Need help looking this guy up.

Post by Alexander Vi » Sat, 23 Oct 1999 04:00:00



In article <%D8Q3.53$1n5....@news.rdc1.wa.home.com>,

Suddn <Bo...@NoSpam.com> wrote:
>several people have tried to connect to port "12345"  (NetBus or something
>like that.)  Two of them were @HOME users and tried within 10 seconds of
>each other so I think it's the same guy who is using two compromised
>computers.

>The third guy I can't track.

>Oct 22 00:51:01 C287853-A portsentry[6186]: attackalert: Connect from host:
>212.6.131.116/212.6.131.116 to TCP port: 12345

> An nslookup doesn't provide any help.  However, I read about a wonderful web
>site that does help.  http://spamcop.net/hosttracker.shtml  However, I'm
>unsure about what it is telling me.  It suggests:  nick...@zweitehand.de  Is
>it saying that this is the email address to which I should send my complaint
>or the email address of the bastard that launched the attack?

Don't *wham* use *wham* spamcop instead of your head *wham* *wham* *wham*.
Seriously, spamcop is, should we say it, not too accurate. Let's see:

a) attempt to do nslookup on 116.131.6.212.in-addr.arpa fails. No rDNS,
that is. OK, let's go a level higher. Ditto. 6.212.in-addr.arpa _does_
work, but it points to RIPE. Not too impressive.
b) which netblock is it?
$ whois -h whois.arin.net 212.6.131.116
European Regional Internet Registry/RIPE NCC (NET-RIPE-NCC-)
   These addresses have been further assigned to European users.
[snip]
OK, so it's in Europe.
$ whois -h whois.ripe.net 212.6.131.116
[snip]
inetnum:     212.6.131.0 - 212.6.132.255
netname:     ZWEITEHAND1
descr:       ZweiteHand
descr:       Verlags GmbH, Berlin
country:     DE
admin-c:     UN176-RIPE
tech-c:      WB198-RIPE
tech-c:      ESN4-RIPE
status:      ASSIGNED PA
mnt-by:      ESIB-MNT
changed:     u...@evosys.net 19980519
source:      RIPE

route:       212.6.128.0/17
descr:       Evolution Systems GmbH
origin:      AS8196
mnt-by:      ESIB-MNT
changed:     a...@evosys.net 19980428
source:      RIPE

role:        Evolution Systems NOC
address:     Evolution Systems GmbH
address:     Mobil-Oil-Str. 42
address:     D-84539 Ampfing
address:     Germany
phone:       +49 8636 9830 71
fax-no:      +49 8636 9830 99
e-mail:      n...@esib.net
admin-c:     AZ49-RIPE
tech-c:      RH171-RIPE
tech-c:      AD1047-RIPE
tech-c:      WZ666-RIPE
nic-hdl:     ESN4-RIPE
remarks:     role account
remarks:     24*7h available
notify:      hm-dbm-m...@ripe.net
mnt-by:      ESIB-MNT
changed:     a...@evosys.net 19980210
changed:     a...@evosys.net 19980421
changed:     a...@evosys.net 19980624
changed:     a...@esib.net 19981020
changed:     a...@esib.net 19990802
source:      RIPE

person:      Uta Nickerl
address:     ZweiteHand Verlags GmbH
address:     Am Treptower Park 75
address:     12435 Berlin
phone:       +49 30 53431651
fax-no:      +49 30 53431655
e-mail:      nick...@zweitehand.de
nic-hdl:     UN176-RIPE
mnt-by:      EVOSYS-MNT
changed:     u...@evosys.net 19980506
source:      RIPE

person:      Wolfgang Bornschein
address:     Am Treptower Park 75
address:     D-12435 Berlin
address:     Germany
phone:       +49 30 53431651
fax-no:      +49 30 53433435
e-mail:      na...@isv-gmbh.de
nic-hdl:     WB198-RIPE
remarks:     administrator contact
mnt-by:      BO-DOMREG
changed:     c...@dns.03.net 19971106
source:      RIPE

Aha. We got something - 512-address block, apparently somehow connected with
evosys.net. DNS admins didn't care to provide reverse mappings. OK, so what
do we have about evosys.net? Is it really their block? nslookup on their
domain (server ns0.evosys.net;ls -d evosys.net) shows no addresses in that
block. Ditto for esib.net (same nameserver, nothing suitable). Hmm... From
what I can recall 'ZweiteHand' should mean something like second-hand...
Reseller? OK, let's try zweitehand.{de,com,net}.
$ nslookup -type=ns zweitehand.de
Server:  leibniz.math.psu.edu
Address:  146.186.130.2

Non-authoritative answer:
zweitehand.de   nameserver = ns.uk.ibm.net
zweitehand.de   nameserver = voltaire.zweitehand.de

Authoritative answers can be found from:
ns.uk.ibm.net   internet address = 152.158.16.48
voltaire.zweitehand.de  internet address = 194.115.26.34

Ho-hum... OK, let's see:
$ nslookup
[snip]

> ls -d zweitehand.de.

[voltaire.zweitehand.de]
[snip lots of addresses in 194.115.26/24]

Nope. Doesn't look like they have anything with that, except the similarity
between their domain name and the netblock name we are after (and considering
the probable meaning of said name... well, not too impressive).

What about their upstream? Let's see:
$ traceroute 212.6.131.1
[woa... 30 hops and still nothing]
$ traceroute -m 50 212.6.131.1
[psu.edu routers]
[PSC]
[AT&T]
[BBNPLANET]
[CARRIER1]
[ESIB.NET]
[CNT.NET]
[blinx.de and there we are looping over gate2cnt, access1 and access2]

OK, who the hell is blinx.de? Addresses of the routers were in 195.115.26/24,
so it _may_ have some connection with zweitehand.de. Hmmm... Their nameserver
being voltaire.zweitehand.de. Let's see:
$ nslookup - voltaire.zweitehand.de
[snip]

> ls -d blinx.de.

[snip]
ppp-240                 1D IN A         212.6.131.116
[snip]
Gotcha. Our hexapedal friend lived on ppp-240.blinx.de, whatever the fsck it
is. Probably an ISP dialup, considering the amount of ppp-<number> addresses.

$ whois -h whois.ripe.net blinx.de

% Rights restricted by copyright. See http://www.ripe.net/db/dbcopyright.html

domain:      blinx.de
descr:       ISV GmbH
descr:       Am Treptower Park 75
descr:       D-12435 Berlin
descr:       Germany
admin-c:     SW4-RIPE
tech-c:      SW4-RIPE
zone-c:      NI9-RIPE
nserver:     voltaire.zweitehand.de
nserver:     ns.uk.ibm.net
mnt-by:      DE-DOM
changed:     j...@nic.de 19951124
changed:     hostmas...@nic.de 19970513
source:      RIPE

role:        NIC IBM
address:     IBM Global Services - Network Services
address:     Boerhaavelaan 11
address:     2713 HA Zoetermeer
address:     The Netherlands
phone:       +31 79 322 3474
phone:       +31 79 322 2966
phone:       +31 79 322 8737
phone:       +31 79 322 8956
phone:       +31 79 322 4247
phone:       +31 79 322 3470
fax-no:      +31 79 322 4411
e-mail:      euibm...@nl.ibm.com
e-mail:      euibm...@nl.ibm.com
trouble:     Mailbox for Internet Abuse reports:   ab...@ibm.net
trouble:     Mailbox for Internet Spam reports:    postmas...@ibm.net
admin-c:     LO436-RIPE
admin-c:     RB1243-RIPE
tech-c:      LO436-RIPE
tech-c:      RB1243-RIPE
nic-hdl:     NI9-RIPE
remarks:     Global object for the IBM EMEA NIC Team
remarks:     Contact: Liliane Ortega (3474)
remarks:     Mailbox for IP(X) Addressing issues:  euibm...@nl.ibm.com
remarks:     Mailbox for Domain Name Registration: euibm...@nl.ibm.com
remarks:     Mailbox for Internet Abuse reports:   ab...@ibm.net
remarks:     Mailbox for Internet Spam reports:    postmas...@ibm.net
notify:      euibm...@nl.ibm.com
notify:      hm-dbm-m...@ripe.net
mnt-by:      EU-IBM-NIC-MNT
changed:     mi...@nl.ibm.com 19990416
changed:     mi...@nl.ibm.com 19990421
changed:     mi...@nl.ibm.com 19990722
source:      RIPE

person:      Stefan Wenzel
address:     dasburo.de
address:     Schlesische Str. 27
address:     D-10997 Berlin
address:     Germany
phone:       +49 30 611281 41
fax-no:      +49 30 611281 38
e-mail:      s...@dasburo.de
nic-hdl:     SW4-RIPE
mnt-by:      DENIC-P
changed:     s...@dasburo.de 19981014
source:      RIPE

Not too lovely... OK, hell knows where spamcop dug the address out,
_but_:
        a) if anything, it's a spamcop's idea of complaint address.
        b) while zweitehand.de and blinx.de are very likely to have a
connection I wouldn't bet on them being the same thing.
        c) I would try ab...@blinx.de and _if_ it fails - the contact
address.
        d) I would try to ask in de.* analog of nanae - de.admin.net-abuse.mail
They may have a better idea of the situation with blinx.de and the contact
addresses in question.

--
"You're one of those condescending Unix computer users!"
"Here's a nickel, kid.  Get yourself a better computer" - Dilbert.
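The lookup walk in the post above, as an added offline example (my code, not anything from the thread): build the in-addr.arpa names to try at each level, parse RPSL-style whois output into objects, find the inetnum and route that cover the IP, and resolve the inetnum's admin-c/tech-c handles to e-mail addresses. The sample whois text is a subset of the RIPE objects quoted in the reply (e-mail addresses elided exactly as on the page), and the log line is the portsentry line from the original post; function names are this example's own. Resolving the inetnum's admin-c this way lands on UN176-RIPE and the nick...@zweitehand.de address the page says HostTracker suggested, which is the contact registered on the allocation rather than evidence of who was on the dial-up host.

```python
"""Offline helpers for the attribution walk in the post above.

Added example, not code from the thread.  Sample data: the portsentry
line from the original post and a subset of the RIPE objects quoted in
the reply (e-mail addresses elided exactly as on the page)."""
import ipaddress
import re

PORTSENTRY_LINE = ("Oct 22 00:51:01 C287853-A portsentry[6186]: attackalert: "
                   "Connect from host: 212.6.131.116/212.6.131.116 to TCP port: 12345")

WHOIS_SAMPLE = """\
% Rights restricted by copyright. See http://www.ripe.net/db/dbcopyright.html

inetnum:     212.6.131.0 - 212.6.132.255
netname:     ZWEITEHAND1
descr:       ZweiteHand
descr:       Verlags GmbH, Berlin
admin-c:     UN176-RIPE
tech-c:      WB198-RIPE
tech-c:      ESN4-RIPE
source:      RIPE

route:       212.6.128.0/17
origin:      AS8196
source:      RIPE

role:        Evolution Systems NOC
e-mail:      n...@esib.net
nic-hdl:     ESN4-RIPE

person:      Uta Nickerl
e-mail:      nick...@zweitehand.de
nic-hdl:     UN176-RIPE

person:      Wolfgang Bornschein
e-mail:      na...@isv-gmbh.de
nic-hdl:     WB198-RIPE
"""

PORTSENTRY_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>[\d.]+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)")


def parse_portsentry(line):
    """Host, IP, protocol and port from a portsentry attackalert line, else None."""
    m = PORTSENTRY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def reverse_names(ip):
    """in-addr.arpa names from the full PTR name up to the /8: the levels the
    post walks up when the host itself has no reverse record."""
    octets = ip.split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa" for n in (4, 3, 2, 1)]


def parse_rpsl(text):
    """Split RPSL whois output into objects (dict of attribute -> [values]).
    Objects are blank-line separated, '%' lines are server comments, repeated
    attributes (descr, tech-c) stay in order, and a line starting with
    whitespace or '+' continues the previous attribute's value."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key:
            current[last_key][-1] += " " + line.lstrip(" \t+")
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def find_inetnum(objects, ip):
    """The inetnum whose 'first - last' range covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        if "inetnum" in obj:
            lo, _, hi = obj["inetnum"][0].partition("-")
            if ipaddress.ip_address(lo.strip()) <= addr <= ipaddress.ip_address(hi.strip()):
                return obj
    return None


def find_route(objects, ip):
    """The route object whose prefix covers ip (its origin: is the announcing AS)."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        if "route" in obj and addr in ipaddress.ip_network(obj["route"][0]):
            return obj
    return None


def contacts(objects, obj):
    """Resolve obj's admin-c/tech-c handles to (role, handle, e-mail) tuples.
    This is what a 'who do I complain to' tool reads: the handles on the
    allocation, which need not be the abuse desk of the ISP actually
    running the host."""
    by_handle = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    return [(role, handle, by_handle.get(handle, {}).get("e-mail", [None])[0])
            for role in ("admin-c", "tech-c") for handle in obj.get(role, [])]


if __name__ == "__main__":
    hit = parse_portsentry(PORTSENTRY_LINE)
    objs = parse_rpsl(WHOIS_SAMPLE)
    inet = find_inetnum(objs, hit["ip"])
    print("reverse names to try:", reverse_names(hit["ip"]))
    print("inetnum:", inet["inetnum"][0], inet["netname"][0])
    print("route origin:", find_route(objs, hit["ip"])["origin"][0])
    for role, handle, email in contacts(objs, inet):
        print(f"{role:8} {handle:12} {email}")
```

Two caveats when reproducing the rest of the post's walk against live servers: the `ls -d` zone transfer that turned up ppp-240.blinx.de is an AXFR, which nearly every nameserver refuses to arbitrary clients today, and the ARIN-to-RIPE referral the post follows by hand is done automatically by current whois clients; this parser does not follow referrals itself, it only reads the text you feed it.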

Post by Suddn » Sun, 24 Oct 1999 04:00:00

several people have tried to connect to port "12345"  (NetBus or something
like that.)  Two of them were @HOME users and tried within 10 seconds of
each other so I think it's the same guy who is using two compromised
computers.

The third guy I can't track.

Oct 22 00:51:01 C287853-A portsentry[6186]: attackalert: Connect from host:
212.6.131.116/212.6.131.116 to TCP port: 12345

An nslookup doesn't provide any help.  However, I read about a wonderful web
site that does help.  http://spamcop.net/hosttracker.shtml  However, I'm
unsure about what it is telling me.  It suggests:  nick...@zweitehand.de  Is
it saying that this is the email address to which I should send my complaint
or the email address of the bastard that launched the attack?

Thanks.

Post by William Watso » Sun, 24 Oct 1999 04:00:00


> Don't *wham* use *wham* spamcop instead of your head *wham* *wham* *wham*.
> Seriously, spamcop is, should we say it, not too accurate. Let's see:

I've been letting SpamCop's HostTracker do the work for me for a couple
of months now, and have probably reported 40 or 50 spammers to the abuse
addresses provided therefrom.  NONE of the ISPs thus contacted have said
"it's not our problem".

While it does have some limitations, in the vast majority of cases it

address, rather than the address(es) listed in DNS and/or the domain
registration (many of which often don't work, in my experience).

YMMV, of course...

- bill
