[CLUE-Tech] root kit checker

Jim Ockers ockers at ockers.net
Thu May 6 22:37:21 MDT 2004


Mike:

Mike Staver wrote:
> 
> This isn't even working in apache:
> 
> Deny from 65.54.164.101
> Deny from msnbot64101.search.msn.com
> 

The hosts.deny is used by xinetd services, portmap, and anything else
that uses libtcpwrap.  I think you'll find that apache doesn't check
hosts.deny when accepting a connection, at least not by default.

> I can't figure out how in my cisco access list I'm blocking 
> 65.54.164.101, and I have the ip in hosts.deny, and I have apache 
> configured to deny it.... it's still happening.  I hate MSN.

That sucks.  To stop the traffic I would just use iptables/ipchains.
I saw another suggestion on the list about that.  I would put the
reject line at the top of the INPUT chain in the filter table, if
you're using iptables.

iptables -I INPUT -s 65.54.164.101 -j REJECT

That ought to put a stop to the indexing for now.  I'd be interested
to know how you fix the phpbb recursion problem.

> > And it still won't stop.  I wish I had a phone number for somebody at 
> > MSN so I could yell at somebody about this.  I have tried to block them 
> > on my firewall, I have put their ip in hosts.deny, and I can't prevent 
> > it from sucking up bandwidth.

As has been pointed out, you can phone the netblock owner as listed
in the ARIN WHOIS record.

[241] tahoua.ockers.net:/home/ockers > whois 65.54.164.101@whois.arin.net
[whois.arin.net]

OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US

NetRange:   65.52.0.0 - 65.55.255.255
CIDR:       65.52.0.0/14
NetName:    MICROSOFT-1BLK
NetHandle:  NET-65-52-0-0-1
Parent:     NET-65-0-0-0-0
NetType:    Direct Assignment
NameServer: DNS1.CP.MSFT.NET
NameServer: DNS2.CP.MSFT.NET
NameServer: DNS1.TK.MSFT.NET
NameServer: DNS1.DC.MSFT.NET
NameServer: DNS1.SJ.MSFT.NET
Comment:
RegDate:    2001-02-14
Updated:    2002-12-05

TechHandle: ZM23-ARIN
TechName:   Microsoft Corporation
TechPhone:  +1-425-882-8080
TechEmail:  noc at microsoft.com

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse at hotmail.com

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse at msn.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse at microsoft.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080
OrgNOCEmail:  noc at microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  iprrms at microsoft.com

Looks like they really want you to call 425-882-8080.  I bet
that number goes to voicemail hell though.  Luckily I've never
needed to call it...

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/
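
Added example, not part of the original message: a shell check for the point above that hosts.deny is only consulted by programs that use libtcpwrap, which for a dynamically linked daemon shows up as libwrap in its ldd output. The ldd listings are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: hosts.deny only affects programs that use tcp_wrappers.
# A dynamically linked daemon that does will list libwrap in its ldd output.
# Caveat: a service started through xinetd or tcpd is covered by that
# launcher's libwrap, not its own, so check the launcher binary for those.

# Constructed ldd listings (illustrative, not captured from a real host).
SAMPLE_HTTPD='    libm.so.6 => /lib/libm.so.6 (0x4002c000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x4004e000)
    libc.so.6 => /lib/libc.so.6 (0x4007b000)'
SAMPLE_SSHD='    libwrap.so.0 => /usr/lib/libwrap.so.0 (0x40028000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x40031000)
    libc.so.6 => /lib/libc.so.6 (0x40120000)'

# links_libwrap: read ldd output on stdin; succeed if libwrap is linked.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# classify NAME: read ldd output on stdin and print a one-line verdict.
classify() {
    if links_libwrap; then
        echo "$1: libwrap linked, hosts.deny applies"
    else
        echo "$1: no libwrap, hosts.deny not consulted"
    fi
}

# check_binary PATH: run the same check against a real binary on this host.
check_binary() {
    if [ ! -x "$1" ]; then
        echo "$1: not found"
        return 1
    fi
    ldd "$1" 2>/dev/null | classify "$1"
}

printf '%s\n' "$SAMPLE_HTTPD" | classify "httpd (sample)"
printf '%s\n' "$SAMPLE_SSHD" | classify "sshd (sample)"

# Pass real paths to check this machine, e.g. /usr/sbin/httpd /usr/sbin/sshd
for bin in "$@"; do
    check_binary "$bin" || true
done
```

A daemon reported as having no libwrap needs its own access control or a packet filter rule such as the iptables line in the message.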
