Difference between revisions of "Security Information"

From SchoolsWiki
Latest revision as of 08:31, 14 April 2011


What does 'cbl' mean? The Composite Blocking List is a list of IPs that have been reported as open proxies, spambots, etc. It is maintained here. IPs can be looked up via the following syntax: http://cbl.abuseat.org/lookup.cgi?ip=IPADDRESS&.submit=Lookup


What does 'bots' mean? Many different types of malware use IRC (Internet Relay Chat) as a control mechanism for coordinating their activities. In some cases these IRC connections can be detected and used to identify infected hosts, sometimes even with the specific type of malware the host is infected with. The bots report is based on the logs of botnet detectors located within several large IRC networks.


What does 'malwareurl' mean? This section contains URLs we believe to be some type of malware.


What does 'openresolvers' mean? One of your hosts is acting as an open DNS resolver. These systems are now being included in reports due to the possibility that they may be used in DNS amplification attacks. Open resolvers can be verified with the following command:

 dig @client-dns-server-ip www.slashdot.org

If this returns a response then the server is an open resolver.
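Added example, not HEAnet's own tooling: a small Python check that sends the same kind of recursion-desired query `dig` sends and classifies the reply the way the text describes. The sample replies at the bottom are constructed, not captured traffic, so the parser can be exercised offline; `probe()` is the live check against one of your own servers.

```python
import socket
import struct

# Added example, not HEAnet's code: sends the same kind of query that
# `dig @server www.slashdot.org` sends (recursion desired) and reads the
# reply the way the text does: a recursive answer means an open resolver.
RD, RA = 0x0100, 0x0080      # header flag bits from RFC 1035
RCODE_REFUSED = 5

def build_query(name, txid=0x1234):
    """A/IN query with RD set, as a recursive client would send it."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = [part.encode() for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_reply(reply):
    """'open' if the server recursed and answered, 'refused' on RCODE 5,
    otherwise 'not-recursive' (RA clear or no answer records)."""
    if len(reply) < 12:
        return "no-reply"
    _, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode == 0 and flags & RA and ancount > 0:
        return "open"
    return "not-recursive"

def probe(server_ip, name="www.slashdot.org", timeout=3.0):
    """Live check against one of your own servers (needs network access)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server_ip, 53))
        return classify_reply(sock.recv(512))
    except socket.timeout:
        return "no-reply"
    finally:
        sock.close()

# Constructed replies (not captured traffic) so the parser can run offline.
_QUESTION = build_query("www.slashdot.org")[12:]
# QR|RD|RA, RCODE 0, one A record (name pointer 0xC00C, TTL 60, 192.0.2.1)
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
# QR|RD only, RCODE 5 (REFUSED): recursion is restricted to allowed clients
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION
```

A server that answers REFUSED, or answers without the RA flag and with an empty answer section, is not an open resolver; only a successful recursive answer is.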


What does 'spam' mean? HEAnet receive reports from several different groups that have taken on the spam problem by setting up "spamtraps," automated collection scripts that are designed to detect IPs used to relay spam. The detected IPs are placed in blackhole lists (or blocking lists) which can be downloaded and used to block incoming mail from these source IPs. Some of these groups have given us permission to include their data in the daily reports so that you may be informed when an IP in your network appears on a blackhole list. Being listed on a *BL list may indicate that the host in question has been compromised in some way and is now being used as a relay for forwarding spam messages. Hosts may also get included in *BL lists sometimes if they are infected with malware that attempts to spread via email (e.g. Mytob).

Please note that we usually cannot provide "evidence" as to why these IPs are being included in the blackhole lists. The organizations that maintain *BL lists generally do not keep the original spam messages as storing and managing them for any length of time is problematic. However most *BL organizations have procedures in place for requesting removal of listed IPs if you believe that their data is in error. Please consult the websites for each *BL for more details on their procedures and detection methodologies.

spam - greylist

What does 'spam - greylist' mean? In addition to the *BL lists, we also collect data from some sites that perform greylisting. This data reflects probable spam hosts that attempted to deliver mail to a recipient once, but never came back again after being given a deferral response code. Any RFC-compliant mail server would re-attempt delivery after a deferral, whereas many spam senders do not. As with the *BL-listed hosts, these hosts may be compromised and acting as a relay, infected with malware, or "legitimately" controlled by a spammer. Data from greylisting is tagged with a source of "greylist".
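Added example, not code from HEAnet or any greylisting site: a minimal greylist tracker that defers the first attempt from an unseen sender triplet, accepts a retry after a minimum delay, and reports the hosts that never came back. The retry delay, reporting window and sample attempts are constructed assumptions for illustration.

```python
# Added example, not HEAnet's code: a minimal greylist tracker that applies
# the rule described above (defer an unseen sender/recipient triplet, accept
# a retry after the minimum delay) and lists the hosts that never came back,
# which is what the "greylist"-sourced entries in the report reflect.
MIN_RETRY = 300      # seconds a compliant MTA must wait before the retry counts
WINDOW = 4 * 3600    # seconds after which a triplet that never returned is reported


class Greylist:
    def __init__(self):
        self.seen = {}   # (ip, mail_from, rcpt_to) -> [first_seen, passed]

    def attempt(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code the receiving server would give."""
        key = (ip, mail_from, rcpt_to)
        if key not in self.seen:
            self.seen[key] = [now, False]
            return 451                 # temporary failure: "try again later"
        first, passed = self.seen[key]
        if passed or now - first >= MIN_RETRY:
            self.seen[key][1] = True
            return 250
        return 451                     # retried too soon, still deferred

    def probable_spam_hosts(self, now):
        """IPs whose deferred triplets were never retried within WINDOW."""
        hosts = set()
        for (ip, _frm, _to), (first, passed) in self.seen.items():
            if not passed and now - first >= WINDOW:
                hosts.add(ip)
        return sorted(hosts)


def replay(log):
    """Feed (time, ip, mail_from, rcpt_to) attempts through one greylist."""
    gl = Greylist()
    codes = [gl.attempt(ip, frm, to, ts) for ts, ip, frm, to in log]
    return codes, gl


# Constructed sample (not real log data): 198.51.100.7 retries after ten
# minutes like a compliant MTA; 203.0.113.9 sends once and never returns.
SAMPLE_LOG = [
    (0, "198.51.100.7", "alice@example.org", "bob@example.net"),
    (0, "203.0.113.9", "offer@example.com", "bob@example.net"),
    (600, "198.51.100.7", "alice@example.org", "bob@example.net"),
]
```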

spam - heuristics

What does 'spam - heuristics' mean? Data from providers that perform heuristic-based analysis of incoming messages (which may include *BLs, internal filters, and a number of other complex methodologies) will be tagged with a "heuristics" source.


What does 'spreaders' mean? These are IP addresses that have been detected spreading malware.


What does 'phishing' mean? "Phishing" is the act of using a forged version of a trusted website (commonly a bank or financial institution) to trick unsuspecting customers into revealing personal information about themselves such as credit card numbers, passwords, social security numbers, secret identification questions, etc. Phishing is quickly becoming the most frequent and profitable activity in the underground economy. Once a phisher obtains someone's personal data he can either use it to impersonate the victim or trade it to other miscreants in exchange for bots, warez and other services. You can learn more about phishing at sites like http://www.antiphishing.org

The IPs listed in this report may be hosts infected with some form of malware and subsequently turned into web servers, or they may be legitimate hosting servers that are providing the forged web sites without the owner's knowledge. When possible the URL being used by the phisher is included with the report for verification purposes.


What does 'proxy' mean? Open proxies are routinely abused by the miscreants for all sorts of purposes. These proxies can be used to relay spam, control botnets, access illegal web and ftp sites, and join IRC chatrooms from anonymous locations. Miscreants often trade in illicit goods and services while using open proxies. If the transactions are traced, they will only lead to the open proxy, not to the actual perpetrator of the crime. Proxies thus have high value in the underground economy and are regularly hunted and traded.

Malware can take advantage of proxies as well. One such example is SOBIG. The point is the same, be it malware or a miscreant - an unsecured proxy is a risk to everyone. It's up to all of us to keep our proxies restricted to only those with a legitimate business use for them.

Several anonymous sources share logs of blocked proxies based on spam signatures and tools such as proxycheck and wgmon. The logs are processed daily, Monday through Friday. The file format is as follows:

The PROXY-PORT column uses the following indicators, based on the output from proxycheck or wgmon:

   s5 - SOCKS5            http-80      HTTP PROXY (port 80)
   s4 - SOCKS4            http-81      HTTP PROXY (port 81)
   wg - WINGATE           http-8080    HTTP PROXY (port 8080)
   hc - HTTP CONNECT      http-8081    HTTP PROXY (port 8081)
   h2 - HTTP CONNECT      socks4       SOCKS4 PROXY
   ho - HTTP POST         socks5       SOCKS5 PROXY
   hu - HTTP PUT          squid        SQUID PROXY
   fu - FTP USER          wingate      WINGATE PROXY
   relay - open SMTP relay on TCP 25