
Hacker attempt from known spammer


dra007


Posted

I just witnessed a firewall alert from an IP which has sent spam to me in the past:

Rule "Default Block TransScout" blocked (67.111.137.238,2004)

Inbound TCP connection

Since I do not trust their abuse desk, is there any other action I can take?

PS. There are some interesting tidbits on this ISP on Google Abuse.

To paraphrase one of them:

>>

>> So, should I expect that this is a case of XO Communications being wholly

>> incompetent, or is it more likely that Concentric is knowingly and

>> willingly assisting in what is a very clear case of fraud?

>> 

Posted
Concentric is XO, they were bought out a few years ago.

/snip

I don't think it would be a waste to notify them.

20499[/snapback]

Sure thing, thanks Merlyn, just as a side issue, I am sure they also sent you this spam:

spam: Americas No 1 penis Enlargement pills

Fraudulent claim of security:

"Secure online shopping

    with secure debit and credit card processing."

while one's credit card data is sent unencrypted and

insecurely to http://csj.bhleecg.info/MC021/cart.php

(the BASE SITE on rackforce also fraudulently claims

to use "state of the art encryption")

---

spam FROM: w226.z206111198.lax-ca.dsl.cnc.net [206.111.198.226]

abuse[at]xo.com,postmaster[at]xo.com,

abuse[at]cnc.net,postmaster[at]cnc.net

Spamvertized URL: http://csj.bhleecg.info/?nAVWVcnGJX.jzTncsj

/snip

==========

[DETAILS:]

spam FROM: w226.z206111198.lax-ca.dsl.cnc.net [206.111.198.226]

OrgName:    XO Communications

OrgID:      XOXO

CIDR:    206.111.0.0/16

OrgAbuseEmail:  abuse[at]xo.com

So again, I have some doubts and trust issues...

Posted

Jim from the XO/Concentric abuse desk used to hang out in NANAE but I haven't seen him in about 6 months. Maybe he was doing too good.

If you want I will email you his addy.

Posted

Interesting even my ISP cannot do anything about this hacker:

Mynmehere,

We received the case that you submitted to us via the web about your hacker attack.  At this time we are not of the offending IP that is inciting the intrusion. It is recommended that you keep your firewall up and traffic from this IP blocked.  The most that we can do for this is contact XO Communications about this, however as you have already found out they are little help.

Hisnamethere

Customer Support Specialist

Posted

XO is only slightly more accommodating to their customers, which I am at work. I have gotten a few of these taken care of only after about 4-5 rounds of emails (that is not your address...I know it is the hacker's, my address is shown as the target in the logs I provided....oh). I may get more because I am also on the XO network (Leased T1 and DSL on opposite ends of the country).

Posted

How often do hackers attempt attacks, I have seen too many lately,

the latest:

Rule "Default Block Portal of Doom Trojan horse" blocked (66.98.154.94,3700)

Inbound UDP packet

and is listed in blackholes

I see them all over the place, Tx to Australia but can't tell why they harass me.

Posted

The Korean Offshore Pharmacy is getting nasty, last hacker attempt was from them:

Rule "Default Block NetBus Trojan horse" blocked (218.152.221.250,NetBus(12345))

Inbound TCP connection

Interestingly this IP is listed in several PLACES!

FIVETEN/korea.spam: added 2004-08-15; hosting *.0ffshorepharm.com on 221.139.2.78;

added 2004-10-07; hosting www.buyherbalsonline.com on 211.108.62.49; added 2001-04-23;

korea does not seem to care about spam; added 2003-08-17

Do we really have to start worrying about spammers' retaliation or am I getting paranoid?

Posted

Like the spam, everybody gets it. No one person is singled out. IMHO, it is paranoid to think that you are the only one. Even if the spammers did retaliate against reporters, you still are not the only reporter (nor probably the most effective reporter). Since most people who report spam have a little bit of knowledge, they will have firewalls so even if the spammers did wish to retaliate purposefully in that manner, they would have to do something a little bit more clever.

IME, spammers are more likely to remove a tiresome reporter address than to retaliate.

