26-Dec-2006

All quiet on the mail and login front

No remarks in operator.log, no newly banned accesses in accounting.dat… Just the ever-growing volume of unsolicited mail that gets blocked – and the ever-growing number of spoofed (or hacked) sender addresses that cannot be filtered out without scanning the subject and content of the messages.
Phishing
Two phishing attempts, both claiming to come from eBay. Examining the HTML, however, showed that some of the links point to an encoded (and therefore suspicious) address.
Webserver abuse
The web server once again seems to be a nice challenge for someone:

211.239.241.23 - - [15/Dec/2006:19:31:15 +0100] "GET / HTTP/1.0" 200 3147
211.239.241.23 - - [15/Dec/2006:19:31:22 +0100] "OPTIONS / HTTP/1.0" 200 172
211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "OPTIONS /" 501 694
211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:29 +0100] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 864
211.239.241.23 - - [15/Dec/2006:19:31:29 +0100] "- -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:30 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:35 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:41 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:46 +0100] "HELP -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:47 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:52 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:57 +0100] "default -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:58 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:03 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:08 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:14 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:19 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:24 +0100] "< NTP/1.0" 501 694
211.239.241.23 - - [15/Dec/2006:19:32:25 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:30 +0100] "- -" 0 0
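
As an added example (not code from the original post), here is a small Python script that parses common-log-format lines like the ones above and flags requests no browser would send: non-HTTP methods, empty request lines, requests without an HTTP version, percent-encoded paths, and requests the server rejected with 400 or 501. The sample log is built from a subset of the lines in the excerpt above plus two constructed, ordinary requests from the documentation address 192.0.2.10; the reason strings and the per-host threshold are my own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common log format:  host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d+) (?P<bytes>\d+|-)$'
)

# Methods a normal HTTP/1.x client may use; anything else is a probe or garbage.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample: lines from the excerpt above plus two benign requests
# from 192.0.2.10 (a documentation address, not a real client).
SAMPLE_LOG = [
    '211.239.241.23 - - [15/Dec/2006:19:31:15 +0100] "GET / HTTP/1.0" 200 3147',
    '211.239.241.23 - - [15/Dec/2006:19:31:22 +0100] "OPTIONS / HTTP/1.0" 200 172',
    '211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "OPTIONS /" 501 694',
    '211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "- -" 0 0',
    '211.239.241.23 - - [15/Dec/2006:19:31:29 +0100] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 864',
    '211.239.241.23 - - [15/Dec/2006:19:31:46 +0100] "HELP -" 400 870',
    '211.239.241.23 - - [15/Dec/2006:19:31:57 +0100] "default -" 400 870',
    '211.239.241.23 - - [15/Dec/2006:19:32:24 +0100] "< NTP/1.0" 501 694',
    '192.0.2.10 - - [15/Dec/2006:19:40:01 +0100] "GET /index.html HTTP/1.1" 200 3147',
    '192.0.2.10 - - [15/Dec/2006:19:40:02 +0100] "GET /style.css HTTP/1.1" 200 512',
]


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like a scanner probe rather than a browser.

    An empty list means the request looks ordinary.
    """
    reasons = []
    parts = rec["request"].split()
    method = parts[0] if parts else ""

    if method not in STANDARD_METHODS:
        # "- -", "HELP -", "default -", "< NTP/1.0": not HTTP at all
        reasons.append(f"non-HTTP method {method!r}")
    elif len(parts) == 2:
        # e.g. "OPTIONS /" without a protocol version (HTTP/0.9 style)
        reasons.append("missing HTTP version")

    if rec["status"] in (400, 501):
        reasons.append(f"server rejected request ({rec['status']})")

    if len(parts) >= 2 and "%" in parts[1]:
        decoded = unquote(parts[1])
        if decoded != parts[1]:
            # Encoded paths hide what is really being requested; show the decoded form.
            reasons.append(f"percent-encoded path decodes to {decoded!r}")

    return reasons


def summarize(lines, threshold=3):
    """Group requests by client address and return hosts with at least `threshold` suspicious ones."""
    by_host = defaultdict(lambda: {"total": 0, "suspicious": 0, "reasons": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in common log format
        entry = by_host[rec["host"]]
        entry["total"] += 1
        reasons = classify(rec)
        if reasons:
            entry["suspicious"] += 1
            entry["reasons"].extend(reasons)
    return {host: e for host, e in by_host.items() if e["suspicious"] >= threshold}


if __name__ == "__main__":
    for host, entry in summarize(SAMPLE_LOG).items():
        print(f"{host}: {entry['suspicious']} of {entry['total']} requests look like probes")
        for reason in sorted(set(entry["reasons"])):
            print(f"  - {reason}")
```

Run against a real access log, the script reads lines from a file instead of SAMPLE_LOG; the threshold keeps a single mistyped request from a legitimate visitor from showing up, while a scanner walking through its probe list trips it within seconds, as the timestamps in the excerpt show.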

According to WHOIS this is a Korean address, but there seems to be no domain connected to it. dig can't resolve it either:
$ dig -x 211.239.241.23

; <<>> DiG 9.2.1 <<>> -x 211.239.241.23
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33783
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;23.241.239.211.in-addr.arpa.	IN	PTR

;; Query time: 2715 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 26 11:32:53 2006
;; MSG SIZE  rcvd: 45

$

SERVFAIL? No, this is NOT an error on Diana: digging the address of www.hp.com, for instance, does give a valid answer. So the address has most likely never been registered in reverse DNS.
