Quote:
|
Today one of my server got into regBOT Attack
|
What evidence lead you to this conclusion? What information is contained in your logs? Have you found the source of the 'problem'? Was your server actually involved?
Quote:
http://www.blocklist.de menu when i entered my ipaddress .i got the below status:
Service: regBot
Last attack: 25.04.2012 05:11:19 (on saturn)
Attacks count: 15 (only this month) / 26 (all time)
Reports: 26
Status: blocked
|
Ok, so you have wound up on a block list.
Looking at the site you list:
Quote:
regbot:
Are IP addresses, which are automated (robot holding) register with some honeypot forums.
On the pages is written in h2 that all registrations and postings are reported. Most IP addresses are also http://stopforumspam.com listed and will be passed on to SFS.
|
Which will refer you to another site (here is their FAQ):
http://stopforumspam.com/faq
This says that your machine is being accused of sending forum spam. If you, or one of your users using this IP address is not, then you need to investigate whether or not your machine has been compromised in a manner that explains this. Even if it has not, the evidence gathered will be usefull in explaining your case for getting de-listed. Given the nature of the problem, I would suggest that you make a very thorough investigation of your web document files, your /tmp and your /dev directories, etc and look for hidden files as someone may have planted something or is using content of your site in a xss manner.
The
Cert Intruder Detection Checklist provides details on commands to run to help find these types of files.
I would also look at your process output and cront tabs carefully to see if there are any rogue processes running on your system. This command will produce an output file that can assist with that:
Code:
( /bin/ps acxfwwwe 2>&1; /usr/sbin/lsof -Pwln 2>&1; /bin/netstat -anpe 2>&1; /usr/bin/lastlog 2>&1; /usr/bin/last 2>&1; /usr/bin/who -a 2>&1 ) > /tmp/log.txt
