[Techtalk] Apache, abuse and nonexistent domains.

Maria Blackmore mariab at cats.meow.at
Tue Dec 17 17:50:27 EST 2002


Hi

On Tue, 17 Dec 2002, Therese Gustafsson wrote:

> Lately I have a lot of logentries in my Apache access_log like this:
> 208.3.113.49 - - [17/Dec/2002:04:34:42 +0100] "CONNECT
> 203.190.194.95:25 HTTP/1.1" 400 379 "-" "-"

hum, nasty people trying to use it as a proxy :(

> They come from a couple of different ip-numbers and they're trying to
> connect to a lot of servers with different ip-numbers, all on on port
> 25. What is this?

They're trying to use your server instead of an open proxy to send spam,
not nice

> Should I get worried? I tried it myself and used telnet to connect to
> my webserver on port 80 and wrote what they wrote but all I got back
> was the html for the index webpage.

This is probably a good sign

> Some of the entries have the code "200" instead of "400" like the one above.

hmm, interesting, but they're otherwise identical?

> I wanted to report it to the appropriate domain for the ip-numbers, but
> some, like the one above, doesn't resolve to a hostname. I only get
> "Non-existent domain" as an answer. What should I do then? How can I
> find out where to report it to?

All IP addresses in the world are recorded in massive databases called
whois, there are (currently) three of them, soon to be four, possibly
later a lot more, but that's another story.

In any case, if you're in Europe then you should be using the european
database

To look up an IP address, type at a shell prompt

whois -a -h whois.ripe.net <ipaddress>

You may need to install a whois client for this to work, as appropriate
for your distribution.  Some of the more funky whois clients don't need
"-a" (to query all databases) and "-h whois.ripe.net" to tell it to query
the european one.  Also, if you're on either american continent you should
use whois.arin.net, and for those around the pacific basin whois.apnic.net

eg, for the address in the section of log:

$ whois -a -h whois.ripe.net 203.190.194.95

(this is severely abridged)

route:        203.190.192.0/20
descr:        Concept Networks (0)
origin:       AS9787
remarks:      Do not use the notify or changed attribute to report  incidents.
remarks:      Check the inetnum object at the regional registries for contact
remarks:      information (dereference the admin-c & tech-c attributes).
notify:       routing at connect.com.au
mnt-by:       MAINT-AS2764
changed:      chris at connect.com.au 20011011
source:       RADB

route:        203.190.192.0/20
descr:        Concept Networks
origin:       AS17628
mnt-by:       MAINT-AS17486
changed:      swaddington at swiftel.com.au 20001011
source:       RADB

Further down you will see more information about who controls it, etc etc.

Basically, in this case, I would approach abuse at conceptual.net.au.  The
company controlling this IP address is "Concept Networks", and
conceptual.net.au is their domain name, which you will see appear much
further down in the whois output. 

> And when I report it what should I say? Should I just attach the
> appropriate parts of the server logs?

I would say that there are people using machines in the IP ranges listed
as being controlled by them attempting unauthorised access to your
machine, and then supply the sections of server logs appropriate for
them.  You probably won't need to supply full logs, just an example with
say, half a dozen lines worth.

If you need any help, just yell.  One of my duties where I work is abuse
contact.

That's as in receiving complaints about :)
Though sometimes it is tempting, I never give out abuse :)


-- 
Maria

Who doesn't have an axe[1], nor much of a temper nowadays, but does have
a LART

[1] I wonder how many of you will get this :)
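Added example, not part of the original post: a small Python script that picks out the CONNECT-to-port-25 entries described above, groups them by source address, notes which got a 2xx rather than a 400, and pulls the half-dozen raw lines per source that the reply suggests attaching to an abuse report. The log lines it parses are constructed samples in Apache's combined format.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log format (not from the original
# post), modelled on the CONNECT entries discussed in the thread.
SAMPLE_LOG = """\
208.3.113.49 - - [17/Dec/2002:04:34:42 +0100] "CONNECT 203.190.194.95:25 HTTP/1.1" 400 379 "-" "-"
208.3.113.49 - - [17/Dec/2002:04:34:50 +0100] "CONNECT 203.190.194.96:25 HTTP/1.1" 200 1532 "-" "-"
198.51.100.3 - - [17/Dec/2002:04:35:01 +0100] "CONNECT 192.0.2.10:25 HTTP/1.0" 400 379 "-" "-"
198.51.100.3 - - [17/Dec/2002:04:35:09 +0100] "CONNECT 192.0.2.10:443 HTTP/1.0" 400 379 "-" "-"
203.0.113.9 - - [17/Dec/2002:04:36:12 +0100] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

def parse_line(line):
    """Split one access_log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["raw"] = line
    return rec

def connect_attempts(log_text, port=25):
    """All CONNECT requests aimed at the given TCP port (25 = SMTP relaying)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT" and rec["target"].endswith(f":{port}"):
            hits.append(rec)
    return hits

def summarise(hits):
    """Per source IP: attempts, distinct targets, and how many got a 2xx.
    A 2xx on CONNECT means Apache did not reject it outright, so those
    sources deserve a closer look than the ones only ever answered 400."""
    out = defaultdict(lambda: {"attempts": 0, "targets": set(), "accepted": 0})
    for rec in hits:
        s = out[rec["src"]]
        s["attempts"] += 1
        s["targets"].add(rec["target"])
        if 200 <= rec["status"] < 300:
            s["accepted"] += 1
    return dict(out)

def report_excerpt(hits, src, limit=6):
    """Raw log lines for one source, capped at about half a dozen for the report."""
    return [rec["raw"] for rec in hits if rec["src"] == src][:limit]
```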
