The KiwiSDR 2 online store is open for orders! Please visit kiwisdr.nz
Random generated usernames
New thing I have noticed on my Kiwi:
|-----------> Last users
pony.brown 2022-09-01 09:17:00.361647
lily`jones 2022-09-01 08:08:32.753586
king`taylor 2022-08-31 17:55:21.852088
tank`henry 2022-08-31 12:20:54.784790
So this guy logs in with random usernames. Seems to be a kiwirecorder. What may the intention be?
I just blocked his IP now (was always the same IP)
Any ideas?
Comments
Would the IP be 149.248.51.191 ?
That's the one I had yesterday. He is using vultr VPN and I have had the same random names before.
I also blocked the iP.
Exactly!
interesting that he faked usernames since usually there is no need to log in on a kiwi, is it?
so he modified kiwirecorder (or is using a wrapper) to come up with a faked username. I wonder how this makes sense.
I was going to repeat my constant refrain that once on the Vultr list you never come off but just checked firewall and last one I have listed is 167.179.65.161 end of last week. (no public Kiwi at this IP for ages).
Will have to see if they are using a new IP range.
--edit--
Correction, I was looking at the previous log, seems they never give up..
of course it's the same botnet that was running some time ago
149.248.0.0/18 (0.0 to 63.255) added to blacklist
@jks is there a place to report these clearly "spam" ip's or is it unwanted?
207.246.64.0/18 (widened from 207.246.104.0/23) and 141.164.32.0/20 added to blacklist.
@jks is there a place to report these clearly "spam" ip's or is it unwanted?
The best we can do is maintain our own blacklist. Complaining to these hosting companies does nothing.
I see those two knocking on the firewall.
Sep 11 207.246.127.130 started 11:30AM
Sep 12 141.164.35.242 started 9:00 AM
@jks, it would be nice if we can leave comments in the personal blacklist in the web interface about ip address. I update my blacklist very often. And I keep forgetting which addresses I add and for what reason. I think many people agree with me.
@jks Sorry I ment reporting them to you, not to the isp or cloud company.
I think they don’t do anything illegal. It’s only annoying to us
73, Andy
Hi Andy. Okay, understood -- no worries.
It's all just a big game of "cat and mouse" or "who can build the tallest wall/ladder". So we do what we can, while we can.
Hi
Is it possible to add message YOUR IP IS BLOCKED ON THIS RECEIVER for local blacklist? What if you could add a reason for the block to be displayed to the user, like in the old days on IRC? ;)
regards
I think this is not possible since the blocking is made on tcp level. See iptables -L -n and watch for "DROP". This is the best design since attackers are not able to reach the the Kiwi on its webserver.
Showing a message box is like showing the middle finger but not best practice security wise :-)
73
Andy