[Techtalk] Apache, abuse and nonexistent domains.

Mandi mandi at linuxchick.org
Tue Dec 17 11:34:12 EST 2002


(this gets kinda long.  if you know how to use fwhois, you can skip it. :) )

Therese --

> 208.3.113.49 - - [17/Dec/2002:04:34:42 +0100] "CONNECT 203.190.194.95:25 HTTP/1.1" 400 379 "-" "-"

This is a proxy scan.  A process running on 208.3.113.49 is looking at
your machine as a proxy to see if it can get back through to send mail to
203.190.194.95 by pretending to be from your IP.  It's a common method for
spammers to hide the origin of spam.

One of CERT's writeups about proxy vulnerabilities is here:
http://www.kb.cert.org/vuls/id/150227

> 25. What is this? Should I get worried? I tried it myself and used
> telnet to connect to my webserver on port 80 and wrote what they wrote
> but all I got back was the html for the index webpage.

If you're not running a proxy, (and not running mod_proxy on your apache
server, which i don't know a whole lot about, you might want to look that
up) you should be fine, just pay attention to the logs and keep your
servers secured.

> I wanted to report it to the appropriate domain for the ip-numbers, but
> some, like the one above, doesn't resolve to a hostname. I only get
> "Non-existent domain" as an answer. What should I do then? How can I
> find out where to report it to? And when I report it what should I say?
> Should I just attach the appropriate parts of the server logs?

use a tool called fwhois.  depending on your distro/version, it might be
there, or you might have to get hold of it.  if you're on an rpm-based
distro, the rpms for red hat 6.2 will probably be ok.

This tool does whois lookups against the whois databases for domain names
and ip addresses.  it's a different system from dns.

for example, take the source ip for the example you posted:  208.3.113.49

to get hold of assignment information for IP addresses, you want to query
the whois database at arin.net (which you can access on the web page as
well, it's just not as convenient...) like this:

[rwalls@erinyes rwalls]$ fwhois 208.3.113.49@whois.arin.net

which returns

Sprint SPRINTLINK-BLKS (NET-208-0-0-0-1)
                                  208.0.0.0 - 208.35.255.255
Accesscom, Inc SPRINT-D00370-1 (NET-208-3-112-0-1)
                                  208.3.112.0 - 208.3.127.255

# ARIN Whois database, last updated 2002-12-16 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

So, now you know that the IP address you queried for was originally
assigned to Sprint, who reassigned it to Accesscom, a Sprint customer.
Given the size of the reassigned netblock, 15 class C spaces, you can
probably assume that Accesscom is an ISP of some fashion.

Now you can recurse on Accesscom's netblock NAME, rather than the IP
(we're still working at arin.net):

[rwalls@erinyes rwalls]$ fwhois NET-208-3-112-0-1@whois.arin.net
[whois.arin.net]

OrgName:    Accesscom, Inc
OrgID:      AXSC

NetRange:   208.3.112.0 - 208.3.127.255
CIDR:       208.3.112.0/20
NetName:    SPRINT-D00370-1
NetHandle:  NET-208-3-112-0-1
Parent:     NET-208-0-0-0-1
NetType:    Reallocated
Comment:
RegDate:    1999-08-27
Updated:    2001-12-31

TechHandle: SW112-ARIN
TechName:   Wong, Shing
TechPhone:  +1-504-962-2000
TechEmail:  wong at accesscom.net

# ARIN Whois database, last updated 2002-12-16 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

You can get additional information by using the OrgName or OrgID in a
whois query, or, since there is a tech email here, you can send a message
to that address.  You may also want to CC: a sprint address, usually found
from the abuse/acceptable use page on their site.

you can use fwhois to do domain name whois lookups, as well.  You'll need
to know the whois server of the domain registrar, which will usually be
part of the output if you query the wrong whois server.  So, looking up
accesscom.net:

[rwalls@erinyes rwalls]$ fwhois accesscom.net
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: ACCESSCOM.NET
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: NS.ACCESSCOM.NET
   Name Server: NS1-AUTH.SPRINTLINK.NET
   Updated Date: 10-dec-2002


>>> Last update of whois database: Tue, 17 Dec 2002 05:10:08 EST <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

I know to query whois.networksolutions.com:
[rwalls@erinyes rwalls]$ fwhois accesscom.net@whois.networksolutions.com

<standard disclaimer stuff/acceptable use message appears here....>

Wongs Advance Technology (ACCESSCOM-DOM)
   1340 Poydras
   New Orleans, LA 70112
   US

   Domain Name: ACCESSCOM.NET

   Administrative Contact:
      Org-Account  (OR58-ORG)           org-hostmaster at ACCESSCOM.NET
      AccessCom Internet Services
      1340 Poydras
      Suite 340
      New Orleans, LA 70112
      US
      504.962.2000
      Fax- 504.962.2001
   Technical Contact:
      Technical Account  (TA210-ORG)      tech-hostmaster at ACCESSCOM.NET
      AccessCom Internet Services
      1340 Poydras
      Ste 350
      New Orleans, LA 70112
      US
      504.962.2000
      Fax- 504.962.2001

   Record expires on 21-Jan-2004.
   Record created on 20-Jan-1995.
   Database last updated on 17-Dec-2002 09:54:49 EST.

   Domain servers in listed order:

   NS.ACCESSCOM.NET             204.181.176.2
   NS1-AUTH.SPRINTLINK.NET      206.228.179.10


So now we've tracked the source back to some folks in new orleans, and you
can get in touch with them, let them know what you're seeing.  It's
usually a good idea to paste in the relevant log entries, just so they
know what you're talking about and what activity generated your contact
with them.

It could be their customer, in which case the company will be able to deal
with that through an acceptable use policy, most likely.  It could also be
a compromised machine (by the looks of an nmap scan against that IP, it's
a Windows machine of some sort, sitting out in the open on the net, with
VNC and other nice services just sitting there...) which they should be
able to contact the customer about.

(if they give you any flak about the source being spoofed, well, that's
just silly, because the attacker is trying to start a TCP connection,
which is a 2 way connection, and doesn't work to a spoofed address...  the
return of an html page isn't enough to be considered a denial of service
attack against a spoofed origin...  but that's another whole discussion!)

Anyway, I hope that helps!

--mandi
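The log entry Therese posted is the kind of thing you want to pull out of an access log automatically before you go hunting through whois. The script below is an added example and not part of the original post: it parses Apache combined-format log lines, picks out the CONNECT and absolute-URI requests that a proxy scanner sends, groups them by scanning host (the address you then feed to fwhois), flags the one case that should worry you (a 2xx answer to CONNECT, which a non-proxying Apache should never give; the example on the page got 400), and drafts the report text with the raw log lines pasted in, as the post recommends. The log sample is constructed: its first line is the entry quoted above, the rest use RFC 5737 documentation addresses; the function names and the regex are mine.

```python
"""Spot proxy-scan probes (CONNECT / absolute-URI requests) in an Apache
combined-format access log and draft the abuse report to send to the
netblock contact found via whois.  Added example, not the post's own code."""
import re
from collections import defaultdict

# Apache "combined" LogFormat (regex and field names are this example's own).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: line 1 is the entry quoted in the post, the other
# addresses are RFC 5737 documentation ranges, the last line is deliberate junk.
SAMPLE_LOG = """\
208.3.113.49 - - [17/Dec/2002:04:34:42 +0100] "CONNECT 203.190.194.95:25 HTTP/1.1" 400 379 "-" "-"
192.0.2.10 - - [17/Dec/2002:04:35:01 +0100] "GET /index.html HTTP/1.0" 200 1842 "-" "Mozilla/4.0"
208.3.113.49 - - [17/Dec/2002:04:36:13 +0100] "GET http://203.190.194.95/ HTTP/1.1" 200 1842 "-" "-"
198.51.100.7 - - [17/Dec/2002:05:02:44 +0100] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 0 "-" "-"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_probe(request):
    """Return (kind, target) for a proxy probe, or None for an ordinary request.

    'connect'      : CONNECT host:port, a tunnel request; port 25 means the
                     scanner wants to relay mail through you.
    'absolute-uri' : GET/POST/HEAD http://host/..., a forward-proxy probe.
    """
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        return ("connect", target)
    if method in ("GET", "POST", "HEAD") and re.match(r"^https?://", target):
        return ("absolute-uri", target)
    return None


def find_probes(log_text):
    """Extract every proxy probe from the log text.

    Each probe is a dict with src, ts, kind, target, status, the raw line, and
    'accepted': True when CONNECT got a 2xx, i.e. the server opened the tunnel.
    A server that is not meant to proxy must refuse these (the post's example
    was answered with 400), so an accepted probe means check mod_proxy now.
    """
    probes = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        hit = classify_probe(fields["request"])
        if hit is None:
            continue
        kind, target = hit
        status = int(fields["status"])
        probes.append({
            "src": fields["src"], "ts": fields["ts"], "kind": kind,
            "target": target, "status": status, "raw": line,
            "accepted": kind == "connect" and 200 <= status < 300,
        })
    return probes


def by_source(probes):
    """Group probes by scanning host; each key is an IP to look up with fwhois."""
    grouped = defaultdict(list)
    for p in probes:
        grouped[p["src"]].append(p)
    return dict(grouped)


def smtp_targets(probes):
    """host:port targets on port 25, i.e. the mail servers the scanner hoped to reach."""
    return {p["target"] for p in probes
            if p["kind"] == "connect" and p["target"].endswith(":25")}


def abuse_report(src, probes, server_name):
    """Draft the message for the netblock's abuse/tech contact, raw log lines included."""
    mine = [p for p in probes if p["src"] == src]
    if not mine:
        raise ValueError("no probes recorded from %s" % src)
    lines = [
        "Subject: proxy scan from %s against %s" % (src, server_name),
        "",
        "Our web server %s logged %d proxy-relay probe(s) from %s." % (server_name, len(mine), src),
        "It is not a proxy and refused them, but the activity looks like a",
        "spam-relay scanner or a compromised host on your network.",
        "",
        "Raw log entries (times as logged, server timezone):",
    ]
    lines += ["  " + p["raw"] for p in mine]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for src, hits in by_source(found).items():
        print("%s: %d probe(s), accepted=%s" % (src, len(hits), any(h["accepted"] for h in hits)))
    print(abuse_report("208.3.113.49", found, "www.example.org"))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; any source that shows `accepted=True` is a sign your server is actually relaying, which is the mod_proxy check the post says to make before you worry about anyone else's machine.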