It could have been cron, but looking at the time stamps he would have had some type of random execution on it. Random wait commands, etc. Otherwise it looks too human IMHO. It's also possible his system was compromised by someone else and they did it.

-Chris

On Tue, Feb 9, 2010 at 5:09 PM, <char...@knownelement.com> wrote:
> It could have easily been launched from cron.
> I wouldn't rely too much on Twitter statuses.
>
> Though if this goes to court it could set precedent. Cool stuff.
>
>
> Sent via BlackBerry from T-Mobile
>
> -----Original Message-----
> From: Chris Louden <ch...@chrislouden.com>
> Date: Tue, 9 Feb 2010 17:00:30
> To: SoCal LUG Users List <linuxusers@socallinux.org>
> Subject: Re: [LinuxUsers] [Fwd: Malicious activity from IP address
> 67.52.151.102 (itkinetix.com)]
>
> Dan has claimed that he was asleep during the attacks.
>
> http://twitter.com/Viss/status/8873238707
>
> However http://twitter.com/Viss/status/8803995420 proves he was awake
>
> -Chris
>
>
>
> On Tue, Feb 9, 2010 at 2:49 PM, David Kaiser <dkai...@cdk.com> wrote:
>> Chris, thanks for the excellent research.
>>
>> About 5 minutes after I sent the complaint e-mails out last night I did
>> a complete firewall block on these IP's:
>> 67.52.151.96 67.52.151.97 67.52.151.98 67.52.151.99
>> 67.52.151.100 67.52.151.101 67.52.151.102 67.52.151.103
>>
>> So, as of 2:40AM, the IP's have been blocked, and will stay blocked
>> indefinitely.
>>
>> I'll check out these other ones that are not part of 67.52.151.96/29
>> after I get home from work.
>>
>>
>> Chris Penn wrote:
>>> Last time I checked:
>>> itkinetix.com. 14400 IN SOA inertia.itkinetix.com. d...@itkinetix.com. (
>>> 2006010408 ; Serial
>>> 14400 ; Refresh
>>> 7200 ; Retry
>>> 3600000 ; Expire
>>> 86400 ) ; Minimum TTL
>>> itkinetix.com. 14400 IN NS ns.itkinetix.com.
>>> itkinetix.com. 14400 IN NS ns2.itkinetix.com.
>>> itkinetix.com. 14400 IN MX 0 ns.itkinetix.com.
>>> itkinetix.com. 14400 IN A 67.52.151.98
>>> sneaky.itkinetix.com. 14400 IN A 67.52.151.99
>>> secure.itkinetix.com. 14400 IN A 67.52.151.98
>>> mail.itkinetix.com. 14400 IN A 67.52.151.98
>>> www.itkinetix.com. 14400 IN A 67.52.151.98
>>> wiki.itkinetix.com. 14400 IN A 67.52.151.102
>>> gearfuse.itkinetix.com. 14400 IN A 74.53.94.162
>>> inertia.itkinetix.com. 14400 IN A 67.52.151.98
>>> aten.itkinetix.com. 14400 IN A 67.52.151.102
>>> ns.itkinetix.com. 14400 IN A 67.52.151.98
>>> ns2.itkinetix.com. 14400 IN A 67.52.151.102
>>>
>>>
>>> Might want to monitor the entire block
>>> 67.52.151.98/32
>>> 67.52.151.102/32
>>>
>>> This is another one of Dan's older sites I believe. Might want to
>>> monitor for these IPs as well:
>>>
>>> thaumatocracy.com. 14400 IN SOA ns.itkinetix.com. ns2.itkinetix.com. (
>>> 2006010044 ; Serial
>>> 14400 ; Refresh
>>> 7200 ; Retry
>>> 3600000 ; Expire
>>> 86400 ) ; Minimum TTL
>>> thaumatocracy.com. 14400 IN NS ns.itkinetix.com.
>>> thaumatocracy.com. 14400 IN NS ns2.itkinetix.com.
>>> thaumatocracy.com. 14400 IN MX 0 thaumatocracy.com.
>>> thaumatocracy.com. 14400 IN A 67.52.151.98
>>> endorphins.thaumatocracy.com. 14400 IN A 10.0.0.71
>>> home.thaumatocracy.com. 14400 IN A 67.52.151.102
>>> localhost.thaumatocracy.com. 14400 IN A 127.0.0.1
>>> mail.thaumatocracy.com. 14400 IN CNAME thaumatocracy.com.
>>> www.thaumatocracy.com. 14400 IN CNAME thaumatocracy.com.
>>> tumble.thaumatocracy.com. 14400 IN A 72.32.231.8
>>> ftp.thaumatocracy.com. 14400 IN A 67.52.151.98
>>>
>>>
>>> Chris Penn
>>>
>>> On Tue, Feb 9, 2010 at 12:23 PM, Dino K <socalli...@cloudcomp.info> wrote:
>>>> Unbelievable... I will look into this also and correspond any findings
>>>> via private e-mail first.
>>>>
>>>>
>>>> On Tue, Feb 9, 2010 at 9:04 AM, David Kaiser <dkai...@cdk.com> wrote:
>>>>> Last night I submitted the attached e-mail to the abuse department at
>>>>> rr.com as well as to federal authorities. I believe the attached e-mail
>>>>> and the corresponding web page (http://socallinux.org/attack/log.html)
>>>>> are self-explanatory.
>>>>>
>>>>> Additionally, I need to point out the following:
>>>>>
>>>>> * we are NOT cool with actions like this being run against our server.
>>>>> this incident is NOT considered friendly. it is not any type of
>>>>> research. nobody was invited to run an attack on our server. (just
>>>>> making that clear)
>>>>>
>>>>> * the server host for socallinux.org is being actively monitored
>>>>>
>>>>> * we have taken steps to eliminate or reduce any damage by any attempted
>>>>> hacks (having current backups, etc.) should anything ever be defaced, etc.
>>>>>
>>>>> * we take these offenses very seriously and are working with law
>>>>> enforcement to report incidents
>>>>>
>>>>>
>>>>> Finally, we know the IP address (67.52.151.102) is in a netblock which
>>>>> we can assume belongs to dan tentler. the netblock is listed as follows:
>>>>> network:ID:NETBLK-ISRC-67.52.128.0/19
>>>>> network:Auth-Area:67.52.151.96/29
>>>>> network:Network-Name:IT-KINETIX-67.52.151.96
>>>>> network:IP-Network:67.52.151.96/29
>>>>> network:IP-Network-Block:67.52.151.96 - 67.52.151.103
>>>>> network:Organization;I:IT-KINETIX
>>>>> network:Tech-Contact;I:ipadd...@rr.com
>>>>> network:Admin-Contact;I:IPADD-ARIN
>>>>> network:AbuseEmail:d...@itkinetix.com
>>>>>
>>>>> if you do an ARIN whois search on those 8 IP addresses (67.52.151.96
>>>>> through 67.52.151.103) you will find they are all a part of the same
>>>>> assigned netblock. (try the following command to search ARIN records:
>>>>> whois -h whois.arin.net 67.52.151.102 )
>>>>>
>>>>> other domains hosted in the netblock include: atenlabs.com and
>>>>> thaumatocracy.com, which are known to be under dan's control. (you can
>>>>> look up their IP#'s yourself.)
>>>>>
>>>>> Having said that... we don't have any concrete evidence or proof who
>>>>> actually was behind this attack. (It is theoretically possible that
>>>>> someone could have gained control of a host inside that network and done
>>>>> this without Dan's permission.) I am not making an accusation that Dan
>>>>> himself did this. In my reporting of the incident to the authorities I
>>>>> am only providing the information as I have here (providing log files
>>>>> and analysis through domain registration records, etc.)
>>>>>
>>>>> I'm being very clear here and only stating non-opinion facts because
>>>>> sometimes people confuse opinions with accusations. I would advise
>>>>> anyone to also stay clear of opinions and anything that even could be
>>>>> construed as an accusation of wrongdoing against any individual if they
>>>>> reply to this message.
>>>>>
>>>>> I'm posting this today so everyone on the list can analyze the log
>>>>> files, take a look at them and you can start to understand how nmap
>>>>> works. If you look at the linked access.log file, you can also see the
>>>>> specific mailman CGI URL's that were being targeted for privilege
>>>>> escalation. It's an opportunity to learn a bit about what a public
>>>>> server faces from time to time.
>>>>>
>>>>> If you have any questions, let me know.
>>>>>
>>>>> DK
>>>>>
>>>>>
>>>>>
>>>>> ---Begin Forwarded Message---
>>>>>
>>>>> To: RR.COM abuse department <ab...@rr.com>,
>>>>> RR.COM Security department <secur...@rr.com>
>>>>> Cc: IT-KINETIX abuse department <d...@itkinetix.com>
>>>>> Subject: Malicious activity from IP address 67.52.151.102 (itkinetix.com)
>>>>>
>>>>> For the past few days an Internet host that I help maintain has been the
>>>>> recipient of a large amount of malicious activity from an IP number
>>>>> within your network. This activity has included wide-range port
>>>>> scanning, probing for vulnerable services, attempts to obtain secured
>>>>> and private information, and attempts to gain privilege or gain elevated
>>>>> privilege from the system.
>>>>>
>>>>> The host in your network has an IP address of: 67.52.151.102 with a
>>>>> reverse DNS record pointing to ns2.itkinetix.com. I have Cc:d the abuse
>>>>> contact, d...@itkinetix.com, in this complaint, based on that e-mail
>>>>> being listed as the abuse contact in the ARIN record for itkinetix.com
>>>>>
>>>>>
>>>>> Please see the specific log content and linked files at
>>>>> http://socallinux.org/attack/log.html
>>>>>
>>>>>
>>>>> While it can be argued, in some jurisdictions, that port scanning is not
>>>>> illegal, it can be clearly seen that in this case, a particular scanner
>>>>> is making multiple attempts to discover available and potentially
>>>>> vulnerable services on the system. Combined with the attempts to obtain
>>>>> user account information (trying to force a CGI to return the contents
>>>>> of /etc/passwd) as well as trying to force a CGI to edit stored HTML
>>>>> content, we believe these actions are intentional and done with malicious
>>>>> intent.
>>>>>
>>>>> Based on the RoadRunner "System and Network Security" Policy listed at:
>>>>> http://help.rr.com/HMSFaqs/e_sys_net_security.aspx?Topic=Policies
>>>>>
>>>>> (specifically the first bullet point which reads "Unauthorized access to
>>>>> or use of data, systems or networks, including any attempt to probe,
>>>>> scan or test the vulnerability of a system or network or to breach
>>>>> security or authentication measures without express authorization of the
>>>>> owner of the system or network." ...we are sure this activity is a
>>>>> direct violation of RoadRunner's policies, and definitively constitutes
>>>>> unauthorized activity.
>>>>>
>>>>> We are appealing to RoadRunner to provide an immediate and thorough
>>>>> removal of the offending host and to put in place a solution which
>>>>> prevents this offense from affecting our server again.
>>>>>
>>>>> Please be advised that we have also filed a complaint with the Internet
>>>>> Crime Complaint Center (www.ic3.gov) and this incident has been assigned
>>>>> Complaint ID: I1002090519458152. You may be contacted by a
>>>>> representative of one of the IC3 agencies for clarification of details.
>>>>>
>>>>> We expect a response from rr.com within 24 hours with a complete list of
>>>>> actions taken to meet this request.
>>>>>
>>>>> Upon request, we can provide the complete firewall logs detailing the
>>>>> over 16000 TCP connection attempts (made from this one host) in 4
>>>>> different port scanning sessions.
>>>>>
>>>>> Thank you for your attention to this matter.
>>>>>
>>>>> David Kaiser <dkai...@cdk.com>
>>>>> Representing SocalLinux.org system administrators
>>>>>
>>>>> _______________________________________________
>>>>> LinuxUsers mailing list
>>>>> LinuxUsers@socallinux.org
>>>>> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
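As an added illustration of two analysis points raised in this thread (Chris's argument that scan time stamps that are too regular suggest a scheduler rather than a person, and David's tally of connection attempts per port-scanning session), the following Python is not from the thread or from socallinux.org. It groups constructed iptables-style firewall DROP lines into per-source scan sessions and labels evenly spaced session starts as scheduler-like. Assumptions: the year 2010 for the year-less syslog time stamps, a 10-minute idle gap as the session boundary, and RFC 5737 documentation addresses in place of real hosts.

```python
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev
# Constructed iptables/syslog-style DROP lines (not the thread's real logs); RFC 5737 addresses.
SAMPLE_LOG = """\
Feb  8 03:00:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Feb  8 03:00:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Feb  9 03:00:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Feb  9 03:00:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Feb 10 03:00:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Feb 11 03:00:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Feb  8 14:12:40 gw kernel: DROP IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP DPT=22
Feb  8 21:47:05 gw kernel: DROP IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP DPT=80
Feb  9 09:31:19 gw kernel: DROP IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP DPT=8080
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def parse_log(text, year=2010):
    """Return sorted (timestamp, src, dport) tuples; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return sorted(events)

def sessions(events, gap=timedelta(minutes=10)):
    """Split each source's attempts into sessions wherever it goes idle longer than gap."""
    out = {}
    for ts, src, port in events:
        runs = out.setdefault(src, [])
        if not runs or ts - runs[-1]["end"] > gap:
            runs.append({"start": ts, "end": ts, "attempts": 0, "ports": set()})
        runs[-1].update(end=ts, attempts=runs[-1]["attempts"] + 1)
        runs[-1]["ports"].add(port)
    return out

def cadence(runs, tolerance=0.05):
    """'regular' when session starts are evenly spaced (scheduler-like), else 'irregular'."""
    if len(runs) < 3:
        return "too few sessions"
    gaps = [(b["start"] - a["start"]).total_seconds() for a, b in zip(runs, runs[1:])]
    return "regular" if pstdev(gaps) / mean(gaps) <= tolerance else "irregular"

def report(text):
    """Per source: (session count, total attempts, distinct ports, cadence)."""
    return {src: (len(r), sum(s["attempts"] for s in r), len(set().union(*(s["ports"] for s in r))),
                  cadence(r)) for src, r in sessions(parse_log(text)).items()}
```

A source whose sessions start 24 hours apart to the second comes out "regular", which is the cron-like signature Chris describes; a human-driven scanner tends to come out "irregular".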