[Modsecurity] hello, newbie user here

Rob Shakir rob at catalyst2.net
Sat Jun 10 12:23:09 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ET wrote:
> I normally do a whois lookup and notify the owners of the offending IPs,
> and ask for them to secure the boxes.

IME this is the right thing to do. Be sure to use the address that is
intended for abuse, if there is one readily available (in the RIPE
database a good proportion of the records show listed abuse contacts).
> I had seen that "command.gif" is really a text file, but had not seen
> the "lnikon", and so I clicked and saved the "lnikon" file, which in
> turn called 2 files, one named "linux-kernel" and one called
> "linux-mkdir", both of which are binary files. If I open the files with
> "khexedit" I can "extract strings" and see a few entries with
> "newchrousty.org" in the name (Sympatico.Qc.Ca.newchrousty.org,
> Chat.newchrousty.org, micro-ISP.newchrousty.org,
> LaLiPus.newchrousty.org, Trois-Rivieres.QC.Ca.newchrousty.org,
> IRC.newchrousty.org) and I also note the "72.18.195.161/" IP to be
> written into the script for the 'linux-mkdir' file, as are the IPs
> '24.224.174.18' and '81.223.104.152'.
> 
> Since these IPs do not show up in spamcop's black lists, I am wondering
> if and to whom I should be reporting this info? Or should I not care?
> Am I worrying about something there is no cure for at this time?

What evidence do you have that these IPs are a source of spam? Blindly
reporting the IPs as spam sources causes inconvenience for sysadmins
whose servers are reported when in fact there is no evidence for it. One
should only report an IP as a spam source if there's actually evidence
that there is spam being relayed by that machine.

newchrousty.org appears to be an IRC network (verifiable by visiting
their website at http://www.newchrousty.org) - it's not uncommon for IRC
drones to be created using scripts such as this - as such, it's nothing
"major" to worry about - many IRC networks take pro-active measures to
kill drones, but letting the network operators know that there are
exploits being used that are connecting to their servers, along with a
copy of the binary, could be useful. I know that Undernet have a team
who are interested in the binaries that are creating drones on their
network.

The other two IPs appear to be referencing different endpoints on access
networks. Without further knowledge of how these addresses are
referenced, there's nothing really further you can do with them.

Keep on letting the abuse contacts of the boxes you're seeing trying to
exploit your server know about it - but beware of digging too deep and
generating large numbers of abuse reports with insufficient evidence.

Regards,
Rob

- --
Rob Shakir - <rob at catalyst2.net>
Technical Manager - Catalyst2 Services Ltd.
PGP Key ID: 0xC07E6DEB / RIPE: RJS-RIPE
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEivHsIbIhVcB+besRAq/iAJ9fNtCptUM9znP9eF5gqmH/r6KK4gCfcRnT
hpRGwn2V/mVkdlqY3l5lV7w=
=HPLe
-----END PGP SIGNATURE-----
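The two practical steps discussed in this thread are pulling strings and network indicators out of a dropped binary (what ET did by hand in khexedit) and picking the right abuse contact from a whois record before sending a report (Rob's point about using the listed abuse address). The script below is an added example written for this page, not code from either poster or from the ModSecurity project. The binary blob and the two RIPE-style whois records are constructed sample data; the hostnames and IPs in the blob are the ones ET quoted, and the whois records use documentation address ranges with made-up mailboxes.

```python
"""Triage helpers: extract printable strings and network indicators from a
suspicious binary, then choose the abuse contact from a RIPE-style whois
record.  All sample data in this file is constructed for illustration."""
import re
from typing import Dict, List, Optional

# Dotted-quad IPv4 with each octet limited to 0-255.
_IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Hostname: one or more labels (letters, digits, hyphens) ending in an alphabetic TLD,
# so a bare IPv4 address is not mistaken for a hostname.
_HOST_RE = re.compile(
    r"\b(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}\b"
)
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, like khexedit's
    'extract strings'.  Non-printable bytes act as separators."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_network_indicators(blob: bytes) -> Dict[str, List[str]]:
    """IPv4 addresses and hostnames found in the binary's strings,
    de-duplicated and in order of first appearance."""
    ips: List[str] = []
    hosts: List[str] = []
    for s in extract_strings(blob):
        for ip in _IPV4_RE.findall(s):
            if ip not in ips:
                ips.append(ip)
        for host in _HOST_RE.findall(s):
            if host not in hosts:
                hosts.append(host)
    return {"ips": ips, "hosts": hosts}


def abuse_contact_from_whois(whois_text: str) -> Optional[str]:
    """Prefer the RIPE 'abuse-mailbox:' attribute.  If the record has none,
    fall back to an e-mail address on a line that mentions abuse.  Return
    None when neither exists, so the caller does not mail a random contact."""
    lines = whois_text.splitlines()
    for line in lines:
        key, _, value = line.partition(":")
        if key.strip().lower() == "abuse-mailbox":
            return value.strip()
    for line in lines:
        if "abuse" in line.lower():
            m = _EMAIL_RE.search(line)
            if m:
                return m.group()
    return None


# Constructed stand-in for a dropped binary: a fake ELF ident followed by
# NUL-separated strings taken from the thread.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"lnikon\x00"
    + b"\x02\x03\x04"
    + b"IRC.newchrousty.org\x00"
    + b"http://72.18.195.161/linux-mkdir\x00"
    + b"\xff\xfe"
    + b"Trois-Rivieres.QC.Ca.newchrousty.org\x00"
    + b"24.224.174.18\x00"
)

# Constructed RIPE-style records (documentation address ranges, invented mailboxes).
SAMPLE_WHOIS_WITH_ATTR = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example access network (constructed record)
country:        CA
admin-c:        EX123-RIPE
tech-c:         EX123-RIPE
abuse-mailbox:  abuse@example.net
"""

SAMPLE_WHOIS_REMARKS_ONLY = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET-2
remarks:        report abuse to abuse-desk@example.org
"""

if __name__ == "__main__":
    print(find_network_indicators(SAMPLE_BINARY))
    print(abuse_contact_from_whois(SAMPLE_WHOIS_WITH_ATTR))
    print(abuse_contact_from_whois(SAMPLE_WHOIS_REMARKS_ONLY))
```

In practice the whois text would come from `whois <ip>` against the relevant RIR; the point of `abuse_contact_from_whois` returning `None` rather than guessing is the same one Rob makes: a report only goes out when there is a contact that actually wants it, and the indicator list from the binary is what you attach as evidence.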

