Last Time I check:
itkinetix.com. 14400 IN SOA inertia.itkinetix.com.
d...@itkinetix.com. (
2006010408 ; Serial
14400 ; Refresh
7200 ; Retry
3600000 ; Expire
86400 ) ; Minimum TTL
itkinetix.com. 14400 IN NS ns.itkinetix.com.
itkinetix.com. 14400 IN NS ns2.itkinetix.com.
itkinetix.com. 14400 IN MX 0 ns.itkinetix.com.
itkinetix.com. 14400 IN A 67.52.151.98
sneaky.itkinetix.com. 14400 IN A 67.52.151.99
secure.itkinetix.com. 14400 IN A 67.52.151.98
mail.itkinetix.com. 14400 IN A 67.52.151.98
www.itkinetix.com. 14400 IN A 67.52.151.98
wiki.itkinetix.com. 14400 IN A 67.52.151.102
gearfuse.itkinetix.com. 14400 IN A 74.53.94.162
inertia.itkinetix.com. 14400 IN A 67.52.151.98
aten.itkinetix.com. 14400 IN A 67.52.151.102
ns.itkinetix.com. 14400 IN A 67.52.151.98
ns2.itkinetix.com. 14400 IN A 67.52.151.102
Might want to monitor the entire block
67.52.151.98/32
67.52.151.102/32
This another one of Dan's older sites I believe. Might want to
monitor for these IPs as well:
thaumatocracy.com. 14400 IN SOA ns.itkinetix.com.
ns2.itkinetix.com. (
2006010044 ; Serial
14400 ; Refresh
7200 ; Retry
3600000 ; Expire
86400 ) ; Minimum TTL
thaumatocracy.com. 14400 IN NS ns.itkinetix.com.
thaumatocracy.com. 14400 IN NS ns2.itkinetix.com.
thaumatocracy.com. 14400 IN MX 0 thaumatocracy.com.
thaumatocracy.com. 14400 IN A 67.52.151.98
endorphins.thaumatocracy.com. 14400 IN A 10.0.0.71
home.thaumatocracy.com. 14400 IN A 67.52.151.102
localhost.thaumatocracy.com. 14400 IN A 127.0.0.1
mail.thaumatocracy.com. 14400 IN CNAME thaumatocracy.com.
www.thaumatocracy.com. 14400 IN CNAME thaumatocracy.com.
tumble.thaumatocracy.com. 14400 IN A 72.32.231.8
ftp.thaumatocracy.com. 14400 IN A 67.52.151.98
Chris Penn
On Tue, Feb 9, 2010 at 12:23 PM, Dino K <socalli...@cloudcomp.info> wrote:
> Unbelievable... I will look into this also and correspond any findings via
> private e-mail first.
>
>
> On Tue, Feb 9, 2010 at 9:04 AM, David Kaiser <dkai...@cdk.com> wrote:
>>
>> Last night I submitted the attached e-mail to the abuse department at
>> rr.com as well as to federal authorities. I believe the attached e-mail
>> and the corresponding web page (http://socallinux.org/attack/log.html)
>> are self-explanatory.
>>
>> Additionally, I need to point out the following:
>>
>> * we are NOT cool with actions like this being run against our server.
>> this incident is NOT considered friendly. it is not any type of
>> research. nobody was invited to run an attack on our server. (just
>> making that clear)
>>
>> * the server host for socallinux.org is being actively monitored
>>
>> * we have taken steps to eliminate or reduce any damage by any attempted
>> hacks (having current backups, etc.) should anything ever be defaced, etc.
>>
>> * we take these offenses very seriously and are working with law
>> enforcement to report incidents
>>
>>
>> Finally, we know the IP address (67.52.151.102) is in a netblock which
>> we can assume belongs to dan tentler. the netblock is listed as follows:
>> network:ID:NETBLK-ISRC-67.52.128.0/19
>> network:Auth-Area:67.52.151.96/29
>> network:Network-Name:IT-KINETIX-67.52.151.96
>> network:IP-Network:67.52.151.96/29
>> network:IP-Network-Block:67.52.151.96 - 67.52.151.103
>> network:Organization;I:IT-KINETIX
>> network:Tech-Contact;I:ipadd...@rr.com
>> network:Admin-Contact;I:IPADD-ARIN
>> network:AbuseEmail:d...@itkinetix.com
>>
>> if you do an ARIN whois search on those 8 IP addresses (67.52.151.96
>> through 67.52.151.103) you fill find they are all a part of the same
>> assigned netblock. (try the following command to search ARIN records:
>> whois -h whois.arin.net 67.52.151.102 )
>>
>> other domains hosted in the netblock include: atenlabs.com and
>> thaumatocracy.com, which are known to be under dan's control. (you can
>> look up their IP#'s yourself.)