Miss Betsy

Posted

The point I am trying to make is that spam, hacker attacks and viruses may not be random and independent. The hacker attempts come from the worst spammers which I report almost daily. So do viruses. So spam is not merely a nuisance but seems to be followed up by other sorts of attacks. Whether it is for retaliation purposes is simply a conjecture. I have no proof to link them other than a common origin, and perhaps it is sent by zombie machines and not real people. But it is real people that reap the benefits of spamming.

Posted
perhaps it is sent by zombie machines and not real people

This is the common belief. A machine is infected which allows it to be used to send spam (I have seen this myself with a friend's computer). Of course, that also opens it up to more virus attacks as the anti-virus, if installed, is not effective.

Posted
The point I am trying to make is that spam, hacker attacks and viruses may not be random and independent.

The point that I am trying to make is that spam is totally random. Spammers collect addresses in all sorts of ways and then sell the lists to other spammers. The hacker attacks are spammers looking for zombie machines and are probably automatic - perhaps in response to reports, but not necessarily. The viruses come from irresponsible networks that don't notify customers and allow spammers. There may be patterns that relate to spam, reports, and viruses, but it is probably the same for every reporter. (just as I seem to receive a 419 spam after I have been plagued with viruses). No reporter is singled out - unless it is to listwash. Just like the spoofed domains in the return paths. The first time someone sees their domain, it seems like a personal attack, but it happens to a lot of people /randomly/ as the spammer starts a new list.

When there were fewer reporters, sometimes spammers did try to intimidate them, but there are too many now. The spammers have resorted to zombies and domain hopping, etc. rather than trying to stop reports.

The spammers DON'T CARE what people think of them or how much trouble and pain they cause people. They are looking for the clueless mark and can afford to send out a million spam to find hir. They may use viruses and trojans to further their ends, but more likely the viruses that come are because they are using an infected computer to send their spew and it also sends viruses. They are very unlikely to 'attack' on purpose users who have firewalls and anti-virus programs.

Miss Betsy

Posted
They are very unlikely to 'attack' on purpose users who have firewalls and anti-virus programs.

I couldn't agree more, they only stopped sending them when I started sending proof that their attacks get stopped on the server, and before they reach my computer.

  • 4 weeks later...
Posted

After spamming me daily for over a year guess who is trying to hack my computer?

IP=218.151.22.18

nodename=-

network=KORNET

location=(Korea)

maploc=(Korea)

mapll=37.30n, 127.00e

whois=

inetnum:        218.144.0.0 - 218.159.255.255

netname:        KORNET

descr:          KOREA TELECOM

descr:          Network Management Center

country:        KR

admin-c:        DL248-AP

tech-c:      GK40-AP

That's right. Kornet!

Details: Rule "Default Block NetBus Trojan horse" blocked (218.151.22.18,NetBus(12345))

Inbound TCP connection

Posted

Please see the following:

http://njabl.org/cgi-bin/lookup.cgi?query=218.151.22.18

http://openrbl.org/lookup?i=218.151.22.18 (seems to be down at present)

http://moensted.dk/spam/?addr=218.151.22.18&Submit=Submit

http://www.dnsstuff.com/tools/tracert.ch?ip=218.151.22.18

I don't remember ever getting a positive response from Kornet or Korea Telecom about my reports of their and/or their customers' relay attempts and spamming.

You are, of course, free to use korea.blackholes.us to filter or block them outright, but beware that bigfoot.com's mailserver lives there.

Posted

Also, you need to dig deeper when searching for IP blocks in Korea.

12/29/04 11:33:11 whois 218.151.22.18[at]whois.apnic.net

whois -h whois.apnic.net 218.151.22.18 ...

% [whois.apnic.net node-2]

% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      218.144.0.0 - 218.159.255.255

