Random generated usernames
New thing I have noticed on my Kiwi:
|-----------> Last users
pony.brown 2022-09-01 09:17:00.361647
lily`jones 2022-09-01 08:08:32.753586
king`taylor 2022-08-31 17:55:21.852088
tank`henry 2022-08-31 12:20:54.784790
So this guy logs in with random usernames. Seems to be a kiwirecorder. What may the intention be?
I just blocked his IP now (was always the same IP)
Any ideas?
Comments
Would the IP be 149.248.51.191 ?
That's the one I had yesterday. He is using vultr VPN and I have had the same random names before.
I also blocked the IP.
Exactly!
Interesting that he faked usernames, since usually there is no need to log in on a Kiwi, is there?
So he modified kiwirecorder (or is using a wrapper) to come up with a faked username. I wonder how this makes sense.
I was going to repeat my constant refrain that once on the Vultr list you never come off but just checked firewall and last one I have listed is 167.179.65.161 end of last week. (no public Kiwi at this IP for ages).
Will have to see if they are using a new IP range.
--edit--
Correction, I was looking at the previous log, seems they never give up..
Of course it's the same botnet that was running some time ago.
149.248.0.0/18 (0.0 to 63.255) added to blacklist
@jks is there a place to report these clearly "spam" IPs or is it unwanted?
207.246.64.0/18 (widened from 207.246.104.0/23) and 141.164.32.0/20 added to blacklist.
@jks is there a place to report these clearly "spam" IPs or is it unwanted?
The best we can do is maintain our own blacklist. Complaining to these hosting companies does nothing.
I see those two knocking on the firewall.
Sep 11 207.246.127.130 started 11:30AM
Sep 12 141.164.35.242 started 9:00 AM
@jks, it would be nice if we could leave comments in the personal blacklist in the web interface about an IP address. I update my blacklist very often, and I keep forgetting which addresses I added and for what reason. I think many people agree with me.
@jks Sorry, I meant reporting them to you, not to the ISP or cloud company.
I think they don’t do anything illegal. It’s only annoying to us
73, Andy
Hi Andy. Okay, understood -- no worries.
It's all just a big game of "cat and mouse" or "who can build the tallest wall/ladder". So we do what we can, while we can.
Hi
Is it possible to add message YOUR IP IS BLOCKED ON THIS RECEIVER for local blacklist? What if you could add a reason for the block to be displayed to the user, like in the old days on IRC? ;)
regards
I think this is not possible since the blocking is done at the TCP level. See iptables -L -n and watch for "DROP". This is the best design since attackers are not able to reach the Kiwi on its webserver.
Showing a message box is like showing the middle finger but not best practice security wise :-)
73
Andy
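
An added example, not part of the thread and not KiwiSDR code: a way to check which of the addresses mentioned above are actually covered by the DROP rules that `iptables -L -n` lists. The listing is a constructed sample (the chain name and layout on a real Kiwi may differ), and the function names are made up for this illustration.

```python
import ipaddress

# Constructed sample of `iptables -L -n` output. The three DROP networks are
# the blacklist ranges named in the thread; everything else is illustrative.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  149.248.0.0/18       0.0.0.0/0
DROP       all  --  207.246.64.0/18      0.0.0.0/0
DROP       all  --  141.164.32.0/20      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""

def drop_sources(listing):
    """Return the source networks of every DROP rule in the listing."""
    nets = []
    for line in listing.splitlines():
        fields = line.split()
        # Rule lines look like: target prot opt source destination [...]
        if len(fields) >= 5 and fields[0] == "DROP":
            try:
                nets.append(ipaddress.ip_network(fields[3], strict=False))
            except ValueError:
                continue  # e.g. a negated source such as "!10.0.0.0/8"
    return nets

def covering_rule(addr, nets):
    """Return the most specific DROP network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def report(addrs, listing=SAMPLE_IPTABLES):
    """Map each address to the DROP rule covering it (as text) or None."""
    nets = drop_sources(listing)
    result = {}
    for addr in addrs:
        rule = covering_rule(addr, nets)
        result[addr] = str(rule) if rule else None
    return result

if __name__ == "__main__":
    # Addresses quoted in the thread.
    seen = ["149.248.51.191", "207.246.127.130",
            "141.164.35.242", "167.179.65.161"]
    for addr, rule in report(seen).items():
        print(f"{addr:16} {'dropped by ' + rule if rule else 'NOT covered'}")
```

On a real system the listing would come from running `iptables -L -n` and passing its output to `report()` in place of the sample.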