Hi Keith,

why do you think this is an exploit against webservers? To your questions: it depends on the local laws what and when an ISP has to log about every connection, user and IP. In Germany, for example, they are only allowed to log the minimum information needed for billing their customers. So for flat-rate users the IP and the time they spend online shouldn't be logged, but some ISPs do logging, some do not. There are already some discussions about what exactly they are allowed to do. But this is different in each country.

If you want to know the ISP the attacking machine "belongs" to, you just need to do a whois on the IP, either using whois.ripe.net for European ISPs or whois.arin.net. ARIN will show you that this IP is handled by RIPE, so you will have to ask RIPE for the ISP, which will give you the following information:

inetnum: 62.162.0.0 - 62.162.255.255
netname: MK-MPT-20000926
descr: Provider Local Registry
descr: Macedonian Post & Telecommunications
country: MK
admin-c: DB12235-RIPE
admin-c: DJ54-RIPE
tech-c: DB12235-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MTnet1
mnt-routes: MTnet1
changed: hostmaster@ripe.net 20000926
changed: hostmaster@ripe.net 20011008
source: RIPE

route: 62.162.0.0/16
descr: ROUTE-OBJ-3-MT
origin: AS6821
notify: jdusica@mt.net.mk
mnt-by: MPT-ASN
changed: ognenf@lotus.mpt.com.mk 20010123
source: RIPE

person: Dusica Janevska
address: Macedonian Telecommunications
address: "Orce Nikolov" bb
address: 1000 Skopje
address: Macedonia
phone: +389 2 135 224
fax-no: +389 2 135 224
e-mail: jdusica@mt.net.mk
nic-hdl: DJ54-RIPE
notify: jdusica@mt.net.mk
changed: jdusica@mt.net.mk 20011018
source: RIPE

person: Stevco Risteski
address: Macedonian Telecommunications
address: "Orce Nikolov" bb
address: 1000 Skopje
address: Macedonia
phone: +389 91 213 221
fax-no: +389 91 213 480
e-mail: stevco.risteski@mt.net.mk
nic-hdl: DB12235-RIPE
changed: risteskis@mt.net.mk 20021107
source: RIPE

Hope that helps,

Regards,
Uwe
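As an added example (not code from any of the posters), a small Python script that pulls the SRC/PROTO/DPT fields out of iptables lines like the ones Keith posted, counts repeated drops per source, and checks each source against the inetnum range from the RIPE answer quoted above. The log lines and whois text are embedded as constructed input, so it runs offline without querying whois.ripe.net.

```python
import re
import ipaddress
from collections import Counter

# Constructed input: iptables lines as posted in the thread above.
IPTABLES_LOG = """\
May 7 17:37:21 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=64376 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 7 17:37:25 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=218.8.150.167 DST=62.64.201.242 LEN=78 TOS=0x00 PREC=0x20 TTL=109 ID=15818 PROTO=UDP SPT=1045 DPT=137 LEN=58
May 7 17:37:30 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=65125 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# The RIPE inetnum object quoted in the reply, reduced to the fields used here.
RIPE_WHOIS = """\
inetnum: 62.162.0.0 - 62.162.255.255
netname: MK-MPT-20000926
descr: Macedonian Post & Telecommunications
country: MK
"""

KV_RE = re.compile(r"(\w+)=(\S*)")  # iptables fields look like SRC=1.2.3.4 or OUT=

def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one kernel log line as a dict."""
    return dict(KV_RE.findall(line))

def drops_by_source(log):
    """Count dropped packets per (SRC, PROTO, DPT) so repeated probes stand out."""
    counts = Counter()
    for line in log.splitlines():
        fields = parse_iptables_line(line)
        if "SRC" in fields:
            counts[(fields["SRC"], fields.get("PROTO"), fields.get("DPT"))] += 1
    return counts

def parse_whois(text):
    """Turn 'key: value' lines into a dict; inetnum becomes a (first, last) address pair."""
    attrs = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    first, last = (ipaddress.ip_address(p.strip()) for p in attrs["inetnum"].split("-"))
    attrs["inetnum"] = (first, last)
    return attrs

def in_allocation(ip, whois):
    """True if ip lies inside the inetnum range of the whois object."""
    first, last = whois["inetnum"]
    return first <= ipaddress.ip_address(ip) <= last
```

The same pattern works for any other RIPE/ARIN inetnum object: paste the answer into RIPE_WHOIS and the remaining sources in the log are checked against it.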
-----Original Message-----
From: keith@topaz5.worldonline.co.uk [mailto:keith@topaz5.worldonline.co.uk]
Sent: Sunday, May 11, 2003 3:12 PM
To: Sven 'Darkman' Michels; suse-security@suse.com
Subject: Re: [suse-security] New(?) exploit for webservers?
I noticed these dropped connection attempts recently to port 80 on my machine with a dynamic dial-in ISP account, from IPTables log output.
May 7 17:37:21 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=64376 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 7 17:37:24 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=64611 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 7 17:37:25 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=218.8.150.167 DST=62.64.201.242 LEN=78 TOS=0x00 PREC=0x20 TTL=109 ID=15818 PROTO=UDP SPT=1045 DPT=137 LEN=58
May 7 17:37:30 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=65125 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Is each ISP allocated a fixed range of IP addresses for their customers to use?
Surely each ISP must log who is accessing the net, at what time, and on which dynamic IP address they own, and pass to their customers?
Is it possible to trace dynamic IP addresses to a particular ISP?
regards,
Keith Roberts
On Fri, 9 May 2003, Sven 'Darkman' Michels wrote:
evening,
I noticed some weird log entries in my apache access log:
57.67.127.228 - - [09/May/2003:02:23:32 +0200] "ãB" 200 6618 "-" "-"
57.67.127.228 - - [09/May/2003:02:48:19 +0200] "ãB" 200 6618 "-" "-"
57.67.127.228 - - [09/May/2003:03:18:09 +0200] "ãB" 200 6618 "-" "-"
66.74.204.40 - - [09/May/2003:03:45:11 +0200] "ãA" 200 6617 "-" "-"
66.74.204.40 - - [09/May/2003:03:46:15 +0200] "ãA" 200 6617 "-" "-"
66.74.204.40 - - [09/May/2003:03:47:17 +0200] "ãA" 200 6617 "-" "-"
217.235.22.155 - - [09/May/2003:03:58:38 +0200] "ãL" 200 6619 "-" "-"
217.235.22.155 - - [09/May/2003:03:59:23 +0200] "ãL" 200 6619 "-" "-"
200.40.225.210 - - [09/May/2003:03:59:34 +0200] "ã=" 200 6619 "-" "-"
217.235.22.155 - - [09/May/2003:04:00:08 +0200] "ãL" 200 6619 "-" "-"
217.234.189.246 - - [09/May/2003:04:00:59 +0200] "ã=" 200 6620 "-" "-"
80.144.22.228 - - [09/May/2003:04:01:28 +0200] "ãN" 200 6618 "-" "-"
217.234.189.246 - - [09/May/2003:04:01:48 +0200] "ã=" 200 6620 "-" "-"
80.144.22.228 - - [09/May/2003:04:02:12 +0200] "ãN" 200 6618 "-" "-"
217.234.189.246 - - [09/May/2003:04:02:41 +0200] "ã=" 200 6620 "-" "-"
80.144.22.228 - - [09/May/2003:04:02:57 +0200] "ãN" 200 6618 "-" "-"
Since 8th May there have been some of these entries, mostly a few times from the same IP, and the requests change a bit. Has anybody seen that before, or does anyone know anything about it? I quickly checked bugtraq for something like that but didn't find anything.
Regards, Sven
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here