Hello everybody,
we currently have the following issue: one of the mirrors which is behind http://centos.mirrors.as250.net has the hostname set to the EICAR AntiVirus test string, and now every connection from our network to these mirrors triggers alerts.
Is there any way to identify the person(s) responsible for the operation of the mirror and ask them if they could change this?
Best Regards, Tobias
Tobias Hahn
IT-Security Expert GIAC certified Incident Handler (GCIH) & Forensic Analyst (GCFA)
Deutsche Lufthansa AG Computer Emergency Response Team, FRA GIXSC Airportring, Lufthansa Aviation Center (LAC) D-60549 Frankfurt am Main
Mobile: +49 151 589 22792 Email: tobias.hahn@dlh.de Internet: http://www.lufthansagroup.com
SMIME-Certificate available at https://lh.securemail.lhsystems.com/certportal/ Lufthansa Root-CA available at https://www.lufthansagroup.com/de/ext/public-key-infrastructure.html
Sitz der Gesellschaft / Corporate Headquarters: Deutsche Lufthansa Aktiengesellschaft, Koeln, Registereintragung / Registration: Amtsgericht Koeln HR B 2168 Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Dr. Karl-Ludwig Kley Vorstand / Executive Board: Carsten Spohr (Vorsitzender / Chairman), Christina Foerster, Harry Hohmeister, Dr. Detlef Kayser, Dr. Michael Niggemann, Remco Steenbergen
Hello Tobias,
as far as I know the mail of the responsible admin should be cdnops at as250.net!
That was the mail used to register the mirror back in 2014 and it was given as contact mail. https://lists.centos.org/pipermail/centos-mirror/2014-August/008106.html
Greetings from Mannheim to Frankfurt Lukas/Alpix
On Sat, 24 July 2021 at 10:13, HAHN, TOBIAS <tobias.hahn@dlh.de> wrote:
Hello everybody,
we currently have the following issue: one of the mirrors which is behind http://centos.mirrors.as250.net has the hostname set to the EICAR AntiVirus test string, and now every connection from our network to these mirrors triggers alerts.
Is there any way to identify the person(s) responsible for the operation of the mirror and ask them if they could change this?
Best Regards,
Tobias
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
Hey Alpix,
thanks for the quick reply. I was able to quickly reach the responsible admin using the address you provided, although his replies came from noc@as250.net. His feedback to this issue: the EICAR string is transmitted on purpose, there are no plans to change this. I will check internally how we can handle this issue (either adjust detection or switch to another mirror).
Thanks & best Regards, Tobias
From: CentOS-mirror centos-mirror-bounces@centos.org On behalf of Alpix
Sent: Saturday, 24 July 2021 12:25
To: Mailing list for CentOS mirrors. centos-mirror@centos.org
Subject: Re: [CentOS-mirror] Mirror server with EICAR test string as hostname
Hello Tobias,
as far as I know the mail of the responsible admin should be cdnops at as250.net!
That was the mail used to register the mirror back in 2014 and it was given as contact mail. https://lists.centos.org/pipermail/centos-mirror/2014-August/008106.html
Greetings from Mannheim to Frankfurt Lukas/Alpix
Hey Tobias,
no problem!
Why do they send the EICAR string???
Greetings Lukas
On Mon, 2 Aug 2021 at 10:09, HAHN, TOBIAS <tobias.hahn@dlh.de> wrote:
Hey Alpix,
thanks for the quick reply. I was able to quickly reach the responsible admin using the address you provided, although his replies came from noc@as250.net. His feedback to this issue: the EICAR string is transmitted on purpose, there are no plans to change this. I will check internally how we can handle this issue (either adjust detection or switch to another mirror).
Thanks & best Regards,
Tobias
On 30/07/2021 11:25, HAHN, TOBIAS wrote:
Hey Alpix,
thanks for the quick reply. I was able to quickly reach the responsible admin using the address you provided, although his replies came from noc@as250.net. His feedback to this issue: the EICAR string is transmitted on purpose, there are no plans to change this. I will check internally how we can handle this issue (either adjust detection or switch to another mirror).
Thanks & best Regards,
Tobias
Hi Tobias,
Thanks a lot for the initial report and follow-up with the mirror admin. I've disabled it from mirrors so shouldn't appear in yum/dnf lists in the next hour.
I'll also send mail to them to explain the reason why (but they should be subscribed to this list but apparently not reacting to initial email you sent here)
Kind Regards,