Yesterday we got a VPS.
It was up for a few hours, then I got a message and the server was blocked.
I asked why it had been blocked; the answer:
Your VPS server was part of a botnet and was sending/posting spam.
Now they have sent me a file.
Could anyone help me out?
One way or another, it may have been among your own files, or a hacker managed to upload a shell, root the box, and so on. A bot has been installed on your VPS, and bots are usually used for spam and DDoS. The Linux images installed on VPSes by default usually need tuning, and you should control the ports with a firewall.
Either you installed the bot software yourself, or someone installed it without you knowing
(sometimes it is slipped in as part of a program or a script and you don't notice).
- - - Updated - - -
Contents of the file sent by the data center:
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Description: transaction 2054881
MIME-Version: 1.0
X-Mailer: MIME-tools 5.503 (Entity 5.503)
MIME-Version: 1.0
X-Dkim: OpenDKIM Filter v2.0.1 reporting2.blocklist.de 1661423C4B3D0
X-Report-ID: 495856968
X-Mailer: blocklist.de
Errors-To: autogenerated@blocklist.de
Auto-Submitted: auto-generated
X-Xarf: PLAIN
Message-ID: <20140424092928.F41082DE22157@reporting1.blocklist.de>
Content-Type: multipart/mixed;
boundary="Abuse-18abad315acc99c6ac34a064b23b5943"
Reply-To: "Abuse-Team" <abuse-team@blocklist.de>
Received: from localhost (localhost [127.0.0.1]) by kes.ghostnet.de
(Postfix) with ESMTP id 491F646C2F8 for <confixx-du-899@kes.ghostnet.de>;
Thu, 24 Apr 2014 11:18:37 +0200 (CEST)
Received: from kes.ghostnet.de ([127.0.0.1]) by localhost (kes.ghostnet.de
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14319-02 for
<confixx-du-899@kes.ghostnet.de>; Thu, 24 Apr 2014 11:18:37 +0200 (CEST)
Received: from reporting2.blocklist.de (reporting2.blocklist.de
[109.239.50.114]) by kes.ghostnet.de (Postfix) with ESMTP id 25FB246C29A
for <abuse@ghostnet.de>; Thu, 24 Apr 2014 11:18:37 +0200 (CEST)
Received: by reporting2.blocklist.de (Postfix, from userid 1003) id
2CA7723C4B3D3; Thu, 24 Apr 2014 11:20:57 +0200 (CEST)
Received: from reporting1.blocklist.de (unknown [109.239.57.114]) (using
TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate
requested) by reporting2.blocklist.de (Postfix) with ESMTPS id
1661423C4B3D0 for <abuse@ghostnet.de>; Thu, 24 Apr 2014 11:20:57 +0200
(CEST)
Received: by reporting1.blocklist.de (Postfix, from userid 1002) id
F41082DE22157; Thu, 24 Apr 2014 11:29:28 +0200 (CEST)
Delivered-To: web65p24@kes.ghostnet.de
Subject: [noreply] abuse report about 11.11.11.11 - Thu, 24 Apr 2014
11:18:29 +0200 -- service: badbot (First x 1) RID: 495856968
Return-Path: <autogenerated@blocklist.de>
X-Original-To: confixx-du-899@kes.ghostnet.de
Date: Thu, 24 Apr 2014 11:29:28 +0200 (CEST)
Sender: abuse-team@blocklist.de
To: "Abuse-Team of IP: 11.11.11.11" <abuse@ghostnet.de>
Content-Transfer-Encoding: 7bit
From: "Abuse-Team (auto-generated)" <autogenerated@blocklist.de>
RT-Squelch-Replies-To: abuse-team@blocklist.de
RT-Detectedautogenerated: true
Content-Length: 0
This is a multi-part message in MIME format...
--Abuse-18abad315acc99c6ac34a064b23b5943
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: utf-8
Content-Length: 3117
Hello Abuse-Team,
your Server/Customer with the IP: *11.11.11.11* has attacked one of our servers/partners.
The attackers used the method/service: *badbot* on: *Thu, 24 Apr 2014 11:18:29 +0200*.
The time listed is from the server-time of the Blocklist-user who submitted the report.
The attack was reported to the Blocklist.de-System on: *Thu, 24 Apr 2014 11:29:22 +0200*
The IP has been automatically blocked for a period of time. For an IP to be blocked, it needs
to have made several failed logins (ssh, imap....), tried to log in for an "invalid user", or have
triggered several 5xx-Error-Codes (eg. Blacklist on email...), all during a short period of time.
The Server-Owner configures the number of failed attempts, and the time period they have
to occur in, in order to trigger a ban and report. Blocklist has no control over these settings.
The IP has send a SPAM-Comment on a Honeypot-Forum or Honeypot-Wiki with URLs to e.g. buy viagra
or link to other spamvertised sites. He used xrumer or other Tools or had a false configured mod_rewrite/mod_***** who is abused:
http://blog.blocklist.de/2011/03/14/erlauterung-der-einzelnen-dienste-badbots-apacheddos-postfix/#badbots
If the IP is a Tor-Server: http://blog.blocklist.de/tor-server-owner/
Please check the machine behind the IP 11.11.11.11 (aroma-stream.net) and fix the problem.
To search for AS-Number/IPs that you control, to see if any others have been infected/blocked, please go to:
http://www.blocklist.de/en/search.html?as=12586
If you need the logs in another format (rather than an attachment), please let us know.
You can see the Logfiles online again: https://www.blocklist.de/en/logs.html?rid=495856968&ip=11.11.11.11
You can parse this abuse report mail with X-ARF-Tools from http://www.x-arf.org/tools.html e.g. validatexarf-php.tar.gz.
You can find more information about X-Arf V0.2 at http://www.x-arf.org/specification.html
This message will be sent again in one day if more attacks are reported to Blocklist.
In the attachment of this message you can find the original logs from the attacked system.
To pause this message for one week, you can use our "Stop Reports" feature on Blocklist.de to submit
the IP you want to stop recieving emails about, and the email you want to stop receiving them on.
If more attacks from your network are recognized after the seven day grace period, the reports will start
being sent again.
To pause these reports for one week:
http://www.blocklist.de/en/insert.html?ip=11.11.11.11&email=abuse@ghostnet.de
We found this abuse email address in the Whois-Data from the IP under the SearchString "abuse-c"
Reply to this message to let us know if you want us to send future reports to a different email. (e.g. to abuse-quiet or a special address)
------------------------------
blocklist.de Abuse-Team
This message was sent automatically. For questions please use our Contact-Form (autogenerated@ is not monitored!):
https://www.blocklist.de/en/contact.html?RID=495856968
Logfiles: https://www.blocklist.de/en/logs.html?rid=495856968&ip=11.11.11.11
------------------------------
--Abuse-18abad315acc99c6ac34a064b23b5943
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; name="report.txt"
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: utf-8
Content-Length: 376
---
Reported-From: abuse-team@blocklist.de
Category: info
Report-Type: info
Service: badbot
Version: 0.2
User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
Date: Thu, 24 Apr 2014 11:18:29 +0200
Source-Type: ip-address
Source: 11.11.11.11
Port: 80
Report-ID: 495856968@blocklist.de
Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.2.json
Attachment: text/plain
--Abuse-18abad315acc99c6ac34a064b23b5943
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; name="logfile.log"
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: utf-8
Content-Length: 302
11.11.11.11 - - [24/Apr/2014:11:18:29 +0200] "POST /posting.php HTTP/1.0" 200 2027 "-" "-"
How many are there in a book? <a href=\" hxxp://www.vanillaactive.com/physical-signs-my-wife-is-cheating/ \">spy ware on cell phones</a> That ticking clock is driving me crazy. WTF
--Abuse-18abad315acc99c6ac34a064b23b5943--
I need your guidance to fix this problem.
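For anyone who receives a mail like the one above: the report.txt and logfile.log parts follow the X-ARF format the mail itself points to, so the facts you need (which IP was reported, for which service, what it posted where and when) can be pulled out mechanically instead of read by eye. The following Python script is an added example, not from this thread and not blocklist.de's own X-ARF tools; the sample mail embedded in it is a constructed, trimmed copy of the report quoted above (the placeholder IP 11.11.11.11 as in the post, the spam URL from the log replaced by spam.example.invalid).

```python
"""Parse an X-ARF abuse report mail (blocklist.de style) into usable facts.

Added example; the sample mail below is a constructed, trimmed copy of the
report quoted in the thread, with the poster's placeholder IP 11.11.11.11.
"""
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample: same three MIME parts as the real mail (human-readable
# text, report.txt key/value block, logfile.log with the honeypot's log line).
SAMPLE_MAIL = """\
MIME-Version: 1.0
Subject: [noreply] abuse report about 11.11.11.11 -- service: badbot
From: "Abuse-Team (auto-generated)" <autogenerated@blocklist.de>
To: <abuse@example.invalid>
X-Xarf: PLAIN
Content-Type: multipart/mixed; boundary="Abuse-18abad315acc99c6ac34a064b23b5943"

This is a multi-part message in MIME format...
--Abuse-18abad315acc99c6ac34a064b23b5943
Content-Type: text/plain; charset="utf-8"

Hello Abuse-Team,
your Server/Customer with the IP: *11.11.11.11* has attacked one of our servers/partners.
--Abuse-18abad315acc99c6ac34a064b23b5943
Content-Type: text/plain; charset="utf-8"; name="report.txt"

---
Reported-From: abuse-team@blocklist.de
Category: info
Report-Type: info
Service: badbot
Version: 0.2
Date: Thu, 24 Apr 2014 11:18:29 +0200
Source-Type: ip-address
Source: 11.11.11.11
Port: 80
Report-ID: 495856968@blocklist.de
Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.2.json
Attachment: text/plain
--Abuse-18abad315acc99c6ac34a064b23b5943
Content-Type: text/plain; charset="utf-8"; name="logfile.log"

11.11.11.11 - - [24/Apr/2014:11:18:29 +0200] "POST /posting.php HTTP/1.0" 200 2027 "-" "-"
How many are there in a book? <a href="hxxp://spam.example.invalid/">spy ware on cell phones</a> WTF
--Abuse-18abad315acc99c6ac34a064b23b5943--
"""

# Apache/nginx "combined" log line: the honeypot logged the VPS's POST here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_report_block(text):
    """Turn the '---'-delimited Key: Value block of report.txt into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "---":
            continue
        key, sep, value = line.partition(":")  # split on the first colon only (URLs contain ':')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_xarf(raw):
    """Return {'report': {...}, 'log': [parsed lines], 'unparsed': [other lines]}."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg["X-Xarf"] is None:
        raise ValueError("not an X-ARF report: X-Xarf header missing")
    result = {"report": {}, "log": [], "unparsed": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # falls back to the Content-Type name= parameter
        if name == "report.txt":
            result["report"] = parse_report_block(part.get_content())
        elif name == "logfile.log":
            for line in part.get_content().splitlines():
                m = LOG_RE.match(line)
                if m:
                    result["log"].append(m.groupdict())
                elif line.strip():  # e.g. the spam comment body appended to the log
                    result["unparsed"].append(line)
    return result


def summarize(parsed):
    """Condense the report into the facts an admin acts on, plus a sanity check."""
    rep = parsed["report"]
    log_ips = {e["ip"] for e in parsed["log"]}
    return {
        "source": rep.get("Source"),
        "service": rep.get("Service"),
        "port": int(rep["Port"]) if rep.get("Port", "").isdigit() else None,
        "report_id": rep.get("Report-ID"),
        "when": parsedate_to_datetime(rep["Date"]).isoformat() if "Date" in rep else None,
        # False means the attached log does not actually belong to the reported IP
        "log_matches_source": bool(log_ips) and log_ips == {rep.get("Source")},
        "requests": sorted({(e["method"], e["path"]) for e in parsed["log"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_xarf(SAMPLE_MAIL)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the sample; feed a saved .eml to parse_xarf for a real report. The log_matches_source check is worth keeping: it flags a report whose attached log lines are not about your IP before you start hunting on the box. The requests list tells you what the host was doing (here, POSTing to a forum's posting.php), which is what to look for when you go through outbound connections, cron entries and the process list on the VPS.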
Tell them to reload the system and give you a clean OS, and then forget about the programs you installed yesterday! That's it.
Edited by sssoheil: May 16th, 2014 at 20:06
Pishgaman Fanavari Ettelaat Tinab Co. (Sekoya Server) Registration no.: 44188 Mobile: 09163066823 and 09386398967 ----- Telegram: @sekoyaserver Management: Alireza Faghih
Sir, all your provider had to do was reply to this email and fill out the review form saying the server had been checked; they didn't check it and blocked your IP instead. There is no sign of a hack, sir, a hack makes no sense here at all.
Hello,
It appears that one of the websites has been hacked and that BruteForce attack requests have been sent through it against some of the data center's IPs, which is what caused the Abuse report to be sent to you.
Your server's outgoing traffic must be monitored, then the website in question identified, and then these attacks stopped so that your IP is not blocked by the data center.
Thanks
Provider of hardening services for Linux- and Windows-based servers
My Crime Is My Advisory . Hacking Is The Best But Security Is The First
The Best Secure Hosting in Iran http://SecureHost.ir
To reach us on IRC: mHUB.HIRCNetwork.com #Linux@Secure_Host
The way some people talk so formally is really amusing! As if someone shoved a pencil up their backside.