Topic: Hack Attempts
Lulu
ice behaving badly
right here 2553 posts, Dec 2000
posted 07-19-2001 01:12 PM
I thought I would start a thread of the more interesting hack attempts on my computer for anyone that's interested. Here's one I got ten minutes ago...

The firewall has blocked Internet access to your computer (HTTP) from 198.116.95.73 (TCP Port 3027) [TCP Flags: S]. Time: 7/19/2001 11:04:02 AM

NASA Ames Research Center (NETBLK-NETBLK-NSI198)
NASA Ames Research Center, MS 233-8, Moffett Field, CA 95014, US
Netname: NETBLK-NSI
Netblock: 198.116.0.0 - 198.123.255.255
Maintainer: NASA
Coordinator: National Aeronautics and Space Administration (ZN7-ARIN) dns.support@nasa.gov (256)544-5623
Domain System inverse mapping provided by: NASANS1.NASA.GOV 192.77.84.32, MX.NSI.NASA.GOV 128.102.18.31, NS.ARC.NASA.GOV 128.102.16.2
Record last updated on 19-Nov-1999. Database last updated on 18-Jul-2001 23:02:56 EDT.
[Edited 1 times, lastly by Lulu on 07-19-2001]

Thermit
Tech

Houston, TX 2733 posts, Jul 2000
posted 07-19-2001 02:01 PM
Lulu, were you on a NASA site at the time, or even recently? Just curious...
Lulu
ice behaving badly
right here 2553 posts, Dec 2000
posted 07-19-2001 02:14 PM
No, Thermit. I was minding my business, just checking my e-mails. Haven't been to any sites today except doing trace backs and here.
RidesTheWind
visionary

The Void 1359 posts, Feb 2001
posted 07-19-2001 02:24 PM
You're a hot commodity there, Lu... Let's keep this thread going, as it is of interest to see who of us gets hits from our special visitors. It should be public knowledge, so perhaps a few asleep people will awaken and see what lengths they go to. Right on, Lu!
Lulu
ice behaving badly
right here 2553 posts, Dec 2000
posted 07-19-2001 06:35 PM
Slowly the cyber thugs will pay the piper. All is not in vain. Some of my e-mail complaint replies...

quote: It was noticed that 6 machines on this netblock were infected with the CodeRed worm. The client has applied the necessary patches and the scanning has stopped. We thank you for the notification. -- Chris Baker, GCIA, Network Security Administrator, Computer Incident Response Management Team
>> Please investigate this incident of Internet abuse and take appropriate action. Thank you.
The firewall has blocked Internet access to your computer (HTTP) from 209.16.54.97 (TCP Port 3775) [TCP Flags: S]. Time: 7/19/2001 12:46:08 PM
Alarm Log Data ~
FWIN,2001/07/19,12:46:09 -7:00 GMT,209.16.54.97:3775,24.77.199.97:80,TCP (flags:S)
Insync Internet Services (NETBLK-INSYNC-2BLK) 5555 San Felipe, Suite 700 Houston, TX 77056 US
Netname: INSYNC-2BLK Netblock: 209.16.0.0 - 209.16.63.255 Maintainer: SYNC Coordinator: Network Administrator (NA102-ORG-ARIN) network@INSYNC.NET 713-407-7000 Fax- 713-407-7070 Domain System inverse mapping provided by: NS1.INSYNC.NET 209.113.65.2

quote: Dear Sir or Madam; I would like to thank you for warning us about the illegal actions of our customer. We will take action about the problem on our side. Please don't hesitate to let us know if it repeats. Sincerely,
-----Original Message----- From: ***** **** [mailto:ter5555@home.com] Sent: Wednesday, July 11, 2001 9:15 PM To: Rahşan Alaç (Security and Project Officer - VESTELNET) Subject: Port Probe from RIPE
Please investigate this incident of Internet abuse and take appropriate action. Thank you.
The firewall has blocked Internet access to your computer (TCP Port 1243) from 212.29.91.198 (TCP Port 2919) [TCP Flags: S]. Time: 7/11/2001 10:59:44 AM
Data from alarm log ~
FWIN,2001/07/11,10:59:44 -7:00 GMT,212.29.91.198:2919,24.77.199.97:1243,TCP (flags:S)
inetnum: 212.29.91.0 - 212.29.106.255 netname: VESTELNET descr: Internet Service Provider country: TR admin-c: CS902-RIPE tech-c: RA1833-RIPE status: ASSIGNED PA mnt-by: RIPE-NCC-NONE-MNT changed: rahsan.alac@vestelnet.com 20010111 source: RIPE
route: 212.29.64.0/18 descr: TR-VESTELNET origin: AS8927 mnt-by: SRYK-VESTELNET-MNT changed: rahsan.alac@vestelnet.com 19990917 source: RIPE
person: Cem Soysal address: Vestelnet A.S. address: Maya Akar Center Buyukdere C. address: No:100/102 K:19 D:75 address: 80280 Esentepe- ISTANBUL- TURKEY phone: +90 212 216 7600 fax-no: +90 212 216 7600 nic-hdl: CS902-RIPE changed: rahsan.alac@vestelnet.com 20001206 source: RIPE
person: Rahsan Alac address: Maya Akar Center Buyukdere Cad, 100/102 phone: +90 212 2167600 fax-no: +90 212 2167666 e-mail: rahsan.alac@vestelnet.com nic-hdl: RA1833-RIPE notify: rahsan.alac@vestelnet.com changed: rahsan.alac@vestelnet.com 19990922 source: RIPE

quote: We will forward your complaint to our customer and remind him of the fact that our terms and conditions forbid all kinds of malicious activity. We will also ask for an explanation of the traffic shown below. Please let us know if you detect any other suspicious behaviour. Regards, Marnix de Lange, Novaxess Customer Service Center
----- Forwarded message from ***** **** -----
> From: "***** ****" > To: > Cc: > Subject: Port Scan from 213.201.131.233 RIPE.NET > Date: Tue, 17 Jul 2001 15:48:32 -0700 > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 5.00.2919.6700 > X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> Please investigate this internet abuse. Thank you.
> Alarm Log Data ~
> FWIN,2001/07/17,15:35:03 -7:00 GMT,213.201.131.233:1111,24.77.199.97:111,TCP (flags:S)
> Reverse DNS Lookup of 213.201.131.233. The computer name ("domain name") identified for this IP address is:
> netname: NOVAXESS-Interplein-1 descr: NovaXess customer network for Interplein country: NL admin-c: CH10056-RIPE tech-c: NOV2-RIPE status: ASSIGNED PA mnt-by: AS15569-MNT changed: Yasar.ertur@NovaXess.NET 20010622 source: RIPE
> role: Novaxess Operations address: Novaxess B.V. address: Joop Geesinkweg 222, Amsterdam address: the Netherlands phone: +31 20 798 98 98 e-mail: netadmin@noc.novaxess.net admin-c: TP226-RIPE tech-c: YE70-RIPE tech-c: TP226-RIPE nic-hdl: NOV2-RIPE
> person: Chris Hermans address: Steenovenweg 3 address: 5708 HN Helmond address: The Netherlands phone: +31 492 502452 fax-no: +31 492 502459 e-mail: chermans@interplein.nl nic-hdl: CH10056-RIPE mnt-by: AS15569-MNT changed: Yasar.ertur@NovaXess.NET 20010622
----- End forwarded message -----
Hostmaster of the day, Novaxess B.V. Amsterdam
>> I have had contact with the customer responsible for the server where these packets originated. The customer explained one of their machines had been hacked. They were unable to login to the server themselves. The customer has taken his machine offline and will not bring it back online before it is completely rebuilt. Regards, Marnix de Lange, Novaxess CSC

quote: Dear ***** ****: Thank you for your email. We have taken appropriate action with this subscriber under the terms and conditions of our End User agreement. Rogers@Home strictly enforces abuses against their End User Agreement and customers who abuse the network risk having their service terminated. Should you encounter any further Internet Abuse originating within the Rogers@Home network, please do not hesitate to contact us again at abuse@rogers.home.net. Sincerely, Rogers@Home Network Security Department http://rogers.home.com/help/content/news/internet_security/
-----Original Message----- Date: 17-Jul-2001 22:49:28 From: ***** **** ter5555@home.com Subject: Port scan from 24.156.232.171 Rogers@Home
Please investigate this attempted port scan. Thank you.
Alarm Log Data ~
FWIN,2001/07/17,19:33:18 -7:00 GMT,24.156.232.171:3464,24.77.199.97:27374,TCP (flags:S)
Reverse DNS Lookup of 24.156.232.171. The computer name ("domain name") identified for this IP address is: cr766646-a.lndn1.on.wave.home.com
Rogers@Home (NETBLK-ROGERS-6-BLOCK) ROGERS-6-BLOCK 24.156.0.0 - 24.157.255.255
Rogers@Home Lndn (NETBLK-ON-ROG-4-3LNDN-2) ON-ROG-4-3LNDN-2 24.156.232.0 - 24.156.232.255
Rogers@Home (NETBLK-ROGERS-6-BLOCK) 1 Mount Pleasant Road Toronto, ON M4Y 2Y5 CA Netname: ROGERS-6-BLOCK Netblock: 24.156.0.0 - 24.157.255.255 Maintainer: RHON Coordinator: Network Security, Fraud (AD30-ARIN) abuse@rogers.home.net (416) 935-4729 Domain System inverse mapping provided by: NS.ON.ROGERS.WAVE.CA 24.112.32.2 NS.BC.ROGERS.WAVE.CA 24.112.31.254 Record last updated on 10-Apr-2001. Database last updated on 16-Jul-2001 23:04:52 EDT.
Rogers@Home Lndn (NETBLK-ON-ROG-4-3LNDN-2) 1 Mount Pleasant Road Toronto, ON M4Y 2Y5 CA Netname: ON-ROG-4-3LNDN-2 Netblock: 24.156.232.0 - 24.156.232.255 Coordinator: Network Security, Fraud (AD30-ARIN) abuse@rogers.home.net (416) 935-4729 Record last updated on 07-Oct-2000. Database last updated on 16-Jul-2001 23:04:52 EDT.

quote: Hi *****: The IP involved in the attack belongs to: NEWCOM AMERICAS (NETBLK-AMNET-BLK1-GT-NWCOM3) 13 CALLE 3-40 ZONA 10, EDIFICIO ATLANTIS, OFICINA 1501 GUATEMALA, GUATEMALA GT Netname: AMNET-BLK1-GT-NWCOM3 Netblock: 200.12.235.0 - 200.12.235.63 Coordinator: SANCHEZ, JOSE (JS2405-ARIN) JSANCHEZ@NEWCOMAMERICAS.NET +502-366-1588 Record last updated on 08-Feb-2001. Database last updated on 18-Jul-2001 23:02:56 EDT.
We are giving a copy to them to stop this action. Don't hesitate to contact us if this problem continues. Regards, NOC AMNET 12410 NW 39ST Coral Springs, Fl 33065 Email to: inetcontact@amnetus.com Phone: 954-346-0324 Fax: 954-575-9831
-----Original Message----- From: ***** **** [mailto:ter5555@home.com] Sent: Thursday, July 19, 2001 1:18 PM To: inetcontact@amnetus.com Subject: (HTTP) from 200.12.235.179
Please investigate this incident of Internet abuse and take appropriate action. Thank you.
The firewall has blocked Internet access to your computer (HTTP) from 200.12.235.179 (TCP Port 2796) [TCP Flags: S]. Time: 7/19/2001 12:06:38 PM
Alarm Log Data ~
FWIN,2001/07/19,12:06:39 -7:00 GMT,200.12.235.179:2796,24.77.199.97:80,TCP (flags:S)
AMNET US LLC. (NETBLK-AMNET-BLK1) 12410 NW 39ST Coral Springs, FL 33076 US Netname: AMNET-BLK1 Netblock: 200.12.224.0 - 200.12.239.255 Maintainer: AMN Coordinator: Contact, Internet (CS257-ARIN) inetcontact@amnetus.com 954-326-0324 (FAX) 954-575-9831 (FAX) +1-954-327-2389 Domain System inverse mapping provided by: DNS1.AMNETUS.COM 200.12.224.5 DNS2.AMNETUS.COM 200.12.224.6 ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE Record last updated on 07-Mar-2001. Database last updated on 18-Jul-2001 23:02:56 EDT
[Edited 2 times, lastly by Lulu on 07-20-2001] 
ShadowDancer
Running With A Different Pack

Western New York 79 posts, Jun 2001
posted 07-19-2001 10:25 PM
Here are several interesting ones that have attempted to hack into my machine in the last week or so.
_________________________________
Instituto Federal Electoral (NETBLK-IFE-RED) Viaducto Tlalpan No.100 Col. Arenal Tepepan Mexico, D.F., D.F. 14610 MX Netname: IFE-RED Netblock: 200.34.164.0 - 200.34.167.255 Coordinator: Torres A., Jorge H. (JHT3-ARIN) jorge@IFE.ORG.MX +52 5 628 4226 Record last updated on 17-May-1999. Database last updated on 18-Jul-2001 23:02:56 EDT.
_________________________________
This one originated outside of Montreal, Canada, and was routed through Washington DC before reaching me.
Stentor National Integrated Communications Network (NET-STENTOR8) One Brunswick Square Saint John, NB E2L 4K2 CA Netname: STENTOR8 Netblock: 142.166.0.0 - 142.166.255.255 Coordinator: NBTel DNS Admin (ND-ORG-ARIN) hostmaster@NBNET.NB.CA 506-694-6270 Fax- 506-694-2830 Domain System inverse mapping provided by: OPAL.NBNET.NB.CA 198.164.30.2 ONYX.NBNET.NB.CA 198.164.4.2 Record last updated on 01-Oct-1998. Database last updated on 14-Jul-2001 23:02:13 EDT.
_________________________________
Here's one that bounced ALL OVER THE PLACE before hitting me:
Cablenet, Division of Cogico Cable Inc (CGOCABLE2-DOM) 950 Syscon Road Burlington, Ontario L7R 4M6 CANADA Domain Name: CGOCABLE.NET Administrative Contact, Technical Contact: DNS Administrator (DA21024-OR) dnsadmin@CGOCABLE.NET Cogeco - CGOCable.net 950 Syscon Road Burlington, ON L7R 4M6 CANADA 416-333-5343 x 7557 Fax- 416-333-0895 Billing Contact: Bennett, Kelly (KB13066) KBennett@INTERNET.CGOCABLE.NET Cogeco Cable Systems Inc. 950 Syscon Road Burlington Ont. L7R 4M6 CA +1 905-333-7879 (FAX) +1 905-333-8127 Record last updated on 31-Jan-2001. Record expires on 06-Feb-2003. Record created on 04-Feb-1996. Database last updated on 11-Jul-2001 11:46:00 EDT.
Domain servers in listed order: NS.CGOCABLE.NET 24.226.1.11 NS1.CGOCABLE.NET 24.226.1.20 NS2.CGOCABLE.NET 24.226.1.42 NS3.CGOCABLE.NET 24.226.1.21
_________________________________
Here's one all the way from Seoul!
Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html (whois6.apnic.net)
inetnum: 210.226.0.0 - 210.231.255.255 netname: JPNIC-NET-JP descr: Japan Network Information Center country: JP admin-c: JNIC1-AP tech-c: JNIC1-AP remarks: JPNIC Allocation Block. Authoritative information regarding assignments and allocations made from within this block can also be queried at whois.nic.ad.jp. To obtain an English output query whois -h whois.nic.ad.jp x.x.x.x/e mnt-by: MAINT-JPNIC changed: apnic-ftp@nic.ad.jp 19991208 source: APNIC
role: Japan Network Information Center address: Fuundo Bldg. 3F, 1-2 Kanda-Ogawamachi address: Chiyoda-ku, Tokyo 101-0052, Japan country: JP phone: +81-3-5297-2311 fax-no: +81-3-5297-2312 e-mail: hostmaster@nic.ad.jp admin-c: NM6-AP tech-c: YM15-AP tech-c: IK6-AP tech-c: KM19-AP nic-hdl: JNIC1-AP mnt-by: MAINT-JPNIC changed: apnic-ftp@nic.ad.jp 19990629 source: APNIC
inetnum: 210.231.110.0 - 210.231.110.255 netname: TOSHIMA descr: Toshima (Toshima Cable Network CO.LTD) country: JP admin-c: NT524JP tech-c: NT524JP remarks: This information has been partially mirrored by APNIC from JPNIC. To obtain more specific information, please use the JPNIC whois server at whois.nic.ad.jp. (This defaults to Japanese output, use the /e switch for English output) changed: apnic-ftp@nic.ad.jp 19981019 changed: apnic-ftp@nic.ad.jp 20010705 source: JPNIC
_________________________________
This one is probably just a business gathering info on computer users, but who knows?
Registrant: EXCALIBUR Group, A Time Warner Company (RR6-DOM) 13241 Woodland Park Rd Herndon, VA 20171 US Domain Name: RR.COM Administrative Contact, Technical Contact, Billing Contact: Road Runner (NO789-ORG) abuse@RR.COM Road Runner 13241 Woodland Park Rd Herndon, VA 20171 US 703-345-3416 Fax- 703-345-2518 Record last updated on 31-May-2001. Record expires on 02-Oct-2010. Record created on 01-Oct-1996. Database last updated on 11-Jul-2001 11:46:00 EDT.
Domain servers in listed order: DNS1.RR.COM 24.30.200.3 DNS2.RR.COM 24.30.201.3 DNS3.RR.COM 24.30.199.7 DNS4.RR.COM 65.24.0.172
_________________________________
I will include others later, but my computer just started malfunctioning and I'm going to reboot.

ShadowDancer
Running With A Different Pack

Western New York 79 posts, Jun 2001
posted 07-19-2001 10:52 PM
This one originated in Phoenix, Arizona, at 11:32 PM Eastern time tonight. Two minutes ago.
Registrant: Sprint Communications Company, LP. (DIALSPRINT-DOM) 6330 Sprint Parkway Mailstop KSOPHA0106-1A710 Overland Park, KS 66251 USA Domain Name: DIALSPRINT.NET Administrative Contact: Corporate Brand Management (CB9814-ORG) abuse@DIALSPRINT.NET Sprint-Advanced Network Services 6330 Sprint Parkway Mailstop KOPHA0106-1A710 Overland Park , KS 66251 US 913-762-1983 Fax- 913-762-0127 Technical Contact: Sprint DNS administrator (SD2272-ORG) dns-admin@SPRINT.NET Sprint Internet Services 12490 Sunrise Valley Dr. Reston , VA 22090 US 800-232-6895 Fax- 703-478-5471 Billing Contact: idNames, Accounting (IA90-ORG) accounting@IDNAMES.COM idNames from Network Solutions, Inc 440 Benmar Suite 3325 Houston, TX 77060 US 703-742-4777 Fax- 281-447-1160 Record last updated on 29-Jun-2001. Record expires on 13-Feb-2003. Record created on 12-Feb-1996. Database last updated on 19-Jul-2001 13:42:00 EDT.
Domain servers in listed order: NS1.DIALSPRINT.NET 206.134.151.45 NS2.DIALSPRINT.NET 206.134.79.44 NS3.DIALSPRINT.NET 205.149.192.145
It says that this domain is registered in Kansas, but it came from Arizona. Anyone know why that would be, seriously? I'm interested to know.
_________________________________
Here's an interesting and rather disturbing one:
Centro Nacional de Informacion y Documentacion sobre Salud de (NET-CENIDS) Insurgentes Sur 1397 2o Piso Col. Insurgentes Mixcoac MX Netname: CENIDS Netblock: 200.10.143.0 - 200.10.143.255 Coordinator: Ruiz, Benjamin (BR46-ARIN) cenids@REDVAX1.DGSCA.UNAM.MX +5 598-9875 Domain System inverse mapping provided by: ARTEMISSA.CENIDS.SSA.GOB.MX 200.10.143.1 Record last updated on 06-Jun-1994. Database last updated on 18-Jul-2001 23:02:56 EDT.
Now, my Spanish is rusty, but I believe this says something to the effect of "National Center of Information and Documentation About Health." Anyone who speaks Spanish, please let me know if that is what is actually being stated. If it is, it's quite interesting, huh? It originated in Mexico City.
_________________________________
Here's another interesting one. Note the words Network Security, Fraud... I'm not sure what that is in reference to, but it IS eye-catching! This is also from Canada, bounced through eight different points across the entire width of the United States.
Rogers@Home MTMK (NETBLK-ON-ROG-CR2MTMK-6) 1 Mount Pleasant Road Toronto, ON M4Y 2Y5 CA Netname: ON-ROG-CR2MTMK-6 Netblock: 24.101.201.0 - 24.101.201.255 Coordinator: Network Security, Fraud (AD30-ARIN) abuse@rogers.home.net (416) 935-4729 Record last updated on 13-Jul-2001. Database last updated on 18-Jul-2001 23:02:56 EDT.
The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.
_____________________________________
I've also received several untraceable pings and attempts to open certain ports on my computer. The pings continue to come in all the time. Here is the question that I have: I am a 19 year old college kid. What on earth is so interesting about me??
------------------ ~Always Searching~ 
Lulu
ice behaving badly
right here 2553 posts, Dec 2000
posted 07-19-2001 11:32 PM
Hi ShadowDancer... Sprint? Sure, they try to scan my ports too... Geneva College rode in with them 3 days ago...
Port Scan from 63.172.30.205
Alarm Log Data ~
FWIN,2000/12/06,15:30:44 -8:00 GMT,63.172.30.205:2551,24.71.88.96:21,TCP
Sprint (NETBLK-SPRN-BLKS) 12502 Sunrise Valley Drive, Mailstop VARESA0104 Reston, VA 20196 US Netname: SPRN-BLKS Netblock: 63.160.0.0 - 63.175.255.255 Maintainer: SPRN Coordinator: 12490 Sunrise Valley Drive (SPRINT-NOC-ARIN) NOC@SPRINT.NET 800-232-6895 Fax- 703-478-5471 Domain System inverse mapping provided by: NS1-AUTH.SPRINTLINK.NET 206.228.179.10 NS2-AUTH.SPRINTLINK.NET 144.228.254.10 NS3-AUTH.SPRINTLINK.NET 144.228.255.10 ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE Record last updated on 19-Sep-2000. Database last updated on 14-Jul-2001 23:02:13 EDT.
Domain Name: SPRINTLINK.NET Registrar: NETWORK SOLUTIONS, INC. Whois Server: whois.networksolutions.com Referral URL: http://www.networksolutions.com Name Server: NS1-AUTH.SPRINTLINK.NET Name Server: NS2-AUTH.SPRINTLINK.NET Name Server: NS3-AUTH.SPRINTLINK.NET Updated Date: 29-jun-2001 >>> Last update of whois database: Mon, 16 Jul 2001 02:01:03 EDT <<<
GENEVA COLLEGE (NETBLK-FON-106824396854807) 3200 COLLEGE AVENUE BEAVER FALLS, PA 15010 US Netname: FON-106824396854807 Netblock: 63.172.28.0 - 63.172.31.255 Coordinator: HINES, JOE (JH1246-ARIN) jdh@geneva.edu 7248476518 Record last updated on 11-Jul-2000. Database last updated on 14-Jul-2001 23:02:13 EDT
And those Rogers@Home people, busy little beavers, just today...
The firewall has blocked Internet access to your computer (HTTP) from 24.102.66.113 (TCP Port 3833) [TCP Flags: S]. Time: 7/19/2001 3:59:36 PM
Alarm Log Data ~
FWIN,2001/07/19,15:59:37 -7:00 GMT,24.102.66.113:3833,24.77.199.97:80,TCP (flags:S)
Rogers@Home (NETBLK-ROGERS-8-BLOCK) 1 Mount Pleasant Road Toronto Ontario, 2Y5 CA Netname: ROGERS-8-BLOCK Netblock: 24.100.0.0 - 24.102.223.255 Maintainer: RHON Coordinator: Network Security, Fraud (AD30-ARIN) abuse@rogers.home.net (416) 935-4729 Domain System inverse mapping provided by: NS.ON.ROGERS.WAVE.CA 24.112.32.2 NS.BC.ROGERS.WAVE.CA 24.112.31.254 ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE Record last updated on 27-Jun-2001. Database last updated on 18-Jul-2001 23:02:56 EDT.
It would seem you are on the same "hit list" as I; check the time, 23:02:56 EDT. Those "Home" people also go by "Shaw" or "Rogers"; to me it's all the same, and they are relentless in trying to gain access. (This... Network Security, Fraud (AD30-ARIN) abuse@rogers.home.net ... is where you send your abuse complaints to.) Road Runner, also busy, busy. Daily. Excalibur came my way as well. UUNET Technologies just don't know when to quit, also daily. And don't let me get started on those Koreans...
Don't speak Spanish, so I can't help you there, ShadowDancer. Your other hits are interesting, but I don't recognize any of them. Do you have any specific examples of "untraceable" pings and/or attempted port scan IPs? I could check them out for you if you like.
>> I am a 19 year old college kid. What on earth is so interesting about me?? <<
You're young, you're bright and most certainly very interesting!!! But seriously, who knows why these attempts... I'm just as perplexed.
Today I've had so far a total of 50 attempted entries!
amber
UK ENVOY

uk 445 posts, May 2001
posted 07-20-2001 04:35 AM
This is my third or fourth 'visit' from this source...
Result of the Reverse Lookup: IP address 210.104.229.125 -> 210.104.229.125
WHOIS Query Result for 210.104.229.125:
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html % (whois7.apnic.net)
inetnum 210.104.0.0 - 210.107.255.255 Origin KRNIC-KR descr KRNIC descr Korea Network Information Center country KR Admin. Contact HM127-AP Tech. Contact HM127-AP remarks KRNIC is the National Internet Registry in Korea under APNIC. If you would like to find assignment information in detail please refer to the KRNIC Whois DB http://whois.nic.or.kr/english/index.html mnt-by APNIC-HM mnt-lower MNT-KRNIC-AP changed drc@apnic.net 19970829 changed hostmaster@apnic.net 20010606 source APNIC
person Host Master address Korea Network Information Center address Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-ku, Seoul, 137-070, Republic of Korea country KR phone +82-2-2186-4500 fax-no +82-2-2186-4496 e-mail hostmaster@nic.or.kr NIC Handle HM127-AP mnt-by MNT-KRNIC-AP changed hostmaster@nic.or.kr 20010514 source APNIC
Lulu
ice behaving badly
right here 2553 posts, Dec 2000
posted 07-20-2001 11:20 AM
amber, when you see "krnic" you have to do a further trace using the KRNIC whois (see below, I've reposted the whois info here). 210.104.229.125 traces back to:
# ENGLISH
IP Address : 210.104.229.64-210.104.229.127 Network Name : ANYANG-GCH Connect ISP Name : PUBNET Registration Date : 20010101
[ Organization Information ] Orgnization ID : ORG20890
[ Admin Contact Information ] Name : Pansuk Lee Org Name : Kumsong Elementary School State : KYONGNAM Address : 686-1 Chojun-dong Chinju-si Zip Code : 660-360 Phone : 0591-761-0158 Fax : 0591-758-7891 E-Mail : ip@ns.pubnet.ne.kr
[ Technical Contact Information ] Name : Byonghwa Lee Org Name : MOCHON ELEMENTARY SCHOOL State : KYONGBUK Address : 670 Mochon-dong,Mongyong-si Kyongbuk,Korea Zip Code : 745-050 Phone : 0581-555-0272 Fax : 0581-555-0274 E-Mail : byhwl@ns.mochon-e.ed.kyongbuk.kr
--------------------------------------------------------------------------------
This 2 days ago...
The firewall has blocked Internet access to your computer (TCP Port 111) from 210.99.176.130 (TCP Port 3711) [TCP Flags: S]. Time: 7/18/2001 4:26:20 PM
Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK) These addresses have been further assigned to Asia-Pacific users. Contact info can be found in the APNIC database, at WHOIS.APNIC.NET or http://www.apnic.net/ Please do not send spam complaints to APNIC. AU Netname: APNIC-CIDR-BLK2 Netblock: 210.0.0.0 - 211.255.255.255 Coordinator: Administrator, System (SA90-ARIN) [No mailbox] +61-7-3367-0490 Domain System inverse mapping provided by: NS.APNIC.NET 203.37.255.97 SVC00.APNIC.NET 202.12.28.131 NS.TELSTRA.NET 203.50.0.137 NS.RIPE.NET 193.0.0.193 Regional Internet Registry for the Asia-Pacific Region. *** Use whois -h whois.apnic.net *** *** or see http://www.apnic.net/db/ for database assistance *** Record last updated on 03-May-2000. Database last updated on 17-Jul-2001 23:04:49 EDT.
Search results for '210.99.176.130'
inetnum 210.99.0.0 - 210.99.255.255 netname KRNIC-KR descr KRNIC descr Korea Network Information Center country KR admin-c HM127-AP tech-c HM127-AP remarks KRNIC is the National Internet Registry in Korea under APNIC. If you would like to find assignment information in detail please refer to the KRNIC Whois DB http://whois.nic.or.kr/english/index.html mnt-by APNIC-HM mnt-lower MNT-KRNIC-AP changed hostmaster@apnic.net 19980310 changed hostmaster@apnic.net 20010606 source APNIC
person Host Master address Korea Network Information Center address Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-ku, Seoul, 137-070, Republic of Korea country KR phone +82-2-2186-4500 fax-no +82-2-2186-4496 e-mail hostmaster@nic.or.kr nic-hdl HM127-AP mnt-by MNT-KRNIC-AP changed hostmaster@nic.or.kr 20010514 source APNIC
# ENGLISH
IP Address : 210.99.176.128-210.99.176.191 Network Name : DONGGYO-E Connect ISP Name : PUBNET Connect Date : 1998416 Registration Date : 19980916
[ Organization Information ] Orgnization ID : ORG33314 Org Name : Seoul Donggyo Primary School State : SEOUL Address : 426-5 Mangwon-2dong Mapo-gu Zip Code : 121-232
[ Admin Contact Information ] Name : Seungseo Hong Org Name : Seoul Donggyo Primary School State : SEOUL Address : 122, Donggyo-dong, Chungrang-gu Zip Code : 121-232 Phone : 02-324-5901 Fax : 02-332-1471 E-Mail : ip@ns.pubnet.ne.kr
[ Technical Contact Information ] Name : Seungseo Hong Org Name : Seoul Donggyo Primary School State : SEOUL Address : 122, Donggyo-dong, Chungrang-gu Zip Code : 121-232 Phone : 02-324-5901 Fax : 02-332-1471 E-Mail : ip@ns.pubnet.ne.kr
--------------------------------------------------------------------------------
Alarm Log Data ~
FWIN,2001/07/18,20:42:12 -7:00 GMT,211.184.248.253:2190,24.77.199.97:111,TCP (flags:S)
(Same APNIC-CIDR-BLK2 / 210.0.0.0 - 211.255.255.255 record as above.)
inetnum 211.172.0.0 - 211.199.255.255 netname KRNIC-KR descr KRNIC descr Korea Network Information Center country KR admin-c HM127-AP tech-c HM127-AP remarks KRNIC is the National Internet Registry in Korea under APNIC. If you would like to find assignment information in detail please refer to the KRNIC Whois DB http://whois.nic.or.kr/english/index.html mnt-by APNIC-HM mnt-lower MNT-KRNIC-AP changed hostmaster@apnic.net 20000607 changed hostmaster@apnic.net 20010606 source APNIC
person Host Master address Korea Network Information Center address Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-ku, Seoul, 137-070, Republic of Korea country KR phone +82-2-2186-4500 fax-no +82-2-2186-4496 e-mail hostmaster@nic.or.kr nic-hdl HM127-AP mnt-by MNT-KRNIC-AP changed hostmaster@nic.or.kr 20010514 source APNIC
IP Address : 211.184.248.192-211.184.248.255 Network Name : YOUNGJU-H Connect ISP Name : PUBNET Connect Date : 20001114 Registration Date : 20001125
[ Organization Information ] Orgnization ID : ORG147827 Org Name : YOUNGJU HIGH SCHOOL State : KYONGBUK Address : 470BEONJI HAMANGDONG YOUNGJUSI Zip Code : 750-040
[ Admin Contact Information ] Name : SUGGE JUNG Org Name : YOUNGJU HIGH SCHOOL State : KYONGBUK Address : 470BEONJI HAMANGDONG YOUNGJUSI Zip Code : 750-040 Phone : +82-11-9580-1463 E-Mail : daegu2@soback.kornet.net
[ Technical Contact Information ] Name : SUGGE JUNG Org Name : YOUNGJU HIGH SCHOOL State : KYONGBUK Address : 470BEONJI HAMANGDONG YOUNGJUSI Zip Code : 750-040 Phone : +82-11-9580-1463 E-Mail : daegu2@soback.kornet.net
--------------------------------------------------------------------------------
Be leery of any IPs starting with 210 or 211. I've even had a Korean blind school attempt a hack into my computer. Gives education a whole new meaning.

First of all, I have ZoneAlarm installed; it can be downloaded free from the net for personal use at http://www.zonealarm.com/. Then, when I get a port scan or NetBIOS hack attempt (a pop-up window notifies me), I use several whois to trace back. The first one will be when I ask for more info on the ZoneAlarm ping. This is a list of others I use depending on origin, i.e. if it's a RIPE ISP I use RIPE whois, etc.:

http://www.arin.net/whois/index.html - A good general whois database.
http://www.amnesi.com/hostinfo/ipinfo.jhtml - Another good reverse lookup IP.
http://www.nic.mil/dodnic/ - A DoD database where you just might find the info that can't be found anywhere else, especially good to use to trace back all the .mil visitors we get here at the forum.
http://www.nic.gov/cgi-bin/whois - NIC.GOV WHOIS DATABASE.
http://www.networldmap.com/TryIt.htm - This one I really like because it will tell you the locale of the IP anywhere in the world, so generously donated by Thermit. Note the statistical probability.
http://www.apnic.net/apnic-bin/whois2.pl?key=211.220.193.240+&results=a&type=all&source=&inv= - A very handy Asia Pacific Network Information Centre whois database.
http://whois.nic.or.kr/english/index.html - I use this Korea Network Information Center a lot as well.
http://www.ripe.net/perl/whois - RIPE NCC is a must have. Europe, Russia, Middle East and parts of Africa.
http://www.networksolutions.com/cgi-bin/whois/whois - Network Solutions whois.
http://www.networksolutions.com/en_US/;jsessionid=YZ02M3OIDVCM1WFI3EFCFEQ?_requestid=1732637 - Network Solutions Domain Name Registration Services.
http://www.internic.net/whois.html - Lets you look up Domain names (ex. internic.net), Registrar (ex. ABC Registrar, Inc.) and Nameserver (ex. NS.EXAMPLE.COM or 192.16.0.192) for North and South America and parts of Africa.
http://www.iana.org/assignments/port-numbers - The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.

I am sure there are other whois databases out there. Anyone care to add to the list?

When I send in (e-mail) a complaint I include the specific incriminating data from my alarm log. This can be found through Windows directory... Internet logs... ZAlog. You must include this vital piece of info, which has the time zone the hack attempt originated in and other important info needed to trace back the culprit. I also include in my complaint as much whois info as possible (mostly for my own records, but also the more info, the more abuse contact e-mails you'll have to add to cc (carbon copy)). The point is hack attempts are illegal. Only if we lodge a complaint will the incident be brought to light and the proper action taken. Follow up with inquiries if you haven't heard back. As soon as I get the hack attempt I follow it back and get the complaint e-mail sent off. Why put off to tomorrow what can be done today, I always say.
[Edited 1 times, lastly by Lulu on 07-20-2001]
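The post above describes the trace-back routine: take the FWIN line from the ZoneAlarm log (with its time zone offset), work out who the source belongs to, and send the abuse contact the evidence. As an added example, not part of the original post and not ZoneAlarm's own code, here is a small Python script that parses log lines of the shape quoted in this thread, converts the logged local time plus offset to UTC, groups the blocked connections by source address, labels the pattern (a single TCP SYN to port 80 as seen during the CodeRed outbreak, a multi-port scan, or a NetBIOS probe) and produces a one-paragraph complaint body. The two first sample lines are the ones quoted in the thread; the remaining lines, the labels, the function names and the assumption that the logged offset is the logging PC's UTC offset are all mine.

```python
"""Summarise ZoneAlarm-style FWIN alarm-log lines for an abuse complaint.

Added example, not from the original forum post or from ZoneAlarm. Assumed line shape
(as quoted in the thread):
  FWIN,<yyyy/mm/dd>,<hh:mm:ss> <+/-h:mm> GMT,<src_ip>:<src_port>,<dst_ip>:<dst_port>,<PROTO> (flags:<F>)
Assumption: the offset is the logging PC's UTC offset, so "12:46:09 -7:00 GMT" is 19:46:09 UTC.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Dict, List, NamedTuple, Optional

LINE_RE = re.compile(
    r"^(?P<kind>FWIN|FWOUT),"
    r"(?P<date>\d{4}/\d{2}/\d{2}),"
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<sign>[+-])(?P<oh>\d{1,2}):(?P<om>\d{2}) GMT,"
    r"(?P<src>[^:,]+):(?P<sport>\d+),"
    r"(?P<dst>[^:,]+):(?P<dport>\d+),"
    r"(?P<proto>[A-Z]+)(?: \((?P<detail>[^)]*)\))?$"
)
NETBIOS_PORTS = {137, 138, 139, 445}


class Event(NamedTuple):
    kind: str
    when_utc: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed line, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:  # reject garbled addresses so they never end up in a complaint
        ip_address(m["src"])
        ip_address(m["dst"])
    except ValueError:
        return None
    # Logged local time plus the logged offset -> aware UTC time, so the complaint is unambiguous.
    offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
    if m["sign"] == "-":
        offset = -offset
    local = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    when_utc = local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)
    detail = m["detail"] or ""
    flags = detail[len("flags:"):] if detail.startswith("flags:") else None
    return Event(m["kind"], when_utc, m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["proto"], flags)


def classify(events: List[Event]) -> str:
    """Label the traffic pattern one source produced (labels are this example's own)."""
    dports = {e.dport for e in events}
    if len(dports) >= 3:
        return "port-scan"
    if dports & NETBIOS_PORTS:
        return "netbios-probe"
    if all(e.proto == "TCP" and e.flags == "S" and e.dport == 80 for e in events):
        return "http-syn (Code Red-style worm scan)"
    return "other"


def summarise(lines: List[str]) -> Dict[str, dict]:
    """Group blocked inbound (FWIN) events by source address."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.kind == "FWIN":
            by_src[ev.src].append(ev)
    return {
        src: {
            "count": len(evs),
            "first_utc": min(e.when_utc for e in evs),
            "last_utc": max(e.when_utc for e in evs),
            "dst_ports": sorted({e.dport for e in evs}),
            "label": classify(evs),
        }
        for src, evs in by_src.items()
    }


def format_complaint(src: str, summary: Dict[str, dict]) -> str:
    """One-paragraph complaint body with UTC times and the ports that were hit."""
    s = summary[src]
    return (
        f"Blocked inbound traffic from {src}: {s['count']} event(s) between "
        f"{s['first_utc']:%Y-%m-%d %H:%M:%S} UTC and {s['last_utc']:%Y-%m-%d %H:%M:%S} UTC, "
        f"destination port(s) {', '.join(map(str, s['dst_ports']))}; pattern: {s['label']}."
    )


# The first two lines are quoted from the thread; the rest are constructed for this
# example using documentation address ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = [
    "FWIN,2001/07/19,12:46:09 -7:00 GMT,209.16.54.97:3775,24.77.199.97:80,TCP (flags:S)",
    "FWIN,2001/07/19,17:13:11 -5:00 GMT,12.28.248.4:2078,216.135.24.67:80,TCP (flags:S)",
    "FWIN,2001/07/20,09:01:02 +1:00 GMT,192.0.2.10:1045,10.0.0.5:21,TCP (flags:S)",
    "FWIN,2001/07/20,09:01:02 +1:00 GMT,192.0.2.10:1046,10.0.0.5:23,TCP (flags:S)",
    "FWIN,2001/07/20,09:01:03 +1:00 GMT,192.0.2.10:1047,10.0.0.5:80,TCP (flags:S)",
    "FWIN,2001/07/20,09:05:30 +1:00 GMT,198.51.100.7:137,10.0.0.5:137,UDP",
    "this line is not a log entry and must be skipped",
]

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for src in result:
        print(format_complaint(src, result))
```

The UTC conversion is the point the post stresses: an abuse desk in another country can only match your report against its own logs if the time is stated with its zone, and stating it in UTC removes the guesswork. The pattern label is just a hint for the reader of the complaint; the raw log lines should still be attached as they were written.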

|
amber
UK ENVOY

uk 445 posts, May 2001
|
posted 07-20-2001 11:34 AM
So, Lulu (and thanks for all that), this repeated hack attempt from Korea (3 today) is from a primary/high school in Korea? Why?!!!!
|
RidesTheWind
visionary

The Void 1359 posts, Feb 2001
|
posted 07-20-2001 12:10 PM
I haven't mastered cut and paste 101, so I'll just list, as we are getting the same hits it would seem. Several from Asia Pacific Network... several from Sprint, the European regional internet registry RIPE, Jens Corp. (Interspin), Kyung Pook National Univ. Computer Ctr. Strange we would get similar hits...Wonder if there is a connection??
|
Lulu
ice behaving badly
right here 2553 posts, Dec 2000
|
posted 07-20-2001 12:10 PM
amber, your hack attempts came from the elementary school; those other trace backs to the high school etc. were pings on my PC. Why...because they can. Are we going to sit back and take this abuse...NO!!! RTW, "control" + "c" held down together will cut whatever your cursor has highlighted by left-click mousie; "control" + "v" will paste where your cursor left-clicks. Check your browser's "edit" functions to see if you can cut/paste from there as well. Yes, it would seem that there is a "hit list".
[Edited 1 times, lastly by Lulu on 07-20-2001] 
|
Aura
Senior Member
Southern Indiana 95 posts, May 2001
|
posted 07-20-2001 12:24 PM
This is about the most interesting thing I have had in the last couple of days. Had plenty of .edu types from all over...China was spamming big time yesterday!
FWIN,2001/07/19,17:13:11 -5:00 GMT,12.28.248.4:2078,216.135.24.67:80,TCP (flags:S)
ECOLOCHEM INC (NETBLK-ECOLO-248-0)
4545 PATENT RD
NORFOLK, VA 23502
US
Netname: ECOLO-248-0
Netblock: 12.28.248.0 - 12.28.248.7
Coordinator: Collister, Jim (JC1259-ARIN) jim.collister@ecolochem1.com (757)855-9000
Record last updated on 12-May-2000.
Database last updated on 19-Jul-2001 23:08:10 EDT.
|
Lulu
ice behaving badly
right here 2553 posts, Dec 2000
|
posted 07-20-2001 12:31 PM
aura, yesterday was bad due to the CodeRed worm. See above for one of my e-mail complaint replies, and also here... http://www.zdnet.com/zdnn/stories/news/0,4586,5094437,00.html Like I mentioned yesterday...50 pings for me, which is the record so far!
|
Aura
Senior Member
Southern Indiana 95 posts, May 2001
|
posted 07-20-2001 12:36 PM
Just got this one! Maybe from the Dyno-Gel Company?
WHOIS Query Result for 216.177.33.29:
Technology Advancement Group Inc. (NETBLK-TECHADVGR)
22355 TAG WAY
Dulles, VA 20166-9310
US
Netname: TECHADVGR
Netblock: 216.177.32.0 - 216.177.63.255
Maintainer: TAGI
Coordinator: Varada, Ganesh (GV73-ARIN) ganesh.varada@tag.com 703.406.3000
Domain System inverse mapping provided by:
NS1.MAEDULLES.NET 216.177.32.2
NS2.MAEDULLES.NET 216.177.32.3
NS1.TAG.NET 151.200.136.2
NS2.TAG.NET 151.200.136.3
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 27-Jun-2001.
Database last updated on 19-Jul-2001 23:08:10 EDT.

|
Aura
Senior Member
Southern Indiana 95 posts, May 2001
|
posted 07-20-2001 12:40 PM
Lulu - Thanks for the heads-up! Glad I have a firewall. I counted 23 yesterday alone! I was having trouble with my browser all day...guess I know why now!

|
amber
UK ENVOY

uk 445 posts, May 2001
|
posted 07-20-2001 02:23 PM
Lulu - yes, I realised that was your ping, but my original Korea hit I have had three times today. I also got this one several times but can't get very far with it: 172.173.174.144
|
MollyGainYa
Senior Mollycule

Buchanan Dam, Texas 119 posts, May 2001
|
posted 07-20-2001 02:30 PM
Hi Lulu! I just thought I'd add a little uneducated something to this thread. I tried for 2 days to get into zonealarm.com, and it just was NOT going to happen. Kept getting the "refresh" or "try again later" screen, so I did a search on "Zone Alarm", and I finally got into the site at www.zonelabs.com, and I downloaded an updated trial version of ZoneAlarm called ZoneAlarm Pro. I am so "dinosaur" when it comes to computer terminology and the meanings of some programs, but I felt quite proud of myself for finally finding the address that would work! Just thought I'd post this info for the others that might not be able to access the site... ...I hope I'm not the only one confused by the above alarm messages and responses!!
MollyGainYa, with love
------------------
UnHappyTrailsToUs UntilWeMeetAgain...
|
Lulu
ice behaving badly
right here 2553 posts, Dec 2000
|
posted 07-20-2001 04:04 PM
MollyGainYa, I too have been having difficulty accessing various sites the last two days. I think this may be in large part due to the CodeRed worm that's been circulating, affecting many servers and "degrading" many systems. I believe these servers are now trying to "patch" the "holes" that this CodeRed worm has entered through. Thanks for posting an available link for ZoneAlarm.

amber, starting with a general ARIN whois for 172.173.174.144:
America Online, Inc. (NETBLK-AOL-172BLK)
12100 Sunrise Valley Drive
Reston, VA 20191
US
Netname: AOL-172BLK
Netblock: 172.128.0.0 - 172.191.255.255
Maintainer: AOL
Coordinator: America Online, Inc. (AOL-NOC-ARIN) domains@AOL.NET 703-265-4670
Domain System inverse mapping provided by:
DAHA-01.NS.AOL.COM 152.163.159.233
DAHA-02.NS.AOL.COM 205.188.157.233
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 28-Mar-2001.
Database last updated on 19-Jul-2001 23:08:10 EDT.
The locale whois came back with a 58% probability of being from Hialeah, FLA (I wouldn't trust such a low probability). My DoD whois is "timing out" on me now (could be the CodeRed worm "degradation" thingy). I will try later. Also, do you have the domain name? It helps to have more than the IPs to do a trace back. Thanks.

aura, I'm glad you have a firewall too!
|
eyesopen
This Space For Rent
Ventura CA 627 posts, Apr 2001
|
posted 07-20-2001 06:39 PM
You can always get ZoneAlarm at www.downloads.com; just use their search feature. Another great, but $30-ish, firewall is BlackICE Defender. I use both!
|
ShadowDancer
Running With A Different Pack

Western New York 79 posts, Jun 2001
|
posted 07-20-2001 11:35 PM
Hmmm. The idea of similar hacks is kind of disturbing. I wonder what kind of a "list" we are on??? I don't like this at all, and I'm wishing that I had just left the Chemtrail issue well enough alone in the beginning. I've got enough to deal with in my life without becoming paranoid as well! Yikes. Not cool.
~ShadowDancer
------------------
~Always Searching~
|
eyesopen
This Space For Rent
Ventura CA 627 posts, Apr 2001
|
posted 07-21-2001 12:02 AM
SD, don't get too worried yet. Before I even knew what a chemtrail was I would get a lot of port scans on my computer. Being on the net just invites that stuff. Obviously hackers are targeting chem researchers, but long ago I would get scans from Canada and Asian countries etc. Anyone can download scanning software from the net. Back Orifice (a play on MS's Back Office software) is free port scanning software that who knows how many bored hack wannabes are now using. safeweb.com is a good protection option I think; check it out (free).
|
amber
UK ENVOY

uk 445 posts, May 2001
|
posted 07-21-2001 04:43 AM
Lulu - that domain name is ACADAE90.ipt.aol.com. I have just logged on (it is 10.30 am here) and I have had 12 hits within three minutes!!! 4 from the same source.
[Edited 1 times, lastly by amber on 07-21-2001] 
|
amber
UK ENVOY

uk 445 posts, May 2001
|
posted 07-22-2001 04:48 PM
Got this one tonight...from Russia with love, dahlinks
WHOIS Query Result for 213.33.200.146:
inetnum 213.33.128.0 - 213.33.255.255
Origin RU-SOVINTEL-20010111
descr EDN Sovintel
descr PROVIDER
country RU
Admin. Contact SR113-RIPE
Tech. Contact SR113-RIPE
Tech. Contact AR1442-RIPE
Tech. Contact AR1442-RIPE
status ALLOCATED PA
mnt-by RIPE-NCC-HM-MNT
mnt-lower SOVINTEL-MNT
changed hostmaster@ripe.net 20010111
source RIPE

route 213.33.128.0/17
descr EDN Sovintel
Origin AS8773
mnt-by SOVINTEL-MNT
changed slyadovoy@sovintel.net 20010118
source RIPE

person Serguei Rochtchine
address EDN Sovintel
address 80 Nevsky Prospekt,
address St.Petersburg, Russia, 191025
phone +7 501 802 4047
fax-no +7 501 802 4050
e-mail sergr@sovintel.ru
NIC Handle SR113-RIPE
Notify ncc@sovintel.ru
mnt-by SOVINTEL-MNT
changed andy@sovintel.ru 19980429
source RIPE

person Andrey Rouskol
address EDN Sovintel
address Dubovaya roscha, 25
address Moscow, Russia, 127427
phone +7 501 2152183
fax-no +7 501 9412708
e-mail anry@sovintel.ru
NIC Handle AR1442-RIPE
Notify ncc@sovintel.ru
mnt-by SOVINTEL-MNT
changed anry@sovintel.ru 19990518
source RIPE

| |