[lug] TCP Wrapers and Going After Bad People
Kevin Fenzi
kevin at scrye.com
Wed Sep 12 11:42:25 MDT 2001
>>>>> "Greg" == Greg Horne <jeerygh at hotmail.com> writes:
Greg> Yo BLUG, yes. . . You CAN help Greg get the bad guys! So two
Greg> people stand out in my logs as always trying to break into my
Greg> systems. I get e-mails daily from the servers saying . . .Tried
Greg> NS1, tried MMS1, tried Webserver 1, etc. . .
Greg> My question is this: Have any of you tried to track some of
Greg> these people down? Any success stories to tell? If so, what
Greg> were your methods?
well, I gave up trying long ago... but if you have the time, by all
means go for it. ;)
Greg> For good measure I'll include the *evil* offenders.
Greg> attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown
Greg> 193.253.254.165 to in.ftpd at Wed Sep 12 05:30:51 PDT 2001
Greg> attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown
Greg> 65.92.224.5 to in.ftpd at Tue Sep 11 18:57:37 PDT 2001
Here's how I would track them down:
Find out what their network is and the contact info:
whois 193.253.254.165 at whois.arin.net
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE)
These addresses have been further assigned to European users.
Contact info can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/db/whois.html
NL
Netname: RIPE-CBLK
Netblock: 193.0.0.0 - 193.255.255.255
Maintainer: RIPE
Coordinator:
Reseaux IP European Network Co-ordination Centre Singel 258 (RIPE-NCC-ARIN) nicdb at RIPE.NET
+31 20 535 4444
ok, so query the ripe server:
whois 193.253.254.165 at whois.ripe.net
inetnum: 193.253.254.0 - 193.253.254.255
netname: IP2000-ADSL-BAS
descr: France Telecom IP2000 ADSL BAS
descr: BSPOI103 Poitiers Bloc2
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: postmaster at wanadoo.fr AND abuse at wanadoo.fr
remarks: for ANY problem send mail to gestionip.ft at francetelecom.com
notify: gestionip.ft at francetelecom.com
mnt-by: FT-BRX
changed: gestionip.ft at francetelecom.com 20001130
changed: gestionip.ft at francetelecom.com 20010912
source: RIPE
route: 193.253.0.0/16
descr: France Telecom
origin: AS3215
mnt-by: FT-BRX
changed: gestionip.ft at francetelecom.fr 20001018
source: RIPE
role: Wanadoo Interactive Technical Role
address: France Telecom Wanadoo Interactive
address: 41, rue Camille Desmoulins
address: 92442 ISSY LES MOULINEAUX Cedex
address: FR
phone: +33 1 41 33 39 00
fax-no: +33 1 41 33 39 01
e-mail: abuse at wanadoo.fr
e-mail: postmaster at wanadoo.fr
admin-c: FTI-RIPE
tech-c: TEFS1-RIPE
nic-hdl: WITR1-RIPE
notify: gestionip.ft at francetelecom.com
mnt-by: FT-BRX
changed: gestionip.ft at francetelecom.com 20010504
changed: gestionip.ft at francetelecom.com 20010912
source: RIPE
ok, the important thing here is the "abuse at wanadoo.fr" and
"postmaster at wanadoo.fr".
I would send them a note complaining about the user's behavior.
Alas, I would expect that you will get no response and I can't think
of much you could do after that...
You could block the entire wanadoo.fr net from any access to your
network with a firewall.
as a side note, for spam I suggest the following:
- forward your spam to spamcop at spamcop.net, which will reply with a
url. You can then go to the URL and have spamcop complain to all the
hosts used in the spam.
- forward your spam to spam at orbz.org, which will scan your spam's
headers and test all the IPs found for open relays. Then you can use
orbz to block mail from them.
Greg> Thanks,
Greg> Greg Horne
kevin
--
Kevin Fenzi
MTS, tummy.com, ltd.
http://www.tummy.com/ KRUD - Kevin's Red Hat Uber Distribution
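The three steps Kevin walks through above (pull the IP out of the TCP-wrapper alert line, ask ARIN and follow its referral to RIPE, then pick the abuse/postmaster addresses out of the RIPE record) can be scripted. The following is an added example, not code from the original post or from tummy.com. It runs offline: instead of calling the whois client it reads trimmed copies of the ARIN and RIPE replies quoted in the post, embedded here as constructed sample data with the mail addresses written as `user@host` rather than the archive's `user at host`. The function names (`parse_attempt`, `follow_referrals`, `parse_rpsl`, `abuse_contacts`) and the `OFFLINE_WHOIS` table are this example's own; a live run would replace the table with a call such as `whois -h whois.ripe.net 193.253.254.165`.

```python
import re

# Constructed sample: one alert line in the format quoted in the post.
ATTEMPT_LINE = ("attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown "
                "193.253.254.165 to in.ftpd at Wed Sep 12 05:30:51 PDT 2001")

# Constructed sample: the ARIN reply, trimmed to the referral text.
ARIN_RESPONSE = """\
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE)
   These addresses have been further assigned to European users.
   Contact info can be found in the RIPE database, via the
   WHOIS and TELNET servers at whois.ripe.net, and at
   http://www.ripe.net/db/whois.html
   Netname: RIPE-CBLK
   Netblock: 193.0.0.0 - 193.255.255.255
"""

# Constructed sample: the RIPE reply, trimmed, "@" instead of " at ".
RIPE_RESPONSE = """\
inetnum:      193.253.254.0 - 193.253.254.255
netname:      IP2000-ADSL-BAS
descr:        France Telecom IP2000 ADSL BAS
country:      FR
admin-c:      WITR1-RIPE
tech-c:       WITR1-RIPE
status:       ASSIGNED PA
remarks:      for hacking, spamming or security problems send mail to
remarks:      postmaster@wanadoo.fr AND abuse@wanadoo.fr
remarks:      for ANY problem send mail to gestionip.ft@francetelecom.com
source:       RIPE

route:        193.253.0.0/16
descr:        France Telecom
origin:       AS3215
source:       RIPE

role:         Wanadoo Interactive Technical Role
address:      France Telecom Wanadoo Interactive
e-mail:       abuse@wanadoo.fr
e-mail:       postmaster@wanadoo.fr
nic-hdl:      WITR1-RIPE
source:       RIPE
"""

# Offline stand-in for the network (hypothetical table); a real run would
# shell out to the whois client, e.g. `whois -h whois.ripe.net 193.253.254.165`.
OFFLINE_WHOIS = {"whois.arin.net": ARIN_RESPONSE, "whois.ripe.net": RIPE_RESPONSE}

ATTEMPT_RE = re.compile(r"attempt from (?P<host>\S+) \S+ (?P<ip>\d+(?:\.\d+){3}) "
                        r"to (?P<service>\S+) at (?P<when>.+)")
REFERRAL_RE = re.compile(r"\b(whois\.[a-z0-9.-]+\.net)\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_attempt(line):
    """Pull host, IP, service and timestamp out of one alert line; None if it does not match."""
    m = ATTEMPT_RE.search(line)
    return m.groupdict() if m else None


def follow_referrals(ip, fetch, start="whois.arin.net", max_hops=3):
    """Query `start`; while the reply names another whois server, query that one.
    `fetch(server, ip)` returns the reply text. Returns (server, reply) for the
    registry that actually holds the record."""
    server, visited = start, set()
    while True:
        visited.add(server)
        reply = fetch(server, ip)
        m = REFERRAL_RE.search(reply)
        nxt = m.group(1) if m else None
        if not nxt or nxt in visited or len(visited) >= max_hops:
            return server, reply
        server = nxt


def parse_rpsl(text):
    """Split a RIPE-style reply into objects (blank-line separated), each a
    list of (key, value) pairs; '%' and '#' comment lines are dropped."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def abuse_contacts(reply):
    """Summarise a RIPE-style reply: assigned block, route/origin AS, and the
    contact addresses found in abuse-mailbox, e-mail and remarks fields,
    with abuse@ mailboxes listed first."""
    info = {"inetnum": None, "netname": None, "route": None, "origin": None}
    ranked, seen = [], set()

    def add(addr, rank):
        addr = addr.lower()
        if addr not in seen:
            seen.add(addr)
            ranked.append((rank, addr))

    for obj in parse_rpsl(reply):
        for key, value in obj:
            if key in info and info[key] is None:
                info[key] = value
            elif key == "abuse-mailbox":
                add(value, 0)
            elif key in ("remarks", "e-mail"):
                for addr in EMAIL_RE.findall(value):
                    add(addr, 0 if addr.lower().startswith("abuse@") else 1)
    ranked.sort(key=lambda t: t[0])  # stable: keeps reply order within a rank
    info["contacts"] = [addr for _, addr in ranked]
    return info


if __name__ == "__main__":
    attempt = parse_attempt(ATTEMPT_LINE)
    server, reply = follow_referrals(attempt["ip"], lambda s, ip: OFFLINE_WHOIS[s])
    info = abuse_contacts(reply)
    print(f"{attempt['ip']} ({attempt['service']}) -> {server}: "
          f"{info['inetnum']} {info['netname']} via {info['route']} {info['origin']}")
    print("report to:", ", ".join(info["contacts"]))
```

The referral step stops when a reply names no further server, loops back to one already visited, or exceeds `max_hops`, so a registry that refers to itself cannot spin the script. Ranking `abuse@` addresses ahead of the others gives the same answer Kevin reaches by eye: `abuse@wanadoo.fr` and `postmaster@wanadoo.fr`, with the gestionip address as a fallback.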