Message-ID:

BOFH excuse #13: we're waiting for [the phone company] to fix that line

rocksolid / Rocksolid Nodes Help / Re: Identifying Attempt to create: lines

Subject: Identifying Attempt to create: lines
From: Marco Moock
Newsgroups: rocksolid.nodes.help
Organization: A noiseless patient Spider
Date: Thu, 15 Aug 2024 15:00 UTC

Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: mm+usenet-es@dorfdsl.de (Marco Moock)
Newsgroups: rocksolid.nodes.help
Subject: Identifying Attempt to create: lines
Date: Thu, 15 Aug 2024 17:00:34 +0200
Organization: A noiseless patient Spider
Lines: 20
Message-ID: <v9l56j$vgci$2@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 15 Aug 2024 17:00:35 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="41eaeb7c2593da61fea6503c303913de";
logging-data="1032594"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/3A9Wlyy+6Slr+3mAlhXje"
Cancel-Lock: sha1:kx6VAHMpdNaaJO5GNZyWCQeytAk=

View all headers

Hello!

What is a good way to identify the source of the Attempt to create:
lines in debug log?

I would like to identify the apache log strings to check if a f2b rule
is possible.

rocksolid Attempt to create:
/var/spool/rslight//de.admin.net-abuse.news
Fehlverhalten-data.db3 for: de.admin.net-abuse.news Fehlverhalt

This looks either like intended to destroy something or a bug.

--
kind regards
Marco

Send spam to 1723733944muell@cartoonies.org

Subject: Re: Identifying Attempt to create: lines
From: Retro Guy
Newsgroups: rocksolid.nodes.help
Organization: Rocksolid Light
Date: Thu, 15 Aug 2024 15:50 UTC
References: 1

View all headers

On Thu, 15 Aug 2024 17:00:34 +0200, Marco Moock wrote:

> Hello!
>
> What is a good way to identify the source of the Attempt to create:
> lines in debug log?
>
> I would like to identify the apache log strings to check if a f2b rule
> is possible.
>
> rocksolid Attempt to create:
> /var/spool/rslight//de.admin.net-abuse.news
> Fehlverhalten-data.db3 for: de.admin.net-abuse.news Fehlverhalt
>
> This looks either like intended to destroy something or a bug.

This was added to debug log to help me find causes (gaps in checking) of
malicious activity. Meaning people trying SQL injections, which are obvious
when you see them in the name of the file it tries to create.

If it's a real group name, it's most likely simply that this group is in
the Newsgroups header of a valid message, but you don't have the group that
it tries to create. This is not malicious, so not a good idea to block.

So, if the message header contains:
'Newsgroups: some.group,another.group'

and you have 'some.group', the message is accepted, but it can't also write
it to the article.db3 for 'another.group' because you don't have that
group. Not an error, just a notice.

You would need to ALSO check for obvious SQL statements in the line in
debug.log before adding a blocking rule to fail2ban.

If we eventually find zero attempts at SQL injection in the debug.log, that
means we are fully filtering these attmpts. If that proves to be true, I'll
remove the notices from debug.log.

I hope that makes sense :)

Subject: Re: Identifying Attempt to create: lines
From: Marco Moock
Newsgroups: rocksolid.nodes.help
Organization: A noiseless patient Spider
Date: Thu, 15 Aug 2024 18:15 UTC
References: 1 2

Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: mm+usenet-es@dorfdsl.de (Marco Moock)
Newsgroups: rocksolid.nodes.help
Subject: Re: Identifying Attempt to create: lines
Date: Thu, 15 Aug 2024 20:15:49 +0200
Organization: A noiseless patient Spider
Lines: 17
Message-ID: <v9lgkl$11kl7$1@dont-email.me>
References: <v9l56j$vgci$2@dont-email.me>
<9db316ad36ada0e0458fdc9f782b4e2d$1@novabbs.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 15 Aug 2024 20:15:50 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="7122fa20ffe10f011376961459f44262";
logging-data="1102503"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1839wBcdYP7xVQnEE4XvAm9"
Cancel-Lock: sha1:uuf+1NVRs4WNAeWlbYCom0AJ5r8=

View all headers

On 15.08.2024 um 08:50 Uhr Retro Guy wrote:

> You would need to ALSO check for obvious SQL statements in the line
> in debug.log before adding a blocking rule to fail2ban.

How can I identify the IP of that?
This would help me to find the lines in access apache log.

