
05-30-2007, 01:16 PM
Web Hosting Master
Join Date: Aug 2003
Location: East Coast
Posts: 1,948

Notifying DC of hack attempt?
Usually I just block offending machines that try to get into our systems and move on, but for the last 2 days I have started notifying the contacts in the ARIN info for offending IPs. I guess I am trying to do my part to make the internet a better place?
- Is this stuff largely ignored?
- Is anyone else doing this?
- Is there an easier way?

05-30-2007, 01:46 PM
Web Hosting Master
Join Date: Feb 2003
Location: AR
Posts: 2,370

I did it for a couple of weeks... and grew tired of it.

05-30-2007, 02:41 PM
Web Hosting Master
Join Date: Aug 2003
Location: East Coast
Posts: 1,948

I was thinking about automating the process.

05-30-2007, 03:47 PM
That's all it takes?
Join Date: Aug 2001
Location: Canada
Posts: 2,091

Quote:
Originally Posted by keepr
I was thinking about automating the process.

If you do, then please make sure it goes to the right person and not many, many times. It's amazing how quickly people ignore you if you send them 100s of messages.
__________________
www.idologic.com - Reseller, VPS and dedicated hosting - Friendly Customer Service - DirectAdmin - cPanel - InterWorx
www.qenox.com - self-managed KVM VPS - DirectAdmin - cPanel - InterWorx

05-30-2007, 03:57 PM
Web Hosting Master
Join Date: Aug 2003
Location: East Coast
Posts: 1,948

That's a good point, hmmm... daily / weekly summary?

05-30-2007, 03:57 PM
Owner of the net for a day
Join Date: Jun 2002
Location: Waco, TX
Posts: 4,550

We get such reports on VPS accounts; we take them seriously and stop them at the root of the issue. Especially with VPSes it is not uncommon to have someone that does not know server management and gets hacked or otherwise compromised, and to have port scanners running on their machines. Alerting the ARIN-listed abuse address is a good thing so long as it is accurate information and provided in a timely manner (we had 3 month old reports from one source multiple times, hardly useful at all!).

05-30-2007, 05:10 PM
Web Hosting Master
Join Date: Aug 2003
Location: East Coast
Posts: 1,948

I have been emailing the ARIN contact for the IP block.
Example:
Time: Wed May 30 17:01:20 2007
IP: xxxxxxxxxxxx (xxxxxxxxxxxx.sithhostingx.net)
Failures: 5 (sshd)
Interval: 280 seconds
Blocked: Yes
Log entries:
May 30 17:01:11 cp2 sshd[17213]: Failed password for invalid user muniz from ::ffff:xxxxxxxxxxxx port 37044 ssh2
May 30 17:01:12 cp2 sshd[17215]: Failed password for invalid user junho from ::ffff:xxxxxxxxxxxx port 37136 ssh2
May 30 17:01:14 cp2 sshd[17217]: Failed password for invalid user muniz from ::ffff:xxxxxxxxxxxx port 37271 ssh2
May 30 17:01:15 cp2 sshd[17219]: Failed password for invalid user junho from ::ffff:xxxxxxxxxxxx port 37363 ssh2
May 30 17:01:17 cp2 sshd[17222]: Failed password for invalid user muniz from ::ffff:xxxxxxxxxxxx port 37502 ssh2
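
As an added example (not code from this thread or any poster in it), the script below turns sshd failure log lines like those in the report above into a report with the same layout, while applying the points raised earlier in the thread: only report once a failure threshold is reached, drop evidence older than a couple of days so the report is timely, and do not re-notify the same source within a week so the abuse desk is not sent hundreds of messages. The sample log lines (documentation-range addresses), the thresholds and the `last_sent` bookkeeping dictionary are constructed assumptions; sending the email and looking up the abuse contact are left to the caller.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in the shape the post quotes (addresses are documentation ranges).
SAMPLE_LOG = """\
May 30 17:01:11 cp2 sshd[17213]: Failed password for invalid user muniz from ::ffff:192.0.2.10 port 37044 ssh2
May 30 17:01:12 cp2 sshd[17215]: Failed password for invalid user junho from ::ffff:192.0.2.10 port 37136 ssh2
May 30 17:01:14 cp2 sshd[17217]: Failed password for invalid user muniz from ::ffff:192.0.2.10 port 37271 ssh2
May 30 17:01:15 cp2 sshd[17219]: Failed password for invalid user junho from ::ffff:192.0.2.10 port 37363 ssh2
May 30 17:01:17 cp2 sshd[17222]: Failed password for invalid user muniz from ::ffff:192.0.2.10 port 37502 ssh2
May 30 17:05:40 cp2 sshd[17301]: Failed password for root from ::ffff:198.51.100.7 port 40100 ssh2
May 30 17:05:41 cp2 sshd[17303]: Accepted password for bob from 203.0.113.5 port 50000 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?\S+ from (?:::ffff:)?(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")

def parse_failures(log_text, year=2007):
    """Group sshd 'Failed password' lines by source IP as (timestamp, raw line) pairs."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # accepted logins and unrelated lines are not evidence, so they are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_ip[m["ip"]].append((ts, line))
    return by_ip

def format_report(ip, events):
    """Render one report in the layout quoted in the post above."""
    times = [t for t, _ in events]
    header = [f"Time: {max(times):%a %b %d %H:%M:%S %Y}", f"IP: {ip}",
              f"Failures: {len(events)} (sshd)",
              f"Interval: {int((max(times) - min(times)).total_seconds())} seconds",
              "Blocked: Yes", "Log entries:"]
    return "\n".join(header + [line for _, line in events]) + "\n"

def select_reports(by_ip, now, last_sent, threshold=5, max_age=timedelta(days=2),
                   resend_after=timedelta(days=7)):
    """Pick the IPs worth notifying: enough fresh failures, and not already reported recently,
    so each abuse desk gets one timely report per source instead of hundreds."""
    reports = {}
    for ip, events in by_ip.items():
        fresh = [e for e in events if now - e[0] <= max_age]  # stale evidence is useless to them
        if len(fresh) < threshold or now - last_sent.get(ip, datetime.min) < resend_after:
            continue
        reports[ip] = format_report(ip, sorted(fresh))
        last_sent[ip] = now  # assumed to be persisted between runs (e.g. a small JSON file)
    return reports
```

Running it with `select_reports(parse_failures(SAMPLE_LOG), datetime(2007, 5, 30, 17, 10), {})` yields a single report for the source with five failures; the one-off root failure and the successful login never produce a report.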

05-30-2007, 05:14 PM
Disabled
Join Date: May 2006
Posts: 1,398

That's the problem: inexperienced admins or people neglecting their boxes. They get hacked and send spam, brute force, DDoS, etc.
In my first year of running my own servers I would go through all mod_security logs and APF/BFD alerts and send the logs along with a report on the issue, let them know they have a compromised server, etc.
Some will do something about it, some will not. I know I gave up reporting abuse to ISPs; nothing ever happens there in most places, Comcast being the worst IMO.
But I'd say datacenters are 10 times more likely to handle abuse issues than ISPs.
I wish something could be done about all the DNS servers on the net with open recursion which can be used to send huge DDoS attacks.

05-30-2007, 05:24 PM
Web Hosting Master
Join Date: Aug 2003
Location: East Coast
Posts: 1,948

I almost want to create a WebHost blocked IP repository where people could pull the IPs into CSF / APF...
But just for webhosts.

05-30-2007, 07:44 PM
Junior Guru
Join Date: May 2004
Location: Tucson, Arizona
Posts: 217

Quote:
Originally Posted by keepr
I almost want to create a WebHost blocked IP repository where people could pull the IPs into CSF / APF...
But just for webhosts.

feeds.dshield.org/block.txt
__________________
Plain Fast Small Business Web Hosting & Server Management

05-31-2007, 01:12 AM
WHT Addict
Join Date: Jul 2005
Posts: 172

Quote:
Originally Posted by keepr
Usually I just block offending machines that try to get into our systems and move on, but for the last 2 days I have started notifying the contacts in the ARIN info for offending IPs. I guess I am trying to do my part to make the internet a better place?
- Is this stuff largely ignored?
- Is anyone else doing this?
- Is there an easier way?

Yes, we have had success with notifying the offending sources. The best thing is to provide a timely report along with a tcpdump if available.
If the web hosting company does not respond to your requests to cease and desist malicious activity, your next step should be to inform the carrier. You can find out the carrier from ARIN or a traceroute.
Most often the web hosting companies take care of the problem once notified. Our experience has noted that the size of the web hosting company, large or small, or the brand name, well known or obscure, does not factor into the quality or the level of the response time.
If the web hosting company does not comply, we then contact their carrier, at which point we see almost immediate results. The carriers are liable, civil and criminal, as co-conspirators if they continue to allow malicious activity to originate out of their network once they have been informed of such.

05-31-2007, 09:47 AM
Web Hosting Master
Join Date: Aug 2003
Location: East Coast
Posts: 1,948

I don't like DShield's; too many false positives.

09-28-2007, 09:34 AM
Web Hosting Evangelist
Join Date: Jun 2001
Location: North Yorkshire, UK
Posts: 542

I've started getting many more hits on my CSF setup, and in particular phpbb2 exploit attempts, but I do wonder just how much information the abuse@... contact needs in order to track the offender down.
Is there any automated script or similar that would allow me to grab all the information related to the attack? The idea of trying to do this manually every time makes me feel less inclined to report anything.

09-28-2007, 09:48 AM
Disabled
Join Date: May 2006
Posts: 1,398

I usually forward the CSF emails to the proper abuse departments.
Now I'm not totally sure, but I think APF sends abuse email to abuse contacts when it bans for DoS or whatnot.
But yeah, forwarding CSF emails will suffice; they give you all the info you need as well as the offending network.

09-28-2007, 10:08 AM
Web Hosting Master
Join Date: Dec 2004
Location: Butler, TN
Posts: 2,413

Hi!
Back in the day when I was battling a group of hackers... literally... abuse departments vary. Some take action... some could care less. I have found, if you can, to go down the food chain yourself.
I.e.: who is actually using that IP?
Sometimes you can... sometimes not.
Bryon
__________________
Bryon L Harvey
Soil Relocation Engineer