Last night I submitted the attached e-mail to the abuse department at
rr.com as well as to federal authorities.  I believe the attached e-mail
and the corresponding web page (http://socallinux.org/attack/log.html)
are self-explanatory.

Additionally, I need to point out the following:

* We are NOT cool with actions like this being run against our server.
This incident is NOT considered friendly.  It is not any type of
research.  Nobody was invited to run an attack on our server.  (Just
making that clear.)

* The server host for socallinux.org is being actively monitored.

* We have taken steps to eliminate or reduce any damage by any attempted
hacks (having current backups, etc.) should anything ever be defaced, etc.

* We take these offenses very seriously and are working with law
enforcement to report incidents.


Finally, we know the IP address (67.52.151.102) is in a netblock which
we can assume belongs to Dan Tentler.  The netblock is listed as follows:
  network:ID:NETBLK-ISRC-67.52.128.0/19
  network:Auth-Area:67.52.151.96/29
  network:Network-Name:IT-KINETIX-67.52.151.96
  network:IP-Network:67.52.151.96/29
  network:IP-Network-Block:67.52.151.96 - 67.52.151.103
  network:Organization;I:IT-KINETIX
  network:Tech-Contact;I:ipadd...@rr.com
  network:Admin-Contact;I:IPADD-ARIN
  network:AbuseEmail:d...@itkinetix.com

If you do an ARIN whois search on those 8 IP addresses (67.52.151.96
through 67.52.151.103) you will find they are all a part of the same
assigned netblock.  (Try the following command to search ARIN records:
whois -h whois.arin.net 67.52.151.102 )

Other domains hosted in the netblock include: atenlabs.com and
thaumatocracy.com, which are known to be under Dan's control.  (You can
look up their IP#'s yourself.)

Having said that...  we don't have any concrete evidence or proof who
actually was behind this attack.  (It is theoretically possible that
someone could have gained control of a host inside that network and done
this without Dan's permission.)  I am not making an accusation that Dan
himself did this.  In my reporting of the incident to the authorities I
am only providing the information as I have here (providing log files
and analysis through domain registration records, etc.)

I'm being very clear here and only stating non-opinion facts because
sometimes people confuse opinions with accusations.  I would advise
anyone to also stay clear of opinions and anything that even could be
construed as an accusation of wrongdoing against any individual if they
reply to this message.

I'm posting this today so everyone on the list can analyze the log
files, take a look at them and start to understand how nmap
works.  If you look at the linked access.log file, you can also see the
specific mailman CGI URLs that were being targeted for privilege
escalation.  It's an opportunity to learn a bit about what a public
server faces from time to time.

If you have any questions, let me know.

DK



---Begin Forwarded Message---

To: RR.COM abuse department <ab...@rr.com>,
    RR.COM Security department <secur...@rr.com>
Cc: IT-KINETIX abuse department <d...@itkinetix.com>
Subject: Malicious activity from IP address 67.52.151.102 (itkinetix.com)

For the past few days an Internet host that I help maintain has been the
recipient of a large amount of malicious activity from an IP number
within your network.  This activity has included wide-range port
scanning, probing for vulnerable services, attempts to obtain secured
and private information, and attempts to gain privilege or gain elevated
privilege from the system.

The host in your network has an IP address of 67.52.151.102, with a
reverse DNS record pointing to ns2.itkinetix.com.  I have Cc:d the abuse
contact, d...@itkinetix.com, in this complaint, based on that e-mail
being listed as the abuse contact in the ARIN record for itkinetix.com.


Please see the specific log content and linked files at
http://socallinux.org/attack/log.html


While it can be argued, in some jurisdictions, that port scanning is not
illegal, it can be clearly seen that in this case a particular scanner
is making multiple attempts to discover available and potentially
vulnerable services on the system.  Combined with the attempts to obtain
user account information (trying to force a CGI to return the contents
of /etc/passwd) as well as trying to force a CGI to edit stored HTML
content, we believe these actions are intentional and done with malicious
intent.

Based on the RoadRunner "System and Network Security" Policy listed at:
http://help.rr.com/HMSFaqs/e_sys_net_security.aspx?Topic=Policies

(specifically the first bullet point which reads "Unauthorized access to
or use of data, systems or networks, including any attempt to probe,
scan or test the vulnerability of a system or network or to breach
security or authentication measures without express authorization of the
owner of the system or network."   ...we are sure this activity is a
direct violation of RoadRunner's policies, and definitively constitutes
unauthorized activity.

We are appealing to RoadRunner to provide an immediate and thorough
removal of the offending host and to put in place a solution which
prevents this offense from affecting our server again.

Please be advised that we have also filed a complaint with the Internet
Crime Complaint Center (www.ic3.gov) and this incident has been assigned
Complaint ID: I1002090519458152.  You may be contacted by a
representative of one of the IC3 agencies for clarification of details.

We expect a response from rr.com within 24 hours with a complete list of
actions taken to meet this request.

Upon request, we can provide the complete firewall logs detailing the
over 16000 TCP connection attempts (made from this one host) in 4
different port scanning sessions.

Thank you for your attention to this matter.

David Kaiser <dkai...@cdk.com>
Representing SocalLinux.org system administrators

_______________________________________________
LinuxUsers mailing list
LinuxUsers@socallinux.org
http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
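The message invites readers to go through the access.log and firewall logs themselves: CGI requests that try to make a Mailman script hand back /etc/passwd, and thousands of TCP connection attempts from one source across many ports. The script below is an added example of that analysis, not code from the original post or from the socallinux.org admins, and it runs only over constructed sample lines embedded in it (documentation-range addresses, invented timestamps), not over the real logs linked above. It URL-decodes each request path (twice, so double-encoded `../` is not missed), reports which Mailman CGI each traversal probe was aimed at, and separately counts per-source TCP attempts and distinct destination ports in iptables-style LOG lines to pick out scan sources. The threshold of 100 distinct ports is an assumption for the example.

```python
"""Added example: flag traversal / /etc/passwd probes against Mailman CGIs in an
Apache access log, and flag port-scan sources in iptables-style firewall logs.
Every log line here is constructed for the example; none is from socallinux.org."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache combined format: ip ident user [ts] "METHOD path PROTO" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+')
MAILMAN_CGI_RE = re.compile(r"^/cgi-bin/mailman/([A-Za-z_]+)")
# Indicators that a request is trying to read outside the CGI's own tree.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|/etc/passwd|\x00")
# Netfilter LOG target line: ... SRC=a.b.c.d DST=... PROTO=TCP SPT=n DPT=m ...
FW_RE = re.compile(r"SRC=(?P<src>\S+) .*PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

# Constructed sample access log (198.51.100.7 = probing host, 203.0.113.5 = normal visitor).
ACCESS_LOG = """\
198.51.100.7 - - [09/Feb/2010:02:14:07 -0800] "GET /cgi-bin/mailman/listinfo HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Feb/2010:02:14:09 -0800] "GET /cgi-bin/mailman/listinfo/../../../../etc/passwd HTTP/1.0" 404 289 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Feb/2010:02:14:11 -0800] "GET /cgi-bin/mailman/private/linuxusers/..%2f..%2f..%2fetc%2fpasswd HTTP/1.0" 404 289 "-" "-"
198.51.100.7 - - [09/Feb/2010:02:14:13 -0800] "GET /cgi-bin/mailman/admin/linuxusers/%252e%252e%252fetc%252fpasswd HTTP/1.0" 404 289 "-" "-"
198.51.100.7 - - [09/Feb/2010:02:14:15 -0800] "GET /cgi-bin/mailman/edithtml/linuxusers HTTP/1.0" 401 401 "-" "-"
203.0.113.5 - - [09/Feb/2010:02:20:41 -0800] "GET /cgi-bin/mailman/listinfo/linuxusers HTTP/1.1" 200 7410 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Feb/2010:02:20:44 -0800] "GET /index.html HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""


def decode_path(path: str) -> str:
    """URL-decode up to twice so %252e%252e%252f (double-encoded ../) is caught."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_access_log(text: str):
    """Return (list of traversal probes, Counter of (src ip, mailman cgi) request counts)."""
    probes, cgi_hits = [], Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        decoded = decode_path(m["path"])
        cgi = MAILMAN_CGI_RE.match(decoded)
        if cgi:
            cgi_hits[(m["ip"], cgi.group(1))] += 1
        if TRAVERSAL_RE.search(decoded):
            probes.append({"ip": m["ip"], "time": m["ts"], "cgi": cgi.group(1) if cgi else None,
                           "raw": m["path"], "decoded": decoded, "status": int(m["status"])})
    return probes, cgi_hits


def constructed_firewall_log(src="198.51.100.7", dst="192.0.2.10", ports=range(1, 1025)):
    """Synthetic netfilter LOG lines for a SYN sweep of `ports` (constructed, not real output)."""
    return "\n".join(
        f"Feb  9 02:30:{i % 60:02d} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
        f"PROTO=TCP SPT={40000 + i % 1000} DPT={p} WINDOW=1024 SYN"
        for i, p in enumerate(ports))


# Sweep from the probing host plus two ordinary connections from the normal visitor.
FIREWALL_LOG = constructed_firewall_log() + "\n" + "\n".join([
    "Feb  9 02:40:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 SYN",
    "Feb  9 02:40:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 WINDOW=65535 SYN",
])


def port_scan_sources(fw_text: str, min_ports: int = 100):
    """Per-source TCP attempt totals; a source touching >= min_ports distinct DPTs is a scan."""
    attempts, ports = Counter(), defaultdict(set)
    for line in fw_text.splitlines():
        m = FW_RE.search(line)
        if m:
            attempts[m["src"]] += 1
            ports[m["src"]].add(int(m["dpt"]))
    return {src: {"attempts": attempts[src], "distinct_ports": len(ports[src]),
                  "scan": len(ports[src]) >= min_ports} for src in attempts}


if __name__ == "__main__":
    probes, hits = analyze_access_log(ACCESS_LOG)
    for p in probes:
        print(f"{p['time']} {p['ip']} -> mailman/{p['cgi']} status={p['status']} decoded={p['decoded']}")
    for (ip, cgi), n in sorted(hits.items()):
        print(f"{ip} hit mailman/{cgi} {n}x")
    for src, s in port_scan_sources(FIREWALL_LOG).items():
        print(f"{src}: {s['attempts']} attempts, {s['distinct_ports']} ports, scan={s['scan']}")
```

Decoding before matching is the point of the first half: the raw paths in an access log are written exactly as the client sent them, so a single `%2f` or a double-encoded `%252e` is enough to slip past a grep for `../`. For the second half, counting distinct destination ports rather than raw attempts is what separates a sweep from a busy but legitimate client, which is also why the complaint above quotes both the total connection count and the number of scanning sessions.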
