Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Wednesday, July 25, 2007
DNS Bind Vulnerability
Sunday, July 15, 2007
Core Security Patterns
"A Gartner Group report [CSO online] estimates that employees of companies are responsible for more than 70% of the unauthorized access to information systems in those companies. It is also employees of companies who perpetrate more than 95% of information systems intrusions that cause significant financial losses."
So when I ask whether you should just "trust" your managed data center's employees, as the managed hosting companies would like you to, the answer is no. Audit everything. If they cannot provide an audit trail that explicitly records who accessed your server, on what day and at what time, and what they did, you'll need to keep your password to yourself, manage access to your server and do your own auditing. Don't use that company.
And for all those companies that swear up and down that they are invincible and secure, I say no one is ever 100% secure, and constant auditing and monitoring are needed. Case in point, this book says:
"According to an FBI survey [eWeek] of 500 companies, 90 percent say they'd had a computer security breach, and 80 percent of those said they'd suffered a financial loss as a result."
There are more reports and examples in the book, as well as a good list of security patterns for those who use a programming language that, in my opinion, gives you more control over your environment, such as with a Java web server. I say that because you cannot get the IIS source code...
Anyway, for anyone who wants the title again, the book is:
Core Security Patterns from Sun by Christopher Steel, Ramesh Nagappan and Ray Lai
Even if you don't program in Java, it seems that some of the information could apply to any web application.
I haven't read the whole book so I cannot say how useful it is yet.
Friday, July 13, 2007
Network Solutions SSL Certificate Instructions - Java Web Server
Installing Your Network Solutions SSL Certificate on Java-Based Web Servers
You will receive 4 certificates from Network Solutions, and they must be imported in this order:
1. AddTrustExternalCARoot.crt
2. UTNAddTrustServer_CA.crt
3. NetworkSolutions_CA.crt
4. yourdomainname.crt
Use the keytool command to import the certificates as follows:
keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore domain.key
Use the same process for the UTNAddTrustServer_CA.crt certificate using the keytool command:
keytool -import -trustcacerts -alias utnaddtrustserverca -file UTNAddTrustServer_CA.crt -keystore domain.key
Use the same process for the NetworkSolutions_CA.crt certificate using the keytool command:
keytool -import -trustcacerts -alias networksolutionsca -file NetworkSolutions_CA.crt -keystore domain.key
Use the same process for the site certificate. Import it under the alias you specified when you created the CSR (yyy below) so that keytool attaches it to the existing private key:
keytool -import -trustcacerts -alias yyy -file yourdomainname.crt -keystore domain.key
When keytool asks whether to trust the certificate, the default is no, so type 'y' or 'yes'. keytool then confirms:
Certificate was added to keystore
All of the certificates are now loaded.
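As an added example (not the original post's own commands), the same four-step import as a script that stops on a missing file and then checks that keytool actually linked the site certificate to a full chain. It assumes the .crt files are in the current directory, that domain.key already holds the private key under the CSR alias (the yyy above), and that keytool prompts for the keystore password on each call.

```shell
#!/bin/sh
# Added example, not code from the original post: import the Network Solutions
# chain in the required root -> intermediate -> site order and verify the
# result. Assumes the .crt files are in the current directory and domain.key
# already holds the private key under the alias used for the CSR.
set -eu

KEYSTORE=${KEYSTORE:-domain.key}
SITE_ALIAS=${SITE_ALIAS:-yyy}   # alias chosen when the CSR was generated

# CA entries as "alias=file", in import order. Each certificate must already
# be trusted before the one it signed is imported, otherwise keytool rejects
# the site certificate with "Failed to establish chain from reply".
ca_entries() {
    printf '%s\n' \
        'root=AddTrustExternalCARoot.crt' \
        'utnaddtrustserverca=UTNAddTrustServer_CA.crt' \
        'networksolutionsca=NetworkSolutions_CA.crt'
}
entry_alias() { printf '%s' "${1%%=*}"; }   # text before '='
entry_file()  { printf '%s' "${1#*=}"; }    # text after '='

import_chain() {
    for entry in $(ca_entries); do
        file=$(entry_file "$entry")
        [ -r "$file" ] || { echo "missing $file" >&2; return 1; }
        # -noprompt answers keytool's "Trust this certificate?" with yes;
        # drop it if you prefer to inspect each fingerprint interactively.
        keytool -import -trustcacerts -noprompt \
            -alias "$(entry_alias "$entry")" -file "$file" -keystore "$KEYSTORE"
    done
    # The site certificate goes under the CSR alias so keytool attaches it to
    # the existing private key instead of creating a separate trusted entry.
    keytool -import -trustcacerts -alias "$SITE_ALIAS" \
        -file yourdomainname.crt -keystore "$KEYSTORE"
}

# Success check: the site alias must now be a PrivateKeyEntry whose chain
# contains all four certificates.
verify_chain() {
    keytool -list -v -keystore "$KEYSTORE" -alias "$SITE_ALIAS" \
        | grep -q 'Certificate chain length: 4'
}

if [ "${1:-}" = run ]; then
    import_chain && verify_chain && echo "chain imported and verified"
fi
```

Run it as `sh import-chain.sh run`; a chain length other than 4 means one of the CA imports was skipped or done out of order.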
Anti-virus software: Chinese vs. Russian
http://www.networkworld.com/news/2007/071207-update-gloves-come-off-in.html?nlhtsec=0709securityalert5&
There are other options developed in the US.
Kaspersky itself was embedded in a piece of malware that removed other malware from computers, so who knows what the underlying cause of all this is.
This article makes it sound like you have a choice between one or the other. You don't: there are other vendors in the US that have been doing this longer.
Thursday, July 12, 2007
A list of known bots
Bot not obeying the Rules
This bot does not appear to be obeying robots.txt
University of Illinois
192.17.0.0 - 192.17.255.255
MQBOT/Nutch-0.9-dev (MQBOT Nutch Crawler; http://falcon.cs.uiuc.edu; mqbot@cs.uiuc.edu)
/instmsg/aliases/orders
/instmsg/aliases/orders
I wrote about this in another post.
RedBot
Here's a new bot:
RedBot/redbot-1.0 (Rediff.com Crawler; redbot at rediff dot com)
Seems to be some India-related web site. At first glance it doesn't say how to block it in robots.txt.
Wednesday, July 11, 2007
IEMB3 may be hacked
Cazoodle
CazoodleBot/Nutch-0.9-dev (CazoodleBot Crawler; http://www.cazoodle.com/cazoodlebot; cazoodlebot@cazoodle.com)
OrgName: University of Illinois
OrgID: UIUC
Address: 1120 DCL, MC-256
Address: 1304 West Springfield Avenue
City: Urbana
StateProv: IL
PostalCode: 61801
Country: US
NetRange: 72.36.64.0 - 72.36.127.255
Bell Canada
67.68.135.71
Bell Canada BELLNEXXIA-11 (NET-67-68-0-0-1) 67.68.0.0 - 67.71.255.255
HSE HSE020924-CA (NET-67-68-0-0-2) 67.68.0.0 - 67.68.255.255
1-800-HOSTING
69.41.185.18
OrgName: 1-800-HOSTING, Inc.
OrgID: 1800H
Address: 3509 Oak Lawn Ave
City: DALLAS
StateProv: TX
PostalCode: 75219
Country: US
NetRange: 69.41.160.0 - 69.41.191.255
Ask Jeeves not identifying itself
MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1) 65.192.0.0 - 65.223.255.255
AskJeeves, Inc. UU-65-214-36 (NET-65-214-36-0-1) 65.214.36.0 - 65.214.39.255
Interland, Inc.
Someone on Interland, Inc.'s network (Atlanta, GA) is hitting our site with a bot.
64.239.7.216
OrgName: Interland, Inc.
OrgID: INTD
Address: 101 Marietta Street
City: Atlanta
StateProv: GA
PostalCode: 30039
Country: US
NetRange: 64.239.0.0 - 64.239.127.255
Bay Area Internet Solutions
OrgName: Bay Area Internet Solutions
OrgID: BAYA
Address: 2650 San Thomas Expressway
City: Santa Clara
StateProv: CA
PostalCode: 95051
Country: US
NetRange: 72.20.96.0 - 72.20.127.255
Server4You - Germany
We are still getting unwanted hits from this hosting facility.
inetnum: 85.25.129.0 - 85.25.148.255
descr: SERVER4YOU Dedicated Server Hosting
descr: http://www.server4you.de
netname: SERVER4YOU-1
country: DE
Tuesday, July 10, 2007
Internet Crime - Summary Of Issues - 2007
Monday, July 09, 2007
Hits from Czech Data Center
This doesn't look right - hits from a data center...
inetnum: 81.31.32.0 - 81.31.35.255
netname: MASTER1
descr: Master Internet s.r.o.
descr: server housing Brno, Cejl
country: CZ
Bot coming from this IP: 80.194.189.66
Sunday, July 08, 2007
PHP hacker - everyone's internet - 66.98.228.8
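As an added example (not code from the original blog), a small shell/awk detector for the two behaviours in the MJ12bot and 66.98.228.8 posts above: one client walking many different xmlrpc.php, adxmlrpc.php and messagesL.php3 locations, and one client issuing dozens of requests inside a single minute. The log lines are constructed, in the posts' date-time / IP / path order flattened to tab-separated fields, and the 192.0.2.10 visitor is a made-up control.

```shell
#!/bin/sh
# Added example, not code from the original blog: flag the two behaviours shown
# in the posts above, a client probing many application paths and a client
# bursting dozens of requests in one minute. Input is one request per line in
# the posts' order, "<date> <HH:MM>", IP, path, separated by tabs.
set -eu

# Constructed sample log (not real traffic): one scanner walking xmlrpc.php
# locations plus a normal visitor on a documentation address as a control.
sample_log() {
    printf '7/7/2007 15:28\t66.98.228.8\t/wordpress/xmlrpc.php\n'
    printf '7/7/2007 15:28\t66.98.228.8\t/drupal/xmlrpc.php\n'
    printf '7/7/2007 15:28\t66.98.228.8\t/phpAdsNew2/adxmlrpc.php\n'
    printf '7/7/2007 15:28\t66.98.228.8\t/xmlrpc.php\n'
    printf '7/7/2007 15:28\t66.98.228.8\t/chat/messagesL.php3\n'
    printf '7/7/2007 15:29\t66.98.228.8\t/blog/xmlrpc.php\n'
    printf '7/7/2007 15:28\t192.0.2.10\t/index.html\n'
    printf '7/7/2007 15:30\t192.0.2.10\t/about.html\n'
}

# Print "<ip> <count>" for every IP that requested at least $1 distinct
# probe targets (xmlrpc.php, adxmlrpc.php or messagesL.php3 in any directory).
distinct_probes() {
    awk -F '\t' -v min="$1" '
        $3 ~ /\/(ad)?xmlrpc\.php$|\/messagesL\.php3$/ { seen[$2 "\t" $3] = 1 }
        END {
            for (k in seen) { split(k, f, "\t"); n[f[1]]++ }
            for (ip in n) if (n[ip] >= min) print ip, n[ip]
        }'
}

# Print "<ip> <date time> <count>" for every IP whose busiest minute held at
# least $1 requests, the MJ12bot pattern of 38 hits between 23:07 and 23:09.
burst_per_minute() {
    awk -F '\t' -v min="$1" '
        { c[$2 "\t" $1]++ }
        END {
            for (k in c) {
                split(k, f, "\t")
                if (c[k] > best[f[1]]) { best[f[1]] = c[k]; when[f[1]] = f[2] }
            }
            for (ip in best) if (best[ip] >= min) print ip, when[ip], best[ip]
        }'
}

sample_log | distinct_probes 3      # 66.98.228.8 6
sample_log | burst_per_minute 5     # 66.98.228.8 7/7/2007 15:28 5
```

Feed a real access log through a one-line awk reshaping into the same three tab-separated fields and tune the two thresholds to your site's normal traffic.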
Thursday, July 05, 2007
Blatant hacker: SERVER4YOU network
Here's an IP from the Server4You network in Germany that is blatantly hacking:
85.25.138.126
This IP hit our sites over 200 separate times in one day.
inetnum: 85.25.129.0 - 85.25.148.255
descr: SERVER4YOU Dedicated Server Hosting
descr: http://www.server4you.de
netname: SERVER4YOU-1
country: DE
Network Admins Not Paying Attention To Traffic
http://blogs.zdnet.com/security/?p=349
Not sure I agree, however. I don't know if this person understands exactly what was done in this case. Yes, it should have been done sooner, but the fact is that prior to this, network admins didn't pay much attention to traffic at all unless it took down a machine. The fact that the government is involved and looking at the problem is a major step forward, as we all know how long it takes to get the government moving: business has financial motivation, while the government is pushed by voters, and many voters don't even understand what is going on. So I say go Microsoft, go FBI, and keep going - do more. Catch them and start whacking people with fines and putting them in jail the same way the Enron guys were put in jail, as an example to all that yes, you will pay. But make the price high.
The note about cutting off criminal resources is interesting. Yes we can and should do more about this problem, but at least someone "gets it" and it is a step in the right direction. That's my take.
And as for the last line, yeah right. I'm going to let some ex (supposedly) hacker "fix" my machine. Time for a reality check.
Monday, July 02, 2007
Definitely a Hacker from Romania
inetnum: 89.42.140.0 - 89.42.141.255
netname: SC-ALIENSTATION-SRL
descr: SC AlienStation SRL
descr: B-dul Ferdinand, Nr. 56
descr: Constanta Constanta 900693
country: ro
Looks like they are scanning our sites and possibly stealing the content and posting it elsewhere - potentially they have found a way to hack DNS.
Null IP addresses in logs
See my last post for the matching IP address. I'm not sure which one, but one of those generated this:
[30/06/2007:01:48:36 -0800] "GET / HTTP/1.0" 302 0 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2" -