[CLUE-Tech] root kit checker
Jim Ockers
ockers at ockers.net
Thu May 6 22:37:21 MDT 2004
Mike:
Mike Staver wrote:
>
> This isn't even working in apache:
>
> Deny from 65.54.164.101
> Deny from msnbot64101.search.msn.com
>
The hosts.deny is used by xinetd services, portmap, and anything else
that uses libtcpwrap. I think you'll find that apache doesn't check
hosts.deny when accepting a connection, at least not by default.
> I can't figure out how in my cisco access list I'm blocking
> 65.54.164.101, and I have the ip in hosts.deny, and I have apache
> configured to deny it.... it's still happening. I hate MSN.
That sucks. To stop the traffic I would just use iptables/ipchains.
I saw another suggestion on the list about that. I would put the
reject line at the top of the INPUT chain in the filter table, if
you're using iptables.

iptables -I INPUT -s 65.54.164.101 -j REJECT

That ought to put a stop to the indexing for now. I'd be interested
to know how you fix the phpbb recursion problem.
> > And it still won't stop. I wish I had a phone number for somebody at
> > MSN so I could yell at somebody about this. I have tried to block them
> > on my firewall, I have put their ip in hosts.deny, and I can't prevent
> > it from sucking up bandwidth.
As has been pointed out, you can phone the netblock owner as listed
in the ARIN WHOIS record.
[241] tahoua.ockers.net:/home/ockers > whois 65.54.164.101@whois.arin.net
[whois.arin.net]
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.CP.MSFT.NET
NameServer: DNS2.CP.MSFT.NET
NameServer: DNS1.TK.MSFT.NET
NameServer: DNS1.DC.MSFT.NET
NameServer: DNS1.SJ.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2002-12-05
TechHandle: ZM23-ARIN
TechName: Microsoft Corporation
TechPhone: +1-425-882-8080
TechEmail: noc at microsoft.com
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse at hotmail.com
OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse at msn.com
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse at microsoft.com
OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: noc at microsoft.com
OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms at microsoft.com
Looks like they really want you to call 425-882-8080. I bet
that number goes to voicemail hell though. Luckily I've never
needed to call it...
--
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/
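
An added example, not part of the original message: one way to check whether the requests come only from the address already rejected or from other hosts in the same ARIN netblock. It reads the CIDR from WHOIS fields copied from the record above, counts hits per source address in that block, and prints one reject rule per source in the form used in the message. The access-log lines, the second crawler address and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Fields copied from the ARIN WHOIS record quoted in the message above.
WHOIS_TEXT = """\
OrgName: Microsoft Corp
CIDR: 65.52.0.0/14
OrgAbuseEmail: abuse at msn.com
OrgAbuseEmail: abuse at microsoft.com
"""

# Constructed access-log lines (common log format); not from the original post.
SAMPLE_LOG = """\
65.54.164.101 - - [06/May/2004:21:10:01 -0600] "GET /phpbb/viewtopic.php?t=1 HTTP/1.0" 200 5120
65.54.164.101 - - [06/May/2004:21:10:02 -0600] "GET /phpbb/viewtopic.php?t=2 HTTP/1.0" 200 4980
65.54.188.12 - - [06/May/2004:21:10:05 -0600] "GET /phpbb/viewtopic.php?t=3 HTTP/1.0" 200 5033
192.0.2.44 - - [06/May/2004:21:11:40 -0600] "GET /index.html HTTP/1.0" 200 812
not-a-log-line
"""

def parse_whois(text):
    """Return {key: [values]}; WHOIS keys such as OrgAbuseEmail repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def hits_in_netblock(log_text, cidr):
    """Count requests per source address that fall inside the netblock."""
    net = ipaddress.ip_network(cidr)
    hits = Counter()
    for line in log_text.splitlines():
        first = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(first)
        except ValueError:
            continue  # skip malformed lines and logged hostnames
        if addr in net:
            hits[str(addr)] += 1
    return hits

def reject_rules(hits):
    return [f"iptables -I INPUT -s {ip} -j REJECT" for ip in sorted(hits)]

if __name__ == "__main__":
    cidr = parse_whois(WHOIS_TEXT)["CIDR"][0]
    print("\n".join(reject_rules(hits_in_netblock(SAMPLE_LOG, cidr))))
```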