I would like to find out which action causes that, so I can find the
abusers and block them.

--
kind regards
Marco

Send spam to 1723704656muell@cartoonies.org

Subject: Re: Identifying Attempt to create: lines
From: Retro Guy
Newsgroups: rocksolid.nodes.help
Organization: Rocksolid Light
Date: Thu, 15 Aug 2024 18:47 UTC
References: 1 2 3

Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!i2pn.org!i2pn2.org!.POSTED!not-for-mail
From: retroguy@novabbs.com (Retro Guy)
Newsgroups: rocksolid.nodes.help
Subject: Re: Identifying Attempt to create: lines
Date: Thu, 15 Aug 2024 18:47:21 +0000
Organization: Rocksolid Light
Message-ID: <9a40aec4afc0bbd31355805f971b7be5@www.novabbs.org>
References: <v9l56j$vgci$2@dont-email.me> <9db316ad36ada0e0458fdc9f782b4e2d$1@novabbs.org> <v9lgkl$11kl7$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org;
logging-data="2694524"; mail-complaints-to="usenet@i2pn2.org";
posting-account="gg+dDWHMzVrdxGO9Gmt8aqyeWDXqlxfqiuS0jX/WMXY";
User-Agent: Rocksolid Light
X-Face: .&YR-G(w(DZ$$,}%k=]*5*!p'=(anr"IT`wZG'2VWdfl\r)l[42u7JH`n(JUQ*e5*A|XCDf
?&\X&uwkl38"CYX3O8m}C8E4p'%N$2#kSTVzx{Ly|DjLT\Vk7NE}NQ(VC$Yq]i:7|z[.9iv^g>*8_B
H0=hZt'[%)4kG|
X-Rslight-Site: $2y$10$3Pc3ksgnWP.EubKHMW3V..D3u6OE0fWwzIaTAAC7gQ716uroxoPC2
X-Rslight-Posting-User: a93aefeeff923def71455caae2dbfb277a59e046
X-Spam-Checker-Version: SpamAssassin 4.0.0

View all headers

On Thu, 15 Aug 2024 18:15:49 +0000, Marco Moock wrote:

> On 15.08.2024 um 08:50 Uhr Retro Guy wrote:
>
>> You would need to ALSO check for obvious SQL statements in the line
>> in debug.log before adding a blocking rule to fail2ban.
>
> How can I identify the IP of that?
> This would help me to find the lines in access apache log.
>
> I would like to find out which action causes that, so I can find the
> abusers and block them.

You should be able to see them entirely in the apache log. A filter
would need to look for SQL commands. My comment above is incorrect, you
do not need to ALSO check the rslight log. Don't know what I was
thinking.

So, a f2b filter regex that looks for common SQL commands should do it.
You don't need to bother with the rslight log for that.

--
Retro Guy

Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: mm+usenet-es@dorfdsl.de (Marco Moock)
Newsgroups: rocksolid.nodes.help
Subject: Re: Identifying Attempt to create: lines
Date: Fri, 16 Aug 2024 15:34:45 +0200
Organization: A noiseless patient Spider
Lines: 33
Message-ID: <v9nkhm$1eo2c$2@dont-email.me>
References: <v9l56j$vgci$2@dont-email.me>
<9db316ad36ada0e0458fdc9f782b4e2d$1@novabbs.org>
<v9lgkl$11kl7$1@dont-email.me>
<9a40aec4afc0bbd31355805f971b7be5@www.novabbs.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 16 Aug 2024 15:34:46 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="5c3f4fa4ba7a3c78d04e83115955cab6";
logging-data="1531980"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX186doDJMAnyHisEngZzlJQY"
Cancel-Lock: sha1:gwuhND+zsUhPabWpWXe8Keul1ms=

View all headers

On 15.08.2024 um 18:47 Uhr Retro Guy wrote:

> On Thu, 15 Aug 2024 18:15:49 +0000, Marco Moock wrote:
>
> > On 15.08.2024 um 08:50 Uhr Retro Guy wrote:
> >
> >> You would need to ALSO check for obvious SQL statements in the line
> >> in debug.log before adding a blocking rule to fail2ban.
> >
> > How can I identify the IP of that?
> > This would help me to find the lines in access apache log.
> >
> > I would like to find out which action causes that, so I can find the
> > abusers and block them.
>
> You should be able to see them entirely in the apache log. A filter
> would need to look for SQL commands. My comment above is incorrect,
> you do not need to ALSO check the rslight log. Don't know what I was
> thinking.
>
> So, a f2b filter regex that looks for common SQL commands should do
> it. You don't need to bother with the rslight log for that.

