Send VoiceOps mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/voiceops
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of VoiceOps digest..."
Today's Topics:
1. Re: VoiceOps Digest, Vol 52, Issue 11 ([email protected])
2. Re: [VOIPSEC] Web Attacker Blacklist (J. Oquendo)
3. Re: Web Attacker Blacklist (Jay Hennigan)
4. Re: Web Attacker Blacklist (J. Oquendo)
5. Re: Web Attacker Blacklist (Oren Yehezkely)
6. Blacklist script (J. Oquendo)
----------------------------------------------------------------------
Message: 1
Date: Tue, 22 Oct 2013 12:01:48 -0400 (EDT)
From: [email protected]
To: [email protected]
Subject: Re: [VoiceOps] VoiceOps Digest, Vol 52, Issue 11
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"
An HTML attachment was scrubbed...
URL:
<https://puck.nether.net/pipermail/voiceops/attachments/20131022/cdb7e8ba/attachment-0001.html>
------------------------------
Message: 2
Date: Tue, 22 Oct 2013 15:19:37 -0500
From: "J. Oquendo" <[email protected]>
To: Sergey Kolesnichenko <[email protected]>
Cc: [email protected], [email protected]
Subject: Re: [VoiceOps] [VOIPSEC] Web Attacker Blacklist
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
On Tue, 22 Oct 2013, Sergey Kolesnichenko wrote:
> If I ever want to do something bad I would check if my IP is the public
> lists. If I ever want to protect my scripts I will never rely on 3rd party
> blacklists. And I think modsecurity.org saves the day for web
> applications...
>
You're missing the purpose of the list. Not everyone can,
will, or has the capability of running modsecurity. I do,
so I am fully aware of how to blacklist/filter attacks.
Filtering - while it helps me - helps me solely because I
have taken the time to implement strong (overly aggressive)
rules. What about the others who can't/don't run filters
such as modsecurity? So for starters, it helps others see
who is doing what on other networks under the premise that
"if it hits me, it can hit you too."
Secondly, accountability. Having maintained my blacklists
for some time now, I get a lot of requests to have IP
addresses taken off the blacklists. Many are companies that
didn't even know they were compromised. Because of the list
and people blocking the IP, they quickly fix their networks,
where before they'd have never known.
Thirdly, research. I can't count the number of times that
articles were written with no attributable addresses. By
posting addresses publicly, anyone doing research into
cybercrime related themes (botnets, etc.) can see addresses
firsthand and, if necessary, I would supply them with the
exact attack vector used by an address.
Finally, it's no secret that most attackers do this (check
against blacklists). At some point in time, the theory is,
they're gonna run out of addresses and compromisable hosts
once companies and individuals running websites get their
acts in order. NO COMPANY wants to have entire netblocks
blacklisted.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
------------------------------
Message: 3
Date: Tue, 22 Oct 2013 14:29:27 -0700
From: Jay Hennigan <[email protected]>
To: [email protected]
Subject: Re: [VoiceOps] Web Attacker Blacklist
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1
On 10/22/13 6:57 AM, J. Oquendo wrote:
>
> Going to cross post this to the list (I know some of us
> criss-cross lists). Reasoning, a lot of IP PBXs have
> web based interfaces, and some need to be on the public
> Internet.
>
> Cobbled together a script to scrape my logs, parse out web
> based attackers (SQLi, XSS, CSRF, etc) and compile said list
> for blacklisting. Script is pulling from 6 different web
> servers for now. I may add more later depending on whether
> or not I see a lot of usage.
>
> http://www.infiltrated.net/webattackers.txt
Thanks. I personally would like to see it as solely raw IP addresses
rather than a mix of IPs and PTRs. The PTRs may not match forward DNS,
particularly if a bad guy has control of rDNS.
--
Jay Hennigan - CCIE #7880 - Network Engineering - [email protected]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
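Jay's point is the one a consumer of such a feed has to act on: a reverse-DNS name in a blocklist is controlled by whoever owns the address, so it should never be blocked on directly. The following is an added example, not code from this thread or from the published list. It normalises a constructed feed that mixes literal addresses and PTR-style names: literals are validated and kept, hostname entries are admitted only through a forward lookup, and anything that does neither is reported as rejected. The feed contents, the `normalise_blacklist` function and the stub resolver are assumptions for illustration; the resolver is injected so the example runs offline.

```python
"""Normalise a mixed IP/PTR blocklist into literal addresses.

Added example (not from the mailing-list thread).  Reverse-DNS names are
attacker-controlled, so hostname entries are only turned into addresses by a
forward lookup and dropped when that lookup yields nothing.
"""
import ipaddress
from typing import Callable, Iterable

# Constructed sample feed (RFC 5737 / RFC 3849 addresses), NOT the real list.
SAMPLE_FEED = """\
#
# constructed example feed, not the real webattackers.txt
#
198.51.100.23
2001:db8::1f
host-203-0-113-9.example.net
not-an-entry
198.51.100.23
203.0.113.10.
"""

# Constructed stub standing in for a forward (A/AAAA) lookup.
STUB_FORWARD = {
    "host-203-0-113-9.example.net": ["203.0.113.9"],
}


def stub_resolve(name: str) -> list[str]:
    """Offline stand-in for a forward DNS lookup (assumption for the example)."""
    return STUB_FORWARD.get(name, [])


def normalise_blacklist(lines: Iterable[str],
                        resolve: Callable[[str], list[str]]):
    """Return (sorted unique addresses, entries that were rejected).

    Literal addresses are kept after validation.  Any other entry is treated
    as a hostname and replaced by whatever the *forward* lookup returns; an
    entry that resolves to nothing usable is rejected rather than guessed at.
    """
    addrs = set()
    rejected = []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            addrs.add(ipaddress.ip_address(entry))
            continue
        except ValueError:
            pass  # not a literal address; fall through to forward lookup
        forward = []
        for candidate in resolve(entry):
            try:
                forward.append(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # resolver returned junk; ignore that record
        if forward:
            addrs.update(forward)
        else:
            rejected.append(entry)
    # Stable ordering: IPv4 before IPv6, numeric within each family.
    return sorted(addrs, key=lambda a: (a.version, int(a))), rejected


def normalise_sample():
    """Run the normaliser over the constructed feed with the stub resolver."""
    return normalise_blacklist(SAMPLE_FEED.splitlines(), stub_resolve)


if __name__ == "__main__":
    accepted, dropped = normalise_sample()
    for a in accepted:
        print(a)
    for d in dropped:
        print("# rejected:", d)
```

With a real resolver plugged in for `resolve`, the same function gives a feed of literal addresses that a firewall or WAF can consume without ever trusting a PTR.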
------------------------------
Message: 4
Date: Wed, 23 Oct 2013 07:04:39 -0500
From: "J. Oquendo" <[email protected]>
To: Jay Hennigan <[email protected]>
Cc: [email protected]
Subject: Re: [VoiceOps] Web Attacker Blacklist
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
On Tue, 22 Oct 2013, Jay Hennigan wrote:
> On 10/22/13 6:57 AM, J. Oquendo wrote:
> >
> > Going to cross post this to the list (I know some of us
> > criss-cross lists). Reasoning, a lot of IP PBXs have
> > web based interfaces, and some need to be on the public
> > Internet.
> >
> > Cobbled together a script to scrape my logs, parse out web
> > based attackers (SQLi, XSS, CSRF, etc) and compile said list
> > for blacklisting. Script is pulling from 6 different web
> > servers for now. I may add more later depending on whether
> > or not I see a lot of usage.
> >
> > http://www.infiltrated.net/webattackers.txt
>
> Thanks. I personally would like to see it as solely raw IP addresses
> rather than a mix of IPs and PTRs. The PTRs may not match forward DNS,
> particularly if a bad guy has control of rDNS.
>
I changed it up, but will leave existing domains on there.
I thought about this (domains vs. IPs) in the sense that
filtering (WAF) often tends to rely on domains. Then I
thought about matching domains to IPs on that instance, but
it wouldn't have been cumbersome considering anyone can
edit /etc/hosts or c:\windows\system32\etc\drivers\hosts,
so I left it alone. As of about 20 minutes after the original
post, I re-configured Apache to stop hostname lookups.
------------------------------
Message: 5
Date: Wed, 23 Oct 2013 08:37:36 -0400
From: Oren Yehezkely <[email protected]>
To: "J. Oquendo" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] Web Attacker Blacklist
Message-ID:
<cal+wrhky843nkvesxmxjxqfrpa2x9w-m63dwzbfz0ryzbs2...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
J,
Did you intend to provide the script for others to use and add data, or
just the data you collected so far?
Regards,
Oren
On Wed, Oct 23, 2013 at 8:04 AM, J. Oquendo <[email protected]> wrote:
> On Tue, 22 Oct 2013, Jay Hennigan wrote:
>
> > On 10/22/13 6:57 AM, J. Oquendo wrote:
> > >
> > > Going to cross post this to the list (I know some of us
> > > criss-cross lists). Reasoning, a lot of IP PBXs have
> > > web based interfaces, and some need to be on the public
> > > Internet.
> > >
> > > Cobbled together a script to scrape my logs, parse out web
> > > based attackers (SQLi, XSS, CSRF, etc) and compile said list
> > > for blacklisting. Script is pulling from 6 different web
> > > servers for now. I may add more later depending on whether
> > > or not I see a lot of usage.
> > >
> > > http://www.infiltrated.net/webattackers.txt
> >
> > Thanks. I personally would like to see it as solely raw IP addresses
> > rather than a mix of IPs and PTRs. The PTRs may not match forward DNS,
> > particularly if a bad guy has control of rDNS.
> >
>
> I changed it up, but will leave existing domains on there.
> I thought about this (domains vs. IPs) in the sense that,
> filtering (WAF) often tends to rely on domains. Then I
> thought about matching domains to IPs on that instance but
> it wouldn't have been cumbersome considering anyone can
> edit /etc/hosts or c:\windows\system32\etc\drivers\hosts
> so I left it alone. As of about 20 minutes of the original
> post, I re-configured Apache to stop hostname lookups.
>
------------------------------
Message: 6
Date: Wed, 23 Oct 2013 07:37:29 -0500
From: "J. Oquendo" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected]
Subject: [VoiceOps] Blacklist script
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
Isn't much more than a bloated one-liner. It just parses
through Apache logs to check for the following (so
far):
JCE - (Joomla shell uploader)
Ahrefsbot - (spammer bot)
POST - (because no one should be posting stuff to my
site; I have no user logins, forms, etc., and after
analyzing what was being posted, close to 100% were
things with malicious intent. Catches most things.)
administrator - (no one should be trying to log in
as administrator. They get nowhere trying, but they
still do.)
55000 is the set number of lines I chose to look
through, since I fluctuate between 25-40k visitors
at peak times. (This was written for my personal
site, which sees about 2-3k ranDumb attacks per
day (must be the domain name).) Sorting uniquely
ensures I don't get dupes.
I may reconstruct it to aggregate data from others
once I get proper permission to do so, in which
event I'd be able to correlate data from a couple
hundred/thousandish webservers (unsure when this
will happen).
-----------
# Write the header for this hour's list.
printf "
#
# The following addresses are web based attackers
# compiled on an hourly basis. Most are attempting
# XSS, SQLi, CSRF and other attacks. Compiled list
# to be used for blacklisting.
#
#" > /tmp/xssers/XSSATTACKERS
# Stamp the list with the time it was generated.
echo `date`|sed 's:^: :g' >> /tmp/xssers/XSSATTACKERS
printf "\n\n" >> /tmp/xssers/XSSATTACKERS
# Take the client address (field 1) from the last 55000 log lines that
# match any of the patterns, de-duplicate, and append to the running list.
tail -n 55000 /var/logs/httpd/access_log|\
awk '/AhrefsBot|POST|administrator|JCE/{print $1}'|sort -u >> /tmp/xssers/bad.xxxers
# Publish: header followed by the addresses.
cat /tmp/xssers/bad.xxxers >> /tmp/xssers/XSSATTACKERS
mv /tmp/xssers/XSSATTACKERS /var/www/html/infiltrated.net/webattackers.txt
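The awk pattern in the script above matches anywhere in the log line, so a Referer or User-Agent that happens to contain "administrator" or "POST" is enough to list a visitor, and with hostname lookups enabled field 1 may be a PTR rather than an address. The following is an added example, not the poster's script, showing a field-aware version of the same scrape: it parses Apache combined-format lines, applies each test to the field it belongs to (method, request path, User-Agent), validates the client field as an IP address, and returns a sorted, de-duplicated list with the reason each address was flagged. The sample log lines are constructed with RFC 5737 addresses, and the `classify`, `scrape` and `render` functions are assumptions for illustration.

```python
"""Field-aware scrape of Apache combined logs for web-attacker addresses.

Added example, not the mailing-list poster's script.  Each test is applied to
the log field it belongs to, so text in a Referer or User-Agent cannot trip
the request-method or request-path checks, and clients that are not literal
IP addresses are skipped rather than published.
"""
import ipaddress
import re

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2013:07:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [23/Oct/2013:07:00:02 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [23/Oct/2013:07:00:03 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [23/Oct/2013:07:00:04 -0500] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "curl/7.29"',
    '203.0.113.80 - - [23/Oct/2013:07:00:05 -0500] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.0)"',
    '203.0.113.91 - - [23/Oct/2013:07:00:06 -0500] "GET /index.php?option=com_jce HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    # Referer contains "administrator" but the request itself is benign:
    '203.0.113.12 - - [23/Oct/2013:07:00:07 -0500] "GET /blog/post-mortem.html HTTP/1.1" 200 8000 "http://example.org/administrator-guide" "Mozilla/5.0"',
    'garbage line that does not parse',
    # Hostname in the client field (HostnameLookups On); not a literal address:
    'bad.host.example - - [23/Oct/2013:07:00:08 -0500] "POST /x HTTP/1.1" 403 0 "-" "-"',
]


def classify(rec):
    """Return why a parsed record is suspicious, or None if it is not."""
    path = rec["path"].lower()
    if rec["method"] == "POST":           # site has no forms or logins
        return "POST"
    if "/administrator" in path:          # Joomla admin login path
        return "administrator"
    if "com_jce" in path:                 # Joomla JCE component requests
        return "JCE"
    if "ahrefsbot" in rec["agent"].lower():
        return "AhrefsBot"
    return None


def scrape(lines):
    """Return ([(address, [reasons])...] sorted by address, skipped_count)."""
    hits = {}
    skipped = 0
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            skipped += 1                  # unparseable line
            continue
        rec = m.groupdict()
        try:
            addr = ipaddress.ip_address(rec["host"])
        except ValueError:
            skipped += 1                  # PTR name, not an address: do not publish
            continue
        reason = classify(rec)
        if reason:
            hits.setdefault(addr, set()).add(reason)
    ordered = sorted(hits, key=lambda a: (a.version, int(a)))
    return [(str(a), sorted(hits[a])) for a in ordered], skipped


def render(hits, generated="<timestamp>"):
    """Emit a feed in the same shape as the one-liner's output: header, then addresses."""
    out = ["#", "# Web based attackers compiled from Apache logs.",
           "# Generated: " + generated, "#", ""]
    out.extend(f"{addr}  # {', '.join(reasons)}" for addr, reasons in hits)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    flagged, dropped = scrape(SAMPLE_LOG)
    print(render(flagged), end="")
    print(f"# skipped {dropped} line(s)")
```

On the constructed input the Referer-only match (203.0.113.12) stays off the list, the repeated POSTs collapse to one entry, and the hostname client is skipped instead of being published as if it were an address.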
------------------------------
Subject: Digest Footer
_______________________________________________
VoiceOps mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/voiceops
------------------------------
End of VoiceOps Digest, Vol 52, Issue 12
****************************************