Hello, as this mail is long, please do NOT quote it in full in your replies!
For your information, for the last two days I have started receiving new registrations to the gull... from a certain James Smith...

On Wed, Nov 11, 2020 at 08:21:07AM +0100, [email protected] wrote:
> The attached message has been automatically discarded.
> ...
> To: [email protected]
> Subject: Undelivered Mail Returned to Sender
> ... said: 550 Sender email address rejected (in reply to RCPT TO command)
> ...
> Date: Wed, 11 Nov 2020 08:21:00 +0100 (CET)
> From: GULL Webmaster <[email protected]>
> Subject: Registration to the GULL
>
> Hello,
>
> We have recorded your registration request to the Gull...
>
> First name: James
> Last name: Smith
> Company: mbirgucrje
> Address: Muchas gracias. ?Como puedo iniciar sesion?
> City: 90002 Los Angeles

So I have "provisionally" redirected https://www.linux-gull.ch/cgi-bin/admin.pl (a quick fix, pending an official resurrection of the gull, or something else... ;)

There you go... For the more curious, here are the IPs of the 47 requests I find in the logs since yesterday... (sorted according to whois queries)

I have only a single POST request per IP. The attacker seems to be going through TOR.

So here are the 46 time intervals between the POST requests (in seconds) and the interval between the GET and the POST (very short).

That looks like a manual job...

--
Félix Hauri - <[email protected]> - http://www.f-hauri.ch

_______________________________________________
gull mailing list
[email protected]
https://forum.linux-gull.ch/mailman/listinfo/gull
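The two measurements discussed in the post (the gap between successive POSTs, and the delay between fetching the registration form with GET and submitting it with POST) can be recomputed from an access log. The following is an added example, not code from the original post or from the GULL site; it assumes Apache combined-format log lines and uses constructed sample lines with documentation addresses.

```python
import re
from datetime import datetime

# Constructed sample log lines (documentation IP ranges), not taken from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2020:21:07:31 +0100] "GET /cgi-bin/admin.pl HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Nov/2020:21:07:33 +0100] "POST /cgi-bin/admin.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2020:21:36:58 +0100] "GET /cgi-bin/admin.pl HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2020:21:36:59 +0100] "POST /cgi-bin/admin.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Nov/2020:21:40:00 +0100] "GET /cgi-bin/admin.pl HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Nov/2020:21:42:15 +0100] "POST /cgi-bin/admin.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined format: client IP, identd, user, [timestamp], "METHOD path proto" ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def parse_log(text, path="/cgi-bin/admin.pl"):
    """Return (ip, datetime, method) tuples for requests to `path`, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("method")))
    return events

def post_intervals(events):
    """Seconds between successive POSTs, i.e. the inter-submission gaps the post tabulates."""
    posts = sorted(ts for _, ts, meth in events if meth == "POST")
    return [int((b - a).total_seconds()) for a, b in zip(posts, posts[1:])]

def get_to_post_delay(events):
    """Per IP: seconds from the last GET of the form to the POST that follows it."""
    last_get, delays = {}, {}
    for ip, ts, meth in sorted(events, key=lambda e: e[1]):
        if meth == "GET":
            last_get[ip] = ts
        elif meth == "POST" and ip in last_get:
            delays[ip] = int((ts - last_get[ip]).total_seconds())
    return delays

def suspicious_submitters(events, max_delay=5):
    """IPs that POST within `max_delay` seconds of fetching the form: too fast to fill it in by hand."""
    return sorted(ip for ip, d in get_to_post_delay(events).items() if d <= max_delay)
```

A GET-to-POST delay of a second or two on every submission is the signal the post points at; the threshold `max_delay` is an assumed value to tune against real traffic.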
