[CLUE-Tech] root kit checker

Mike Staver staver at fimble.com
Thu May 6 23:34:44 MDT 2004


Ah - I made an assumption that all apps would look to hosts.deny - I 
didn't realize that only xinetd apps did, my bad.  And yeah - I figured 
something like what Skip was saying - that even though I'm using a cisco 
access list to deny connections to port 80 from that ip, msn has tricky 
ways around it.  Oh well, and yeah - thanks for pointing out the phone 
number I missed :) I WILL be calling it and at the very least, leaving a 
message telling them a bill is on the way for the bandwidth usage...

Jim Ockers wrote:

>Mike:
>
>Mike Staver wrote:
>
>>This isn't even working in apache:
>>
>>Deny from 65.54.164.101
>>Deny from msnbot64101.search.msn.com
>>
>>
>
>The hosts.deny is used by xinetd services, portmap, and anything else
>that uses libtcpwrap.  I think you'll find that apache doesn't check
>hosts.deny when accepting a connection, at least not by default.
>
>
>>I can't figure out how in my cisco access list I'm blocking 
>>65.54.164.101, and I have the ip in hosts.deny, and I have apache 
>>configured to deny it.... it's still happening.  I hate MSN.
>>
>
>That sucks.  To stop the traffic I would just use iptables/ipchains.
>I saw another suggestion on the list about that.  I would put the
>reject line at the top of the INPUT chain in the filter table, if
>you're using iptables.
>
>iptables -I INPUT -s 65.54.164.101 -j REJECT
>
>That ought to put a stop to the indexing for now.  I'd be interested
>to know how you fix the phpbb recursion problem.
>
>
>>>And it still won't stop.  I wish I had a phone number for somebody as 
>>>MSN so I could yell at somebody about this.  I have tried to block them 
>>>on my firewall, I have put their ip in hosts.deny, and I can't prevent 
>>>it from sucking up bandwidth.
>>>
>
>As has been pointed out, you can phone the netblock owner as listed
>in the ARIN WHOIS record.
>
>[241] tahoua.ockers.net:/home/ockers > whois 65.54.164.101 at whois.arin.net
>[whois.arin.net]
>
>OrgName:    Microsoft Corp
>OrgID:      MSFT
>Address:    One Microsoft Way
>City:       Redmond
>StateProv:  WA
>PostalCode: 98052
>Country:    US
>
>NetRange:   65.52.0.0 - 65.55.255.255
>CIDR:       65.52.0.0/14
>NetName:    MICROSOFT-1BLK
>NetHandle:  NET-65-52-0-0-1
>Parent:     NET-65-0-0-0-0
>NetType:    Direct Assignment
>NameServer: DNS1.CP.MSFT.NET
>NameServer: DNS2.CP.MSFT.NET
>NameServer: DNS1.TK.MSFT.NET
>NameServer: DNS1.DC.MSFT.NET
>NameServer: DNS1.SJ.MSFT.NET
>Comment:
>RegDate:    2001-02-14
>Updated:    2002-12-05
>
>TechHandle: ZM23-ARIN
>TechName:   Microsoft Corporation
>TechPhone:  +1-425-882-8080
>TechEmail:  noc at microsoft.com
>
>OrgAbuseHandle: HOTMA-ARIN
>OrgAbuseName:   Hotmail Abuse
>OrgAbusePhone:  +1-425-882-8080
>OrgAbuseEmail:  abuse at hotmail.com
>
>OrgAbuseHandle: MSNAB-ARIN
>OrgAbuseName:   MSN ABUSE
>OrgAbusePhone:  +1-425-882-8080
>OrgAbuseEmail:  abuse at msn.com
>
>OrgAbuseHandle: ABUSE231-ARIN
>OrgAbuseName:   Abuse
>OrgAbusePhone:  +1-425-882-8080
>OrgAbuseEmail:  abuse at microsoft.com
>
>OrgNOCHandle: ZM23-ARIN
>OrgNOCName:   Microsoft Corporation
>OrgNOCPhone:  +1-425-882-8080
>OrgNOCEmail:  noc at microsoft.com
>
>OrgTechHandle: MSFTP-ARIN
>OrgTechName:   MSFT-POC
>OrgTechPhone:  +1-425-882-8080
>OrgTechEmail:  iprrms at microsoft.com
>
>Looks like they really want you to call 425-882-8080.  I bet
>that number goes to voicemail hell though.  Luckily I've never
>needed to call it...
>
>
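As an added example (not code from the thread or from either poster), a small Python parser for the ARIN WHOIS record Jim quoted: it checks that the offending IP actually falls inside the listed CIDR and pulls out the abuse contacts to report to, rather than the NOC or tech handles. The sample record is constructed from the output in the thread, with the list archive's "user at domain" obfuscation reversed to real addresses.

```python
import ipaddress
import re

# Constructed sample: an abridged copy of the ARIN WHOIS record quoted above,
# with the archive's "user at domain" obfuscation turned back into addresses.
WHOIS_RECORD = """\
OrgName:    Microsoft Corp
OrgID:      MSFT
Country:    US

NetRange:   65.52.0.0 - 65.55.255.255
CIDR:       65.52.0.0/14
NetName:    MICROSOFT-1BLK

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@hotmail.com

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@msn.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080
OrgNOCEmail:  noc@microsoft.com
"""

FIELD = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_whois(text):
    """Split a key/value WHOIS record into its blank-line separated sections."""
    sections, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif not line.strip() and current:   # blank line closes a section
            sections.append(current)
            current = {}
    if current:
        sections.append(current)
    return sections


def abuse_contacts(text, ip):
    """Return (covered, [(handle, email, phone), ...]) for the abuse POCs.

    `covered` is False (and the list empty) when no CIDR in the record
    contains `ip`; ARIN may list several comma-separated CIDRs."""
    sections = parse_whois(text)
    nets = [ipaddress.ip_network(c.strip())
            for s in sections if "CIDR" in s for c in s["CIDR"].split(",")]
    if not any(ipaddress.ip_address(ip) in n for n in nets):
        return False, []
    return True, [(s["OrgAbuseHandle"], s["OrgAbuseEmail"], s.get("OrgAbusePhone", ""))
                  for s in sections if "OrgAbuseHandle" in s]
```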