In the e-mail you received from "Botnet Tracker" on 29.10, which you also forwarded to us, the explanations are very clear; no vast knowledge is needed to understand what it is about. Chih-Cherng Chin sent you a short, clear and concise explanation. Moreover, he asked you to notify the "victims" so that they can clean up. He says it very clearly: "Please notify the victims (owners of those botnet computers) so that they can take appropriate action to clean their computers". But you probably do not understand English.
The "victim" in this case was us, your customers. Not only should you have notified us, it would have been natural for you to help us solve the problem. More than that, in consultation with us, you could have contributed through measures within your control: restricting access to Romanian IPs only, and closing all ports except the ones we use for the application we run.
Instead of that, without notifying us, you suspended our service without even telling us the reasons. Only on the fourth day after the suspension were we told that your "Legal department" (yes, you surely have one) is conducting an "investigation" because we were "carrying out fraudulent activities".
I am attaching the e-mail:
Hello,
This is a notification of unauthorized uses of systems or networks.
On October 29, 2021, a total of 1 IP addresses from your networks
probed my servers for TCP open ports. Due to their dubious behavior, they
are suspected to be compromised botnet computers.
The log of TCP port scans is included below for your reference
(time zone is UTC). To prevent this mail from getting too big in size,
at most 5 attempts from each attacker IP are included. Those connection
attempts have all passed TCP's 3-way handshake, so you can trust the source
IP addresses to be correct.
If you regularly collect IP traffic information of your network, you will see
the IPs listed connected to various TCP ports of my server at the time logged,
and I suspect that they also connected to TCP ports of many other IPs.
If a Linux system was at the attacker's IP, you might want to use the
command "netstat -ntp" to list its active network connections. If there
is still some suspicious connection, find out what PID/program/user ID they
belong to. You might find something to help you solve this problem.
Please notify the victims (owners of those botnet computers) so that they
can take appropriate action to clean their computers, before even
more severe incidents, like data leakage, DDoS, and the rumored NSA spying
through hijacked botnets, arise. This also helps prevent botnets from
taking up your network bandwidth.
Chih-Cherng Chin
Daily Botnet Statistics
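A triage helper for the netstat step the notice recommends, added here as an example (it is not part of the original post or of the notifier's mail): it reads `netstat -ntp` output and reports each PID/program holding connections to unusually many distinct remote ports, the port-probing pattern the notice describes. The sample netstat output, the addresses and the `.x` program name are constructed for the example.

```bash
#!/bin/sh
# Constructed sample of `netstat -ntp` output (not real data): one unknown
# process (PID 4120, ".x") reaching many ports on a single remote host,
# next to legitimate sshd and application connections.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:43122        198.51.100.7:22         ESTABLISHED 4120/.x
tcp        0      0 192.0.2.10:43130        198.51.100.7:80         ESTABLISHED 4120/.x
tcp        0      0 192.0.2.10:43144        198.51.100.7:443        ESTABLISHED 4120/.x
tcp        0      0 192.0.2.10:43150        198.51.100.7:8080       SYN_SENT    4120/.x
tcp        0      0 192.0.2.10:22           203.0.113.5:51234       ESTABLISHED 901/sshd: admin
tcp        0      0 192.0.2.10:8000         203.0.113.9:60001       ESTABLISHED 1200/python3'

# scan_summary THRESHOLD
# Reads netstat -ntp text on stdin. For every PID/program it counts the
# distinct remote ports it has connections to (any TCP state) and prints
# "PID/program count" for those at or above THRESHOLD. A process talking
# to many different ports on foreign hosts is the behaviour worth a closer
# look with ps, ls -l /proc/PID/exe and the owning user id.
scan_summary() {
  awk -v thr="$1" '
    $1 == "tcp" || $1 == "tcp6" {
      port = $5; sub(/.*:/, "", port)      # remote port from host:port
      prog = $7                            # PID/Program name column
      key = prog SUBSEP port
      if (!(key in seen)) { seen[key] = 1; ports[prog]++ }
    }
    END { for (p in ports) if (ports[p] >= thr) print p, ports[p] }
  '
}

# demo THRESHOLD: run the summary over the constructed sample.
demo() {
  printf '%s\n' "$SAMPLE" | scan_summary "$1"
}

demo 3
```

On a live host the same function is fed directly: `netstat -ntp | scan_summary 3` (run as root so the PID/Program column is populated for every socket).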