Dan has claimed that he was asleep during the attacks.

http://twitter.com/Viss/status/8873238707

However http://twitter.com/Viss/status/8803995420 proves he was awake

-Chris



On Tue, Feb 9, 2010 at 2:49 PM, David Kaiser <dkai...@cdk.com> wrote:
> Chris, thanks for the excellent research.
>
> About 5 minutes after I sent the complaint e-mails out last night I did
> a complete firewall block on these IP's:
> 67.52.151.96   67.52.151.97   67.52.151.98   67.52.151.99
> 67.52.151.100  67.52.151.101  67.52.151.102  67.52.151.103
>
> So, as of 2:40AM, the IP's have been blocked, and will stay blocked
> indefinitely.
>
> I'll check out these other ones that are not part of 67.52.151.96/29
> after I get home from work.
>
>
> Chris Penn wrote:
>> Last time I checked:
>>   itkinetix.com.      14400   IN      SOA     inertia.itkinetix.com. 
>> d...@itkinetix.com. (
>>                                       2006010408      ; Serial
>>                                       14400   ; Refresh
>>                                       7200    ; Retry
>>                                       3600000 ; Expire
>>                                       86400 ) ; Minimum TTL
>>   itkinetix.com.      14400   IN      NS      ns.itkinetix.com.
>>   itkinetix.com.      14400   IN      NS      ns2.itkinetix.com.
>>   itkinetix.com.      14400   IN      MX      0 ns.itkinetix.com.
>>   itkinetix.com.      14400   IN      A       67.52.151.98
>>   sneaky.itkinetix.com.       14400   IN      A       67.52.151.99
>>   secure.itkinetix.com.       14400   IN      A       67.52.151.98
>>   mail.itkinetix.com. 14400   IN      A       67.52.151.98
>>   www.itkinetix.com.  14400   IN      A       67.52.151.98
>>   wiki.itkinetix.com. 14400   IN      A       67.52.151.102
>>   gearfuse.itkinetix.com.     14400   IN      A       74.53.94.162
>>   inertia.itkinetix.com.      14400   IN      A       67.52.151.98
>>   aten.itkinetix.com. 14400   IN      A       67.52.151.102
>>   ns.itkinetix.com.   14400   IN      A       67.52.151.98
>>   ns2.itkinetix.com.  14400   IN      A       67.52.151.102
>>
>>
>> Might want to monitor the entire block
>> 67.52.151.98/32
>> 67.52.151.102/32
>>
>> This is another one of Dan's older sites, I believe.  Might want to
>> monitor for these IPs as well:
>>
>>   thaumatocracy.com.  14400   IN      SOA     ns.itkinetix.com. 
>> ns2.itkinetix.com. (
>>                                       2006010044      ; Serial
>>                                       14400   ; Refresh
>>                                       7200    ; Retry
>>                                       3600000 ; Expire
>>                                       86400 ) ; Minimum TTL
>>   thaumatocracy.com.  14400   IN      NS      ns.itkinetix.com.
>>   thaumatocracy.com.  14400   IN      NS      ns2.itkinetix.com.
>>   thaumatocracy.com.  14400   IN      MX      0 thaumatocracy.com.
>>   thaumatocracy.com.  14400   IN      A       67.52.151.98
>>   endorphins.thaumatocracy.com.       14400   IN      A       10.0.0.71
>>   home.thaumatocracy.com.     14400   IN      A       67.52.151.102
>>   localhost.thaumatocracy.com.        14400   IN      A       127.0.0.1
>>   mail.thaumatocracy.com.     14400   IN      CNAME   thaumatocracy.com.
>>   www.thaumatocracy.com.      14400   IN      CNAME   thaumatocracy.com.
>>   tumble.thaumatocracy.com.   14400   IN      A       72.32.231.8
>>   ftp.thaumatocracy.com.      14400   IN      A       67.52.151.98
>>
>>
>> Chris Penn
>>
>> On Tue, Feb 9, 2010 at 12:23 PM, Dino K <socalli...@cloudcomp.info> wrote:
>>> Unbelievable...   I will look into this also and correspond any findings via
>>> private e-mail first.
>>>
>>>
>>> On Tue, Feb 9, 2010 at 9:04 AM, David Kaiser <dkai...@cdk.com> wrote:
>>>> Last night I submitted the attached e-mail to the abuse department at
>>>> rr.com as well as to federal authorities.  I believe the attached e-mail
>>>> and the corresponding web page (http://socallinux.org/attack/log.html)
>>>> are self-explanatory.
>>>>
>>>> Additionally, I need to point out the following:
>>>>
>>>> * we are NOT cool with actions like this being run against our server.
>>>> this incident is NOT considered friendly.  it is not any type of
>>>> research. nobody was invited to run an attack on our server.  (just
>>>> making that clear)
>>>>
>>>> * the server host for socallinux.org is being actively monitored
>>>>
>>>> * we have taken steps to eliminate or reduce any damage by any attempted
>>>> hacks (having current backups, etc.) should anything ever be defaced, etc.
>>>>
>>>> * we take these offenses very seriously and are working with law
>>>> enforcement to report incidents
>>>>
>>>>
>>>> Finally, we know the IP address (67.52.151.102) is in a netblock which
>>>> we can assume belongs to dan tentler.  the netblock is listed as follows:
>>>>  network:ID:NETBLK-ISRC-67.52.128.0/19
>>>>  network:Auth-Area:67.52.151.96/29
>>>>  network:Network-Name:IT-KINETIX-67.52.151.96
>>>>  network:IP-Network:67.52.151.96/29
>>>>  network:IP-Network-Block:67.52.151.96 - 67.52.151.103
>>>>  network:Organization;I:IT-KINETIX
>>>>  network:Tech-Contact;I:ipadd...@rr.com
>>>>  network:Admin-Contact;I:IPADD-ARIN
>>>>  network:AbuseEmail:d...@itkinetix.com
>>>>
>>>> if you do an ARIN whois search on those 8 IP addresses (67.52.151.96
>>>> through 67.52.151.103) you will find they are all a part of the same
>>>> assigned netblock.  (try the following command to search ARIN records:
>>>> whois -h whois.arin.net 67.52.151.102 )
>>>>
>>>> other domains hosted in the netblock include: atenlabs.com and
>>>> thaumatocracy.com, which are known to be under dan's control.  (you can
>>>> look up their IP#'s yourself.)
>>>>
>>>> Having said that...  we don't have any concrete evidence or proof who
>>>> actually was behind this attack.  (It is theoretically possible that
>>>> someone could have gained control of a host inside that network and done
>>>> this without Dan's permission.)  I am not making an accusation that Dan
>>>> himself did this.  In my reporting of the incident to the authorities I
>>>> am only providing the information as I have here (providing log files
>>>> and analysis through domain registration records, etc.)
>>>>
>>>> I'm being very clear here and only stating non-opinion facts because
>>>> sometimes people confuse opinions with accusations.  I would advise
>>>> anyone to also stay clear of opinions and anything that even could be
>>>> construed as an accusation of wrongdoing against any individual if they
>>>> reply to this message.
>>>>
>>>> I'm posting this today so everyone on the list can analyze the log
>>>> files, take a look at them and you can start to understand how nmap
>>>> works.  If you look at the linked access.log file, you can also see the
>>>> specific mailman CGI URL's that were being targeted for privilege
>>>> escalation.  It's an opportunity to learn a bit about what a public
>>>> server faces from time to time.
>>>>
>>>> If you have any questions, let me know.
>>>>
>>>> DK
>>>>
>>>>
>>>>
>>>> ---Begin Forwarded Message---
>>>>
>>>> To: RR.COM abuse department <ab...@rr.com>,
>>>>    RR.COM Security department <secur...@rr.com>
>>>> Cc: IT-KINETIX abuse department <d...@itkinetix.com>
>>>> Subject: Malicious activity from IP address 67.52.151.102 (itkinetix.com)
>>>>
>>>> For the past few days an Internet host that I help maintain has been the
>>>> recipient of a large amount of malicious activity from an IP number
>>>> within your network. This activity has included wide-range port
>>>> scanning, probing for vulnerable services, attempts to obtain secured
>>>> and private information, and attempts to gain privilege or gain elevated
>>>> privilege from the system.
>>>>
>>>> The host in your network has an IP address of: 67.52.151.102 with a
>>>> reverse DNS record pointing to ns2.itkinetix.com.  I have Cc:d the abuse
>>>> contact, d...@itkinetix.com, in this complaint, based on that e-mail
>>>> being listed as the abuse contact in the ARIN record for itkinetix.com
>>>>
>>>>
>>>> Please see the specific log content and linked files at
>>>> http://socallinux.org/attack/log.html
>>>>
>>>>
>>>> While it can be argued, in some jurisdictions, that port scanning is not
>>>> illegal, it can be clearly seen that in this case, a particular scanner
>>>> is making multiple attempts to discover available and potentially
>>>> vulnerable services on the system.  Combined with the attempts to obtain
>>>> user account information (trying to force a CGI to return the contents
>>>> of /etc/passwd) as well as trying to force a CGI to edit stored HTML
>>>> content, we believe these actions are intentional and done with malicious
>>>> intent.
>>>>
>>>> Based on the RoadRunner "System and Network Security" Policy listed at:
>>>> http://help.rr.com/HMSFaqs/e_sys_net_security.aspx?Topic=Policies
>>>>
>>>> (specifically the first bullet point which reads "Unauthorized access to
>>>> or use of data, systems or networks, including any attempt to probe,
>>>> scan or test the vulnerability of a system or network or to breach
>>>> security or authentication measures without express authorization of the
>>>> owner of the system or network."   ...we are sure this activity is a
>>>> direct violation of RoadRunner's policies, and definitively constitutes
>>>> unauthorized activity.
>>>>
>>>> We are appealing to RoadRunner to provide an immediate and thorough
>>>> removal of the offending host and to put in place a solution which
>>>> prevents this offense from affecting our server again.
>>>>
>>>> Please be advised that we have also filed a complaint with the Internet
>>>> Crime Complaint Center (www.ic3.gov) and this incident has been assigned
>>>> Complaint ID: I1002090519458152   You may be contacted by a
>>>> representative of one of the IC3 agencies for clarification of details.
>>>>
>>>> We expect a response from rr.com within 24 hours with a complete list of
>>>> actions taken to meet this request.
>>>>
>>>> Upon request, we can provide the complete firewall logs detailing the
>>>> over 16000 TCP connection attempts (made from this one host) in 4
>>>> different port scanning sessions.
>>>>
>>>> Thank you for your attention to this matter.
>>>>
>>>> David Kaiser <dkai...@cdk.com>
>>>> Representing SocalLinux.org system administrators
>>>>
>>>> _______________________________________________
>>>> LinuxUsers mailing list
>>>> LinuxUsers@socallinux.org
>>>> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>>>
>>>
>>>
>>
>>
>>
>
>
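The thread's defensive steps (check whether a source address falls in the IT-KINETIX 67.52.151.96/29 netblock, confirm that the eight listed addresses really are one /29, and pull the CGI requests aimed at /etc/passwd or at mailman's HTML editor out of the access log) can be scripted. The Python below is an added example, not code from the thread or from socallinux.org; the netblock and host addresses come from the ARIN and DNS records quoted above, while the log lines are constructed samples and the `SENSITIVE_PATTERNS` list is my own crude heuristic for the two request types the complaint describes.

```python
import ipaddress
import re
from collections import Counter

# Netblock from the ARIN record quoted in the thread (IT-KINETIX, 67.52.151.96/29).
WATCHED_NETBLOCK = ipaddress.ip_network("67.52.151.96/29")

# The eight addresses David blocked, as listed in his reply.
BLOCKED_IPS = [f"67.52.151.{n}" for n in range(96, 104)]

# Constructed sample lines in Apache combined-log style (hypothetical data,
# not the real socallinux.org access.log). 192.0.2.10 is a documentation address.
SAMPLE_ACCESS_LOG = """\
67.52.151.102 - - [08/Feb/2010:23:14:01 -0800] "GET /cgi-bin/mailman/listinfo HTTP/1.1" 200 4321
67.52.151.102 - - [08/Feb/2010:23:14:02 -0800] "GET /cgi-bin/mailman/private/linuxusers?file=/etc/passwd HTTP/1.1" 404 512
192.0.2.10 - - [08/Feb/2010:23:15:00 -0800] "GET /index.html HTTP/1.1" 200 1024
67.52.151.98 - - [08/Feb/2010:23:16:10 -0800] "GET /cgi-bin/mailman/edithtml/linuxusers HTTP/1.1" 403 256
"""

# Fields of a combined-log line that matter for this triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Heuristic indicators taken from the complaint text: a CGI being pushed to
# return /etc/passwd, or mailman's HTML editor being driven from outside.
SENSITIVE_PATTERNS = ("/etc/passwd", "/cgi-bin/mailman/edithtml")


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["status"] = int(rec["status"])
    return rec


def in_watched_block(ip, netblock=WATCHED_NETBLOCK):
    """True when the address lies inside the netblock being watched."""
    return ipaddress.ip_address(ip) in netblock


def summarize_block(ips):
    """Collapse individual host addresses into the smallest covering CIDR(s).

    Shows that the eight listed hosts are exactly one /29, so a single
    firewall rule for 67.52.151.96/29 covers them all.
    """
    return [str(n) for n in ipaddress.collapse_addresses(
        ipaddress.ip_network(ip) for ip in ips)]


def analyze(log_text, netblock=WATCHED_NETBLOCK):
    """Count requests per source inside the netblock and flag sensitive paths."""
    hits_per_ip = Counter()
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        if rec["ip"] in netblock:
            hits_per_ip[str(rec["ip"])] += 1
        if any(p in rec["path"] for p in SENSITIVE_PATTERNS):
            flagged.append((str(rec["ip"]), rec["path"], rec["status"]))
    return hits_per_ip, flagged


if __name__ == "__main__":
    print("covering netblock(s):", summarize_block(BLOCKED_IPS))
    hits, flagged = analyze(SAMPLE_ACCESS_LOG)
    for ip, count in hits.most_common():
        print(f"{ip}: {count} request(s) from watched block")
    for ip, path, status in flagged:
        print(f"flagged {ip} -> {path} ({status})")
```

Because `analyze` takes the netblock as a parameter, the same routine can be pointed at the other addresses Chris listed (for instance 74.53.94.162 for gearfuse.itkinetix.com) by passing a /32 for each; the hit counter is what you would compare against the "over 16000 TCP connection attempts" figure once the real firewall log is fed in.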
