Unbelievable... I will look into this also and correspond any findings via private e-mail first.
On Tue, Feb 9, 2010 at 9:04 AM, David Kaiser <dkai...@cdk.com> wrote:
> Last night I submitted the attached e-mail to the abuse department at
> rr.com as well as to federal authorities. I believe the attached e-mail
> and the corresponding web page (http://socallinux.org/attack/log.html)
> are self-explanatory.
>
> Additionally, I need to point out the following:
>
> * we are NOT cool with actions like this being run against our server.
>   this incident is NOT considered friendly. it is not any type of
>   research. nobody was invited to run an attack on our server. (just
>   making that clear)
>
> * the server host for socallinux.org is being actively monitored
>
> * we have taken steps to eliminate or reduce any damage by any attempted
>   hacks (having current backups, etc.) should anything ever be defaced, etc.
>
> * we take these offenses very seriously and are working with law
>   enforcement to report incidents
>
> Finally, we know the IP address (67.52.151.102) is in a netblock which
> we can assume belongs to dan tentler. the netblock is listed as follows:
>
> network:ID:NETBLK-ISRC-67.52.128.0/19
> network:Auth-Area:67.52.151.96/29
> network:Network-Name:IT-KINETIX-67.52.151.96
> network:IP-Network:67.52.151.96/29
> network:IP-Network-Block:67.52.151.96 - 67.52.151.103
> network:Organization;I:IT-KINETIX
> network:Tech-Contact;I:ipadd...@rr.com
> network:Admin-Contact;I:IPADD-ARIN
> network:AbuseEmail:d...@itkinetix.com
>
> if you do an ARIN whois search on those 8 IP addresses (67.52.151.96
> through 67.52.151.103) you will find they are all a part of the same
> assigned netblock. (try the following command to search ARIN records:
> whois -h whois.arin.net 67.52.151.102 )
>
> other domains hosted in the netblock include: atenlabs.com and
> thaumatocracy.com, which are known to be under dan's control. (you can
> look up their IP#'s yourself.)
>
> Having said that... we don't have any concrete evidence or proof who
> actually was behind this attack. (It is theoretically possible that
> someone could have gained control of a host inside that network and done
> this without Dan's permission.) I am not making an accusation that Dan
> himself did this. In my reporting of the incident to the authorities I
> am only providing the information as I have here (providing log files
> and analysis through domain registration records, etc.)
>
> I'm being very clear here and only stating non-opinion facts because
> sometimes people confuse opinions with accusations. I would advise
> anyone to also stay clear of opinions and anything that even could be
> construed as an accusation of wrongdoing against any individual if they
> reply to this message.
>
> I'm posting this today so everyone on the list can analyze the log
> files, take a look at them and you can start to understand how nmap
> works. If you look at the linked access.log file, you can also see the
> specific mailman CGI URLs that were being targeted for privilege
> escalation. It's an opportunity to learn a bit about what a public
> server faces from time to time.
>
> If you have any questions, let me know.
>
> DK
>
>
> ---Begin Forwarded Message---
>
> To: RR.COM abuse department <ab...@rr.com>,
>     RR.COM Security department <secur...@rr.com>
> Cc: IT-KINETIX abuse department <d...@itkinetix.com>
> Subject: Malicious activity from IP address 67.52.151.102 (itkinetix.com)
>
> For the past few days an Internet host that I help maintain has been the
> recipient of a large amount of malicious activity from an IP number
> within your network. This activity has included wide-range port
> scanning, probing for vulnerable services, attempts to obtain secured
> and private information, and attempts to gain privilege or gain elevated
> privilege from the system.
>
> The host in your network has an IP address of: 67.52.151.102 with a
> reverse DNS record pointing to ns2.itkinetix.com. I have Cc'd the abuse
> contact, d...@itkinetix.com, in this complaint, based on that e-mail
> being listed as the abuse contact in the ARIN record for itkinetix.com
>
> Please see the specific log content and linked files at
> http://socallinux.org/attack/log.html
>
> While it can be argued, in some jurisdictions, that port scanning is not
> illegal, it can be clearly seen that in this case, a particular scanner
> is making multiple attempts to discover available and potentially
> vulnerable services on the system. Combined with the attempts to obtain
> user account information (trying to force a CGI to return the contents
> of /etc/passwd) as well as trying to force a CGI to edit stored HTML
> content, we believe these actions are intentional and done with malicious
> intent.
>
> Based on the RoadRunner "System and Network Security" Policy listed at:
> http://help.rr.com/HMSFaqs/e_sys_net_security.aspx?Topic=Policies
>
> (specifically the first bullet point which reads "Unauthorized access to
> or use of data, systems or networks, including any attempt to probe,
> scan or test the vulnerability of a system or network or to breach
> security or authentication measures without express authorization of the
> owner of the system or network.") ...we are sure this activity is a
> direct violation of RoadRunner's policies, and definitively constitutes
> unauthorized activity.
>
> We are appealing to RoadRunner to provide an immediate and thorough
> removal of the offending host and to put in place a solution which
> prevents this offense from affecting our server again.
>
> Please be advised that we have also filed a complaint with the Internet
> Crime Complaint Center (www.ic3.gov) and this incident has been assigned
> Complaint ID: I1002090519458152. You may be contacted by a
> representative of one of the IC3 agencies for clarification of details.
>
> We expect a response from rr.com within 24 hours with a complete list of
> actions taken to meet this request.
>
> Upon request, we can provide the complete firewall logs detailing the
> over 16000 TCP connection attempts (made from this one host) in 4
> different port scanning sessions.
>
> Thank you for your attention to this matter.
>
> David Kaiser <dkai...@cdk.com>
> Representing SocalLinux.org system administrators
>
> _______________________________________________
> LinuxUsers mailing list
> LinuxUsers@socallinux.org
> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
_______________________________________________ LinuxUsers mailing list LinuxUsers@socallinux.org http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
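The quoted post invites list members to read the access.log and firewall logs for themselves: the two things to look for are CGI requests that try to walk out of the web root toward /etc/passwd, and one source touching many TCP ports in a short span. The script below is an added example of that defender-side triage; it is not part of the thread and does not use the socallinux.org logs. Both log samples are constructed, the addresses come from the RFC 5737 documentation ranges rather than the netblock named in the thread, and the Mailman CGI paths are only illustrative targets.

```python
"""Triage of access-log traversal attempts and firewall-log port scans.

All log lines here are constructed samples (hypothetical data), not the
logs discussed on the list. Source addresses are RFC 5737 documentation
addresses, not the host named in the thread.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache "combined"-style lines with a real-looking Mailman
# CGI layout; the traversal payloads are illustrative, not captured data.
ACCESS_LOG = """\
203.0.113.7 - - [09/Feb/2010:01:12:03 -0800] "GET /cgi-bin/mailman/listinfo/linuxusers HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2010:01:12:05 -0800] "GET /cgi-bin/mailman/private/linuxusers/../../../../etc/passwd HTTP/1.1" 404 290 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2010:01:12:06 -0800] "GET /cgi-bin/mailman/edithtml/linuxusers?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 401 380 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Feb/2010:01:13:00 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Constructed iptables-style kernel log lines (hypothetical data).
FIREWALL_LOG = """\
Feb  9 01:20:01 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Feb  9 01:20:01 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Feb  9 01:20:01 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Feb  9 01:20:02 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Feb  9 01:20:02 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Feb  9 01:20:02 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN
Feb  9 01:20:03 host kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
"""

# Minimal parsers for the two formats above.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FW_RE = re.compile(r'SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)')

# Files whose appearance in a request target is a strong traversal signal.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")


def normalize_target(target):
    """Percent-decode twice (catches double encoding) and lower-case the target."""
    return unquote(unquote(target)).lower()


def find_traversal_attempts(log_text):
    """Return access-log requests containing '../' or a sensitive file path.

    Matching is done on the decoded target, so %2e%2e%2f is treated the
    same as a literal ../ in the URL.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = normalize_target(m["target"])
        if "../" in decoded or any(f in decoded for f in SENSITIVE_FILES):
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "cgi": "/cgi-bin/" in decoded,  # was a CGI script the vehicle?
            })
    return hits


def find_port_scanners(log_text, min_ports=5):
    """Map each source IP to the number of distinct TCP ports it probed.

    Only sources at or above min_ports are returned; the threshold is a
    constructed default, not a figure from the thread.
    """
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for hit in find_traversal_attempts(ACCESS_LOG):
        print("traversal attempt:", hit)
    for src, count in find_port_scanners(FIREWALL_LOG).items():
        print(f"port scan: {src} touched {count} distinct TCP ports")
```

The decoded-target check is the part worth keeping: a server that only matches the literal string `/etc/passwd` misses the percent-encoded form in the third sample line, and the 404 and 401 responses show that a request can be blocked and still be evidence worth reporting. The per-source distinct-port count is the simplest way to turn a flood of firewall lines into the "N ports from one host" statement an abuse desk can act on.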