I tried to find it, I can't find it.
I've grepped for various terms, I can't find something problematic.

--
kind regards
Marco

Send spam to 1723740441muell@cartoonies.org

Subject: Re: Identifying Attempt to create: lines
From: Retro Guy
Newsgroups: rocksolid.nodes.help
Organization: Rocksolid Light
Date: Fri, 16 Aug 2024 13:59 UTC
References: 1 2 3 4 5

Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!i2pn.org!i2pn2.org!.POSTED!not-for-mail
From: retroguy@novabbs.com (Retro Guy)
Newsgroups: rocksolid.nodes.help
Subject: Re: Identifying Attempt to create: lines
Date: Fri, 16 Aug 2024 13:59:13 +0000
Organization: Rocksolid Light
Message-ID: <6cc896abdc8e6d2978d31e6156f01fa7@www.novabbs.org>
References: <v9l56j$vgci$2@dont-email.me> <9db316ad36ada0e0458fdc9f782b4e2d$1@novabbs.org> <v9lgkl$11kl7$1@dont-email.me> <9a40aec4afc0bbd31355805f971b7be5@www.novabbs.org> <v9nkhm$1eo2c$2@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org;
logging-data="2784098"; mail-complaints-to="usenet@i2pn2.org";
posting-account="gg+dDWHMzVrdxGO9Gmt8aqyeWDXqlxfqiuS0jX/WMXY";
User-Agent: Rocksolid Light
X-Spam-Checker-Version: SpamAssassin 4.0.0
X-Rslight-Site: $2y$10$inn7ujFg60sUIyMkzogi4.VNNsNXBG4s1vRfiPC9GHIU.Z7RPPOee
X-Rslight-Posting-User: a93aefeeff923def71455caae2dbfb277a59e046
X-Face: .&YR-G(w(DZ$$,}%k=]*5*!p'=(anr"IT`wZG'2VWdfl\r)l[42u7JH`n(JUQ*e5*A|XCDf
?&\X&uwkl38"CYX3O8m}C8E4p'%N$2#kSTVzx{Ly|DjLT\Vk7NE}NQ(VC$Yq]i:7|z[.9iv^g>*8_B
H0=hZt'[%)4kG|

View all headers

On Fri, 16 Aug 2024 13:34:45 +0000, Marco Moock wrote:

> On 15.08.2024 um 18:47 Uhr Retro Guy wrote:
>
>> On Thu, 15 Aug 2024 18:15:49 +0000, Marco Moock wrote:
>>
>>> On 15.08.2024 um 08:50 Uhr Retro Guy wrote:
>>>
>>>> You would need to ALSO check for obvious SQL statements in the line
>>>> in debug.log before adding a blocking rule to fail2ban.
>>>
>>> How can I identify the IP of that?
>>> This would help me to find the lines in access apache log.
>>>
>>> I would like to find out which action causes that, so I can find the
>>> abusers and block them.
>>
>> You should be able to see them entirely in the apache log. A filter
>> would need to look for SQL commands. My comment above is incorrect,
>> you do not need to ALSO check the rslight log. Don't know what I was
>> thinking.
>>
>> So, a f2b filter regex that looks for common SQL commands should do
>> it. You don't need to bother with the rslight log for that.
>
> I tried to find it, I can't find it.
> I've grepped for various terms, I can't find something problematic.
>

Maybe there is nothing problematic.

I'm not sure of the name of apache access log so using access.log as an
example. Maybe just try to grep a few things:

grep -E "AND" access.log

Use a SQL command in the quotes, and use upper case.

I find stuff like:
208.131.130.90 - - [16/Aug/2024:05:34:35 +0000] "GET
/computers/article-flat.php?group=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)),&id=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)),&first=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)),&last=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)),
HTTP/1.1" 404 1889 "-" "-"

--
Retro Guy

Subject	Author
Identifying Attempt to create: lines	Marco Moock
Re: Identifying Attempt to create: lines	Retro Guy
Re: Identifying Attempt to create: lines	Marco Moock
Re: Identifying Attempt to create: lines	Retro Guy
Re: Identifying Attempt to create: lines	Marco Moock
Re: Identifying Attempt to create: lines	Retro Guy