Re: PHP injection attempt from 200.222.244.154

From: James Eaton-Lee (james.mailing_at_gmail.com)
Date: 12/17/04

    To: Jez Han*** <jez.han***@gmail.com>
    Date: Fri, 17 Dec 2004 15:12:25 +0000
    
    

    On Thu, 2004-12-09 at 01:08 +0000, Jez Han*** wrote:
    > On Tue, 7 Dec 2004 23:46:21 +0000, Jez Han*** <jez.han***@gmail.com> wrote:
    >
    > > I did something similar in a perl script when my network became the
    > > target of (relatively small scale - less than a dozen at a time)
    > > distributed denial of service attacks a while ago. After detecting a
    > > sustained attack from a set of IP addresses - ie a number of
    > > unacceptable log entries in the firewall log from certain addresses -
    > > I would initiate this script to help me build an abuse report that I
    > > could forward to the ISPs responsible for the addresses involved in
    > > the attacks. For each address the process of building the report
    > > would be cut from 5-10 minutes down to just a minute or two.
    >
    > For anyone interested, the perl abuse report script mentioned above
    > can be found here:
    >
    > http://munk.nu/programming/perl/abuse_report.pl
    >
    > I've just added a considerable amount of description to the script
    > (the text is probably longer than the script now :grin:) which
    > describes the problem of reporting abuse. Any comments are welcome:
    >
    > (snipped)

    Jez,

    Sad to say, but for anything significant I've resorted to that most
    old-fashioned of communications mediums, the telephone; this really
    varies based on your line of work and which sector you work in, but I
    find that in my professional life, I encounter a relatively low number
    of incidents which I'd consider extremely serious.

    To that end, when these issues do crop up (and this is really specific
    to DoS issues), whilst I have automated the process of gathering
    information on source addresses before now (mostly by scripting in order
    to swiftly get information without having to manually sift through
    netstat output and firewall logs in order to get source IPs and then
    whois them), rather than sending out e-mails, I've actually called
    up the network operator in question. I've done this at least a dozen
    times in the last two years, and I've found that in almost every
    instance, I've had a useful response.

    Obviously in the case of a DoS attack, there isn't much which you
    accomplish by having one host disconnected from the 'net, but in a
    smaller subset of those dozen cases, I've actually been able to make
    useful progress with the tech at the other end. If you are interested in
    being very proactive, I have encountered more than one technical contact
    who was prepared to disconnect and dissect a machine in order to track
    down the attacker.

    Automating the attack investigation and e-mail drafting is a great idea,
    but I'd be a little careful about it - you may find that netadmins get a
    little offended if they think they're being sent one-fits-all e-mails
    which have had little or no human intervention! That said, I've
    downloaded a copy of the script and I'll have a play about with it if I
    get time ;)

    regards,

     - James.

