#robotics Logs

Aug 09 2018

10:26 PM Tom_L: it was the +r
10:30 PM -!- #robotics mode set to +v by rue_shop3
10:30 PM rue_shop3: I'm out of ideas
10:30 PM Tom_L: you broke it
10:30 PM rue_shop3: WASN'T ME
10:30 PM Tom_L: lemme check something
10:30 PM Tom_L: mm i dunno what's wrong
10:30 PM Tom_L: missed since aug 1
10:30 PM Tom_L: all rue's thoughts are lost forever
10:30 PM rue_shop3: heh
10:31 PM Tom_L: i could add em from my local log but i'm not gonna take the time to
10:31 PM rue_shop3: we could regenerate them from statistical data
10:34 PM zhanx: let the log gap stay with a note on the spam?
10:34 PM captain4217: kaniini has invited you to join #litepub
10:34 PM Tom_L: they must have a bot running too
10:48 PM bernalex5: kaniini has invited you to join #litepub
10:52 PM zhanx: Tom_L: you think?
10:57 PM orlock: ok, i have my cable doohicky
10:57 PM orlock: right angle mini-USB
10:57 PM orlock: so that this CNC board will fit inside my telescope mount
10:57 PM orlock: heh, funny thought
10:58 PM orlock: i could make a converter that takes LX200 telescope protocol and turns it into gcode
11:14 PM eggy: kaniini has invited you to join #litepub
11:15 PM rue_shop3: uh
11:15 PM rue_shop3: are those invites you guys?
11:15 PM rue_shop3: or are those bot messages?
11:15 PM zhanx: bots
11:15 PM rue_shop3: was there an eggy in this channel?
11:16 PM rue_shop3: I don't have join/parts on
11:16 PM zhanx: it was a registered nick for a bot
11:16 PM rue_shop3: ok, I'm gonna say I worked on the tea machine today and go eat/sleep
11:17 PM rue_shop3: tomorrow I'll weld the ring I have on the now-level table
11:31 PM rue_: hey you know what's funny
11:31 PM rue_: lots of the usernames in these ssh attacks are wrong
11:32 PM rue_: invalid user muhammad from 111.231.231.20
11:32 PM rue_: invalid user jiankong from 116.140.32.149
11:32 PM rue_: apparently is supposed to be kang
11:32 PM rue_: wtf...
11:32 PM rue_: it seems to me
11:33 PM rue_: that this is the traffic I'd see from a time traveler trying to find a particular machine on the internet, and doing it verbosely so that a person could know someone was looking...
11:34 PM orlock: rue_: Are you assuming their spelling?
11:34 PM rue_: the nature of the attacks doesn't make sense
11:35 PM rue_: that's what's been perplexing me
11:35 PM rue_: why would one ip try one login and then go quiet
11:35 PM orlock: distributed botnet attacks
11:35 PM orlock: staying under the flood radar
11:35 PM rue_: especially with a really specific username and password
11:35 PM rue_: yes and no
11:36 PM orlock: yes
11:36 PM orlock: trust me
11:36 PM orlock: i look at dark network traffic for fun
11:36 PM rue_: these aren't dictionary attacks
11:36 PM rue_: these don't make sense
11:36 PM rue_: some of these usernames are really specific
11:36 PM orlock: the operators behind it are working on a shotgun approach
11:37 PM orlock: and they have lots and lots of shotguns
11:37 PM rue_: but it would make sense to use common usernames/servicenames
11:37 PM rue_: lots of these aren't
11:37 PM orlock: it starts making sense when you step back and watch the traffic destined to thousands of IPs
11:37 PM rue_: well no
11:38 PM rue_: if you did overall dictionary attacks to a specific username on an ip, that would make sense
11:38 PM rue_: the other really strange thing, is that they happen in busts
11:38 PM rue_: cursts
11:38 PM rue_: bursts
11:39 PM rue_: :)
11:39 PM orlock: yeah
11:39 PM orlock: i see the ripples in my graphs
11:39 PM rue_: I see up to 20 mins of silence
11:39 PM orlock: you can spot the difference between sophisticated distributed botnets
11:39 PM rue_: I have a huge list of networks banned
11:39 PM orlock: and the crude ones that get burnt quickly
11:40 PM rue_: most of the traffic I see is like background noise
11:40 PM rue_: I think I'll set up a machine with root/1234 and see what they do with it (for a bit)
11:41 PM rue_: I wonder if I can make the shell a screen session
11:41 PM rue_: invalid user vyatta from 79.1
11:41 PM rue_: awfully specific
11:42 PM rue_: it's like they pick up the usernames of the machines they break into
11:42 PM rue_: and try them everywhere
11:42 PM rue_: but something else
11:43 PM rue_: I kinda have the feeling that they are using exploits in web browsers to do attacks
11:43 PM rue_: web pages that cause the browser to do (an attack) of (an ip)
11:43 PM rue_: so, what would the flow of the results be?
11:45 PM orlock: you can also look at the way the raw attempts are made on a tcp/ip level
11:45 PM orlock: as far as portscans go
11:45 PM rue_: just been looking at ssh
11:45 PM orlock: cooked sockets, you'll usually see 3 tcp connect attempts
11:45 PM orlock: raw, one attempt
11:45 PM orlock: yeah
11:45 PM orlock: the stuff I look at, there's literally no services listening
11:46 PM orlock: so i never see credentials
11:46 PM rue_: want to see my hosts.deny?
11:46 PM orlock: i'm good thanks :)
11:46 PM orlock: the really weird shit i'm seeing
11:46 PM orlock: is fake netblocks
11:46 PM orlock: not fake as in spoofed
11:46 PM orlock: but fake companies
11:46 PM orlock: all seems "legit" until you poke a bit
11:47 PM orlock: and then it all falls into an unexplainable heap
11:48 PM rue_: oh? like you whois an IP and it's part of something fake?
11:48 PM orlock: yuh
11:48 PM orlock: PM time :)
11:49 PM * orlock has returned... [atl]