>>
>> Having said that... we don't have any concrete evidence or proof who
>> actually was behind this attack. (It is theoretically possible that
>> someone could have gained control of a host inside that network and done
>> this without Dan's permission.) I am not making an accusation that Dan
>> himself did this. In my reporting of the incident to the authorities I
>> am only providing the information as I have here (providing log files
>> and analysis through domain registration records, etc.)
>>
>> I'm being very clear here and only stating non-opinion facts because
>> sometimes people confuse opinions with accusations. I would advise
>> anyone to also stay clear of opinions and anything that even could be
>> construed as an accusation of wrongdoing against any individual if they
>> reply to this message.
>>
>> I'm posting this today so everyone on the list can analyze the log
>> files, take a look at them and you can start to understand how nmap
>> works. If you look at the linked access.log file, you can also see the
>> specific mailman CGI URL's that were being targeted for privilege
>> escalation. It's an opportunity to learn a bit about what a public
>> server faces from time to time.
>>
>> If you have any questions, let me know.
>>
>> DK
>>
>>
>>
>> ---Begin Forwarded Message---
>>
>> To: RR.COM abuse department <ab...@rr.com>,
>> RR.COM Security department <secur...@rr.com>
>> Cc: IT-KINETIX abuse department <d...@itkinetix.com>
>> Subject: Malicous activity from IP address 67.52.151.102 (itkinetix.com)
>>
>> For the past few days an Internet host that I help maintain has been the
>> recipient of a large amount of malicous activity from an IP number
>> within your network. This activity has included wide-range port
>> scanning, probing for vulnerable services, attempts to obtain secured
>> and private information, and attempts to gain privilege or gain elevated
>> privilege from the system.
>>
>> The host in your network has an IP address of: 67.52.151.102 with a
>> reverse DNS record pointing to ns2.itkinetix.com. I have Cc:d the abuse
>> contact, d...@itkinetix.com, in this complaint, based on that e-mail
>> being listed as the abuse contact in the ARIN record for itkinetix.com
>>
>>
>> Please see the specific log content and linked files at
>> http://socallinux.org/attack/log.html
>>
>>
>> While it can be argued, in some jurisdictions, that port scanning is not
>> illegal, it can be clearly seen that in this case, a particular scanner
>> is making multiple attempts to discover available and potentially
>> vulnerable services on the system. Combined with the attempts to obtain
>> user account information (trying to force a CGI to return the contents
>> of /etc/passwd) as well as trying to force a CGI to edit stored HTML
>> content, we believe these actions are intentional and done with malicous
>> intent.
>>
>> Based on the RoadRunner "System and Network Security" Policy listed at:
>> http://help.rr.com/HMSFaqs/e_sys_net_security.aspx?Topic=Policies
>>
>> (specifically the first bullet point which reads "Unauthorized access to
>> or use of data, systems or networks, including any attempt to probe,
>> scan or test the vulnerability of a system or network or to breach
>> security or authentication measures without express authorization of the
>> owner of the system or network." ...we are sure this activity is a
>> direct violation of RoadRunner's policies, and definitively constitutes
>> unauthorized activity.
>>
>> We are appealing to RoadRunner to provide an immediate and thorough
>> removal of the offending host and to put in place a solution which
>> prevents this offense from affecting our server again.
>>
>> Please be advised that we have also filed a complaint with the Internet
>> Crime Complaint Center (www.ic3.gov) and this incident has been assigned
>> Complaint ID: I1002090519458152 You may be contacted by a
>> representative of one of the IC3 agencies for clarification of details.
>>
>> We expect a response from rr.com within 24 hours with a complete list of
>> actions taken to meet this request.
>>
>> Upon request, we can provide the complete firewall logs detailing the
>> over 16000 TCP connection attempts (made from this one host) in 4
>> different port scanning sessions.
>>
>> Thank you for your attention to this matter.
>>
>> David Kaiser <dkai...@cdk.com>
>> Representing SocalLinux.org system administrators
>>
>> _______________________________________________
>> LinuxUsers mailing list
>> LinuxUsers@socallinux.org
>> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>
>
> _______________________________________________
> LinuxUsers mailing list
> LinuxUsers@socallinux.org
> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>
>
--
"As we open our newspapers or watch our television screens, we seem to
be continually assaulted by the fruits of Mankind's stupidity."
-Roger Penrose
_______________________________________________
LinuxUsers mailing list
LinuxUsers@socallinux.org
http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
