[lug] TCP Wrapers and Going After Bad People
Kyle Moore
kmoore at trustamerica.com
Wed Sep 12 14:01:50 MDT 2001
NTP (Network Time Protocol) http://www.ntp.org
or on Debian
# apt-get install ntp
Greg Horne wrote:
> Thanks for all the responses and ideas guys! I really enjoyed the bit
> from Kevin. Thanks. I'll also look into that 64.whatever ip address
> you have been firewalling. BTW my intent was not to catch or punish
> them, just to find a way to go after somebody when something more major
> happens. Oh yeah, the NCP (was that the acronym) thing about keeping
> accurate time i'll look into. Thanks (sorry I can't remember who
> mentioned that).
>
> Greg Horne
>
>> From: Kevin Fenzi <kevin at scrye.com>
>> Reply-To: lug at lug.boulder.co.us
>> To: lug at lug.boulder.co.us
>> Subject: Re: [lug] TCP Wrapers and Going After Bad People
>> Date: Wed, 12 Sep 2001 11:42:25 -0600
>>
>> >>>>> "Greg" == Greg Horne <jeerygh at hotmail.com> writes:
>>
>> Greg> Yo BLUG, yes. . . You CAN help Greg get the bad guys! So two
>> Greg> people stand out in my logs as always trying to break into my
>> Greg> systems. I get e-mails daily from the servers saying . . .Tried
>> Greg> NS1, tried MMS1, tried Webserver 1, etc. . .
>>
>> Greg> My question is this: Have any of you tried to track some of
>> Greg> these people down? Any success stories to tell? If so, what
>> Greg> were your methods?
>>
>> well, I gave up trying long ago... but if you have the time, by all
>> means go for it. ;)
>>
>> Greg> For good measure i'll include the *evil* offenders.
>>
>> Greg> attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown
>> Greg> 193.253.254.165 to in.ftpd at Wed Sep 12 05:30:51 PDT 2001
>>
>> Greg> attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown
>> Greg> 65.92.224.5 to in.ftpd at Tue Sep 11 18:57:37 PDT 2001
>>
>> Here's how I would track them down:
>>
>> Find out what their network is and contact info:
>>
>> whois 193.253.254.165 at whois.arin.net
>> European Regional Internet Registry/RIPE NCC (NETBLK-RIPE)
>> These addresses have been further assigned to European users.
>> Contact info can be found in the RIPE database, via the
>> WHOIS and TELNET servers at whois.ripe.net, and at
>> http://www.ripe.net/db/whois.html
>> NL
>>
>> Netname: RIPE-CBLK
>> Netblock: 193.0.0.0 - 193.255.255.255
>> Maintainer: RIPE
>>
>> Coordinator:
>> Reseaux IP European Network Co-ordination Centre Singel 258
>> (RIPE-NCC-ARIN) nicdb at RIPE.NET
>> +31 20 535 4444
>>
>> ok, so query the ripe server:
>>
>> whois 193.253.254.165 at whois.ripe.net
>>
>> inetnum: 193.253.254.0 - 193.253.254.255
>> netname: IP2000-ADSL-BAS
>> descr: France Telecom IP2000 ADSL BAS
>> descr: BSPOI103 Poitiers Bloc2
>> country: FR
>> admin-c: WITR1-RIPE
>> tech-c: WITR1-RIPE
>> status: ASSIGNED PA
>> remarks: for hacking, spamming or security problems send mail to
>> remarks: postmaster at wanadoo.fr AND abuse at wanadoo.fr
>> remarks: for ANY problem send mail to gestionip.ft at francetelecom.com
>> notify: gestionip.ft at francetelecom.com
>> mnt-by: FT-BRX
>> changed: gestionip.ft at francetelecom.com 20001130
>> changed: gestionip.ft at francetelecom.com 20010912
>> source: RIPE
>>
>> route: 193.253.0.0/16
>> descr: France Telecom
>> origin: AS3215
>> mnt-by: FT-BRX
>> changed: gestionip.ft at francetelecom.fr 20001018
>> source: RIPE
>>
>> role: Wanadoo Interactive Technical Role
>> address: France Telecom Wanadoo Interactive
>> address: 41, rue Camille Desmoulins
>> address: 92442 ISSY LES MOULINEAUX Cedex
>> address: FR
>> phone: +33 1 41 33 39 00
>> fax-no: +33 1 41 33 39 01
>> e-mail: abuse at wanadoo.fr
>> e-mail: postmaster at wanadoo.fr
>> admin-c: FTI-RIPE
>> tech-c: TEFS1-RIPE
>> nic-hdl: WITR1-RIPE
>> notify: gestionip.ft at francetelecom.com
>> mnt-by: FT-BRX
>> changed: gestionip.ft at francetelecom.com 20010504
>> changed: gestionip.ft at francetelecom.com 20010912
>> source: RIPE
>>
>> ok, the important thing here is the "abuse at wanadoo.fr" and
>> "postmaster at wanadoo.fr".
>>
>> I would send them a note complaining about the user's behavior.
>>
>> Alas, I would expect that you will get no response and I can't think
>> of much you could do after that...
>>
>> You could block the entire wanadoo.fr net from any access to your
>> network with a firewall.
>>
>> as a side note, for spam I suggest the following:
>>
>> - forward your spam to spamcop at spamcop.net, which will reply with a
>> url. You can then go to the URL and have spamcop complain to all the
>> hosts used in the spam.
>>
>> - forward your spam to spam at orbz.org, which will scan your spams
>> headers and test all the ips found for open relays. Then you can use
>> orbz to block mail from them.
>>
>> Greg> Thanks,
>> Greg> Greg Horne
>>
>> kevin
>> --
>> Kevin Fenzi
>> MTS, tummy.com, ltd.
>> http://www.tummy.com/ KRUD - Kevin's Red Hat Uber Distribution
>> _______________________________________________
>> Web Page: http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
>
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
>
--
Kyle Moore
UNIX Systems Administrator
Trust Company of America
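The steps Kevin walks through by hand above (read the tcp_wrappers "attempt from ..." report, look the address up, find the abuse contact in the RIPE record) and Kyle's point about keeping accurate time can be automated. The script below is an added example, not code from the thread or from any list member: it parses report lines of the quoted shape, puts their timestamps on a common UTC clock, and extracts complaint addresses from RIPE-style whois output. It runs offline. The two report lines and the whois text are constructed for the example (the whois text is an abbreviated copy of the record quoted above, with the archive's " at " obfuscation undone), the timezone table only covers zones the sample can contain, and actually fetching whois (with whois(1), or RDAP today) is left out on purpose. Treat the hostname in the report as untrusted: reverse DNS is controlled by whoever runs the source network, which is why the lookup is keyed on the IP address.

```python
"""Added example (not from the original thread): triage tcp_wrappers
report lines and pull abuse contacts from RIPE-style whois output."""

import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, shaped like the lines quoted in the thread.
SAMPLE_REPORT = """\
attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown 193.253.254.165 to in.ftpd at Wed Sep 12 05:30:51 PDT 2001
attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown 65.92.224.5 to in.ftpd at Tue Sep 11 18:57:37 PDT 2001
"""

# Constructed, abbreviated copy of the RIPE record quoted in the thread.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.

inetnum:      193.253.254.0 - 193.253.254.255
netname:      IP2000-ADSL-BAS
country:      FR
admin-c:      WITR1-RIPE
tech-c:       WITR1-RIPE
remarks:      for hacking, spamming or security problems send mail to
remarks:      postmaster@wanadoo.fr AND abuse@wanadoo.fr
remarks:      for ANY problem send mail to gestionip.ft@francetelecom.com
source:       RIPE

role:         Wanadoo Interactive Technical Role
e-mail:       abuse@wanadoo.fr
e-mail:       postmaster@wanadoo.fr
nic-hdl:      WITR1-RIPE
source:       RIPE
"""

# Zone abbreviations are ambiguous in general; this table is an assumption
# of the example and covers only zones the sample data can contain.
TZ_OFFSETS = {"PST": -8, "PDT": -7, "MST": -7, "MDT": -6, "UTC": 0, "GMT": 0}

# host, ident user (presumably %u; "unknown" when no identd reply), address,
# service, then a date(1)-style timestamp.
ATTEMPT_RE = re.compile(
    r"attempt from (?P<host>\S+) (?P<user>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<service>\S+) at (?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4})$"
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_attempt(line):
    """Parse one report line into a dict with the time in UTC, or None.
    UTC lets reports from hosts in different zones be lined up with the
    ISP's own logs, which is the reason to run NTP on the reporting host."""
    m = ATTEMPT_RE.match(line.strip())
    if m is None:
        return None
    _dow, mon, day, clock, zone, year = m.group("when").split()
    if zone not in TZ_OFFSETS:
        return None  # refuse to guess an offset
    naive = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    return {
        "host": m.group("host"),  # untrusted: reverse DNS is the sender's
        "ip": m.group("ip"),
        "service": m.group("service"),
        "utc": local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def parse_whois_objects(text):
    """Split whois output into blank-line-separated objects, each a list of
    (attribute, value) pairs; '%' and '#' server comment lines are dropped."""
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = []
        elif line[0] in "%#":
            continue
        elif ":" in line:
            attr, value = line.split(":", 1)
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def abuse_contacts(whois_text):
    """Addresses to send a complaint to, abuse@ mailboxes first. Looks at
    abuse-mailbox: (what RIPE uses today), e-mail: on role/person objects,
    and any address a remarks: line volunteers, as in the quoted record."""
    found = set()
    for obj in parse_whois_objects(whois_text):
        for attr, value in obj:
            if attr in ("abuse-mailbox", "e-mail", "remarks"):
                found.update(EMAIL_RE.findall(value))
    return sorted(found, key=lambda a: (not a.startswith("abuse@"), a))


def triage(report_text, whois_by_ip):
    """Join each report line with already-fetched whois text for its IP."""
    rows = []
    for line in report_text.splitlines():
        hit = parse_attempt(line)
        if hit is None:
            continue
        hit["contacts"] = abuse_contacts(whois_by_ip.get(hit["ip"], ""))
        rows.append(hit)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT, {"193.253.254.165": SAMPLE_WHOIS}):
        print(row["utc"], row["ip"], row["service"],
              ", ".join(row["contacts"]) or "(no whois on file)")
```

The second sample line has no whois text on file, so it comes back with an empty contact list rather than a guessed one; a line whose zone is not in the table is dropped for the same reason, since a wrong offset would put the complaint at the wrong time in the ISP's logs.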