Forum Moderators: phranque


Building AntiBot Scripts

         

Brett_Tabke

9:26 am on Jul 4, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



What would you think of a script that would send the following in response to an exploit attempt on one of several known exploits:



To: abuse@example.isp.com
Subject: Hacking from your services

Dear Admin,

This is an automated response to inform you that on "date", we received a hack or exploit attempt from your service. Below are the Apache log lines showing the time and IP address. Most probably, this was an attempt to exploit known security faults in either the Microsoft IIS server (Code Red/Nimda/variants), or the currently popular "formmail" script.

example.isp.com [xx.xx.xx.xx] -
File does not exist: /www/example/cgi-local/formmail.cgi
File does not exist: /www/example/cgi-local/formmail.pl

Please note, hacking is a very serious offense. ISP operators are under moral, ethical, and legal obligations to attempt to put a halt to hacking activity from their services.

Thank you
site: example.com


What's your opinion on doing something like that?

PsychoTekk

9:30 am on Jul 4, 2002 (gmt 0)

10+ Year Member



i like that idea! :)
i would also add the GMT date and time stamp

how would you put that into practice,
would you get the whois info automatically and
extract the ISPs abuse email?

Sinner_G

9:33 am on Jul 4, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Nice idea, I'm just not sure it would be enough to get a reaction from the ISP. Maybe sending it additionally to a couple of newsgroups/lists would help...

PsychoTekk

9:35 am on Jul 4, 2002 (gmt 0)

10+ Year Member



some ISPs (the German Telekom --> t-online for example) take it VERY seriously!

bird

11:09 am on Jul 4, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Such an approach is certainly worth some consideration.

However, as with all automated solutions, it comes with some serious question marks attached.

  • As already mentioned, you need a way to get to the right e-mail address from the IP.
  • Do you expect the ISPs to be happy about automated reports?
  • Which types of attacks do you select? (the formmail example may or may not qualify as "hacking")
  • How do you handle repeated attempts, resp. how many repeats do you wait for before the message is triggered?
  • Do you really want to send the same canned message for all types of attacks?

Ideally, you'd have a consenting direct contact at an ISP, which allows your reports to immediately pop up on someone's desktop, instead of stacking up in some queue. This would allow the recipient to verify the identity of the perpetrator while he is still online, and maybe even to directly check on his activities. The reports may then have immediate and specific consequences, and might be most interesting from individual high-traffic sites like this forum.

An alternative would be to send broader reports from as many sites as possible to a "collector" address. In that case, the reactive measures wouldn't be immediate and individual, but the ISPs would get a chance to discover trends early and take more general preventive measures.

In any case, I assume it would be a good idea to contact the targeted ISPs beforehand, so that you know you're not sending your reports to some sophisticated bit bucket.
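
Added example, not part of any post in this thread: a Python sketch of the log-side half of the proposed script, covering the questions raised above about which attack types to select, how many repeats to wait for, and per-type wording. The log lines, the signature table, the threshold default and all function names are assumptions made for illustration; nothing is sent and no abuse address is looked up.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache error_log style (not taken from the thread).
SAMPLE_LOG = """\
[Thu Jul  4 09:01:12 2002] [error] [client 192.0.2.10] File does not exist: /www/example/cgi-local/formmail.cgi
[Thu Jul  4 09:01:13 2002] [error] [client 192.0.2.10] File does not exist: /www/example/cgi-local/formmail.pl
[Thu Jul  4 09:02:40 2002] [error] [client 198.51.100.7] File does not exist: /www/example/favicon.ico
[Thu Jul  4 09:03:05 2002] [error] [client 203.0.113.5] File does not exist: /www/example/scripts/root.exe
[Thu Jul  4 09:03:06 2002] [error] [client 203.0.113.5] File does not exist: /www/example/scripts/..%255c../winnt/system32/cmd.exe
[Thu Jul  4 09:05:00 2002] [error] [client 198.51.100.9] File does not exist: /www/example/cgi-local/formmail.pl
"""

LINE_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$")

# Hypothetical signature table: one label per attack type, so each type gets its own wording.
SIGNATURES = {
    "formmail probe": re.compile(r"/formmail\.(cgi|pl)$", re.I),
    "IIS worm probe": re.compile(r"/(root|cmd)\.exe$|/default\.ida$", re.I),
}

def classify(path):
    """Return the label of the first matching signature, or None for ordinary 404s."""
    for label, rx in SIGNATURES.items():
        if rx.search(path):
            return label
    return None

def find_reportable(log_text, threshold=2):
    """Return {ip: {label: [raw log lines]}} for clients with >= threshold matching requests."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        label = classify(m["path"]) if m else None
        if label:
            hits[m["ip"]][label].append(line)
    return {ip: dict(by) for ip, by in hits.items()
            if sum(len(v) for v in by.values()) >= threshold}

def draft_report(ip, by_label, site="example.com"):
    """Build report text for a human to review before anything is mailed."""
    parts = [f"Subject: Probe requests from {ip} against {site}", ""]
    for label, lines in sorted(by_label.items()):
        parts.append(f"{label} ({len(lines)} requests):")
        parts.extend("  " + raw for raw in lines)
    return "\n".join(parts)
```

With the default threshold, the single formmail request from 198.51.100.9 and the favicon 404 produce no report, which keeps one-off noise out of an ISP's abuse queue.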

Crazy_Fool

11:18 am on Jul 4, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



i reckon it'll just be ignored in most cases. if you could create a script to automatically email the ISP concerned with the IP address and all the other info, and if you could distribute the script, and if ISPs could set up a good reporting service which they then follow up on with criminal proceedings, then it might have an effect. but how could you convince ISPs and other people to do this?

for those who aren't aware, hacking is a criminal offence in the UK under the Computer Misuse Act 1990, although it appears that the hacker must do more than "gain unauthorised access", ie, they must download files or send unauthorised emails or something. this Act is available online from www.hmso.gov.uk