To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Frank Bulk wrote:
> John:
>
> Have you ever thought about opening up your CIDR --> Abuse Email
> converter to the world by exposing it via whois, DNS, or the web?

As an experiment and to learn Twisted Python, I put up a little "whois" server running in my account on an OpenBSD box. I never tried to publish it or anything, and didn't really think anyone would want something like this.

I'm toying around with the idea of taking my current IP block list and making it available by just putting it into a text file...

    004.003-255,[EMAIL PROTECTED]
    012.001-255,[EMAIL PROTECTED]
    017,[EMAIL PROTECTED]
    018,[EMAIL PROTECTED]
    024.000-023,[EMAIL PROTECTED]
    024.024-029,[EMAIL PROTECTED]
    024.030.000-095,[EMAIL PROTECTED]
    024.030.096-127,[EMAIL PROTECTED]
    024.030.128-223,[EMAIL PROTECTED]
    024.030.224-255,[EMAIL PROTECTED]
    024.031.000-031,[EMAIL PROTECTED]
    024.031.032-255,[EMAIL PROTECTED]
    024.033,[EMAIL PROTECTED]
    024.034,[EMAIL PROTECTED]
    024.035.000-127,[EMAIL PROTECTED]
    024.036.000-063,[EMAIL PROTECTED]
    024.037,[EMAIL PROTECTED]
    024.039,[EMAIL PROTECTED]
    < only a partial one >

If you think this is in a usable format to be read into a database, I can release this to the list. Back when it was running, before I put it into a database, it was able to process about 4000 IP addresses, and only about 12 - 30 were not in it. Later on, I used this as input to populate a more intensive database, until I found employment and had to stop working on it. I still did a lot of good documentation, and I have utilities to convert these IP blocks into CIDRs... I'll see if I can dig up cidr_to_range and vice versa. All this was written in Python. I chose Python because of the spamBayes project.

The text file is about 450k in size, and if you want, I can send it to someone who might want to use it as a start. Note, this information is OLD... as the date on this file is Oct 13, 2004.

A little explanation...
To make the lookups blazingly fast, I developed this method of storing IP ranges that allows me to read the entire database into RAM, into Python hash-based dictionaries... Take the line:

    024.031.032-255,[EMAIL PROTECTED]

The IP range would be:

    024.031.032.000 - 024.031.255.255

In this way, I can represent it in a form that easily makes Python dictionaries, as well as giving the ability to "merge" the IP blocks... i.e.: I go out and whois about 30 new ones, then I have a program that merges them, and it knows to combine adjacent IP blocks to make bigger ones... so sometimes, if I get a lot of IP blocks adjacent to what I already have, the merge will actually make the database smaller.

I'm looking for an experienced Python programmer to learn from me and to make this more streamlined....

I did the web-based front end using 3 methods (as an experiment):

1) As a normal web CGI running in "cgi-bin"
2) As a mod_python module inside Apache (for that, I had to use Apache 2 because it would handle threads properly)
3) As a Twisted Python web-based server (avoiding the use of Apache altogether)

Of these three, (2) seemed to have the best performance, but was harder to implement (because of the pain and suffering trying to build Apache with mod_python - versions are critical for a successful install on OpenBSD). I think I would go with (3) this time, because TwistedMatrix now has some really good authentication mechanisms, and since it's in raw packet form it can allow me to have some really inexplicable protocols not used anywhere else, making it insanely difficult to hack.

This is an excerpt of an ISP report card report...
    IP Address       Domain               Num spams
    ==========       ======               =========
    206.71.55.17     galaxyvisions.com    304
    206.71.51.24     galaxyvisions.com    155
    66.109.17.61     galaxyvisions.com    137
    206.221.177.50   arin.net             111   <--- 111 Bogus Whois to ARIN
    218.16.121.18    ns.chinanet.cn.net    81
    200.35.84.45     lacnic.net            74   <--- 74 Bogus Whois to LACNIC
    206.71.63.6      galaxyvisions.com     63
    210.74.232.51    cnnic.net.cn          54
    200.73.172.196   NTZN.COM              53
    61.141.32.45     nic.or.kr             47
    61.141.32.38     nic.or.kr             46

What you are seeing here is the IP address of a specific trojan, its domain or the ISP hosting it, and the number of spams I got from it over a period of about a week, sorted in order of the number of spams it generated. The "<--- 111 Bogus Whois to ARIN" means this IP, when looked up, has invalid and bogus whois data, so the report email is invalid. I mark these because they are then sent up to the upstream provider and THEY get hit with the spam reports, but appended to the reports is an extra little prose that goes like this... This means the 111 spam reports for that IP are going to their upstream provider. I add the following to the reports I send to upstreamers:

"Although this IP is not directly controlled by your organization, we determined it was assigned to one of your downstream providers, and seek your assistance in obtaining contact information for them. Until we get updated information, you will be receiving these spam reports until such time as we are fed with proper contact info."

This usually wakes them up, especially when they start getting hundreds of these complaints per day. I usually get their attention within a week.

John

_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
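The block format and merge step John describes, as an added Python example that is not his code or the list's: it parses constructed sample lines in the "dotted block,contact" format (placeholder contact addresses), merges adjacent blocks per contact, and converts a merged range to CIDR prefixes using the standard ipaddress module, which is an assumption in place of his own range/CIDR utilities.

```python
# Added example, not John's code: parse the post's "dotted block,contact" lines,
# merge adjacent blocks per contact, and convert a merged range to CIDRs.
import ipaddress

# Constructed sample in the post's format; contact addresses are placeholders.
SAMPLE = """024.030.000-095,abuse@example-a.invalid
024.030.096-127,abuse@example-a.invalid
024.031.000-031,abuse@example-b.invalid
017,abuse@example-c.invalid
"""


def parse_block(field: str) -> tuple[int, int]:
    """'024.031.032-255' -> (24.31.32.0, 24.31.255.255) as 32-bit ints; an 'a-b'
    octet spans a..b and missing trailing octets are 0 (low) / 255 (high)."""
    lo, hi = [], []
    for octet in field.split("."):
        a, _, b = octet.partition("-")
        lo.append(int(a))
        hi.append(int(b or a))
    lo += [0] * (4 - len(lo))
    hi += [255] * (4 - len(hi))
    return (int(ipaddress.IPv4Address(".".join(map(str, lo)))),
            int(ipaddress.IPv4Address(".".join(map(str, hi)))))


def load_and_merge(text: str) -> dict[str, list[tuple[int, int]]]:
    """Group blocks by contact, then merge overlapping or adjacent ranges."""
    by_contact: dict[str, list[tuple[int, int]]] = {}
    for line in text.splitlines():
        if line.strip():
            block, contact = line.split(",", 1)
            by_contact.setdefault(contact.strip(), []).append(parse_block(block.strip()))
    merged = {}
    for contact, ranges in by_contact.items():
        out: list[tuple[int, int]] = []
        for lo, hi in sorted(ranges):
            if out and lo <= out[-1][1] + 1:   # touches or overlaps the previous block
                out[-1] = (out[-1][0], max(out[-1][1], hi))
            else:
                out.append((lo, hi))
        merged[contact] = out
    return merged


def range_to_cidrs(lo: int, hi: int) -> list[str]:
    """Smallest list of CIDR prefixes covering lo..hi (the range -> CIDR direction)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))]
```

With the sample above, the two 24.30.x blocks for the first contact collapse into a single 24.30.0.0/17, which is the "merge makes the database smaller" effect described in the post.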
