[lug] TCP Wrapers and Going After Bad People

Greg Horne jeerygh at hotmail.com
Wed Sep 12 15:52:18 MDT 2001 

Thanks for all the responses and ideas guys!  I really enjoyed the bit from 
Kevin.  Thanks.  I'll also look into that 64.whatever ip address you have 
been firewalling.  BTW my intent was not to catch or punish them, just to 
find a way to go after somebody when something more major happens.  Oh yeah, 
the NCP (was that the acronym) thing about keeping accurate time i'll look 
into.  Thanks (sorry I can't remember who mentioned that).

Greg Horne

>From: Kevin Fenzi <kevin at scrye.com>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] TCP Wrapers and Going After Bad People
>Date: Wed, 12 Sep 2001 11:42:25 -0600
>
> >>>>> "Greg" == Greg Horne <jeerygh at hotmail.com> writes:
>
>Greg> Yo BLUG, yes. . . You CAN help Greg get the bad guys!  So two
>Greg> people stand out in my logs as always trying to break into my
>Greg> systems.  I get e-mails daily from the servers saying . . .Tried
>Greg> NS1, tried MMS1, tried Webserver 1, etc. . .
>
>Greg> My question is this: Have any of you tried to track some of
>Greg> these people down?  Any sucess stories to tell?  If so, what
>Greg> were your methods?
>
>well, I gave up trying long ago... but if you have the time, by all
>means go for it. ;)
>
>Greg> For good measure i'll include the *evil* offenders.
>
>Greg> attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown
>Greg> 193.253.254.165 to in.ftpd at Wed Sep 12 05:30:51 PDT 2001
>
>Greg> attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown
>Greg> 65.92.224.5 to in.ftpd at Tue Sep 11 18:57:37 PDT 2001
>
>Here's how I would track them down:
>
>Find out what there network is and contact info:
>
>whois 193.253.254.165 at whois.arin.net
>European Regional Internet Registry/RIPE NCC (NETBLK-RIPE)
>    These addresses have been further assigned to European users.
>    Contact info can be found in the RIPE database, via the
>    WHOIS and TELNET servers at whois.ripe.net, and at
>    http://www.ripe.net/db/whois.html
>    NL
>
>    Netname: RIPE-CBLK
>    Netblock: 193.0.0.0 - 193.255.255.255
>    Maintainer: RIPE
>
>    Coordinator:
>       Reseaux IP European Network Co-ordination Centre Singel 258  
>(RIPE-NCC-ARIN)  nicdb at RIPE.NET
>       +31 20 535 4444
>
>ok, so query the ripe server:
>
>whois 193.253.254.165 at whois.ripe.net
>
>inetnum:      193.253.254.0 - 193.253.254.255
>netname:      IP2000-ADSL-BAS
>descr:        France Telecom IP2000 ADSL BAS
>descr:        BSPOI103 Poitiers Bloc2
>country:      FR
>admin-c:      WITR1-RIPE
>tech-c:       WITR1-RIPE
>status:       ASSIGNED PA
>remarks:      for hacking, spamming or security problems send  mail to
>remarks:      postmaster at wanadoo.fr AND abuse at wanadoo.fr
>remarks:      for ANY problem send mail to gestionip.ft at francetelecom.com
>notify:       gestionip.ft at francetelecom.com
>mnt-by:       FT-BRX
>changed:      gestionip.ft at francetelecom.com 20001130
>changed:      gestionip.ft at francetelecom.com 20010912
>source:       RIPE
>
>route:        193.253.0.0/16
>descr:        France Telecom
>origin:       AS3215
>mnt-by:       FT-BRX
>changed:      gestionip.ft at francetelecom.fr 20001018
>source:       RIPE
>
>role:         Wanadoo Interactive Technical Role
>address:      France Telecom Wanadoo Interactive
>address:      41, rue Camille Desmoulins
>address:      92442 ISSY LES MOULINEAUX Cedex
>address:      FR
>phone:        +33 1 41 33 39 00
>fax-no:       +33 1 41 33 39 01
>e-mail:       abuse at wanadoo.fr
>e-mail:       postmaster at wanadoo.fr
>admin-c:      FTI-RIPE
>tech-c:       TEFS1-RIPE
>nic-hdl:      WITR1-RIPE
>notify:       gestionip.ft at francetelecom.com
>mnt-by:       FT-BRX
>changed:      gestionip.ft at francetelecom.com 20010504
>changed:      gestionip.ft at francetelecom.com 20010912
>source:       RIPE
>
>ok, the important thing here is the "abuse at wanadoo.fr" and
>"postmaster at wanadoo.fr".
>
>I would send them a note complaining about the users behavior.
>
>Alas, I would expect that you will get no response and I can't think
>of much you could do after that...
>
>You could block the entire wanadoo.fr net from any access to your
>network with a firewall.
>
>as a side note, for spam I suggest the following:
>
>- forward your spam to spamcop at spamcop.net, which will reply with a
>url. You can then go to the URL and have spamcop complain to all the
>hosts used in the spam.
>
>- forward your spam to spam at orbz.org, which will scan your spams
>headers and test all the ips found for open relays. Then you can use
>orbz to block mail from them.
>
>Greg> Thanks,
>Greg> Greg Horne
>
>kevin
>--
>Kevin Fenzi
>MTS, tummy.com, ltd.
>http://www.tummy.com/  KRUD - Kevin's Red Hat Uber Distribution
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

More information about the LUG mailing list