On 2014-01-10 Fri 21:12 PM, Jan Stary wrote:
>
> > 2 references to hinet (chinese)
>
> What "references"?
> What's "hinet" and how do you know it is chinese?
>
>
> > intending to send spam (relay).
>
> How do you know that "hinet" (whatever it is)
> was intending to send or relay spam?
>
Hosts in hinet have been relentlessly attacking my mail & web servers for over 8 years. I feed them rubbish to play with, and they're still at it this week, in spamd's log:

Looking at some of the IP addresses:

$ host 1.34.176.248
248.176.34.1.in-addr.arpa domain name pointer 1-34-176-248.HINET-IP.hinet.net.

$ whois 1.34.176.248
...
...
netnum: 1.34.0.0 - 1.34.255.255
netname: HINET-NET
descr: Taipei Taiwan
country: TW
...

Since late last year, I've noticed an increase in cgi/php probes. I don't use scripting/CGI dynamic stuff - static html only in chroot. HINET is one of the top offenders:

$ for ip in $(awk '/POST \/cgi-bin\/php/ { print $1 }' /var/www/logs/access_log | sort -u); do host $ip | fgrep -i hinet && print $ip; done
248.176.34.1.in-addr.arpa domain name pointer 1-34-176-248.HINET-IP.hinet.net.
1.34.176.248
127.59.127.59.in-addr.arpa domain name pointer 59-127-59-127.HINET-IP.hinet.net.
59.127.59.127
....
...
They've even infected iPads as probing droids:

$ fgrep 1.34.176.248 /var/www/logs/access_log
1.34.176.248 - - [20/Dec/2013:07:55:54 +0000] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 221 teak.britvault.co.uk "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"

Decoding it (http://meyerweb.com/eric/tools/dencoder/) shows this:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

Which is another known PHP exploit:

"...continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI"

"...the attacker is attempting to use various command-line web clients (wget/curl/fetch/lwp-get, etc...) to download the "mc.pl" script on the remote attacker's site."

http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apache-magikac.html

I'm no web guru, so I use HTTP (Hypertext Transfer Protocol) just for what it was designed to do: let users transfer/GET static files.

Get safe, get static.

--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
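The one-liner above finds php-cgi probes by path only; a log scanner that checks the property the CVE-2012-1823 probes actually rely on (a query string with no raw "=" that decodes to php-cgi options) is a more precise detector. Added example in Python, not Craig's code nor anything from the thread; it assumes Apache combined log format, the sample lines are constructed, and the directive list is lifted from the decoded request above.

```python
import re
from urllib.parse import unquote_plus

# Request field of an Apache/httpd combined-format log line: "METHOD /target HTTP/x.y"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" \d{3}')

# php.ini settings the decoded request above forces with -d; any of them arriving
# as php-cgi argv is a strong indicator of CVE-2012-1823 probing
ARGV_DIRECTIVES = ("auto_prepend_file=php://input", "allow_url_include=on",
                   "safe_mode=off", "disable_functions=", "open_basedir=none")

def php_cgi_argv(target):
    """Return the decoded query if the CGI gateway would pass it to php-cgi as
    argv, else None.  Per the CGI spec the query becomes argv only when it holds
    no raw '=' (hence the %3D in probes), so test the raw query, then decode."""
    _path, sep, query = target.partition("?")
    if not sep or "=" in query:
        return None
    decoded = unquote_plus(query)  # '+' -> space, %XX -> char, as the gateway does
    return decoded if decoded.lstrip().startswith("-") else None

def flag_probe(line):
    """Return (client_ip, forced_directives) for a CVE-2012-1823 style probe, else None."""
    m = LOG_RE.match(line)
    argv = php_cgi_argv(m.group("target")) if m else None
    if argv is None:
        return None
    hits = [d for d in ARGV_DIRECTIVES if d in argv]
    return (m.group("ip"), hits) if hits else None

# Constructed sample lines (not real traffic): a probe encoding
# "-d allow_url_include=on -d auto_prepend_file=php://input -n", a static GET,
# and a normal query whose raw '=' keeps it out of argv.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2013:07:55:54 +0000] "POST /cgi-bin/php.cgi?'
    '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+'
    '%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74'
    '+%2D%6E HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Dec/2013:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.8 - - [20/Dec/2013:08:02:03 +0000] "GET /cgi-bin/php.cgi?-d=x&p=1 HTTP/1.1" 404 221 "-" "-"',
]

def probes_in(lines):
    """Scan log lines and return the flagged (ip, directives) pairs."""
    return [hit for hit in map(flag_probe, lines) if hit]
```

Run it over /var/www/logs/access_log instead of SAMPLE_LOG to list the offending clients and which directives each tried to force.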

