[Intrusions] SSH brute forcers
security.alerts at dynamicnet.net
Mon Jun 6 14:06:49 GMT 2005
Greetings CJ:
Do you have a copy of your "nasty gram" you can share?
Also, in hand testing:
1. RIPE WHOIS and ARIN's WHOIS format the email differently.
In RIPE, it is "e-mail:"
In ARIN's, it is "email:"
So searching for "mail:" rather than "e-mail:" will produce better results.
I did not check APNIC or LACNIC to see if they format the information differently.
2. And this is where I'm stuck:
If I run
host 193.110.122.42
I get
Host 42.122.110.193.in-addr.arpa not found: 3(NXDOMAIN)
for which your script would not have tried to send out a "nasty gram" email.
Yet, if I do
whois 193.110.122.42
I get
[Querying whois.ripe.net]
[whois.ripe.net]
and the rest of the WHOIS including
person: Barbara Sarnacka
e-mail: barbara.sarnacka at tpi.pl
So it appears the "host" test was inaccurate.
I'm not sure of the entire reasoning behind the "host" test (cut down on WHOIS calls so the IP doing the WHOIS is not blocked as an offender?), but I can see the purpose as in
host 216.141.251.242
Host 242.251.141.216.in-addr.arpa not found: 3(NXDOMAIN)
whois 216.141.251.242
[Querying whois.arin.net]
[whois.arin.net]
Broadwing Communications, Inc. BROADWING-NET (NET-216-140-0-0-1)
216.140.0.0 - 216.143.255.255
Application Objects, Inc. BRW-2586-APPLICATION (NET-216-141-251-0-1)
216.141.251.0 - 216.141.251.255
# ARIN WHOIS database, last updated 2005-06-05 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Which brings the question of whether there is then a way to do the following in the script if you get the above:
whois NET-216-141-251-0-1
which would get you (edited for brevity's sake):
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Application Objects, Inc.
TechEmail: hostmaster at broadwing.com
OrgTechEmail: hostmaster at broadwing.com
Thank you.
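Added example (not the list's or the poster's script) covering the two points raised above: match any key that ends in "mail:" so RIPE's "e-mail:" and ARIN's "email:"/"TechEmail:" variants all hit, and when ARIN answers with only a summary listing, follow the most specific NET handle with a second query. The WHOIS text is constructed sample data, and FAKE_WHOIS is a hypothetical stand-in for running the real whois command.

```python
import ipaddress
import re
from typing import Callable, List, Optional

# Constructed sample WHOIS output in the RIPE style (key is "e-mail:").
RIPE_SAMPLE = """\
person:   Example Contact
e-mail:   abuse@example.net
"""
# Constructed ARIN summary: the parent allocation plus a more specific reassignment.
ARIN_SUMMARY = """\
Example Carrier, Inc. EXAMPLE-NET (NET-203-0-113-0-1) 203.0.113.0 - 203.0.113.255
Example Customer LLC EX-CUST (NET-203-0-113-128-1) 203.0.113.128 - 203.0.113.191
"""
# Constructed ARIN detail record for the reassignment (keys end in "Email:").
ARIN_DETAIL = """\
OrgName:      Example Customer LLC
TechEmail:    hostmaster@example.org
OrgTechEmail: abuse@example.org
"""
# Hypothetical stand-in for running the real "whois" command, so this runs offline.
FAKE_WHOIS = {"198.51.100.7": RIPE_SAMPLE, "203.0.113.150": ARIN_SUMMARY,
              "NET-203-0-113-128-1": ARIN_DETAIL}

# Any key ending in "mail" before the colon: "e-mail:", "email:", "TechEmail:", ...
EMAIL_RE = re.compile(r"^\s*\S*mail\s*:\s*(\S+@\S+)", re.IGNORECASE | re.MULTILINE)
# "(NET-handle) start - end" entries in an ARIN summary listing.
NET_RE = re.compile(r"\((NET-[\w-]+)\)\s+([\d.]+)\s*-\s*([\d.]+)")

def extract_emails(text: str) -> List[str]:
    """Return contact addresses in order of appearance, without duplicates."""
    return list(dict.fromkeys(m.group(1).rstrip(".,;") for m in EMAIL_RE.finditer(text)))

def most_specific_net_handle(text: str) -> Optional[str]:
    """Pick the NET handle whose range is smallest, i.e. the customer reassignment."""
    best = None
    for handle, start, end in NET_RE.findall(text):
        size = int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start))
        if best is None or size < best[0]:
            best = (size, handle)
    return best[1] if best else None

def find_contacts(ip: str, whois: Callable[[str], Optional[str]] = FAKE_WHOIS.get) -> List[str]:
    """Look up an IP; if the answer is only an ARIN summary, follow the NET handle."""
    text = whois(ip) or ""
    emails = extract_emails(text)
    if not emails:
        handle = most_specific_net_handle(text)
        if handle:
            emails = extract_emails(whois(handle) or "")
    return emails
```

Note that the "mail:" pattern does not catch RIPE's "abuse-mailbox:" key, so a real script should add that key explicitly.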