Chris, thanks for the excellent research. About 5 minutes after I sent the
complaint e-mails out last night I did a complete firewall block on these IPs:

    67.52.151.96
    67.52.151.97
    67.52.151.98
    67.52.151.99
    67.52.151.100
    67.52.151.101
    67.52.151.102
    67.52.151.103

So, as of 2:40 AM, the IPs have been blocked, and will stay blocked
indefinitely. I'll check out these other ones that are not part of
67.52.151.96/29 after I get home from work.

Chris Penn wrote:
> Last time I checked:
>
> itkinetix.com.           14400 IN SOA   inertia.itkinetix.com. d...@itkinetix.com. (
>                                         2006010408 ; Serial
>                                         14400      ; Refresh
>                                         7200       ; Retry
>                                         3600000    ; Expire
>                                         86400 )    ; Minimum TTL
> itkinetix.com.           14400 IN NS    ns.itkinetix.com.
> itkinetix.com.           14400 IN NS    ns2.itkinetix.com.
> itkinetix.com.           14400 IN MX 0  ns.itkinetix.com.
> itkinetix.com.           14400 IN A     67.52.151.98
> sneaky.itkinetix.com.    14400 IN A     67.52.151.99
> secure.itkinetix.com.    14400 IN A     67.52.151.98
> mail.itkinetix.com.      14400 IN A     67.52.151.98
> www.itkinetix.com.       14400 IN A     67.52.151.98
> wiki.itkinetix.com.      14400 IN A     67.52.151.102
> gearfuse.itkinetix.com.  14400 IN A     74.53.94.162
> inertia.itkinetix.com.   14400 IN A     67.52.151.98
> aten.itkinetix.com.      14400 IN A     67.52.151.102
> ns.itkinetix.com.        14400 IN A     67.52.151.98
> ns2.itkinetix.com.       14400 IN A     67.52.151.102
>
> Might want to monitor the entire block:
> 67.52.151.98/32
> 67.52.151.102/32
>
> This is another one of Dan's older sites, I believe. Might want to
> monitor for these IPs as well:
>
> thaumatocracy.com.            14400 IN SOA   ns.itkinetix.com. ns2.itkinetix.com. (
>                                              2006010044 ; Serial
>                                              14400      ; Refresh
>                                              7200       ; Retry
>                                              3600000    ; Expire
>                                              86400 )    ; Minimum TTL
> thaumatocracy.com.            14400 IN NS    ns.itkinetix.com.
> thaumatocracy.com.            14400 IN NS    ns2.itkinetix.com.
> thaumatocracy.com.            14400 IN MX 0  thaumatocracy.com.
> thaumatocracy.com.            14400 IN A     67.52.151.98
> endorphins.thaumatocracy.com. 14400 IN A     10.0.0.71
> home.thaumatocracy.com.       14400 IN A     67.52.151.102
> localhost.thaumatocracy.com.  14400 IN A     127.0.0.1
> mail.thaumatocracy.com.       14400 IN CNAME thaumatocracy.com.
> www.thaumatocracy.com.        14400 IN CNAME thaumatocracy.com.
> tumble.thaumatocracy.com.     14400 IN A     72.32.231.8
> ftp.thaumatocracy.com.        14400 IN A     67.52.151.98
>
> Chris Penn
>
> On Tue, Feb 9, 2010 at 12:23 PM, Dino K <socalli...@cloudcomp.info> wrote:
>> Unbelievable... I will look into this also and correspond any findings via
>> private e-mail first.
>>
>> On Tue, Feb 9, 2010 at 9:04 AM, David Kaiser <dkai...@cdk.com> wrote:
>>> Last night I submitted the attached e-mail to the abuse department at
>>> rr.com as well as to federal authorities. I believe the attached e-mail
>>> and the corresponding web page (http://socallinux.org/attack/log.html)
>>> are self-explanatory.
>>>
>>> Additionally, I need to point out the following:
>>>
>>> * we are NOT cool with actions like this being run against our server.
>>>   this incident is NOT considered friendly. it is not any type of
>>>   research. nobody was invited to run an attack on our server. (just
>>>   making that clear)
>>>
>>> * the server host for socallinux.org is being actively monitored
>>>
>>> * we have taken steps to eliminate or reduce any damage by any attempted
>>>   hacks (having current backups, etc.) should anything ever be defaced, etc.
>>>
>>> * we take these offenses very seriously and are working with law
>>>   enforcement to report incidents
>>>
>>> Finally, we know the IP address (67.52.151.102) is in a netblock which
>>> we can assume belongs to dan tentler. the netblock is listed as follows:
>>>
>>>   network:ID:NETBLK-ISRC-67.52.128.0/19
>>>   network:Auth-Area:67.52.151.96/29
>>>   network:Network-Name:IT-KINETIX-67.52.151.96
>>>   network:IP-Network:67.52.151.96/29
>>>   network:IP-Network-Block:67.52.151.96 - 67.52.151.103
>>>   network:Organization;I:IT-KINETIX
>>>   network:Tech-Contact;I:ipadd...@rr.com
>>>   network:Admin-Contact;I:IPADD-ARIN
>>>   network:AbuseEmail:d...@itkinetix.com
>>>
>>> if you do an ARIN whois search on those 8 IP addresses (67.52.151.96
>>> through 67.52.151.103) you will find they are all a part of the same
>>> assigned netblock. (try the following command to search ARIN records:
>>> whois -h whois.arin.net 67.52.151.102 )
>>>
>>> other domains hosted in the netblock include: atenlabs.com and
>>> thaumatocracy.com, which are known to be under dan's control. (you can
>>> look up their IP#s yourself.)
>>>
>>> Having said that... we don't have any concrete evidence or proof who
>>> actually was behind this attack. (It is theoretically possible that
>>> someone could have gained control of a host inside that network and done
>>> this without Dan's permission.) I am not making an accusation that Dan
>>> himself did this. In my reporting of the incident to the authorities I
>>> am only providing the information as I have here (providing log files
>>> and analysis through domain registration records, etc.)
>>>
>>> I'm being very clear here and only stating non-opinion facts because
>>> sometimes people confuse opinions with accusations. I would advise
>>> anyone to also stay clear of opinions and anything that even could be
>>> construed as an accusation of wrongdoing against any individual if they
>>> reply to this message.
>>>
>>> I'm posting this today so everyone on the list can analyze the log
>>> files, take a look at them and you can start to understand how nmap
>>> works. If you look at the linked access.log file, you can also see the
>>> specific mailman CGI URLs that were being targeted for privilege
>>> escalation. It's an opportunity to learn a bit about what a public
>>> server faces from time to time.
>>>
>>> If you have any questions, let me know.
>>>
>>> DK
>>>
>>>
>>> ---Begin Forwarded Message---
>>>
>>> To: RR.COM abuse department <ab...@rr.com>,
>>>     RR.COM Security department <secur...@rr.com>
>>> Cc: IT-KINETIX abuse department <d...@itkinetix.com>
>>> Subject: Malicious activity from IP address 67.52.151.102 (itkinetix.com)
>>>
>>> For the past few days an Internet host that I help maintain has been the
>>> recipient of a large amount of malicious activity from an IP number
>>> within your network. This activity has included wide-range port
>>> scanning, probing for vulnerable services, attempts to obtain secured
>>> and private information, and attempts to gain privilege or gain elevated
>>> privilege from the system.
>>>
>>> The host in your network has an IP address of: 67.52.151.102 with a
>>> reverse DNS record pointing to ns2.itkinetix.com. I have Cc'd the abuse
>>> contact, d...@itkinetix.com, in this complaint, based on that e-mail
>>> being listed as the abuse contact in the ARIN record for itkinetix.com
>>>
>>> Please see the specific log content and linked files at
>>> http://socallinux.org/attack/log.html
>>>
>>> While it can be argued, in some jurisdictions, that port scanning is not
>>> illegal, it can be clearly seen that in this case, a particular scanner
>>> is making multiple attempts to discover available and potentially
>>> vulnerable services on the system. Combined with the attempts to obtain
>>> user account information (trying to force a CGI to return the contents
>>> of /etc/passwd) as well as trying to force a CGI to edit stored HTML
>>> content, we believe these actions are intentional and done with malicious
>>> intent.
>>>
>>> Based on the RoadRunner "System and Network Security" Policy listed at:
>>> http://help.rr.com/HMSFaqs/e_sys_net_security.aspx?Topic=Policies
>>>
>>> (specifically the first bullet point which reads "Unauthorized access to
>>> or use of data, systems or networks, including any attempt to probe,
>>> scan or test the vulnerability of a system or network or to breach
>>> security or authentication measures without express authorization of the
>>> owner of the system or network.") ...we are sure this activity is a
>>> direct violation of RoadRunner's policies, and definitively constitutes
>>> unauthorized activity.
>>>
>>> We are appealing to RoadRunner to provide an immediate and thorough
>>> removal of the offending host and to put in place a solution which
>>> prevents this offense from affecting our server again.
>>>
>>> Please be advised that we have also filed a complaint with the Internet
>>> Crime Complaint Center (www.ic3.gov) and this incident has been assigned
>>> Complaint ID: I1002090519458152. You may be contacted by a
>>> representative of one of the IC3 agencies for clarification of details.
>>>
>>> We expect a response from rr.com within 24 hours with a complete list of
>>> actions taken to meet this request.
>>>
>>> Upon request, we can provide the complete firewall logs detailing the
>>> over 16000 TCP connection attempts (made from this one host) in 4
>>> different port scanning sessions.
>>>
>>> Thank you for your attention to this matter.
>>>
>>> David Kaiser <dkai...@cdk.com>
>>> Representing SocalLinux.org system administrators
>>>
>>> _______________________________________________
>>> LinuxUsers mailing list
>>> LinuxUsers@socallinux.org
>>> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
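The thread above asks readers to look at the linked access.log for the Mailman CGI requests (the /etc/passwd reads and the attempt to edit stored HTML) and at the firewall logs for the four port-scanning sessions, and it blocks the whole 67.52.151.96/29. The following is an added example of how that triage can be scripted; it is not code from the original post or from the socallinux.org administrators. Every log line in it is constructed to resemble Apache combined-format and iptables LOG-target output (the real logs linked in the thread are not reproduced), the server address 198.51.100.5 is a documentation address standing in for the target, the CGI paths are modelled on Mailman 2's CGI names (listinfo, private, admin, admindb, edithtml), the 300-second session gap is an assumed threshold, and the syslog year is assumed to be 2010 because syslog timestamps carry none.

```python
"""Triage helpers for the incident described in the thread above: pull the CGI
abuse out of an access.log, split logged SYNs into port-scanning sessions per
source, and confirm which sources fall inside the netblock that was firewalled.

Added example, not the original post's code. All log lines below are
constructed; 198.51.100.5 stands in for the server, the CGI names follow
Mailman 2, and the session gap and syslog year are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache combined-format lines (not the real access.log).
ACCESS_LOG = """\
67.52.151.102 - - [08/Feb/2010:23:14:02 -0800] "GET /cgi-bin/mailman/listinfo/linuxusers HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
67.52.151.102 - - [08/Feb/2010:23:14:03 -0800] "GET /cgi-bin/mailman/private/linuxusers/../../../../etc/passwd HTTP/1.1" 404 287 "-" "Mozilla/5.0"
67.52.151.102 - - [08/Feb/2010:23:14:04 -0800] "GET /cgi-bin/mailman/edithtml/linuxusers/listinfo.html HTTP/1.1" 403 291 "-" "Mozilla/5.0"
67.52.151.102 - - [08/Feb/2010:23:14:05 -0800] "GET /cgi-bin/mailman/private/linuxusers/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 287 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Feb/2010:23:15:10 -0800] "GET /cgi-bin/mailman/listinfo/linuxusers HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Constructed iptables LOG-target lines, trimmed to the fields parsed below.
FW_LOG = """\
Feb  8 23:10:01 web kernel: IN=eth0 OUT= SRC=67.52.151.102 DST=198.51.100.5 PROTO=TCP SPT=41234 DPT=22 SYN
Feb  8 23:10:01 web kernel: IN=eth0 OUT= SRC=67.52.151.102 DST=198.51.100.5 PROTO=TCP SPT=41235 DPT=25 SYN
Feb  8 23:10:02 web kernel: IN=eth0 OUT= SRC=67.52.151.102 DST=198.51.100.5 PROTO=TCP SPT=41236 DPT=80 SYN
Feb  8 23:10:03 web kernel: IN=eth0 OUT= SRC=67.52.151.102 DST=198.51.100.5 PROTO=TCP SPT=41237 DPT=443 SYN
Feb  8 23:40:00 web kernel: IN=eth0 OUT= SRC=67.52.151.102 DST=198.51.100.5 PROTO=TCP SPT=41300 DPT=8080 SYN
Feb  8 23:40:01 web kernel: IN=eth0 OUT= SRC=67.52.151.102 DST=198.51.100.5 PROTO=TCP SPT=41301 DPT=3306 SYN
Feb  8 23:41:00 web kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=80 SYN
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FW_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)')

# Mailman 2 CGIs that only a list administrator has any business requesting.
ADMIN_CGIS = ("/mailman/admin", "/mailman/admindb", "/mailman/edithtml")


def classify_request(path):
    """Return the reasons a request path looks like CGI abuse (empty = benign)."""
    decoded = unquote(unquote(path))          # undo double URL-encoding too
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("path traversal")
    if "etc/passwd" in decoded or "etc/shadow" in decoded:
        reasons.append("sensitive file read")
    if any(cgi in decoded for cgi in ADMIN_CGIS):
        reasons.append("list-admin CGI")
    return reasons


def find_cgi_abuse(lines):
    """Map source IP -> flagged requests found in access.log lines."""
    flagged = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src, _ts, method, path, status = m.groups()
        reasons = classify_request(path)
        if reasons:
            flagged[src].append({"method": method, "path": path,
                                 "status": int(status), "reasons": reasons})
    return dict(flagged)


def scan_sessions(lines, gap_seconds=300, year=2010):
    """Group logged SYNs per source into sessions separated by > gap_seconds."""
    events = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        ts, src, dport = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events[src].append((when, int(dport)))
    sessions = {}
    for src, evs in events.items():
        evs.sort()
        current, out = None, []
        for when, port in evs:
            if current is None or (when - current["end"]).total_seconds() > gap_seconds:
                current = {"start": when, "end": when, "attempts": 0, "ports": set()}
                out.append(current)
            current["end"] = when
            current["attempts"] += 1
            current["ports"].add(port)
        sessions[src] = out
    return sessions


def in_block(ip, cidr):
    """True if ip lies inside cidr, e.g. 67.52.151.102 in 67.52.151.96/29."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    block = "67.52.151.96/29"
    for src, hits in find_cgi_abuse(ACCESS_LOG.splitlines()).items():
        print(f"{src} (in {block}: {in_block(src, block)})")
        for h in hits:
            print(f"  {h['status']} {h['method']} {h['path']}  <- {', '.join(h['reasons'])}")
    for src, sess in scan_sessions(FW_LOG.splitlines()).items():
        for i, s in enumerate(sess, 1):
            print(f"{src} scan session {i}: {s['attempts']} SYNs to "
                  f"{len(s['ports'])} ports, {s['start']:%H:%M:%S}-{s['end']:%H:%M:%S}")
```

Decoding the path twice before matching is what catches the `%2e%2e` variant alongside the literal `../`; a check on the raw request line alone would miss it. Splitting the firewall events on an idle gap is a rough way to recover the "4 different port scanning sessions" figure quoted in the complaint from a flat SYN log, and `in_block` is the same membership test the thread performs by hand against the ARIN /29.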