Author: kevin

  • New DDoS attacks exploit recursive DNS Servers

    Looks like some people are exploiting recursive DNS servers to conduct DDoS attacks.

    How? Simple: spoofed DNS requests are sent with the victim's address as the source. They usually ask for “.” (the root zone, chosen because its answer is long) or for a specific domain; if the DNS server is badly configured and answers recursive queries from anyone, it sends the full answer back to the victim. Here is what I got in my server logs:

    Jan 22 19:24:22 *************** named[27457]: client 66.230.128.15#17247: query (cache) './NS/IN' denied
    Jan 22 19:24:24 *************** named[27457]: client 66.230.160.1#31622: query (cache) './NS/IN' denied
    Jan 22 19:24:24 *************** named[27457]: client 66.230.128.15#60407: query (cache) './NS/IN' denied
    Jan 22 19:24:24 *************** named[27457]: client 66.230.160.1#57967: query (cache) './NS/IN' denied
    Jan 22 19:24:26 *************** named[27457]: client 66.230.160.1#40365: query (cache) './NS/IN' denied
    Jan 22 19:24:26 *************** named[27457]: client 66.230.160.1#13640: query (cache) './NS/IN' denied

    The victims in this case were the isprime.com NS servers.

    Today all the Network Solutions DNS servers are very slow; it is possible that they are now the targets of those attacks.

    http://blog.networksolutions.com/2009/potential-latency-on-network-solutions-dns/

    http://isc.sans.org/diary.html?storyid=5713
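    As an added example (not from the original post), here is a small Python parser for the BIND “query (cache) ... denied” lines above that aggregates them per claimed client address. The sample lines are constructed after the ones in the post, with the masked server name replaced by the placeholder ns1 and one ordinary denied query added for contrast. The point is that the “client” in these lines is the spoofed victim, so many root NS queries from one address across many source ports within seconds is the signature worth alerting on.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "query (cache) ... denied" lines in the post;
# the masked server name is replaced by the placeholder "ns1" and one ordinary
# (non-root) denied query is added for contrast.
SAMPLE_LOG = """\
Jan 22 19:24:22 ns1 named[27457]: client 66.230.128.15#17247: query (cache) './NS/IN' denied
Jan 22 19:24:24 ns1 named[27457]: client 66.230.160.1#31622: query (cache) './NS/IN' denied
Jan 22 19:24:24 ns1 named[27457]: client 66.230.128.15#60407: query (cache) './NS/IN' denied
Jan 22 19:24:24 ns1 named[27457]: client 66.230.160.1#57967: query (cache) './NS/IN' denied
Jan 22 19:24:26 ns1 named[27457]: client 66.230.160.1#40365: query (cache) './NS/IN' denied
Jan 22 19:24:26 ns1 named[27457]: client 66.230.160.1#13640: query (cache) './NS/IN' denied
Jan 22 19:24:27 ns1 named[27457]: client 10.0.0.5#53000: query (cache) 'www.example.com/A/IN' denied
"""

# BIND 9 "query (cache) 'NAME/TYPE/CLASS' denied" line as written by the security category.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)


def parse_line(line):
    """Return the fields of one denied-query line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, threshold=3):
    """Aggregate denied queries per claimed source address.

    Returns {ip: {"total", "root_ns", "ports", "suspect"}}. The 'client' in
    these lines is whatever source address the packet carried, i.e. the spoofed
    victim in a reflection attack. A real resolver caches the root NS set and
    would not ask './NS/IN' again within seconds, so repeated root NS queries
    from one address over many different source ports are flagged as suspect.
    """
    per_ip = defaultdict(lambda: {"total": 0, "root_ns": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["total"] += 1
        entry["ports"].add(rec["port"])
        if rec["qname"] == "." and rec["qtype"] == "NS":
            entry["root_ns"] += 1
    return {
        ip: {
            "total": e["total"],
            "root_ns": e["root_ns"],
            "ports": len(e["ports"]),
            "suspect": e["root_ns"] >= threshold,
        }
        for ip, e in per_ip.items()
    }


if __name__ == "__main__":
    for ip, stats in sorted(summarize(SAMPLE_LOG).items()):
        flag = "SUSPECT" if stats["suspect"] else "ok"
        print(f"{ip:16} root_ns={stats['root_ns']} ports={stats['ports']} {flag}")
```

    The threshold is deliberately low because a single burst is already informative; in production you would key it on a time window. These lines only exist because the server refuses recursion to the source, which is the actual fix: a server that answers such queries logs nothing and amplifies instead.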

    UPDATE:

    If you also want to get rid of this annoying stuff in your logs, do:

    iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"

    This will block those specific NS requests. If you get an error doing this, it’s because you don’t have xt_u32 enabled or compiled into your kernel. Try:

    modprobe xt_u32

    If you are still getting an error, compile a recent 2.6 kernel and be sure to enable the “u32” match support; in menuconfig it is under:

    networking support -> networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration
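    To check what the u32 expression actually inspects before deploying it, here is an added Python model (not part of the post) that builds an IPv4/UDP/DNS query packet and applies the three tests from the rule byte for byte. The packet builder, addresses and function names are my own; the offsets and constants are taken from the rule above.

```python
import struct

QTYPE_A = 1
QTYPE_NS = 2


def build_ipv4_udp_dns(qname, qtype, qclass=1, ihl_words=5, src="192.0.2.1", dst="198.51.100.1"):
    """Construct a minimal IPv4 + UDP + DNS query packet (checksums left at zero,
    which the u32 match never looks at). ihl_words > 5 adds zero-filled IP options
    so the IHL-dependent offsets in the rule can be exercised."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, RD flag, QDCOUNT=1
    for label in [l for l in qname.strip(".").split(".") if l]:
        dns += bytes([len(label)]) + label.encode("ascii")
    dns += b"\x00" + struct.pack("!HH", qtype, qclass)         # root terminator, QTYPE, QCLASS
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + dns
    ip_header_len = ihl_words * 4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words, 0, ip_header_len + udp_len, 0, 0, 64, 17, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    ip += b"\x00" * (ip_header_len - 20)                       # IP options padding
    return ip + udp


def u32_word(packet, offset):
    """Read the 32-bit big-endian word at a byte offset, as the u32 match does;
    None when the word is not fully inside the packet (u32 then fails the match)."""
    if offset + 4 > len(packet):
        return None
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def matches_root_ns_query(packet):
    """Mirror of the three tests in the iptables rule:
       0>>22&0x3C@12>>16=1      : DNS QDCOUNT == 1
       0>>22&0x3C@20>>24=0      : first byte of the question name is 0 (the root, ".")
       0>>22&0x3C@21=0x00020001 : QTYPE == 2 (NS) and QCLASS == 1 (IN)
    '0>>22&0x3C' turns the IHL nibble into the IP header length in bytes, and '@N'
    then reads relative to the start of the UDP header (8 bytes before the DNS header)."""
    w0 = u32_word(packet, 0)
    if w0 is None:
        return False
    ip_header_len = (w0 >> 22) & 0x3C
    tests = [
        (12, lambda w: (w >> 16) == 1),
        (20, lambda w: (w >> 24) == 0),
        (21, lambda w: w == 0x00020001),
    ]
    for off, test in tests:
        w = u32_word(packet, ip_header_len + off)
        if w is None or not test(w):
            return False
    return True


if __name__ == "__main__":
    print("root NS query     :", matches_root_ns_query(build_ipv4_udp_dns(".", QTYPE_NS)))
    print("root NS, IP opts  :", matches_root_ns_query(build_ipv4_udp_dns(".", QTYPE_NS, ihl_words=6)))
    print("example.com A     :", matches_root_ns_query(build_ipv4_udp_dns("example.com", QTYPE_A)))
```

    The model shows the rule is exact: only a single-question query for the root with type NS and class IN is dropped, and any other query shape passes, so treat it as log noise reduction rather than the fix. The fix is not answering recursive queries for arbitrary clients in the first place, which is the misconfiguration the post describes.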

  • emicro.fr / emicro.eu / rambaud maurice / air-email.eu spam

    If you’re a system admin, this guy may have broken your balls. After being kicked from several hosting providers, his sites are still alive.

    http://spamnation.info/go/domain/emicro.eu

    Name          E.Micro
    Domain        emicro.eu
    Type          bulkmailer or list vendor
    Count         37
    First sent    09.10.2007
    Last sent     10.12.2008

    Name                  Domain                 Count
    E.Micro               emicro.eu              37
    lesmails1.net         lesmails1.net          0
    lesmails5.fr          lesmails5.fr           0
    lesmails8.fr          lesmails8.fr           0
    novembre08.net        novembre08.net         0
    serveur07.net         serveur07.net          0
    serveur331.net        serveur331.net         0
    serveur332.net        serveur332.net         0
    serveur361.net        serveur361.net         0
    serveur371.net        serveur371.net         0
    serveur372.net        serveur372.net         0
    serveurtq1151.net     serveurtq1151.net      0
    Air Email             air-email.eu           22
    communication04.com   communication04.com    0
    E.Micro               emicro.fr              5
    envois-de-mails.com   envois-de-mails.com    1
    les-mels.com          les-mels.com           1
    Total (17 sites)                             66

    You can also add those to the list:

    lesmails1.info

    lesmails11.info

    lesmails4.fr

    decembre08.net

    Interestingly, lesmails1.info/Pages/ and other sites redirect to:

    http://81.56.175.112/Pages/

    which is the site of his Mac reselling company, emicro.fr.

    81.56.175.112 is also his home or work DSL line, but his ISP, Free.fr, refused to disable his account, claiming the spam isn’t sent directly from his DSL connection.

    His email marketing company is air-email.eu. Do NOT buy from him: his emails are NOT opt-in even if he claims so, so using his service will get your domain blacklisted, and less than 1% of the mails will be read.

    After I exchanged mails with the dedibox.fr abuse desk, from whose network he sent spam for some days, they deleted his account, but he now sends from Turkey:

    Received: from server58.mediaon.info (unknown [195.5.168.58]).

    Here is more info about him:

    SARL with a capital of 1000 € – RCS Grenoble 504213521 – Registered office: Les Barillats – 38160 Saint Romans (France)

    person:      Maurice Rambaud
    address:     E . MICRO
    address:     les Barillats
    address:     38160 Saint-Romans
    country:     FR
    phone:       +33 4 76 38 84 09
    fax-no:      +33 4 76 38 84 09
    e-mail:      mrambaud@emicro.fr
    liste-r:     N
    nic-hdl:     MR643-FRNIC
    mnt-by:      OVH-MAINTAINER01
    changed:     04/08/2004
    source:      FRNIC

    Feel free to spam him at mrambaud@emicro.fr or mail@air-email.eu .

    For the record, here’s the latest spam I got from them:

    Received: from server58.mediaon.info (unknown [195.5.168.58])
    by *********** (Postfix) with ESMTPS id D899A33100A7
    for <***********>; Wed, 21 Jan 2009 00:54:06 +0100 (CET)
    Received: from serveur95 (unknown [195.154.90.97])
    by server58.mediaon.info (Postfix) with ESMTP id C6AC215187
    for <***********>; Wed, 21 Jan 2009 01:05:34 +0100 (CET)
    Received: from workstation ([192.168.0.1])
    by (Merak 8.0.3) with SMTP id UB106958
    From: "Communication" <postmaster@lesmails1.info>
    To: ***********
    Subject: Energie solaire, c'est le moment !
    Message-ID: <***********@lesmails1.info>
    Date: Wed, 21 Jan 2009 00:58:40 +0100
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0001_29C34C2E.3663F848"
    X-Priority: 3
    X-Mailer: Office Outlook 12.0

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0001_29C34C2E.3663F848
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    Si vous ne visualisez pas correctement ce message, Cliquez ici=0D=0A =0D=
    =0ASi vous ne souhaitez plus recevoir d'email de notre part, =
    nous nous excusons de la g=C3=AAne occasionn=C3=A9e,=0D=0Aet =
    nous vous proposons de vous supprimer de notre liste de diffusion.=0D=0A=
    Pour d=C3=A9sinscrire *********** de notre NewsLetter =
    : Cliquez ici

    ------=_NextPart_000_0001_29C34C2E.3663F848
    Content-Type: text/html;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">=0D=0A<H=
    TML><HEAD>=0D=0A<META http-equiv=3DContent-Type content=3D"text/html; =
    charset=3Diso-8859-1">=0D=0A<META content=3D"MSHTML 6.00.2900.2180" =
    name=3DGENERATOR></HEAD>=0D=0A<BODY style=3D"TEXT-ALIGN: center"><FONT=
    size=3D-1>Si vous ne visualisez pas correctement ce message, =
    <A href=3D"http://www.lesmails4.fr/693_4454.jpg">Cliquez ici=0D=0A<P><=
    /P></A></FONT><IMG height=3D842 alt=3D"" src=3D"http://www.lesmails4.f=
    r/693_4454.jpg" width=3D593 useMap=3D#Map border=3D0> <MAP name=3DMap>=
    <AREA shape=3DRECT coords=3D119,812,473,838 href=3D"http://www.lesmail=
    s4.fr/Pages/4044454.lasso?email=3D***********&amp;clic1=3DClic1&=
    amp;client=3D4454"><AREA shape=3DRECT coords=3D234,653,355,670 =
    href=3D"http://www.lesmails4.fr/Pages/4044454m1.lasso?email=3D***********&amp;clic2=3DClic2&amp;client=3D4454"><AREA shape=3DRECT =
    coords=3D232,391,355,408 href=3D"http://www.lesmails4.fr/Pages/4044454=
    m1-1.lasso?email=3D***********&amp;clic3=3DClic3&amp;client=3D44=
    54"><FONT face=3DGeneva,Arial,Helvetica,sans-serif color=3D#666666 =
    size=3D2>=0D=0A<P></P>Si vous ne souhaitez plus recevoir d'email =
    de notre part, nous nous excusons de la g=C3=AAne occasionn=C3=A9e,=0D=
    =0A<P></P>et nous vous proposons de vous supprimer de notre =
    liste de diffusion.<FONT size=3D-2></FONT>=0D=0A<P></P><FONT =
    face=3DGeneva,Arial,Helvetica,sans-serif color=3D#666666 size=3D2>Pour=
    d=C3=A9sinscrire *********** de notre NewsLetter : </FONT><FONT=
    size=3D2><A href=3D"http://www.lesmails4.fr/Pages/1004454.lasso?nosub=
    scribehide=***********">Cliquez ici=0D=0A<P></P>=0D=0A<P></P></FO=
    NT></A></FONT></MAP></BODY></HTML>

    ------=_NextPart_000_0001_29C34C2E.3663F848--
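    The Received chain is what the post walks by hand to find where the mail really came from. As an added example (not the author's code), here is Python that parses it with the standard email module; the headers are reconstructed from the ones above, with the masked recipient and server replaced by the placeholders victim@example.net and mx.example.net, and the body omitted.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed from the headers in the post: the masked recipient and server are
# replaced by victim@example.net / mx.example.net, everything else is as logged.
RAW_MESSAGE = """\
Received: from server58.mediaon.info (unknown [195.5.168.58])
    by mx.example.net (Postfix) with ESMTPS id D899A33100A7
    for <victim@example.net>; Wed, 21 Jan 2009 00:54:06 +0100 (CET)
Received: from serveur95 (unknown [195.154.90.97])
    by server58.mediaon.info (Postfix) with ESMTP id C6AC215187
    for <victim@example.net>; Wed, 21 Jan 2009 01:05:34 +0100 (CET)
Received: from workstation ([192.168.0.1])
    by (Merak 8.0.3) with SMTP id UB106958
From: "Communication" <postmaster@lesmails1.info>
To: victim@example.net
Subject: Energie solaire, c'est le moment !
Date: Wed, 21 Jan 2009 00:58:40 +0100

(body omitted)
"""


def parse_received(value):
    """Pull the 'from' host, its bracketed IP, the 'by' host and the timestamp
    out of one Received header. Fields a hop does not provide come back None."""
    value = " ".join(value.split())                       # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_ip = re.search(r"\[([0-9a-fA-F.:]+)\]", value)
    m_by = re.search(r"\bby\s+([A-Za-z0-9.\-]+)", value)  # 'by (Merak 8.0.3)' names no host
    stamp = None
    if ";" in value:
        tail = re.sub(r"\([^)]*\)", "", value.rsplit(";", 1)[1]).strip()  # drop "(CET)"
        try:
            stamp = parsedate_to_datetime(tail)
        except (TypeError, ValueError):
            stamp = None
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "time": stamp,
    }


def received_chain(raw):
    """Return the hops in delivery order (origin first). Each relay prepends its
    own Received header, so the last header in the message is the earliest hop."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def first_public_hop(chain):
    """First hop whose IP is routable: the earliest externally visible source.
    Only the header written by your own MX is trustworthy; anything the sender's
    relays wrote (including the RFC 1918 'workstation' hop) could be invented."""
    for hop in chain:
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_private:
            return hop
    return None


if __name__ == "__main__":
    chain = received_chain(RAW_MESSAGE)
    for hop in chain:
        print(f"{hop['from'] or '-':25} {hop['ip'] or '-':16} -> by {hop['by'] or '?'}  at {hop['time']}")
    print("first public hop:", first_public_hop(chain)["ip"])
```

    Run against these headers it yields workstation (192.168.0.1) -> serveur95 (195.154.90.97) -> server58.mediaon.info (195.5.168.58), which is the same picture the post draws: the Turkish relay is only the last hop, and the first public address is the one the relay itself recorded. The two timestamps written by different machines also disagree by about eleven minutes, a reminder that only the line your own server added is worth trusting.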

    UPDATE: 17/02/2009

    Still spamming! I will update below the list of the (new) servers/domains he is using, and his customers:

    • Servers sending spam:

    123.179.154.195.alicepro.te-dns.org [195.154.179.123]

    server58.mediaon.info (195.5.168.58)

    server201.mediaon.info (unknown [195.5.168.201])

    • Servers hosting the spam images:

    lesmails27.info (78.40.37.210) redirects to lesmails64.info

    lesmails5.info (78.40.37.210) redirects to lesmails64.info

    lesmails64.info which resolves to: 72.167.232.203 (secureserver.net/GoDaddy)

    lesmails9.info (78.40.37.210) redirecting to lesmails64.info

    lesmails20.info

    redirect104.info

    • Servers hosting the pages to unsubscribe:

    redirect0.info resolves to 81.56.175.112 (Free/Proxad), same IP as before.

    • His customers:

    amprod.fr

    air-email.eu (yes he spams for himself)

    animopassion.com

    UPDATE: May 2009

    No more spam from him, and all his servers and sites, including the free.fr hosting space and emicro.fr, are dead!

    UPDATE: 8 June 2009

    Still spamming, according to a comment on the blog: aamels-1.info

    UPDATE: 10 June 2009

    New domain: les-mels6.net.

  • XMMS Skin for Winamp

    It’s available here:

    http://dainori.deviantart.com/art/XMMS-skin-for-Winamp-94211214

    Created by dainori.

    For the lazy people, here is the wsz file:

    Download xmms.wsz

  • Best Linux graphical editor for large files

    You might need a graphical editor to edit large dump files. Most of the graphical editors on Linux cannot handle large files, so check out nedit; using it I was able to edit a 17 MB file without delay.

  • Portupgrade pkgdb.db “unexpected file type or format” error

    # portupgrade -a
    [Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... /var/db/pkg/pkgdb.db: unexpected file type or format -- Invalid argument; rebuild needed] [Rebuilding the pkgdb <format:bdb_btree> in /var/db/pkg ... [Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... /var/db/pkg/pkgdb.db: unexpected file type or format -- Invalid argument; rebuild needed] [Rebuilding the pkgdb <format:bdb_btree> in /var/db/pkg ... /var/db/pkg/pkgdb.db: unexpected file type or format -- Invalid argument: Cannot update the pkgdb!]: Cannot update the pkgdb!]
    Command failed [exit code 1]: /usr/local/sbin/pkgdb -aFOQ

    If this error happens to you, just do:

    rm /var/db/pkg/pkgdb.db

    Then run portupgrade again; it will rebuild the database by itself.

  • Finally opened!

    This is it! My blog is finally open; I really thought I’d never open one. I will mostly post my personal experiences related to IT, so I will use it as a notebook to write down notes that I should remember and hopefully help other people with them. I often found many tutorials and interesting articles in personal blogs, so now I think it is time for me to help the community as well.

    Enjoy your stay.