[Intrusions] SSH Brute forcers

kenneth gf brown ken at shadowplay.net
Thu Jun 9 23:12:20 GMT 2005


kudos! 

this version works MUCH better
(It actually runs hehehe) 

is there a way you can do a placeholder
so that only new items since the last tattle
are processed ?


also.. I might point out... 

http://www.abuse.net/using.phtml

may be a better solution to your whois lookups... 
i.e. only do whois on FAILED lookups at abuse.net

with this... snipped from the above page...

This snippet of perl code will do the lookup and return an array containing
the contact addresses: 

--->snip 

# look up contacts from abuse.net
use Net::DNS;

sub ablookup {
    my ($domain) = @_;
    my ($res, $query, @r);

    $res = Net::DNS::Resolver->new;
    while (1) {
        # abuse.net publishes the contacts as TXT records under
        # <domain>.contacts.abuse.net
        $query = $res->search("$domain.contacts.abuse.net", "TXT");
        if ($query) {
            my $rr;

            # collect every TXT string in the answer section
            foreach $rr ($query->answer) {
                push @r, $rr->txtdata if $rr->type eq "TXT";
            }
            return @r;
        } else { # Net::DNS rejects special characters, strip off
                 # subdomains and see if a parent domain works
            if ($domain =~ m{^[^.]+\.([^.]+\..+)}) {
                $domain = $1;
            } else {
                die "Cannot lookup contacts for $domain";
            }
        }
    }
}
<---snip


just a thought... 
faster, and less chance of a heavily hit site 
being blacklisted... 

kenneth gf brown
ceo shadowplay.net
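
The "placeholder" asked about above, as an added example that is not code from the original post or from tattle: a small Python pass that records the byte offset and inode of the auth log in a state file, reads only the lines appended since the previous run, starts over when the log has been rotated or truncated, and tallies failed SSH logins per source address. The log lines, file names and the sshd message wording are constructed assumptions, not taken from tattle.

```python
import json
import os
import re
import tempfile
from collections import Counter

# Constructed sample of sshd lines in syslog format (assumed typical OpenSSH wording;
# the original post does not show tattle's own parser). RFC 5737 test addresses.
SAMPLE_LOG = (
    "Jun  9 22:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2\n"
    "Jun  9 22:01:05 host sshd[1235]: Failed password for root from 192.0.2.10 port 4023 ssh2\n"
    "Jun  9 22:02:11 host sshd[1240]: Accepted publickey for ken from 198.51.100.5 port 5000 ssh2\n"
)
APPENDED_LINE = "Jun  9 22:05:00 host sshd[1250]: Failed password for root from 203.0.113.7 port 6000 ssh2\n"

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def load_state(state_path):
    """Read the marker left by the previous run; a missing or damaged file means 'start over'."""
    try:
        with open(state_path) as fh:
            return json.load(fh)
    except (FileNotFoundError, ValueError):
        return {"inode": None, "offset": 0}


def save_state(state_path, inode, offset):
    """Write the marker atomically so an interrupted run never leaves a half-written file."""
    tmp = state_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"inode": inode, "offset": offset}, fh)
    os.replace(tmp, state_path)


def new_lines(log_path, state_path):
    """Yield only the complete lines appended since the last run, then advance the marker."""
    state = load_state(state_path)
    st = os.stat(log_path)
    offset = state["offset"]
    # A different inode means the log was rotated; a shorter file means it was
    # truncated. Either way the old offset is meaningless, so read from the top.
    if state["inode"] != st.st_ino or st.st_size < offset:
        offset = 0
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    # Stop at the last newline: a partially written final line waits for the next run.
    end = data.rfind(b"\n") + 1
    for raw in data[:end].splitlines():
        yield raw.decode("utf-8", "replace")
    save_state(state_path, st.st_ino, offset + end)


def count_failures(lines):
    """Tally failed SSH logins per source address over the given lines."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def run(log_path, state_path):
    """One pass: process only what is new since the marker and return failures per IP."""
    return count_failures(new_lines(log_path, state_path))


def demo():
    """Three passes over a growing log (constructed data); returns the per-pass tallies."""
    results = []
    with tempfile.TemporaryDirectory() as workdir:
        log = os.path.join(workdir, "auth.log")
        state = os.path.join(workdir, "tattle.state")
        with open(log, "w") as fh:
            fh.write(SAMPLE_LOG)
        results.append(run(log, state))   # first pass: both failures from 192.0.2.10
        results.append(run(log, state))   # nothing new, so nothing reported
        with open(log, "a") as fh:
            fh.write(APPENDED_LINE)
        results.append(run(log, state))   # only the appended line is seen
    return results


if __name__ == "__main__":
    for i, tally in enumerate(demo(), 1):
        print(f"pass {i}: {dict(tally)}")
```

Deleting the state file forces a full pass; the inode check is what keeps the marker honest across logrotate, and stopping at the last newline avoids reporting a half-written line twice.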



> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of C.J. 
> Steele, CISSP
> Sent: June 7, 2005 06:15
> To: intrusions at lists.sans.org
> Subject: Re: [Intrusions] SSH Brute forcers
> 
> 
> I've made a few bug fixes to `tattle` (including one that
> might prevent it from working at all on some systems), and 
> would readily accept more peer review of this, if any of you 
> are interested.  You can get the latest from 
> http://sodaphish.com/files/tattle
> 
> Those of you who have already provided feedback: please check
> the latest for fixes to your bugs.
> 
> Cheers,
> -C
> 
> --
> C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org 
> http://www.dshield.org/mailman/listinfo/intrusions
> 
