And since these scripts are almost always looking for a shell prompt, should someone create an account on your system with these pairs, the script would fail. It would either never execute (no $ or # prompt), or the badly written ones would try to run their payload at the first "press key to continue" prompt. There are a lot of bad scripts: scripts that are stymied by an unexpected prompt (e.g., ! rather than # or $). Most scripts do not try to detect if busybox is even installed. I forget how, but I even trapped one in a kind of quicksand; it kept retrying its payload over and over again.

root password
root 123456
root jvbzd
root ROOT500
root aquario
root qazxsw
admin pass
Admin 5up
admin 12345
root ttnet
root anko
root admin
root gpon
admin admin
root 1234
root founder88
,|J=y=1j`cnws[k?/+ /5�
admin admin1234
root juantech
guest 12345
root 123123
root ttnet
root admin
root 12345
root ivdev
root xc3511
admin admin1234
root dreambox
root alpine
root root
admin 1111111
root pon521
Admin 5up
service service
root xmhdipc
root 54321
ubnt ubnt
admin meinsm
service service
default antslq
root xmhdipc
admin smc

Port 23 is a cesspool of a port. That so many hits occur on that port suggests a lot of garbage hardware is still connectable there.

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
 * Origin: Shipwrecks & Shibboleths [San Francisco, CA - USA] (21:1/227)
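A "poor man's honeypot" of the kind described in the post above, written as an added example for this page; it is not DustCouncil's script. It does what the post describes: a fake login and password prompt, a # prompt for "root" and a $ prompt for anyone else, and a log of whatever the connecting script types, with nothing ever executed. Everything beyond that is my own assumption: the hostname "router", listening on port 2323 instead of 23, the 40-line cap per connection (so a script stuck retrying its payload cannot hold a thread forever), the JSON log line, and the busybox "applet not found" reply. The IAC stripping is there because telnet clients and scanners often send option-negotiation bytes before or mixed into the typed text.

```python
"""Telnet login honeypot: fake login/password prompts, fake # or $ shell, log
everything, execute nothing.  Added example, not the script from the post.
Assumed here: hostname "router", port 2323, the 40-line cap, the JSON log line
and the busybox "applet not found" reply."""
import json
import socketserver

IAC, SB, SE = 255, 250, 240   # telnet protocol bytes (RFC 854)
MAX_LINES = 40                # cap so a script retrying forever cannot hold a thread


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (IAC sequences) so only typed text remains."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:                   # lone IAC at end of buffer: drop it
            break
        elif data[i + 1] == IAC:           # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:            # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif 251 <= data[i + 1] <= 254:    # WILL/WONT/DO/DONT carry one option byte
            i += 3
        else:                              # other commands (NOP, GA, ...) take no argument
            i += 2
    return bytes(out)


class FakeShell:
    """State machine for one connection: login -> password -> fake shell."""
    LOGIN, PASSWORD, SHELL = "login", "password", "shell"

    def __init__(self, hostname: str = "router"):
        self.hostname = hostname
        self.state = self.LOGIN
        self.user = None
        self.creds = []        # (user, password) pairs the client tried
        self.commands = []     # every line "typed" at the fake shell

    def prompt(self) -> str:
        if self.state == self.LOGIN:
            return f"{self.hostname} login: "
        if self.state == self.PASSWORD:
            return "Password: "
        return "# " if self.user == "root" else "$ "   # root gets #, anyone else $

    def feed(self, line: str) -> str:
        """Consume one line from the client; return the text to send back."""
        line = line.rstrip("\r\n")
        if self.state == self.LOGIN:
            if line:                       # scripts often send a bare CRLF first; just re-prompt
                self.user = line
                self.state = self.PASSWORD
            return self.prompt()
        if self.state == self.PASSWORD:
            self.creds.append((self.user, line))
            self.state = self.SHELL        # every password "works"
            return "\r\n" + self.prompt()
        # Fake shell: record the command, never run it.
        self.commands.append(line)
        if line.strip() in ("exit", "logout"):
            self.state, self.user = self.LOGIN, None
            return "\r\n" + self.prompt()
        reply = ""
        if "busybox" in line.lower():
            # A real busybox answers an unknown applet this way; busybox-probing
            # scripts look for this string, so replying keeps them talking.
            reply = f"{line.split()[-1]}: applet not found\r\n"
        return reply + self.prompt()


class HoneypotHandler(socketserver.StreamRequestHandler):
    def handle(self):
        shell = FakeShell()
        self.wfile.write(shell.prompt().encode("latin-1"))
        for _ in range(MAX_LINES):
            raw = self.rfile.readline()
            if not raw:
                break
            # latin-1 round-trips any byte, so binary junk in credentials is logged verbatim
            line = strip_telnet_iac(raw).decode("latin-1")
            self.wfile.write(shell.feed(line).encode("latin-1"))
        print(json.dumps({"peer": self.client_address[0], "creds": shell.creds,
                          "commands": shell.commands}), flush=True)


def serve(port: int = 2323):
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), HoneypotHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()   # redirect 23 -> 2323 with a NAT rule rather than running this as root
```

Run it on a throwaway host or VM that is not your home connection, and feed it a transcript by hand with a telnet client to see the prompts; the log line per connection carries the credential pairs and the commands, which is all the post's script needed to produce its list. The FakeShell class has no network dependency, so the same state machine can be exercised offline with a scripted exchange.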