• botnets

    From Lesser Keys@DIGDIST/BATTLEST/FREEWAY to All on Fri Jan 24 00:25:00 2014
    I have found a way to get rid of the botnets; for one, my IP ban works great! We are using a small DD-WRT router for now, it works great, but in the future we are going to have a Cisco router for sure. As of now I found a great thing about DD-WRT routers, or any router in general. If you have a basic router, you may want to consider flashing its BIOS and installing the DD-WRT router's operating system. It is quite robust, so that's why I recommend it. If you already have a Cisco router set up with the correct iptables, this message isn't for you.
    If your router supports scripts, try to find a script that bans botnet-infested IPs via iptables; they are everywhere on the net.
    If not, you may want to flash your router's BIOS and install DD-WRT's operating system on it. Their operating system is quite robust, and is capable of executing scripts.
    I installed the script into the router's BIOS by running it, and I haven't had a bad bot try to hack into my server since. The script bans all of Chinanet, and some other areas known for botnets. If you don't want to risk banning a whole country like China then don't do it. I personally haven't found a single user from those certain countries. That's not to say decent users are out there in those countries, but it's few and far between. Many of them are mingled in with the bad bots so it's hard to tell. I for one don't want to get blacklisted or get a bad name for this server, so to me it's worth it. The script also bans regions like Afghanistan and Pakistan.
    Hope this helps sysops keep their systems spam-free!

    ... I only touch base with reality on an as-needed basis!
    Solomon's Temple BBS
    Home to Starr-Net
    Telnet://solomonstemplebbs.com, https://solomonstemplebbs.com




    ---
    ■ Synchronet ■ Solomon's Temple telnet://solomonstemplebbs.com, Home to Starr-Net
  • From Nightfox@DIGDIST/BATTLEST/FREEWAY to Lesser Keys on Fri Jan 24 06:53:00 2014
    Re: botnets
    By: Lesser Keys to All on Fri Jan 24 2014 01:25:51

    the future we are going to have a Cisco router for sure. As of now I
    found a great thing about DD-WRT routers, or any router in general. If
    you have a basic router, you may want to consider flashing its BIOS and installing the DD-WRT router's operating system. It is quite robust, so that's why I recommend it. If you already have a Cisco router set up with the correct iptables, this message isn't for you.

    If not, you may want to flash your router's BIOS and install DD-WRT's operating system on it. Their operating system is quite robust, and is capable of executing scripts.

    I installed the script into the router's BIOS by running it, and I
    haven't had a bad bot try to hack into my server since. The script bans all of Chinanet, and some other areas known for botnets. If you don't

    I totally agree. I have a fairly high-end router (an Asus RT-N66U - At least it was high-end a couple years ago when I bought it) - It supports 3rd-party firmware but it seems difficult to flash DD-WRT on it. I did flash Tomato on it though. I found out that Tomato supports iptables scripts too, so I put some of my known "bad" IPs in there to be blocked at the router level so they don't even hit my server. I like not having to have attacks from already-blocked IP addresses still hammering my server.

    I've thought about trying to flash DD-WRT on my router again, since I think some progress has been made to enable DD-WRT on my router - but at the same time, I kinda like Tomato too, and if it's not broken, don't fix it. The stock Asus firmware was actually fairly good and had almost all the features that Tomato has. I think Tomato still provides a couple extra features though, such as iptables and data monitoring - It lets you see how much you have uploaded and downloaded in the last day, week, month, etc. That can be useful if your ISP has a monthly data transfer cap.

    I really liked the DD-WRT firmware though. And this may seem silly, but one of my favorite things about DD-WRT was its look & feel - I think it looked really nice. But that may have changed though.

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
  • From Lesser Keys@DIGDIST/BATTLEST/FREEWAY to Nightfox on Fri Jan 24 13:11:00 2014
    Re: botnets
    By: Nightfox to Lesser Keys on Fri Jan 24 2014 07:53 am

    I totally agree. I have a fairly high-end router (an Asus RT-N66U - At least it was high-end a couple years ago when I bought it) - It supports 3rd-party firmware but it seems difficult to flash DD-WRT on it. I did flash Tomato on it though. I found out that Tomato supports iptables scripts too, so I put some of my known "bad" IPs in there to be blocked at the router level so they don't even hit my server. I like not having to have attacks from already-blocked IP addresses still hammering my server.

    I've thought about trying to flash DD-WRT on my router again, since I think some progress has been made to enable DD-WRT on my router - but at the same time, I kinda like Tomato too, and if it's not broken, don't fix it. The stock Asus firmware was actually fairly good and had almost all the features that Tomato has. I think Tomato still provides a couple extra features though, such as iptables and data monitoring - It lets you see how much you have uploaded and downloaded in the last day, week, month, etc. That can be useful if your ISP has a monthly data transfer cap.

    Well, if Tomato has iptables I would continue using it, as it's not worth changing everything for a different interface. I think DD-WRT's user interface is really easy to use, organized, and better than most router operating systems that I have used. Not to say that many others aren't just as good. I have heard a lot of good things about DD-WRT routers. There have been a few infected computers on Comcast, i.e. Time Warner Cable's, networks, but they aren't as relentless as the ones I encountered from Chinanet.
    I bet the guy who was controlling those bots is wondering why those bots aren't connecting to our server anymore. Muahahahah (Dr. Evil laugh)

    ... What a man needs in gardening is a cast iron back with a hinge in it.
    Solomon's Temple BBS
    Home to Starr-Net
    Telnet://solomonstemplebbs.com, https://solomonstemplebbs.com




    ---
    ■ Synchronet ■ Solomon's Temple telnet://solomonstemplebbs.com, Home to Starr-Net
  • From Nightfox@DIGDIST/BATTLEST/FREEWAY to Lesser Keys on Fri Jan 24 22:27:00 2014
    Re: botnets
    By: Lesser Keys to Nightfox on Fri Jan 24 2014 14:11:38

    Well, if Tomato has iptables I would continue using it, as it's not worth changing everything for a different interface. I think DD-WRT's user interface is really easy to use, organized, and better than most router operating systems that I have used. Not to say that many others are just

    I agree. I miss DD-WRT, but Tomato is good too.

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
  • From Lesser Keys@DIGDIST/BATTLEST/FREEWAY to Nightfox on Sat Jan 25 15:34:00 2014
    Re: botnets
    By: Nightfox to Lesser Keys on Fri Jan 24 2014 11:27 pm

    Off topic to the actual subject, but this is important.
    I had a guy sign on yesterday through an ISP in France, with prepaid internet cards! He signed on as guest, and immediately started looking at the user list, and the posts about banned IPs, and then went to the Synchronet version information. What gives, who cares, right? Wrong! Never let anyone on your system that has come from a prepaid internet card; for one, it's suspicious, and two, the things he was looking at were very suspicious.
    Well, he came back a few times and saw me and the other sysop in the chat room, and left before I could pull him into chat.
    Now to the even more important part: do you guys realize that whois.net has servers in other countries like China and Brazil?
    I found out that the botnet hacker has compromised the whois server in Brazil and was able to run a bot that could set up user names on Synchronet. The bot apparently had a bad password list to set up the user account, because when it came time to set up the password, the bot tried over and over for about 20 minutes using passwords that I found on a top 500 passwords site. He then came back under a range, 14.18.153.126, so I did a whois and found that Chinanet has a new IP range of 14.16.*.* all the way to 14.31.*.* and it's filled with botnets. If I were a sysop I would do a whois on that IP range, and when I found it was from Chinanet (the world's most notorious botnet region) I would ban the whole range... But that's just me. I figured I would post an update on their new IP range; if you haven't been hit by IPs in the range 14.16.* to 14.31.* then you probably will be. Save yourself the trouble and just ban the range :)

    ... I've always been a bit maturer that what I am.
    Solomon's Temple BBS
    Home to Starr-Net
    Telnet://solomonstemplebbs.com, https://solomonstemplebbs.com




    ---
    ■ Synchronet ■ Solomon's Temple telnet://solomonstemplebbs.com, Home to Starr-Net
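Lesser Keys' range ban from the first post and the 14.16.*.* to 14.31.*.* range above, worked through as an added example (it is not either poster's script): a POSIX sh firewall script of the kind DD-WRT and Tomato can run at startup, which turns a start/end IPv4 range into the exact CIDR blocks that cover it and drops those sources in a dedicated chain. The chain name BOTNET_DROP and the IPT dry-run variable are assumptions of this example. Checking the thread's range this way gives the single block 14.16.0.0/12, which is what you would enter instead of sixteen separate /16 rules.

```shell
#!/bin/sh
# Added example, not from the thread. Usage on the router:
#   sh block_range.sh 14.16.0.0 14.31.255.255
# Chain name BOTNET_DROP and the IPT override are constructed for this example.

ip2int() {
    # dotted quad -> 32-bit integer (octets become positional params)
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

range_to_cidr() {
    # Greedy summarisation: at each step take the largest power-of-two block
    # that is aligned at the current start and does not run past the end.
    start=$(ip2int "$1"); end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        bits=0
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$start")/$(( 32 - bits ))"
        start=$(( start + (1 << bits) ))
    done
}

IPT=${IPT:-iptables}   # set IPT="echo iptables" to print rules instead of applying
CHAIN=BOTNET_DROP

block_range() {
    # (Re)create the chain, hook it at the top of INPUT, one DROP per block.
    # Old router iptables may lack -C, so the jump is removed then re-added.
    $IPT -F "$CHAIN" 2>/dev/null || $IPT -N "$CHAIN"
    $IPT -D INPUT -j "$CHAIN" 2>/dev/null || true
    $IPT -I INPUT 1 -j "$CHAIN"
    for net in $(range_to_cidr "$1" "$2"); do
        $IPT -A "$CHAIN" -s "$net" -j DROP
    done
}

if [ "$#" -eq 2 ]; then
    block_range "$1" "$2"
fi
```

Running it once with IPT="echo iptables" shows exactly which rules would be installed, which is worth checking before saving the script into the router's firewall hook.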
  • From Nightfox@DIGDIST/BATTLEST/FREEWAY to Lesser Keys on Sat Jan 25 15:27:00 2014
    Re: botnets
    By: Lesser Keys to Nightfox on Sat Jan 25 2014 16:34:01

    Off topic to the actual subject, but this is important.
    I had a guy sign on yesterday through an ISP in France, with
    prepaid internet cards! He signed on as guest, and immediately started
    looking at the user list, and the posts about banned IPs, and then went
    to the Synchronet version information. What gives, who cares, right? Wrong!
    Never let anyone on your system that has come from a prepaid internet
    card; for one, it's suspicious, and two, the things he was looking at were
    very suspicious. Well, he came back a few times and saw me and the other

    By "prepaid internet card", I suppose that means the user paid for internet service at a cafe, hotel, etc.? I don't know why that alone would be suspicious to you? I've used internet at hotels & cafes before while traveling and I never had any bad intent. And how do you know he was using a prepaid internet card anyway?

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
  • From Lesser Keys@DIGDIST/BATTLEST/FREEWAY to Nightfox on Sat Jan 25 19:41:00 2014
    Re: botnets
    By: Nightfox to Lesser Keys on Sat Jan 25 2014 04:27 pm

    By "prepaid internet card", I suppose that means the user paid for internet service at a cafe, hotel, etc.? I don't know why that alone would be suspicious to you? I've used internet at hotels & cafes before while traveling and I never had any bad intent. And how do you know he was using a prepaid internet card anyway?

    Most hotels give away wifi, I haven't been in one that didn't, and never did I have to buy an internet card. This company is shady, like the ones in China that sell prepaid internet cards for Chinanet. They use the prepaid card, sign on somewhere, get on their botnet command center, and start hacking away. I have even watched videos of this being done.

    Well, for starters, the bots attack in groups, one after the other. I did research on the company, and found out that all the company does is sell phone cards and prepaid internet cards. While the guy was on the server looking at user lists and whatnot, I saw his bots coming in for attacks. There would be no real way a user list could be gotten unless you sign in; finger and other things are disabled. As he was looking at user lists I saw bots coming in hitting specific accounts, like he was looking at the list. After seeing several SSH attempts and the person sign on several times without creating a name, I started to watch him with the spy feature of Synchronet. He was very interested in the user lists, the server information, Synchronet version info, and banned IP blacklists. He didn't look at anything on the system but those things. The bots started to come in and attack user accounts on my board while he was online, looking at the user list. It was as if he was using the user list and copy/pasting right into his bot scripts and trying to brute force. No other way would someone have gotten the user list unless they sign on and have an account. This person was using the guest account. And at no other time of the day did bots from Brazil try to hack in, unless it was just a strange coincidence. Thing is, I personally caught him on the server trying to do things in the past under a masked IP... It's the same guy, I can just tell. After banning the IP he telnetted in on as guest, and banning the few ranges he hit me with, he was gone. The botnet attacks only occurred while he was online and looking at the user list and other information. Once he saw me and my brother get on the server, he signed off quick! And then he got the ol' BAN.
    What would you think if you had the same exact experience? If you saw a guest sign on with a prepaid phone card and start looking at user lists, and as the user was looking at the user lists you saw a barrage of bots come to your BBS and try to brute force in. It doesn't take a smart person to realize what's going on. Just a bit of intuition, and that only comes with experience.
    It could have been a regular user trying to check things out, but those actions, and the things that happened while he was on, made the person look real bad. I know how bots attack; they come in groups and leave for a bit and come back. Like you say though, it could have been someone just looking at the board, but the situation seemed strange and didn't feel right. You are an experienced computer-savvy kind of guy; would you have banned the prepaid internet card company and the bots' IPs, or just the bots?

    Take it easy:)

    ... Counting time is not so important as making time count.
    Solomon's Temple BBS
    Home to Starr-Net
    Telnet://solomonstemplebbs.com, https://solomonstemplebbs.com




    ---
    ■ Synchronet ■ Solomon's Temple telnet://solomonstemplebbs.com, Home to Starr-Net
  • From Nightfox@DIGDIST/BATTLEST/FREEWAY to Lesser Keys on Sat Jan 25 17:02:00 2014
    Re: botnets
    By: Lesser Keys to Nightfox on Sat Jan 25 2014 20:41:51

    Most hotels give away wifi, I haven't been in one that didn't, and never did I have to buy an internet card. This company is shady, like the ones in China that sell prepaid internet cards for Chinanet. They use the prepaid card, sign on somewhere, get on their botnet command center, and start hacking away. I have even watched videos of this being done.

    You must have not traveled very much. I suppose many hotels in the US have free wi-fi, but not in other parts of the world. I visited the UK this past summer, and most of the hotels we stayed at there charged for internet (it wasn't much though, maybe $5-$10 per day). So it's not that uncommon. It's nothing to be suspicious about.

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com