[CLUE-Tech] root kit checker
Mike Staver
staver at fimble.com
Thu May 6 23:34:44 MDT 2004
Ah - I made an assumption that all apps would look to hosts.deny - I
didn't realize that only xinetd apps did, my bad. And yeah - I figured
something like what Skip was saying - that even though I'm using a cisco
access list to deny connections to port 80 from that ip, msn has tricky
ways around it. Oh well, and yeah - thanks for pointing out the phone
number I missed :) I WILL be calling it and at the very least, leaving a
message telling them a bill is on the way for the bandwidth usage...
Jim Ockers wrote:
>Mike:
>
>Mike Staver wrote:
>
>>This isn't even working in apache:
>>
>>Deny from 65.54.164.101
>>Deny from msnbot64101.search.msn.com
>>
>
>The hosts.deny is used by xinetd services, portmap, and anything else
>that uses libtcpwrap. I think you'll find that apache doesn't check
>hosts.deny when accepting a connection, at least not by default.
>
>>I can't figure out how in my cisco access list I'm blocking
>>65.54.164.101, and I have the ip in hosts.deny, and I have apache
>>configured to deny it.... it's still happening. I hate MSN.
>>
>
>That sucks. To stop the traffic I would just use iptables/ipchains.
>I saw another suggestion on the list about that. I would put the
>reject line at the top of the INPUT chain in the filter table, if
>you're using iptables.
>
>iptables -I INPUT -s 65.54.164.101 -j REJECT
>
>That ought to put a stop to the indexing for now. I'd be interested
>to know how you fix the phpbb recursion problem.
>
>>>And it still won't stop. I wish I had a phone number for somebody as
>>>MSN so I could yell at somebody about this. I have tried to block them
>>>on my firewall, I have put their ip in hosts.deny, and I can't prevent
>>>it from sucking up bandwidth.
>>>
>
>As has been pointed out, you can phone the netblock owner as listed
>in the ARIN WHOIS record.
>
>[241] tahoua.ockers.net:/home/ockers > whois 65.54.164.101 at whois.arin.net
>[whois.arin.net]
>
>OrgName: Microsoft Corp
>OrgID: MSFT
>Address: One Microsoft Way
>City: Redmond
>StateProv: WA
>PostalCode: 98052
>Country: US
>
>NetRange: 65.52.0.0 - 65.55.255.255
>CIDR: 65.52.0.0/14
>NetName: MICROSOFT-1BLK
>NetHandle: NET-65-52-0-0-1
>Parent: NET-65-0-0-0-0
>NetType: Direct Assignment
>NameServer: DNS1.CP.MSFT.NET
>NameServer: DNS2.CP.MSFT.NET
>NameServer: DNS1.TK.MSFT.NET
>NameServer: DNS1.DC.MSFT.NET
>NameServer: DNS1.SJ.MSFT.NET
>Comment:
>RegDate: 2001-02-14
>Updated: 2002-12-05
>
>TechHandle: ZM23-ARIN
>TechName: Microsoft Corporation
>TechPhone: +1-425-882-8080
>TechEmail: noc at microsoft.com
>
>OrgAbuseHandle: HOTMA-ARIN
>OrgAbuseName: Hotmail Abuse
>OrgAbusePhone: +1-425-882-8080
>OrgAbuseEmail: abuse at hotmail.com
>
>OrgAbuseHandle: MSNAB-ARIN
>OrgAbuseName: MSN ABUSE
>OrgAbusePhone: +1-425-882-8080
>OrgAbuseEmail: abuse at msn.com
>
>OrgAbuseHandle: ABUSE231-ARIN
>OrgAbuseName: Abuse
>OrgAbusePhone: +1-425-882-8080
>OrgAbuseEmail: abuse at microsoft.com
>
>OrgNOCHandle: ZM23-ARIN
>OrgNOCName: Microsoft Corporation
>OrgNOCPhone: +1-425-882-8080
>OrgNOCEmail: noc at microsoft.com
>
>OrgTechHandle: MSFTP-ARIN
>OrgTechName: MSFT-POC
>OrgTechPhone: +1-425-882-8080
>OrgTechEmail: iprrms at microsoft.com
>
>Looks like they really want you to call 425-882-8080. I bet
>that number goes to voicemail hell though. Luckily I've never
>needed to call it...
>
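As an added example (not from the original thread or from anyone on the list) of how to quantify what a crawler like this is actually costing you before sending that bill: a Python script that totals bytes per client from Apache combined-format access log lines and flags clients inside the 65.52.0.0/14 netblock from the ARIN record above. The log lines are constructed for illustration; a "-" in the bytes field (as Apache writes for a 304) is counted as zero rather than breaking the parse.

```python
import re
import ipaddress
from collections import defaultdict

# Netblock taken from the ARIN WHOIS record quoted in the thread.
MSFT_NETBLOCK = ipaddress.ip_network("65.52.0.0/14")

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (hypothetical traffic, not taken from the original post).
SAMPLE_LOG = """\
65.54.164.101 - - [06/May/2004:22:01:10 -0600] "GET /phpbb/viewtopic.php?t=12 HTTP/1.1" 200 48213 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
65.54.164.101 - - [06/May/2004:22:01:11 -0600] "GET /phpbb/viewtopic.php?t=12&start=0 HTTP/1.1" 200 48213 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
192.0.2.10 - - [06/May/2004:22:01:12 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
65.54.164.101 - - [06/May/2004:22:01:13 -0600] "GET /phpbb/viewtopic.php?t=12&start=0&start=0 HTTP/1.1" 304 - "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
"""

def summarize(log_text):
    """Return {ip: {"requests": n, "bytes": b, "in_netblock": bool}} per client IP."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0, "in_netblock": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that don't parse instead of aborting the whole run
        ip = m.group("ip")
        entry = totals[ip]
        entry["requests"] += 1
        # Apache logs "-" when no body was sent (e.g. a 304); treat that as 0 bytes.
        entry["bytes"] += 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        entry["in_netblock"] = ipaddress.ip_address(ip) in MSFT_NETBLOCK
    return dict(totals)

def netblock_bytes(log_text):
    """Total bytes served to clients inside the netblock, i.e. the figure for the bill."""
    return sum(e["bytes"] for e in summarize(log_text).values() if e["in_netblock"])

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        flag = " (in 65.52.0.0/14)" if e["in_netblock"] else ""
        print(f"{ip}: {e['requests']} requests, {e['bytes']} bytes{flag}")
```

Run it against the real access_log instead of SAMPLE_LOG to get per-crawler totals over whatever period you want to bill for.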