Re: Network 195.70.202.0/24 is hacker-friendly

From: Pavel Lozhkin (Pavel_Lozhkinat_private)
Date: Mon Dec 03 2001 - 23:01:52 PST


    Gregg Sperling wrote:
    
    > I ran a Code Red scanner against that netblock, and only had four results:
    > 1      195.70.202.81        CommuniGatePro/3.4.8                                                  Not tested.
    > 2      195.70.202.140       Apache/1.3.12 (Unix) (Red Hat/Linux) mod_perl/1.24 PHP/4.0.2          Not tested.
    > 3      195.70.202.180       Apache/1.3.9 (Unix) PHP/3.0.12 AuthMySQL/2.20 rus/PL28.22             Not tested.
    > 4      195.70.202.226       Apache/1.3.9 (Unix)                                                   Not tested.
    >
    > None of these appeared to be infected.
    
    You just slightly misunderstand the full story; perhaps it is my fault.
    1. He knew that he was infected by Nimda, and in his mail message he had
    admitted the issue. He is not an idiot, of course; he is just a very lazy
    person in my opinion.
    2. These machines are WS ones; they can be blocked by the firewall (port 80)
    from external access, and Nimda can infect them from inside the net. It
    is my opinion, because the Nimda infection attempt from the machine is
    documented by my IDS (and in my logs on my other web servers).
    3. I also tried to scan port 80 on the net and found nothing there, so
    see p. 2 ;)
    
    The local internet community here, in Russia, also decides to block such (and
    similarly behaving) networks by its firewall as uncontrolled networks, maybe not
    hacker-friendly, just uncontrolled or badly managed ones.
    
    The other thing is to share the knowledge about these networks between all
    providers in the whole world, but I do not know any good way to do that.
    You can remember the story about MAPS/RBL.
    They have good lawyers... and the lawyers did not sit without work.
    
    In my experience preventive measures are the better ones (than fixing all
    cracked servers, for example).
    Unfortunately, I do not know a good way to share this knowledge.
    In Russia we are trying to share the knowledge about spammers (the DRBL
    project - Distributed Black List).
    But the project is not in very good health right now, just because of having a
    low number of members.
    Here is the URL of the project's home site (in English):
    http://www.drbl.ofisp.org/eng/
    
    --
    Pavel
    Information Security Officer of DeltaBank
    ICQ UIN 39596913 8990192
    Phone (7-095)-258-04-11 ext 1134
     (7-095)-258-04-00 reception
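    Pavel's point 2 rests on the fact that an infected host announces itself in the
    web-server logs of everything it probes, even when its own port 80 is firewalled
    from the outside. The script below is an added example (not part of the original
    message or of any project it mentions) that scans Apache access-log lines for
    worm-style probe requests and counts them per source address, so an internal
    infected machine stands out. The log lines are constructed; the request-path
    signatures are the well-known Nimda and Code Red probe paths from the public 2001
    CERT advisories, used here as assumed illustrative signatures rather than a
    complete ruleset.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-format access-log lines (not from the
# original message). Source 10.0.0.15 behaves like a Nimda-infected internal
# workstation, 192.0.2.77 like a Code Red probe, 192.0.2.9 like a normal client.
SAMPLE_LOG = """\
10.0.0.15 - - [03/Dec/2001:22:41:07 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
10.0.0.15 - - [03/Dec/2001:22:41:08 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
192.0.2.77 - - [03/Dec/2001:22:42:11 +0300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 400 325 "-" "-"
192.0.2.9 - - [03/Dec/2001:22:43:01 +0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.15 - - [03/Dec/2001:22:43:30 +0300] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
"""

# Assumed illustrative signatures: request paths the Nimda and Code Red worms
# used when probing web servers (public CERT advisories, 2001). Check them
# against your own IDS ruleset; they are examples, not an exhaustive list.
WORM_PATTERNS = [
    ("Nimda", re.compile(r"/(?:scripts|msadc)/root\.exe", re.I)),
    ("Nimda", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
    ("Code Red", re.compile(r"/default\.ida\?", re.I)),
]

# Minimal parser for the common/combined log format: source, timestamp,
# method, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_line(line):
    """Return (source_ip, worm_name) if the line looks like a worm probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: ignore rather than crash on junk
    src, _ts, _method, path, _status = m.groups()
    for name, pat in WORM_PATTERNS:
        if pat.search(path):
            return src, name
    return None


def summarize_probes(log_text):
    """Count worm-style probes per source IP and worm family.

    A source with many hits is the infected machine to isolate, regardless of
    whether its own port 80 is reachable from outside the network.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            src, name = hit
            counts[src][name] += 1
    return {src: dict(names) for src, names in counts.items()}


if __name__ == "__main__":
    for src, names in sorted(summarize_probes(SAMPLE_LOG).items()):
        print(src, names)
```

    Run against a real access log, the per-source counts are the evidence Pavel
    describes: the probing host identifies itself by its source address, so the
    infected workstation can be found and cleaned from the inside even though an
    external port-80 scan of the network shows nothing.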
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 09:50:51 PST