This is a discussion on Re: Kornet's Last Hack within the Linux Security forums, part of the System Security and Security Related category.
What are the ranges you are blocking? Is there a "de facto" place to download a list of subnets that are "bad" or you should never receive any packets from? I thought IANA had a list but I can't find it.

Paul

jayjwa wrote:
| I was going thru logs today and I found that some asshole from Thrunet,
| 210.94.86.186 actually, had tried to brute force my ftp server's root
| account (yeah, if it had one :P ). Anyways, I'm sick and tired of this
| nation of system crackers and spammers who do nothing but cause trouble
| for the rest of the Internet all day long. Some say that their own machines
| are rooted and used for attacks, but to me it makes no difference: they
| still let it go on by doing nothing about it. They never answer abuse
| emails, if they even have one. Today they're getting what they deserved
| long ago: total blacklisting. If you're sick of these idiots too, and
| have had your machine attacked one too many times, cut out the below shell
| script and run it for iptables. This is core IP space of Kornet; there's
| some more but it overlaps other areas. Note also that this isn't the
| result of one incident, but months and months of similar incidents.
|
| #!/bin/sh
| ## kornhole_kornet.sh
| ##
| ## This is my way of saying Thanks to this nation of
| ## script kiddies, crackers, and spammers. Special thanks
| ## to the asshat at 210.94.86.186 (thrunet) and his little
| ## play time on my server today. Hint: We don't allow 'root'.
| ## Period.
| ##
| ## Usage: Run your normal firewall scripts then run this
| ## anytime you don't feel like getting hacked or spammed.
| ## Save the whole thing with iptables-save and restore with
| ## iptables-restore.
|
| iptables -A INPUT -s 59.0.0.0/11 -j DROP
| iptables -A INPUT -s 60.196.0.0/15 -j DROP
| iptables -A INPUT -s 61.32.0.0/13 -j DROP
| iptables -A INPUT -s 61.40.0.0/14 -j DROP
| iptables -A INPUT -s 61.72.0.0/13 -j DROP
| iptables -A INPUT -s 61.80.0.0/14 -j DROP
| iptables -A INPUT -s 61.84.0.0/15 -j DROP
| iptables -A INPUT -s 61.96.0.0/12 -j DROP
| iptables -A INPUT -s 61.248.0.0/13 -j DROP
| iptables -A INPUT -s 128.134.0.0/16 -j DROP
| iptables -A INPUT -s 129.254.0.0/16 -j DROP
| iptables -A INPUT -s 134.75.0.0/16 -j DROP
| iptables -A INPUT -s 137.68.0.0/16 -j DROP
| iptables -A INPUT -s 141.223.0.0/16 -j DROP
| iptables -A INPUT -s 143.248.0.0/16 -j DROP
| iptables -A INPUT -s 147.6.0.0/16 -j DROP
| iptables -A INPUT -s 147.43.0.0/16 -j DROP
| iptables -A INPUT -s 147.46.0.0/15 -j DROP
| iptables -A INPUT -s 150.150.0.0/16 -j DROP
| iptables -A INPUT -s 150.183.0.0/16 -j DROP
| iptables -A INPUT -s 152.99.0.0/16 -j DROP
| iptables -A INPUT -s 152.149.0.0/16 -j DROP
| iptables -A INPUT -s 154.10.0.0/16 -j DROP
| iptables -A INPUT -s 155.230.0.0/16 -j DROP
| iptables -A INPUT -s 156.147.0.0/16 -j DROP
| iptables -A INPUT -s 157.197.0.0/16 -j DROP
| iptables -A INPUT -s 158.44.0.0/16 -j DROP
| iptables -A INPUT -s 161.122.0.0/16 -j DROP
| iptables -A INPUT -s 163.152.0.0/16 -j DROP
| iptables -A INPUT -s 163.180.0.0/16 -j DROP
| iptables -A INPUT -s 163.239.0.0/16 -j DROP
| iptables -A INPUT -s 164.124.0.0/15 -j DROP
| iptables -A INPUT -s 165.132.0.0/15 -j DROP
| iptables -A INPUT -s 165.141.0.0/16 -j DROP
| iptables -A INPUT -s 165.186.0.0/16 -j DROP
| iptables -A INPUT -s 165.194.0.0/16 -j DROP
| iptables -A INPUT -s 165.213.0.0/16 -j DROP
| iptables -A INPUT -s 165.229.0.0/16 -j DROP
| iptables -A INPUT -s 165.243.0.0/16 -j DROP
| iptables -A INPUT -s 165.244.0.0/16 -j DROP
| iptables -A INPUT -s 165.246.0.0/16 -j DROP
| iptables -A INPUT -s 166.79.0.0/16 -j DROP
| iptables -A INPUT -s 166.103.0.0/16 -j DROP
| iptables -A INPUT -s 166.104.0.0/16 -j DROP
| iptables -A INPUT -s 166.125.0.0/16 -j DROP
| iptables -A INPUT -s 168.78.0.0/16 -j DROP
| iptables -A INPUT -s 168.115.0.0/16 -j DROP
| iptables -A INPUT -s 168.126.0.0/16 -j DROP
| iptables -A INPUT -s 168.131.0.0/16 -j DROP
| iptables -A INPUT -s 168.154.0.0/16 -j DROP
| iptables -A INPUT -s 168.188.0.0/16 -j DROP
| iptables -A INPUT -s 168.219.0.0/16 -j DROP
| iptables -A INPUT -s 168.248.0.0/15 -j DROP
| iptables -A INPUT -s 169.140.0.0/16 -j DROP
| iptables -A INPUT -s 192.5.90.0/24 -j DROP
| iptables -A INPUT -s 192.100.2.0/24 -j DROP
| iptables -A INPUT -s 192.104.15.0/24 -j DROP
| iptables -A INPUT -s 192.132.15.0/24 -j DROP
| iptables -A INPUT -s 192.132.247.0/24 -j DROP
| iptables -A INPUT -s 192.132.248.0/22 -j DROP
| iptables -A INPUT -s 192.195.39.0/24 -j DROP
| iptables -A INPUT -s 192.195.40.0/24 -j DROP
| iptables -A INPUT -s 192.203.138.0/23 -j DROP
| iptables -A INPUT -s 192.203.140.0/22 -j DROP
| iptables -A INPUT -s 192.203.144.0/23 -j DROP
| iptables -A INPUT -s 192.203.146.0/24 -j DROP
| iptables -A INPUT -s 192.245.249.0/24 -j DROP
| iptables -A INPUT -s 192.245.250.0/23 -j DROP
| iptables -A INPUT -s 192.249.16.0/20 -j DROP
| iptables -A INPUT -s 202.6.95.0/24 -j DROP
| iptables -A INPUT -s 202.14.103.0/24 -j DROP
| iptables -A INPUT -s 202.14.165.0/24 -j DROP
| iptables -A INPUT -s 202.20.82.0/23 -j DROP
| iptables -A INPUT -s 202.20.84.0/23 -j DROP
| iptables -A INPUT -s 202.20.86.0/24 -j DROP
| iptables -A INPUT -s 202.20.99.0/24 -j DROP
| iptables -A INPUT -s 202.20.119.0/24 -j DROP
| iptables -A INPUT -s 202.20.128.0/17 -j DROP
| iptables -A INPUT -s 202.21.0.0/21 -j DROP
| iptables -A INPUT -s 202.30.0.0/15 -j DROP
| iptables -A INPUT -s 202.189.128.0/20 -j DROP
| iptables -A INPUT -s 203.224.0.0/11 -j DROP
| iptables -A INPUT -s 210.80.96.0/19 -j DROP
| iptables -A INPUT -s 210.90.0.0/15 -j DROP
| iptables -A INPUT -s 210.92.0.0/14 -j DROP
| iptables -A INPUT -s 210.94.86.0/24 -j DROP
| iptables -A INPUT -s 210.96.0.0/11 -j DROP
| iptables -A INPUT -s 210.178.0.0/15 -j DROP
| iptables -A INPUT -s 210.180.0.0/14 -j DROP
| iptables -A INPUT -s 210.204.0.0/14 -j DROP
| iptables -A INPUT -s 210.216.0.0/13 -j DROP
| iptables -A INPUT -s 211.32.0.0/11 -j DROP
| iptables -A INPUT -s 211.104.0.0/13 -j DROP
| iptables -A INPUT -s 211.112.0.0/13 -j DROP
| iptables -A INPUT -s 211.168.0.0/13 -j DROP
| iptables -A INPUT -s 211.176.0.0/12 -j DROP
| iptables -A INPUT -s 211.192.0.0/10 -j DROP
| iptables -A INPUT -s 218.36.0.0/14 -j DROP
| iptables -A INPUT -s 218.48.0.0/13 -j DROP
| iptables -A INPUT -s 218.101.128.0/17 -j DROP
| iptables -A INPUT -s 218.144.0.0/12 -j DROP
| iptables -A INPUT -s 218.232.0.0/13 -j DROP
| iptables -A INPUT -s 219.240.0.0/15 -j DROP
| iptables -A INPUT -s 219.248.0.0/13 -j DROP
| iptables -A INPUT -s 220.64.0.0/11 -j DROP
| iptables -A INPUT -s 220.103.0.0/16 -j DROP
| iptables -A INPUT -s 220.116.0.0/14 -j DROP
| iptables -A INPUT -s 220.120.0.0/13 -j DROP
| iptables -A INPUT -s 220.149.0.0/16 -j DROP
| iptables -A INPUT -s 221.138.0.0/15 -j DROP
| iptables -A INPUT -s 221.140.0.0/14 -j DROP
| iptables -A INPUT -s 221.144.0.0/12 -j DROP
| iptables -A INPUT -s 221.160.0.0/13 -j DROP
| iptables -A INPUT -s 221.168.0.0/16 -j DROP
| iptables -A INPUT -s 222.96.0.0/12 -j DROP
| iptables -A INPUT -s 222.112.0.0/13 -j DROP
| iptables -A INPUT -s 222.120.0.0/15 -j DROP
| iptables -A INPUT -s 222.122.0.0/16 -j DROP
| iptables -A INPUT -s 222.231.0.0/18 -j DROP
| iptables -A INPUT -s 222.232.0.0/13 -j DROP
On Wed, 24 Nov 2004 12:58:35 +0000, paul Morriss blurted:
> What are the ranges you are blocking? Is there a "de facto" place to
> download a list of subnets that are "bad" or you should never receive
> any packets from? I thought IANA had a list but I can't find it.

http://www.blackholes.us/zones/country/korea.txt

-- 
Spamming this account signifies your unqualified consent to a free security audit
spammersarevermin <spammersarevermin@krumpli.com> wrote:
> On Wed, 24 Nov 2004 12:58:35 +0000, paul Morriss blurted:
>
> > What are the ranges you are blocking? Is there a "de facto" place to
> > download a list of subnets that are "bad" or you should never receive
> > any packets from? I thought IANA had a list but I can't find it.
>
> http://www.blackholes.us/zones/country/korea.txt

Thanks. I lost the bookmark on that.

For reference, the entire APNIC ranges are
60-61. 202-203. 210-211. 218-222.

-- 
William Park <opengeometry@yahoo.ca>
Linux solution for data management and processing.
In article <30mjm5F2vp1bmU1@uni-berlin.de>, William Park wrote:
> spammersarevermin <spammersarevermin@krumpli.com> wrote:
> > http://www.blackholes.us/zones/country/korea.txt
>
> Thanks. I lost the bookmark on that.
>
> For reference, the entire APNIC ranges are
> 60-61. 202-203. 210-211. 218-222.

Has anyone got a zone file or iptables script for APNIC minus Australia and New Zealand?

Cameron
In article <30mjm5F2vp1bmU1@uni-berlin.de>, William Park wrote:
> For reference, the entire APNIC ranges are
> 60-61. 202-203. 210-211. 218-222.

[compton ~]$ zgrep APNIC rfcs/ipv4-address-space.Aug.03.2004.gz
058/8   Apr 04   APNIC (whois.apnic.net)
059/8   Apr 04   APNIC (whois.apnic.net)
060/8   Apr 03   APNIC (whois.apnic.net)
061/8   Apr 97   APNIC (whois.apnic.net)
202/8   May 93   APNIC (whois.apnic.net)
203/8   May 93   APNIC (whois.apnic.net)
210/8   Jun 96   APNIC (whois.apnic.net)
211/8   Jun 96   APNIC (whois.apnic.net)
218/8   Dec 00   APNIC (whois.apnic.net)
219/8   Sep 01   APNIC (whois.apnic.net)
220/8   Dec 01   APNIC (whois.apnic.net)
221/8   Jul 02   APNIC (whois.apnic.net)
222/8   Feb 03   APNIC (whois.apnic.net)
[compton ~]$

http://www.iana.org/assignments/ipv4-address-space

But that's only at the /8 level. APNIC has allocations in _other_ blocks as well. As of the first of November:

[compton ~]$ zcat IP.ADDR/stats/APNIC.gz | cut -d' ' -f2 | cut -d'.' -f1 | uniq -c | column
     30 59        23 138        5 151         6 162      2884 202
     49 60        15 139       14 152        59 163      3678 203
    197 61        28 140        3 153        20 164       378 210
      3 128        8 141        3 154        42 165       142 211
      9 129       19 143       11 155        15 166       130 218
     18 130       26 144       10 156        11 167        67 219
     14 131       14 146       68 157        24 168        74 220
      6 132       20 147       30 158         2 169        79 221
     14 134        4 148       12 159         4 170        87 222
      5 136        6 149       67 160        17 196
     14 137       99 150       26 161        97 198
[compton ~]$ zcat IP.ADDR/stats/APNIC.gz | head -5
KR 59.0.0.0 255.224.0.0 allocated
TW 59.104.0.0 255.254.0.0 allocated
JP 59.106.0.0 255.255.0.0 allocated
CN 59.107.0.0 255.255.128.0 allocated
CN 59.108.0.0 255.254.0.0 allocated
Broken pipe
[compton ~]$

Also, ARIN is still allocating some blocks to Asian areas.

[compton ~]$ zcat IP.ADDR/stats/ARIN.gz | egrep -c '(CN|JP|KR|TW)'
212
[compton ~]$

Old guy
In article <slrncqcepf.6q3.spambait@truffula.sj.ca.us>,
Cameron L. Spitzer wrote:
> Has anyone got a zone file or iptables script for APNIC minus
> Australia and New Zealand?

That would be a bit of a problem, as APNIC scatters countries all over the blocks they own, and as noted in my reply to William Park, Asian ISPs also get blocks from ARIN. You could download the zone files from the RIRs (they all seem to mirror each other - try

ftp://ftp.arin.net/pub/stats/
ftp://ftp.apnic.net/public/apnic/stats/apnic
ftp://ftp.ripe.net/ripe/stats/
ftp://ftp.lacnic.net/pub/stats/lacnic/

and look for "delegated-<registry>-latest", where <registry> is one of apnic, arin, lacnic, ripencc). You're looking at a total of maybe 6.5 Megs.

Old guy
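The delegated-stats files mentioned above are pipe-separated, with one address count per row rather than a netmask, and a count is not always a power of two, so turning them into rules takes more than a text substitution. The following is an added example (not code from any poster in this thread) that parses that format, picks countries by inclusion or exclusion (so it answers both "block KR" and "APNIC minus AU and NZ"), merges adjacent blocks, and emits iptables rules in the same style as the script quoted earlier; the sample rows are constructed and the format assumed is the public `registry|cc|type|start|value|date|status` layout.

```python
"""Build iptables DROP rules from an RIR "delegated-<registry>-latest" file.

Added example for this thread (not code from any poster). It assumes the
public delegated-stats format: registry|cc|type|start|value|date|status,
where for ipv4 rows `value` is an address count that need not be a power of two.
"""
import ipaddress

# Constructed sample in delegated-stats format; the counts are illustrative only.
SAMPLE_STATS = """\
2|apnic|20041101|5|19830101|20041031|+1000
apnic|*|ipv4|*|4|summary
apnic|KR|ipv4|59.0.0.0|2097152|20040405|allocated
apnic|KR|ipv4|210.94.86.0|768|19990101|assigned
apnic|AU|ipv4|203.0.0.0|65536|19940101|allocated
apnic|NZ|ipv4|202.27.0.0|65536|19940101|allocated
apnic|JP|ipv6|2001:200::|32|19990813|allocated
"""


def count_to_networks(start, count):
    """Split `count` addresses from `start` into aligned CIDR blocks (768 -> /23 + /24)."""
    first = ipaddress.IPv4Address(start)
    return list(ipaddress.summarize_address_range(first, first + (count - 1)))


def parse_delegated(text, include=None, exclude=frozenset()):
    """Return merged IPv4 networks for the chosen country codes.

    include=None takes every country in the file (e.g. all of APNIC), and
    exclude removes codes from that set ("APNIC minus AU and NZ").
    """
    nets = []
    for line in text.splitlines():
        fields = line.split("|")
        # Skip the version header, summary rows, comments and non-IPv4 records.
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        _registry, cc, _type, start, value, _date, status = fields[:7]
        if status not in ("allocated", "assigned"):
            continue
        if (include is None or cc in include) and cc not in exclude:
            nets.extend(count_to_networks(start, int(value)))
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(networks, chain="INPUT"):
    """One DROP rule per network, matching the style of the script in the thread."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    print("\n".join(iptables_rules(parse_delegated(SAMPLE_STATS, exclude={"AU", "NZ"}))))
```

Run against a real `delegated-apnic-latest` the output is several thousand rules, which is where the thread's one-rule-per-subnet approach starts to hurt lookup time; feeding the same networks into an ipset `hash:net` set and matching it with a single rule keeps the chain short.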
Is it possible to block entire countries from access to your machine?
Personally, I would like to block Korea, China and Latvia as the sources of most of the skript kiddies' attacks on my machine. Kornet, while being a pain in the butt, is not the only problem.

-- 
Jafar Calley
-----BEGIN GEEK CODE BLOCK-----
d+ s-:+ a C++++ L++ E--- W++ N++ w-- PE- t* 5++ R+ !tv D+ G e* h---- x?
------END GEEK CODE BLOCK------
Registered Linux User #359623
http://fatcat.homelinux.org
On 2004-11-25, Cameron L. Spitzer <spambait@merde.greens.org> wrote:
> In article <30mjm5F2vp1bmU1@uni-berlin.de>, William Park wrote:
>
> Has anyone got a zone file or iptables script for APNIC minus
> Australia and New Zealand?

http://ip.ludost.net/ is rather handy I have always found.

Sounds like you want this for billing purposes more than anything. I hear Aussies/Kiwis get charged for international traffic; unlike us Poms. :)

Cheers

Alex
In article <10qhh77qvq6csc6@corp.supernews.com>, Alexander Clouter wrote:
> On 2004-11-25, Cameron L. Spitzer <spambait@merde.greens.org> wrote:
> > In article <30mjm5F2vp1bmU1@uni-berlin.de>, William Park wrote:
> >
> > Has anyone got a zone file or iptables script for APNIC minus
> > Australia and New Zealand?
>
> http://ip.ludost.net/ is rather handy I have always found.

Wow, thanks!

> Sounds like you want this for billing purposes more than anything. I hear
> Aussies/Kiwis get charged for international traffic; unlike us Poms. :)

Nope. Except for .AU, .NZ, and a couple of penpals and one mailing list in Japan, *all* the port 25 connections I see from APNIC space, for months at a time, are abusive. The largest ISPs in South Korea and PRC provide safe hosting for the handful of spam gangs responsible for at least 85% of spam arriving here. Made in China Italian Rolex, anyone? Getting back to you about that mortgage application... How about some "OEM" proprietary software for pennies on the dollar? Chances are that's Alan Ralsky working out of his mansion outside Detroit but hosted safely on Hanaro, China Netcom, and China Railway. Even when it's sent from a zombie on SBC or Verizon, instead of directly from Hanaro or Chinanet, that abuse depends for its economic success on "bullet-proof hosting" in APNIC space.

The combination of corruption and incompetence in the giant Asian ISPs renders any concept of "acceptable use" meaningless. But AT&T and MCI and Savvis and MFN are not about to enforce their contracts and de-peer them, because they're nearly as corrupt, so it is up to more responsibly run networks to wall the rogues off.

And what I said about .KR and .CN goes for Turkey, Israel, Taiwan, Nigeria, and Russia as well. If there is a responsibly run ISP in any of those nations, I have yet to hear of it. If they connect, they're sending spam or probing for ways to send spam. Wall them off and forget about them. Better at the router or iptables than after they've connected to a socket on my server.

Non-criminals in those nations will learn to use email hosts off-shore until significant changes occur.

Cameron
On 2004-11-27, Cameron L. Spitzer <spambait@merde.greens.org> wrote:
> If there is a responsibly run ISP in any of those nations, I have yet
> to hear of it.

If you are not getting any traffic from them, would it not imply that they run responsibly? :-)

Another target to block is DUL, but it is really annoying being targeted just because fixed IP bandwidth is cost prohibitive.

/Allan