Mailinglist Archive: opensuse-security (320 mails)

RE: [suse-security] New(?) exploit for webservers?
  • From: "HoneyNet Germany" <newsletter@xxxxxxxxxxx>
  • Date: Sun, 11 May 2003 14:29:53 +0200
  • Message-id: <2EAAF8BBC01A08479A6AAAF50789C8BC0972C4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Hi Keith,

Why do you think this is an exploit against webservers?

To your questions: it depends on the local laws what and when an ISP has to
log every connection, user and IP. In Germany, for example, they are only allowed
to log the minimum information needed for billing their customers. So
flatrate users shouldn't be logged with their IP and the time they spend online,
but some ISPs do logging, some do not. There are already some discussions
about what exactly they are allowed to do. But this is different in each
country.

If you want to know which ISP the attacking machine "belongs" to, you just need
to do a whois on the IP, either using whois.ripe.net for European ISPs or
whois.arin.net.

ARIN will show you that this IP is handled by RIPE, so you will have to ask
RIPE for the ISP, which will give you the following information:

inetnum: 62.162.0.0 - 62.162.255.255
netname: MK-MPT-20000926
descr: Provider Local Registry
descr: Macedonian Post & Telecommunications
country: MK
admin-c: DB12235-RIPE
admin-c: DJ54-RIPE
tech-c: DB12235-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MTnet1
mnt-routes: MTnet1
changed: hostmaster@xxxxxxxx 20000926
changed: hostmaster@xxxxxxxx 20011008
source: RIPE

route: 62.162.0.0/16
descr: ROUTE-OBJ-3-MT
origin: AS6821
notify: jdusica@xxxxxxxxx
mnt-by: MPT-ASN
changed: ognenf@xxxxxxxxxxxxxxxx 20010123
source: RIPE

person: Dusica Janevska
address: Macedonian Telecommunications
address: "Orce Nikolov" bb
address: 1000 Skopje
address: Macedonia
phone: +389 2 135 224
fax-no: +389 2 135 224
e-mail: jdusica@xxxxxxxxx
nic-hdl: DJ54-RIPE
notify: jdusica@xxxxxxxxx
changed: jdusica@xxxxxxxxx 20011018
source: RIPE

person: Stevco Risteski
address: Macedonian Telecommunications
address: "Orce Nikolov" bb
address: 1000 Skopje
address: Macedonia
phone: +389 91 213 221
fax-no: +389 91 213 480
e-mail: stevco.risteski@xxxxxxxxx
nic-hdl: DB12235-RIPE
changed: risteskis@xxxxxxxxx 20021107
source: RIPE

Hope that helps,

Regards,

Uwe
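The tracing Uwe describes (pull the attacking SRC out of the iptables log, then look the address up in the registry's whois answer), as an added example that is not part of this thread: it parses netfilter log lines like Keith's and an RPSL whois answer like the one quoted above, fully offline on constructed copies of both. The function names and the handling of the log prefix running into IN= are my assumptions.

```python
import ipaddress
import re

# Constructed samples: two netfilter DROPPED lines from Keith's mail (re-joined onto one line each) and an excerpt of the RIPE answer.
IPTABLES_LOG = """\
May  7 17:37:21 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=64376 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May  7 17:37:25 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=218.8.150.167 DST=62.64.201.242 LEN=78 TOS=0x00 PREC=0x20 TTL=109 ID=15818 PROTO=UDP SPT=1045 DPT=137 LEN=58
"""
WHOIS_TEXT = """\
inetnum: 62.162.0.0 - 62.162.255.255
netname: MK-MPT-20000926
descr: Macedonian Post & Telecommunications
country: MK

route: 62.162.0.0/16
origin: AS6821
"""

def parse_netfilter(line):
    """KEY=VALUE fields of one netfilter line. The --log-prefix has no trailing space, so the text
    reads 'PPP0IN=ppp0'; matching uppercase keys only still yields IN=ppp0."""
    fields = dict(re.findall(r"([A-Z]+)=(\S*)", line))
    fields["SYN"] = bool(re.search(r"\bSYN\b", line))  # bare TCP flag, carries no '='
    return fields

def parse_rpsl(text):
    """Split whois output into objects (blank-line separated); each maps attr -> list of values."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            obj.setdefault(attr.strip(), []).append(value.strip())
        objects.append(obj)
    return objects

def attribute_ip(ip, objects):
    """Holder and origin AS of the inetnum/route objects covering ip, or None if this registry lacks it."""
    addr, found = ipaddress.ip_address(ip), {}
    for obj in objects:
        if "inetnum" in obj:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in obj["inetnum"][0].split("-"))
            if lo <= addr <= hi:
                found.update(netname=obj["netname"][0], country=obj["country"][0], holder=obj["descr"][-1])
        elif "route" in obj and addr in ipaddress.ip_network(obj["route"][0]):
            found["origin"] = obj["origin"][0]
    return found or None

def attribute_log(log_text, whois_text):
    """Map each dropped SRC to the port it probed and to its registry attribution."""
    objects = parse_rpsl(whois_text)
    records = [parse_netfilter(l) for l in log_text.splitlines()]
    return {f["SRC"]: {"proto": f["PROTO"], "dpt": int(f["DPT"]), "who": attribute_ip(f["SRC"], objects)} for f in records}
```

A source that comes back as None is simply not in the registry excerpt you fed in; that is the cue to query the other registry, as ARIN's referral to RIPE shows.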

> -----Original Message-----
> From: keith@xxxxxxxxxxxxxxxxxxxxxxxx
> [mailto:keith@xxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Sunday, May 11, 2003 3:12 PM
> To: Sven 'Darkman' Michels; suse-security@xxxxxxxx
> Subject: Re: [suse-security] New(?) exploit for webservers?
>
>
>
>
> I noticed these dropped connection attempts recently to port
> 80 on my machine with a dynamic dial-in ISP account, from
> IPTables log output.
>
> May 7 17:37:21 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0
> OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00
> PREC=0x00 TTL=113 ID=64376 DF PROTO=TCP SPT=1575 DPT=80
> WINDOW=16384 RES=0x00 SYN URGP=0
>
> May 7 17:37:24 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0
> OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00
> PREC=0x00 TTL=113 ID=64611 DF PROTO=TCP SPT=1575 DPT=80
> WINDOW=16384 RES=0x00 SYN URGP=0
>
> May 7 17:37:25 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0
> OUT= MAC= SRC=218.8.150.167 DST=62.64.201.242 LEN=78 TOS=0x00
> PREC=0x20 TTL=109 ID=15818 PROTO=UDP SPT=1045 DPT=137 LEN=58
>
> May 7 17:37:30 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0
> OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00
> PREC=0x00 TTL=113 ID=65125 DF PROTO=TCP SPT=1575 DPT=80
> WINDOW=16384 RES=0x00 SYN URGP=0
>
>
> Is each ISP allocated a fixed range of IP addresses for their
> customers to use?
>
> Surely each ISP must log who is accessing the net, at what
> time, and on which dynamic IP address they own, and pass to
> their customers?
>
> Is it possible to trace dynamic IP addresses to a particular ISP?
>
> regards Keith Roberts
>
>
> On Fri, 9 May 2003, Sven 'Darkman' Michels wrote:
>
> > evening,
> >
> > I noticed some weird log entries in my apache access log:
> >
> > 57.67.127.228 - - [09/May/2003:02:23:32 +0200] "ãB" 200 6618 "-" "-"
> > 57.67.127.228 - - [09/May/2003:02:48:19 +0200] "ãB" 200 6618 "-" "-"
> > 57.67.127.228 - - [09/May/2003:03:18:09 +0200] "ãB" 200 6618 "-" "-"
> > 66.74.204.40 - - [09/May/2003:03:45:11 +0200] "ãA" 200 6617 "-" "-"
> > 66.74.204.40 - - [09/May/2003:03:46:15 +0200] "ãA" 200 6617 "-" "-"
> > 66.74.204.40 - - [09/May/2003:03:47:17 +0200] "ãA" 200 6617 "-" "-"
> > 217.235.22.155 - - [09/May/2003:03:58:38 +0200] "ãL" 200 6619 "-" "-"
> > 217.235.22.155 - - [09/May/2003:03:59:23 +0200] "ãL" 200 6619 "-" "-"
> > 200.40.225.210 - - [09/May/2003:03:59:34 +0200] "ã=" 200 6619 "-" "-"
> > 217.235.22.155 - - [09/May/2003:04:00:08 +0200] "ãL" 200 6619 "-" "-"
> > 217.234.189.246 - - [09/May/2003:04:00:59 +0200] "ã=" 200 6620 "-" "-"
> > 80.144.22.228 - - [09/May/2003:04:01:28 +0200] "ãN" 200 6618 "-" "-"
> > 217.234.189.246 - - [09/May/2003:04:01:48 +0200] "ã=" 200 6620 "-" "-"
> > 80.144.22.228 - - [09/May/2003:04:02:12 +0200] "ãN" 200 6618 "-" "-"
> > 217.234.189.246 - - [09/May/2003:04:02:41 +0200] "ã=" 200 6620 "-" "-"
> > 80.144.22.228 - - [09/May/2003:04:02:57 +0200] "ãN" 200 6618 "-" "-"
> >
> > Since 8th May there are some of these entries, mostly a few times from
> > the same IP, and the requests change a bit. Has anybody seen that
> > before, or know anything about it? I quick-checked bugtraq for
> > something like that but didn't find anything.
> >
> > Regards,
> > Sven
> >
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
> >
> >
>

