{"id":97,"date":"2006-08-18T13:46:42","date_gmt":"2006-08-18T13:46:42","guid":{"rendered":"http:\/\/blog.bananasplit.info\/?p=97"},"modified":"2006-08-18T13:54:09","modified_gmt":"2006-08-18T13:54:09","slug":"layeredtech-shut-me-down","status":"publish","type":"post","link":"https:\/\/blog.stmellion.org\/?p=97","title":{"rendered":"LayeredTech shut me down"},"content":{"rendered":"

It’s finally happened, LayeredTech<\/a> have disconnected my server. They did this because I failed to respond in 12 hours to an email they sent me at 2334 last night. Like I sit up all night waiting for LayeredTech<\/a> to contact me!<\/p>\n

Below is the content of the shutdown message:<\/p>\n

\nTo: <\/p>\n

Server ID:
\n Base IP: <\/p>\n

NOTE TO STAFF: DISCONNECT server for abuse issue.<\/p>\n

NOTE TO CLIENT: Unfortunately, you have not replied to this issue in the time given, so we are disconnecting this server at this time.<\/p>\n

Thank you for your cooperation,<\/p>\n

Layered Technologies Abuse Team\n<\/p><\/blockquote>\n

Ironic that they should thank me for my cooperation when I haven’t even had chance to do any cooperating. Anyway, the cause of this shutdown was the following 2334 LayeredTech<\/a> email.<\/p>\n

\nFrom: abuse@layeredtech.com
\n To: <\/p>\n

Subject: Policy Enforcement of SID6321 at 72.21.33.202 for Spam Web & Infection<\/p>\n

NOTES: Cease & Desist the posting of trojanized links from this server.<\/p>\n

NOTES: See the Exploit Removal Guide below my signature block.<\/p>\n

Dear Client,<\/p>\n

We regret that it has become necessary to issue this Policy Enforcement Notice for violation of our Acceptable Use Policy available at http:\/\/www.layeredtech.com\/aup.shtml based on complaints and\/or logs of abuse attached or included below. We will review the complaints and\/or logs again if you believe this is an error. However, it is your responsibility to investigate your server and reply promptly to avoid disconnection. You are required to remove all domains, sites, users, and\/or exploits causing this issue.<\/p>\n

Pending your reply with your comments, questions, or actions to resolve this issue, the server is:<\/p>\n

[] Monitored for Additional Violations
\n[] Accessed for Investigation, Cleaning, Hardening, or Securing
\n[x] Disconnected in: [] 24-Hours [x] 12-Hours [] 6-Hours [] 3-Hour [] 0-Hours
\n[] Required Reload Request with: [] New Client Required [] No Data Recovery [] Data Recovery Allowed
\n at http:\/\/support.layeredtech.com under “Open a Ticket”
\n[] Hard Drives Seized for Investigation
\n[] Null-Routed
\n[] Port Shutdown
\n[] On 30-Day Probation
\n[] Reviewed for Possible Cancellation
\n[] Cancelled<\/p>\n

For the following reasons:<\/p>\n

[] Child Porn C Hosting, Distributing, or Linking to Pornography Involving a Person Under Legal Age
\n[] Copyright L Hosting, Distributing, or Linking to Copyright Infringed Materials
\n[] Cracking H Brute Force Access of Secured Network Devices
\n[] DoS H Denial of Service Attack of Network Devices
\n[] Forgery M Faking an IP Address, Hostname, E-Mail Address, or Header
\n[] Fraud Site H Hosting or Linking to a Website Intended to Deceive the Public
\n[] Hacking H Circumventing Security Systems of Network Devices
\n[] HYIP Site M Hosting or Linking to a Website of High Yield Investment Program, Ponzi Scheme, or Pyramid Scheme
\n[] ID Theft H Hosting, Distributing, or Linking to Stolen Account Identification Information
\n[x] Infection M Hosting, Distributing, or Linking to Exploits, Trojans, Viruses, or Worms
\n[] IRC Malicious M Malicious Use of Internet Relay Chat
\n[] IRC Unregistered L Internet Relay Chat Server not Registerd with Layered Technologies
\n[] Phishing H Identity Theft by Email Under False Pretense
\n[] ROKSO Spamhaus C ROKSO Blacklisting of an IP at www.spamhaus.org for Malicious Activity
\n[] Scanning M Probing for Vulnerabilities of Network Devices
\n[] Shells H Hosting Accounts Primarily for Shell Access
\n[] Spam Cannon E Sending High Volume Spam (UCE or UBE)
\n[] Spam Email L Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE)
\n[] Spam List M Hosting, Distributing, or Linking to Email Address Lists for Spam
\n[] Spam Proxy C Hosting an Open Proxy Server Used for Spam
\n[] Spam Relay C Hosting an Open Mail Rely Used for Spam
\n[] Spam Hijack C Distributing Spam Through a Third Party Server Vulnerability
\n[] Spam Site L A Site Advertised by Spam Email or Spam Web
\n[] Spam Ware M Hosting, Distributing, or Linking to Software Designed for Spamming
\n[x] Spam Web L Unsolicited, Bulk, or Forged Site Advertisement in Web Logs, Forums, or Guestbooks
\n[] Terrorist Site C Hosting or Linking to a Site Advocating Terrorism
\n[] Tools L Hosting, Distributing, or Linking to Cracking, DoS, Forgery, Infection, or Scanning Software or Instruction
\n[] Trademark L Hosting, Distributing, or Linking to Trade Mark Infringed Materials
\n[] Wares L Hosting, Distributing, or Linking to Cracks, Hacks, KeyGens, Serials, or Pirated Software<\/p>\n

