2011
03:14

Since we receive feedback from time to time that, for example, the label "DDoS" is wrong for a single IP address, here is once again a short explanation of why the name is correct:

ApacheDDOS:


A single domain or IP address is accessed by a large number of different IP addresses (DDoS). Fail2Ban identifies and blocks these by certain characteristics, such as a particular user agent (Firefox 1.x, 2.x) or requests for a particular URL: domain.tld / File gibts-nicht.txt.
After (by default) 4 requests, we then report them.
From the report recipient's point of view it looks like a DoS (since only one IP has been reported). From the perspective of the affected server, it is of course a DDoS.
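
The per-IP matching and the default threshold of 4 described above, as an added example (not blocklist.de's or Fail2Ban's own code). The Apache combined log format, the bait path `/gibts-nicht.txt`, the function name `scan` and the sample lines are assumptions constructed for illustration:

```python
import re
from collections import Counter

# Assumed Apache "combined" log format; the page does not show its Fail2Ban filter.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
OLD_FIREFOX = re.compile(r'Firefox/[12]\.')  # "Firefox 1.x, 2.x" from the text
BAIT_PATH = "/gibts-nicht.txt"               # hypothetical name of a file that does not exist
REPORT_AFTER = 4                             # default number of requests before a report


def scan(lines, threshold=REPORT_AFTER):
    """Return (reports, matched_ips): one report per IP that reached the
    threshold, and the set of every IP that matched at least once."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess
        if OLD_FIREFOX.search(m["ua"]) or m["path"] == BAIT_PATH:
            hits[m["ip"]] += 1
    reports = sorted(ip for ip, n in hits.items() if n >= threshold)
    return reports, set(hits)


def _line(ip, path, ua, status=404):
    """Build one constructed access-log line."""
    return (f'{ip} - - [14/Mar/2011:03:14:00 +0100] "GET {path} HTTP/1.1" '
            f'{status} 209 "-" "{ua}"')


FF2 = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) "
       "Gecko/20081217 Firefox/2.0.0.20")
MODERN = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

# Constructed sample using documentation address ranges.
SAMPLE = (
    [_line("192.0.2.10", "/", FF2)] * 4                 # matches by user agent
    + [_line("198.51.100.7", BAIT_PATH, MODERN)] * 5    # matches by bait URL
    + [_line("203.0.113.5", "/", FF2)] * 2              # matches, below threshold
    + [_line("203.0.113.9", "/", MODERN, 200)] * 9      # ordinary client, no match
)

if __name__ == "__main__":
    reports, matched = scan(SAMPLE)
    for ip in reports:
        print(f"report for {ip} (names this one address only)")
    print(f"server view: {len(matched)} distinct matching sources")
```

Each report names a single address, which is why it reads like a DoS to its recipient, while the server's own count covers all matching sources.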

Recipients of an ApacheDDOS report: please check the clients, as they are infected with a Trojan horse and are part of a botnet.

BadBots:


These are IP addresses that post entries in honeypot forums, honeypot wikis, or honeypot domains with guestbooks or comment features, spamming them with links to other URLs (buy Viagra ...).
Many of these comments are also posted manually via a VPN service.
And yes, a comment on a blog containing, e.g.:
[url=http://www.tramadol2011.co.cc]morphine tramadol dosage equivalent[/url]
[url=http://www.tramadol2011.co.cc/link/tramadol/1_pharma.html][img:61396c6b8b]http://www.tramadol2011.co.cc/img0/tramadol/1_pharma.png[/img:61396c6b8b][/url]

[url=http://www.tramadol2011.co.cc/link/tramadol/2_pharma.html][img:61396c6b8b]http://www.tramadol2011.co.cc/img0/tramadol/2_pharma.png[/img:61396c6b8b][/url]

[url=http://www.tramadol2011.co.cc/link/tramadol/3_pharma.html][img:61396c6b8b]http://www.tramadol2011.co.cc/img0/tramadol/3_pharma.png[/img:61396c6b8b][/url]

is just as bad as spam!

postfix:


These are mostly reports that follow multiple 5xx messages.
If a mail server does not understand hard errors such as the following, it is either misconfigured or a bot:
Mar 13 10:14:03 server5 postfix/smtpd[27364]: NOQUEUE: reject: RCPT from unknown[211.147.3.74]: 554 5.7.1 Service unavailable; Client host [211.147.3.74] blocked using xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=211.147.3.74; from=<anwalttzv @gmx.de> to=<info@domain.tld> proto=SMTP helo=<gmx.de>
And even if acceptance of the spam mail was prevented this way, the PC/server is still infected and will send spam to another server that does not use spamhaus.org!

regbot:


These are IP addresses that register automatically (they are bots, after all) in some honeypot forums.

The pages state in an H2 heading that all registrations and postings are reported. Most of the IP addresses are also listed on http://stopforumspam.com, and we pass them on to SFS.

3 comments so far

Comment
  1. And where's the rest ;p

  2. [...] Sites. He used xrumer or other tools or had a false configured mod_rewrite / mod_proxy who is abused: http://blog.blocklist.de/2011/03/14/ ... stfix / # badbots Please check the machine behind the IP **** ****** (***********. rdns.ubiquityservers.com) and fix [...]

  3. [...] He used xrumer or other tools or had a false configured mod_rewrite / mod_proxy who is abused: http://blog.blocklist.de/2011/03/14/ ... stfix / # regbots If the IP is a Tor server : http://blog.blocklist.de/tor-server-owner/ Please check the machine [...]
