Ru.Board Computer Forum » Internet » Hosting » Help me understand an abuse report

ablogin

Newbie
Hello. I was sent an abuse report about my site. Please help me understand what the complaint is about.
The only file I see is: m_o_u_s_e_2_._e_x_e
But surely a message like this can't be because of that one file alone.
-----------------------------------------------------------------------------------
 
 
Abuse Message [AbuseID:090DA0:17]: AbuseNormal:
[clean-mx-viruses-2476772](46.4.71.21)-->(abuse@hetzner.de) viruses sites (1 so far) within your network, please close them! status: As of
2012-10-27 18:16:14 CEST
 
 
----- attachment -----
 
 Return-path: <abuse@clean-mx.de>
 Envelope-to: abuse@hetzner.de
 Delivery-date: Sat, 27 Oct 2012 18:17:44 +0200
 Received: from [62.67.240.20] (helo=relayn.net4sec.com)
 by lms.your-server.de with esmtps (TLSv1:AES256-SHA:256)
 (Exim 4.74)
 (envelope-from <abuse@clean-mx.de>)
 id 1TS94u-00080o-6H
 for abuse@hetzner.de; Sat, 27 Oct 2012 18:17:44 +0200
 Received: from relayn.net4sec.com (localhost [127.0.0.1])
 by relayn.net4sec.com (Postfix) with ESMTP id 7B7841EB80AC
 for <abuse@hetzner.de>; Sat, 27 Oct 2012 18:17:31 +0200
(CEST)
 Received: from dbserv.netpilot.net (unknown [195.214.79.22])
 by localhost (Postfix) with ESMTP id 592371EB80BE
 for <abuse@hetzner.de>; Sat, 27 Oct 2012 16:17:31 +0000 (UTC)
 From: abuse@clean-mx.de
 to: abuse@hetzner.de
 Subject: [clean-mx-viruses-2476772](*.*.*.*)-->(abuse@hetzner.de)
viruses sites (1 so far) within your network, please close them!  
status: As of 2012-10-27 18:16:14 CEST
 cc: certbund@bsi.bund.de
 Precedence: bulk
 Auto-Submitted: auto-generated
 MIME-Version: 1.0
 X-Mailer: clean mx secure mailer
 X-Virus-Scanned: by netpilot GmbH at clean-mx.de
 Message-Id: <20121027.1351354574@dbserv.netpilot.net>
 Date: Sat, 27 Oct 2012 18:16:14 +0200
 content-Type: multipart/signed;
boundary="----------=_1351354651-22721-7132"; micalg="pgp-sha1"; protocol="application/pgp-signature"
 X-Virus-Scanned: Clear (ClamAV 0.97.5/15513/Sat Oct 27 02:50:49 2012)
 X-Spam-Score: 0.6 (/)
 Delivered-To: he1-abuse@hetzner.de
 
 This is a multi-part message in MIME format.
 It has been signed conforming to RFC3156.
 Produced by clean-mx transparent crypt gateway.
 Version: 2.01.0619 http://www.clean-mx.de You need GPG to check the signature.
 
 ------------=_1351354651-22721-7132
 Content-type: multipart/mixed; boundary="----=_NextPart"
 
 This is a multi-part message in MIME format.
 
 ------=_NextPart
 Content-Type: text/plain; charset="iso-8859-1"
 
 Dear abuse team,
 
 please help to close these offending viruses sites(1) so far.
 
 status: As of 2012-10-27 18:16:14 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@hetzner.de&response=alive
 
 (for full uri, please scroll to the right end ...
 
 
 We detected many active cases dated back to 2007, so please look at the date column below.
 You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch
 
 This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's
 
 most likely also affected pages for these ip may be found via passive dns please have a look on these other domains correlated to these ip
 example: see http://www.bfk.de/bfk_dnslogger.html?query=*.*.*.*
 
 If your review this list of offending site, please do this carefully, pay attention for redirects also!
 Also, please consider this particular machines may have a root kit installed !
 So simply deleting some files or dirs or disabling cgi may not really solve the issue !
 
 Advice: The appearance of a Virus Site on a server means that someone intruded into the system. The server's owner should disconnect and not return the system into service until an audit is performed to ensure no data was lost, that all OS and internet software is up to date with the latest security fixes, and that any backdoors and other exploits left by the intruders are closed. Logs should be preserved and analyzed and, perhaps, the appropriate law enforcement agencies notified.
 
 DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY PROBLEM, THEY WILL BE BACK!
 
 You may forward my information to law enforcement, CERTs, other responsible admins, or similar agencies.
 
 +-----------------------------------------------------------------------------------------------
 
 We denote domains and url in this fancy way, because your spamfilter will not pass this !
 If you lower your filter drop us a note to reset this attribute for your email contact!
 
 
 |date |id |virusname |ip  
 |domain |Url|
 +-----------------------------------------------------------------------------------------------
 |2012-10-27 12:29:59 CEST |2476772 |TR/Rogue.kdv.665369  
 |46.4.71.21 |_b_a_t_n_i_k_._c_o_m  
|_h_t_t_p_:_/_/_b_a_t_n_i_k_._c_o_m_/_k_a_c_h_/_m_o_u_s_e_2_._e_x_e
 +-----------------------------------------------------------------------------------------------
 
 
 Your email address has been pulled out of whois concerning this offending network block(s).
 If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...
 
 
 If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case
 
 explanation of virusnames:
 ==========================
 unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
 unknown_html_RFI_perl  not yet detected by scanners as RFI, but pure perl code for injection
 unknown_html_RFI_eval  not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
 unknown_html_RFI       not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
 unknown_html           not yet detected by scanners as RFI, but suspious, may be in rare case false positive
 unknown_exe            not yet detected by scanners as malware, but high risk!
 all other names        malwarename detected by scanners
 ==========================
 
 
 yours
 
 Gerhard W. Recher
 (Geschäftsführer)
 
 NETpilot GmbH
 
 Wilhelm-Riehl-Str. 13
 D-80687 München
 
 GSM: ++49 171 4802507
 
 Handelsregister München: HRB 124497
 
 w3: http://www.clean-mx.de
 e-Mail: mailto:abuse@clean-mx.de
 PGP-KEY: Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id:
0xDD0CE552
 Location:
http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc
 ------=_NextPart--
 
 ------------=_1351354651-22721-7132
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Disposition: inline; filename="signature.asc"
 Content-Transfer-Encoding: 7bit
 Content-Description: Digital Signature
 
 
 ------------=_1351354651-22721-7132--
 

Total posts: 1 | Registered: 31-10-2012 | Posted: 16:04 31-10-2012
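
An added example, not part of the original post or of clean-mx's tooling: a Python parser for the table in the report quoted above. It joins a row that is wrapped over several lines, undoes the `_c_h_a_r` notation the report uses to get past spam filters, and returns the server path the complaint points at. The function and field names are this example's own; the sample row is copied from the quoted report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the table from the report quoted above, with the single
# data row wrapped over three lines.
SAMPLE_REPORT = """\
 |date |id |virusname |ip
 |domain |Url|
 +-----------------------------------------------
 |2012-10-27 12:29:59 CEST |2476772 |TR/Rogue.kdv.665369
 |46.4.71.21 |_b_a_t_n_i_k_._c_o_m
|_h_t_t_p_:_/_/_b_a_t_n_i_k_._c_o_m_/_k_a_c_h_/_m_o_u_s_e_2_._e_x_e
 +-----------------------------------------------
"""

FIELDS = ("date", "id", "virusname", "ip", "domain", "url")
ROW_START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def deobfuscate(value):
    """Undo the '_c_h_a_r' notation: every character is prefixed with '_'."""
    if re.fullmatch(r"(?:_.)+", value):
        return value[1::2]
    return value  # already plain


def parse_report(text):
    """Return one dict per table row; a row may span several lines."""
    records, block = [], []
    for line in text.splitlines() + ["+"]:  # sentinel flushes the last block
        line = line.strip()
        if not line.startswith("+"):
            block.append(line)
            continue
        # A '+---' rule closes the block: join its lines and split into cells.
        cells = [c.strip() for c in "".join(block).strip("|").split("|", 5)]
        block = []
        if len(cells) == 6 and ROW_START.match(cells[0]):
            rec = dict(zip(FIELDS, cells))
            rec["domain"] = deobfuscate(rec["domain"])
            rec["url"] = deobfuscate(rec["url"])
            # Path component = the file to look for under the site's docroot.
            rec["path"] = urlsplit(rec["url"]).path
            records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(r["date"], r["id"], r["virusname"], r["ip"], r["domain"], r["path"])
```

The whole message body can be passed in as well: only blocks whose first cell is a timestamp are kept, so the header row and the surrounding text are skipped.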