Monday, June 04, 2007

Snort init script still not working...

Yeah, I thought I'd nailed this, but there is still an issue with my Slackware machine's Snort startup/shutdown script. For some reason, it'll start fine, will not shut down cleanly and will error out. The script will not start on its own and requires manual intervention (dunno why). I'll have to add some debugging code to it so that I can track the issue. It must be some flag that I'm using when implementing 'ps', because that's the only difference between the two scripts (the OpenBSD and Slackware).

I wish I had more time (and willpower) to give this the attention that it needs. I can always visit the Snort mailing list and post my concerns, but I'd like to be able to nail this one myself. :)
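An added example (not the post's own script) of how the stop/status half of a Slackware-style rc.snort can be written without parsing `ps` output at all, so the same logic works on OpenBSD and Slackware regardless of BSD-vs-SysV `ps` flags: it relies on Snort's pidfile and `kill -0`. The pidfile path is an assumption and depends on your `-i` and `--pid-path` options; it also clears a stale pidfile, which is one reason a script "will not start on its own" after an unclean shutdown.

```shell
#!/bin/sh
# Added example: pidfile-based status/stop helpers for a Slackware-style
# rc.snort. Uses the pidfile plus 'kill -0' instead of grepping 'ps', so it
# is portable between OpenBSD and Slackware.
# Assumed path (constructed for this example; adjust to your -i / --pid-path):
SNORT_PID="${SNORT_PID:-/var/run/snort_eth0.pid}"

# Return 0 if the pidfile names a live process, 1 otherwise.
# 'kill -0' sends no signal; it only checks that the PID exists and is signalable.
snort_running() {
    [ -r "$SNORT_PID" ] || return 1
    pid=$(tr -cd '0-9' < "$SNORT_PID")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Stop Snort: send TERM, wait up to $1 seconds (default 10), then KILL.
# Always removes the pidfile so a stale one cannot block the next start.
snort_stop() {
    timeout="${1:-10}"
    if ! snort_running; then
        rm -f "$SNORT_PID"      # nothing running: just clean up a stale file
        return 0
    fi
    pid=$(tr -cd '0-9' < "$SNORT_PID")
    kill -TERM "$pid" 2>/dev/null || true
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        if [ "$i" -ge "$timeout" ]; then
            kill -KILL "$pid" 2>/dev/null || true   # did not exit in time
            break
        fi
        sleep 1
    done
    rm -f "$SNORT_PID"
    return 0
}

# Minimal rc-style dispatch; 'start' is left to your existing script.
case "$1" in
    status) if snort_running; then echo "snort is running"; else echo "snort is not running"; exit 1; fi ;;
    stop)   snort_stop ;;
esac
```

Because the loop never reads `ps`, a sensor that fails to stop shows up as a KILL after the timeout rather than as a silent error, which is easier to spot when the IDS unexpectedly goes down.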

Vrtservers.net - Malicious IP scanning

IP 64.56.65.150, an IP that belongs to Vrtservers.net, has been very active lately. The machine has been compromised twice in 30 days and does a multitude of scans. Last month I reported this IP to isc.sans.org and the machine was eventually taken offline (after waiting over two weeks). I reported it again this weekend when I noticed the IP was scanning against port 80 on my public server.

I've attempted to do some digging via Google but have found nothing solid, other than finding people's web stats highlighting this IP. This post's intention is to let people know that this IP has a history of being compromised.

Putting the IP into web-sniffer.net shows the following:

**I'll capture a screenshot when I can, as the Blogger console attempts to render the data as HTML**

That's not good. Using Links (a text-based browser that is good to use when you're afraid to visit a webpage with IE or Firefox), the .txt files appear to be IPs that are being harvested for further exploitation.

I'm thinking of reporting this IP to the US-CERT, since SANS isn't being proactive.