{"id":368,"date":"2009-04-14T16:00:41","date_gmt":"2009-04-14T14:00:41","guid":{"rendered":"http:\/\/robert.kolatzek.org\/wblog\/?p=368"},"modified":"2009-04-14T16:00:41","modified_gmt":"2009-04-14T14:00:41","slug":"ein-neues-bot-netz-schlagt-zu","status":"publish","type":"post","link":"https:\/\/blog.kolatzek.org\/wblog\/368\/ein-neues-bot-netz-schlagt-zu","title":{"rendered":"A new botnet strikes"},"content":{"rendered":"<p>I'm not sure whether this is Conficker (Downup, Downadup, Kido), but several hundred servers are trying to deliver e-mails to made-up names on my server. You can recognise it by your own server's reply: <em>550 5.1.1 &lt;Ahmed-dlottsri@server&gt;: Recipient address rejected<\/em><!--more--><\/p>\n<p>Since it was so much fun with sshdeny, I'm making a similar list here. At <a title=\"SMTP botnet - list of IPs\" href=\"http:\/\/robert.kolatzek.org\/smtp-botnet.txt\">smtp-botnet.txt<\/a> I'm providing you with a list of machines that are presumably organised in a large network and are (so I suspect) trying to discover the names of system users by means of fake e-mails, in order to use them later for an SSH attack. But be careful! Don't simply copy the IPs into \/etc\/hosts.deny (e.g. as \"ALL:[ip]\"). They may be dynamic addresses (though those may be locked out, since they aren't real servers) or even friendly servers from which you expect e-mail&#8230;<\/p>\n<p>How did I create it? Quite simply &#8211; Linux basics!<\/p>\n<pre><code>grep -E '\\[[0-9]{1,3}(\\.[0-9]{1,3}){3}\\]: 550 5\\.' \/var\/log\/mail.info | awk '{ print $10 }' | sed 's\/\\[\/ \/g' | awk '{ print $2 }' | sed 's\/]\/ \/g' | awk '{ print $1 }' | sort -u<\/code><\/pre>\n<p><strong>UPDATE:<\/strong><\/p>\n<p>Someone pointed me to the obvious explanation. Because Google addresses also show up in this list, the botnet idea is rather unlikely. What is quite possible, but not exactly creditable for the owners of these servers: they ignore my <a title=\"Sender Policy Framework - a sensible protection against spam (if everyone takes part)\" href=\"http:\/\/www.openspf.org\/\">SPF<\/a> settings and accept e-mails that claim to come from my server but were not sent by my server. Since these carry a forged sender address and could not be delivered, the bounces now come back &#8211; and precisely to the non-existent addresses! And that is probably the solution to the riddle.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>I'm not sure whether this is Conficker (Downup, Downadup, Kido), but several hundred servers are trying to deliver e-mails to made-up names on my server. You can recognise it by your own server's reply: 550 5.1.1 &lt;Ahmed-dlottsri@server&gt;: Recipient address rejected<\/p>\n","protected":false},
"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_
typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[8],"tags":[52,65,91,96,98,104],"class_list":["post-368","post","type-post","status-publish","format-standard","hentry","category-software","tag-internet","tag-linux","tag-regex","tag-server","tag-sicherheit","tag-spam","entry"],"_links":{"self":[{"href":"https:\/\/blog.kolatzek.org\/wblog\/wp-json\/wp\/v2\/posts\/368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.kolatzek.org\/wblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.kolatze
k.org\/wblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.kolatzek.org\/wblog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.kolatzek.org\/wblog\/wp-json\/wp\/v2\/comments?post=368"}],"version-history":[{"count":0,"href":"https:\/\/blog.kolatzek.org\/wblog\/wp-json\/wp\/v2\/posts\/368\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.kolatzek.org\/wblog\/wp-json\/wp\/v2\/media?parent=368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.kolatzek.org\/wblog\/wp-json\/wp\/v2\/categories?post=368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.kolatzek.org\/wblog\/wp-json\/wp\/v2\/tags?post=368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}