[] OTHER:<\/p>\n

Following is a table explaining the typical times allowed for a response from clients informing us of their active investigation into an abuse issue. These times are not a guarantee and may be reduced on a case-by-case basis depending on abuse history, number of current complaints, upstream provider requirements, and other factors:<\/p>\n

L = 24-Hour Low Issue
\nM = 12-Hour Medium Issue
\nH = 6-Hour High Issue
\nC = 3-Hour Critical Issue
\nE = 0-Hour Emergency Issue<\/p>\n

Thank you for your cooperation,<\/p>\n

Layered Technologies Abuse Team<\/p>\n

Date: Thu, 17 Aug 2006 15:28:24 -0500<\/p>\n

BlueCross BlueShield of South Carolina Network Security has identified a
\nuser associated with the IP address of 72.21.33.202, that has launched a
\nmalicious attack against one of our IP addresses, 208.60.144.5.<\/p>\n

The IP in question attempted to bring down our web server by repeatedly
\nrunning an executable located on the server.<\/p>\n

Sampling from webserver log:<\/p>\n

<><\/p>\n

72.21.33.202 – – [17\/Aug\/2006:09:22:22 -0400] “POST \/scripts\/trweb.exe
\nHTTP\/1.1” 200 1188 www3.bcbssc.com –<\/p>\n

72.21.33.202 – – [17\/Aug\/2006:09:22:22 -0400] “POST \/scripts\/trweb.exe
\nHTTP\/1.1” 200 1188 www3.bcbssc.com –<\/p>\n

72.21.33.202 – – [17\/Aug\/2006:09:22:22 -0400] “POST \/scripts\/trweb.exe
\nHTTP\/1.1” 200 1188 www3.bcbssc.com –<\/p>\n

72.21.33.202 – – [17\/Aug\/2006:09:22:22 -0400] “POST \/scripts\/trweb.exe
\nHTTP\/1.1” 200 1188 www3.bcbssc.com –<\/p>\n

72.21.33.202 – – [17\/Aug\/2006:09:22:22 -0400] “POST \/scripts\/trweb.exe
\nHTTP\/1.1” 200 1188 www3.bcbssc.com –<\/p>\n

72.21.33.202 – – [17\/Aug\/2006:09:22:22 -0400] “POST \/scripts\/trweb.exe
\nHTTP\/1.1” 500 305 www3.bcbssc.com –<\/p>\n

72.21.33.202 – – [17\/Aug\/2006:09:22:22 -0400] “POST \/scripts\/trweb.exe
\nHTTP\/1.1” 500 305 www3.bcbssc.com –<\/p>\n

72.21.33.202 – – [17\/Aug\/2006:09:22:22 -0400] “POST \/scripts\/trweb.exe
\nHTTP\/1.1” 500 305 www3.bcbssc.com –<\/p>\n

<<\/snip>><\/p>\n

If further information is required please contact:<\/p>\n

network.security@bcbssc.com<\/p>\n

Please respond to network.security@bcbssc.com as soon as possible.<\/p>\n

Thank you,<\/p>\n

Tom
\nLayered Technologies
\nPolicy Enforcement Technician\n<\/p><\/blockquote>\n

So my Tor server is being used to perform a DoS attack over HTTP on 208.60.144.5. Strange, that address in a range belonging to BellSouth.net Inc. and it doesn’t appear to have any web service running on it. To use a Tor server to conduct a DoS attack is ridiculous anyway, the performance of the network is such that Steve Murdoch’s attempts to DoS a 400MHz PII test webserver couldn’t even load it to 1%. My response to LayeredTech<\/a> was:<\/p>\n

\nDear LT,<\/p>\n

This is a bit harsh. Being located in the UK, you gave me notification
\nat 2335 last night. This hardly gives me much time to address your
\nprevious email. I’m sorry for not responding sooner but I don’t have
\n24×7 operations.<\/p>\n

In response to the complaint from the bluecross, I assume this “attack”
\nis the result of someone accessing their website through the Tor server
\nI operate on 72.21.33.202. The very nature of Tor makes it totally
\nunsuitable for any kind of DoS attack as the latency within the system
\nmakes it far too slow. I also heavily cap the bandwidth in order to
\nremain within my LT monthly quota. I can only assume that the script in
\nquestion on the bluecross website places an enourmous overhead on their
\nown system. To prevent a reoccurance of this instance I can block all
\noutgoing traffic to their domain. In your opinion, is this an
\nacceptable solution?<\/p>\n

Regards
\nSteve\n<\/p><\/blockquote>\n

I’m currently awaiting their response without much hope of them liking my solution. Previous dealings of this nature with LayeredTech<\/a> suggest they will percieve me as the guilty party and expect me to terminate the service. Whatever the outcome I’m now seriously worried that LayeredTech<\/a> are unsuitable for running services. They disconnected my server without any serious effort to contact me and without any kind of investigation into the cause of the problem. This being despite previous discussions at length with them regarding the nature of Tor. In addition to taking out Tor, the server in question ran mailing lists, secondary MX’s and DNS services, all of which are now down.<\/p>\n","protected":false},"excerpt":{"rendered":"

It’s finally happened, LayeredTech have disconnected my server. They did this because I failed to respond in 12 hours to an email they sent me at 2334 last night. Like I sit up all night waiting for LayeredTech to contact me! Below is the content of the shutdown message: To: Server ID: Base IP: NOTE… Continue reading LayeredTech shut me down<\/span><\/a><\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-97","post","type-post","status-publish","format-standard","hentry","category-layered-technologies","entry"],"_links":{"self":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/97","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=97"}],"version-history":[{"count":0,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/97\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}