Security Incidents mailing list archives
Re: PHP injection attempt from 200.222.244.154
From: James Eaton-Lee <james.mailing () gmail com>
Date: Fri, 17 Dec 2004 15:12:25 +0000
On Thu, 2004-12-09 at 01:08 +0000, Jez Hancock wrote:
On Tue, 7 Dec 2004 23:46:21 +0000, Jez Hancock <jez.hancock () gmail com> wrote:

I did something similar in a perl script when my network became the target of (relatively small scale - less than a dozen at a time) distributed denial of service attacks a while ago. After detecting a sustained attack from a set of IP addresses - i.e. a number of unacceptable log entries in the firewall log from certain addresses - I would initiate this script to help me build an abuse report that I could forward to the ISPs responsible for the addresses involved in the attacks. For each address the process of building the report would be cut from 5-10 minutes down to just a minute or two.

For anyone interested, the perl abuse report script mentioned above can be found here:

http://munk.nu/programming/perl/abuse_report.pl

I've just added a considerable amount of description to the script (the text is probably longer than the script now :grin:) which describes the problem of reporting abuse. Any comments are welcome:

(snipped)
Jez,

Sad to say, but for anything significant I've resorted to that most old-fashioned of communications mediums, the telephone; this really varies based on your line of work and which sector you work in, but I find that in my professional life, I encounter a relatively low number of incidents which I'd consider extremely serious. To that end, when these issues do crop up (and this is really specific to DoS issues), whilst I have automated the process of gathering information on source addresses before now (mostly by scripting in order to swiftly get information without having to manually sift through netstat output and firewall logs in order to get source IPs and then whois them), rather than sending out e-mails, I've actually called up the network operator in question. I've done this at least a dozen times in the last two years, and I've found that in almost every instance, I've had a useful response.

Obviously in the case of a DoS attack, there isn't much you can accomplish by having one host disconnected from the 'net, but in a smaller subset of those dozen cases, I've actually been able to make useful progress with the tech at the other end. If you are interested in being very proactive, I have encountered more than one technical contact who was prepared to disconnect and dissect a machine in order to track down the attacker.

Automating the attack investigation and e-mail drafting is a great idea, but I'd be a little careful about it - you may find that netadmins get a little offended if they think they're being sent one-fits-all e-mails which have had little or no human intervention! That said, I've downloaded a copy of the script and I'll have a play about with it if I get time ;)

regards,

- James.
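The log-sifting and report-drafting step that both messages describe (count blocked entries per source address, pick out the sustained offenders, whois them, draft a note to the abuse contact), as an added Python example. It is not code from either poster and is not the abuse_report.pl script linked above. The firewall log lines and the whois text are constructed samples in netfilter and RIPE-style formats using documentation address ranges, the threshold of five entries is an arbitrary choice, and because syslog timestamps carry neither a year nor a timezone the caller supplies both, which is the detail an abuse desk most often has to ask for.

```python
import re
from collections import Counter

# Constructed netfilter-style firewall log lines (syslog format), not real
# traffic: 198.51.100.x, 192.0.2.x and 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
Dec  6 23:40:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4431 DPT=80 SYN
Dec  6 23:40:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4432 DPT=80 SYN
Dec  6 23:40:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=22 SYN
Dec  6 23:40:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4433 DPT=80 SYN
Dec  6 23:40:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4434 DPT=443 SYN
Dec  6 23:40:05 fw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 PROTO=TCP SPT=33001 DPT=80 SYN
Dec  6 23:40:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=22 SYN
Dec  6 23:40:06 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=4435 DPT=53
Dec  6 23:40:07 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4436 DPT=80 SYN
"""

# Constructed whois output for the offending range; a real run would feed in
# the output of `whois 198.51.100.7` instead.
SAMPLE_WHOIS = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
descr:          Example ISP customer range
abuse-mailbox:  abuse@example.net
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Return one dict per recognised log line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["raw"] = line  # keep the verbatim line for the report excerpt
            events.append(d)
    return events


def sustained_sources(events, threshold):
    """Source addresses with at least `threshold` blocked entries (DROP/REJECT).

    ACCEPTed traffic is ignored: only blocked entries count as 'unacceptable'.
    """
    counts = Counter(e["src"] for e in events if e["action"].upper() in ("DROP", "REJECT"))
    return {src: n for src, n in counts.items() if n >= threshold}


def abuse_contact_from_whois(whois_text):
    """Pull the abuse mailbox out of RIPE/APNIC-style or ARIN-style whois text."""
    for pat in (r"^abuse-mailbox:\s*(\S+)", r"^OrgAbuseEmail:\s*(\S+)"):
        m = re.search(pat, whois_text, re.MULTILINE | re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def draft_report(src, events, year, tz_name="UTC", contact=None, max_lines=10):
    """Draft an abuse e-mail for one source address.

    syslog timestamps carry neither year nor timezone, so the caller must
    supply both; an abuse desk cannot act on times it cannot place.
    """
    hits = [e for e in events if e["src"] == src and e["action"].upper() in ("DROP", "REJECT")]
    if not hits:
        raise ValueError(f"no blocked entries for {src}")
    ports = sorted({e["dpt"] for e in hits if e["dpt"]}, key=int)
    lines = [
        f"To: {contact or '<abuse contact from whois>'}",
        f"Subject: Abuse report: {len(hits)} blocked connection attempts from {src}",
        "",
        f"Between {hits[0]['ts']} and {hits[-1]['ts']} {year} ({tz_name}) our firewall",
        f"logged {len(hits)} blocked connection attempts from {src} to our hosts",
        f"(destination ports: {', '.join(ports) or 'n/a'}). Log excerpt follows;",
        f"all times are {tz_name}. The full log is available on request.",
        "",
    ]
    lines += ["  " + e["raw"] for e in hits[:max_lines]]
    if len(hits) > max_lines:
        lines.append(f"  ... {len(hits) - max_lines} further entries omitted")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src in sustained_sources(events, threshold=5):
        contact = abuse_contact_from_whois(SAMPLE_WHOIS)
        print(draft_report(src, events, year=2004, contact=contact), end="\n\n")
```

Run as a script it prints one draft per sustained source. As James notes above, the draft is a starting point for a person to read and edit before it goes out, not something to mail unattended; the excerpt is capped at a handful of lines for the same reason, so the recipient sees evidence rather than a log dump.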
Current thread:
- Re: PHP injection attempt from 200.222.244.154 Jez Hancock (Dec 06)
- Re: PHP injection attempt from 200.222.244.154 Barrie Dempster (Dec 07)
- Re: PHP injection attempt from 200.222.244.154 Jez Hancock (Dec 08)
- Re: PHP injection attempt from 200.222.244.154 Jez Hancock (Dec 09)
- Re: PHP injection attempt from 200.222.244.154 James Eaton-Lee (Dec 17)
- Re: PHP injection attempt from 200.222.244.154 Jez Hancock (Dec 08)
- Re: PHP injection attempt from 200.222.244.154 Barrie Dempster (Dec 07)