Re: probes to port 80
From: Ben Measures (saint_abroadremove_at_removehotmail.com)
Date: 01/26/04
- Next message: Hairy One Kenobi: "Re: Anybody know a good FREE certificate service?"
- Previous message: Ben Measures: "Re: Sygate"
- In reply to: yahoo serious: "probes to port 80"
- Next in thread: Jim Watt: "Re: probes to port 80"
- Reply:(deleted message) Jim Watt: "Re: probes to port 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Jan 2004 05:06:59 +0000
yahoo serious wrote:
> Some 'desparate' hack is trying to break into my machine through my
> webserver thinking I'm running some unpatched version of IIS. Fortunately
> I'm just playing with Apache. However the 'individual' is fairly persistent
> (20 attempts over a 10 minute period). Is there a way to identify the
> culprit or at least warn the ISP that they have an issue. Using the Sam
> Spade site did not uncover much ..only a reverse dns lookup for IP
> 69.140.105.5 to pcp04417313pcs.nrockv01.md.comcast.net. My apache error log
> list of the attempts follows. For most request for these kinds of files I've
> redirected the request to IP 127.0.0.1 (someone suggested a microsoft site
> instead :) ) but there seem to be too many variations to handle all the
> kinds of requests for cmd.exe & root.exe. (I'm tempted to serve up a
> malicious script page instead.). To reply directly un-mung ( remove _mung)
> the email address.
> Is there a way to identify the culprit
Not really. If you do find out I'm sure the RIAA would like to know ;)
> or at least warn the ISP that they have an issue.
Maybe. The problem is, they might not consider it an issue - comcast.net
is a big network. Here is what I found on whois:
# jwhois 69.140.105.5
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Comcast Cable Communications, Inc.
OrgID: CMCS
Address: 3 Executive Campus
Address: 5th Floor
City: Cherry Hill
StateProv: NJ
PostalCode: 08002
Country: US
NetRange: 69.136.0.0 - 69.140.255.255
CIDR: 69.136.0.0/14, 69.140.0.0/16
NetName: JUMPSTART-3
NetHandle: NET-69-136-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.JDC01.PA.COMCAST.NET
NameServer: DNS02.JDC01.PA.COMCAST.NET
Comment:
RegDate: 2003-04-24
Updated: 2003-11-05
OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse@comcast.net
OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail: cips_ip-registration@cable.comcast.com
The only thing I can suggest you can do is to block the ip address at
the kernel level. Then the attacks won't even reach apache even if it
isn't vunerable, the advantage being smaller logs, fewer processor
cycles used, and fewer 404s uploaded.
Since the offender isn't sending too much data to you, I wouldn't worry
too much about it.
-- Ben M. ---------------- What are Software Patents for? To protect the small enterprise from bigger companies. What do Software Patents do? In its current form, they protect only companies with big legal departments as they: a.) Patent everything no matter how general b.) Sue everybody. Even if the patent can be argued invalid, small companies can ill-afford the typical $500k cost of a law-suit (not to mention years of harassment). Don't let them take away your right to program whatever you like. Make a stand on Software Patents before its too late. Read about the ongoing battle at http://swpat.ffii.org/ ----------------
- Next message: Hairy One Kenobi: "Re: Anybody know a good FREE certificate service?"
- Previous message: Ben Measures: "Re: Sygate"
- In reply to: yahoo serious: "probes to port 80"
- Next in thread: Jim Watt: "Re: probes to port 80"
- Reply:(deleted message) Jim Watt: "Re: probes to port 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