netname:      KORNET

descr:        KOREA TELECOM

descr:        Network Management Center

country:      KR

admin-c:      DL248-AP

tech-c:    GK40-AP

remarks:      ***********************************************

remarks:      KRNIC of NIDA is the National Internet Registry

remarks:      in Korea under APNIC. If you would like to

remarks:      find assignment information in detail

remarks:      please refer to the NIDA Whois DB

remarks:      http://whois.nida.or.kr/english/index.html

remarks:      ***********************************************

mnt-by:    MNT-KRNIC-AP

mnt-lower:    MNT-KRNIC-AP

changed:      hostmaster[at]apnic.net 20010924

status:    ALLOCATED PORTABLE

changed:      hm-changed[at]apnic.net 20041007

source:    APNIC

person:    Dong-Joo Lee

address:      128-9 Yeong-Dong Jongro-Ku Seoul

address:      Network Management Center

country:      KR

phone:        +82-2-766-1407

fax-no:    +82-2-766-6008

e-mail:    ip[at]ns.kornet.net

nic-hdl:      DL248-AP

mnt-by:    MAINT-NEW

changed:      hostmaster[at]nic.or.kr 20010425

source:    APNIC

person:    Gyung-Jun Kim

address:      KORNET

address:      128-9, Yeong-Dong, Jongro-Ku

address:      SEOUL

address:      110-763

country:      KR

phone:        +82-2-747-9213

fax-no:    +82-2-3673-5452

e-mail:    ip[at]ns.kornet.net

nic-hdl:      GK40-AP

mnt-by:    MNT-KRNIC-AP

changed:      hostmaster[at]nic.or.kr 20010906

source:    APNIC

inetnum:      218.151.22.0 - 218.151.22.255

netname:      KORNET-INFRA000001-KR

descr:        Korea Telecom

descr:        206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711

descr:        GYUNGGI

descr:        463-711

country:      KR

admin-c:      IA44984-KR

tech-c:    IM53173-KR

remarks:      This IP address space has been allocated to KRNIC.

remarks:      For more information, using KRNIC Whois Database

remarks:      whois -h whois.nic.or.kr

mnt-by:    MNT-KRNIC-AP

remarks:      This information has been partially mirrored by APNIC from

remarks:      KRNIC. To obtain more specific information, please use the

remarks:      KRNIC whois server at whois.krnic.net.

changed:      hostmaster[at]nic.or.kr 20041228

source:    KRNIC

person:    IP Administrator

descr:        Korea Telecom

descr:        206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711

descr:        GYUNGGI

descr:        463-711

country:      KR

phone:        +82-2-3674-5708

fax-no:    +82-2-747-8701

e-mail:    ip[at]ns.kornet.net

nic-hdl:      IA44984-KR

mnt-by:    MNT-KRNIC-AP

remarks:      This information has been partially mirrored by APNIC from

remarks:      KRNIC. To obtain more specific information, please use the

remarks:      KRNIC whois server at whois.krnic.net.

changed:      hostmaster[at]nic.or.kr 20041228

source:    KRNIC

person:    IP Manager

descr:        Korea Telecom

descr:        206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711

descr:        GYUNGGI

descr:        463-711

country:      KR

phone:        +82-2-3674-5708

fax-no:    +82-2-747-8701

e-mail:    ip[at]ns.kornet.net

nic-hdl:      IM53173-KR

mnt-by:    MNT-KRNIC-AP

remarks:      This information has been partially mirrored by APNIC from

remarks:      KRNIC. To obtain more specific information, please use the

remarks:      KRNIC whois server at whois.krnic.net.

changed:      hostmaster[at]nic.or.kr 20041228

source:    KRNIC

12/29/04 11:33:30 whois 218.151.22.18[at]whois.nida.or.kr

whois -h whois.nida.or.kr 218.151.22.18 ...


query: 218.151.22.18

# ENGLISH

KRNIC is not a ISP but a National Internet Registry similar to APNIC.

The followings are information of the organization that is using the IPv4 address.

IPv4 Address    : 218.151.22.0-218.151.22.255

Network Name    : KORNET-INFRA000001

Connect ISP Name : KORNET

Connect Date    : 20031130

Registration Date  : 20031209

[ Organization Information ]

Organization ID    : ORG1600

Org Name        : Korea Telecom

State              : GYUNGGI

Address            : 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711

Zip Code        : 463-711

[ Admin Contact Information]

Name            : IP Administrator

Org Name        : Korea Telecom

State              : GYUNGGI

Address            : 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711

Zip Code        : 463-711

Phone              : +82-2-3674-5708

Fax                : +82-2-747-8701

E-Mail          : ip[at]ns.kornet.net

[ Technical Contact Information ]

Name            : IP Manager

Org Name        : Korea Telecom

State              : GYUNGGI

Address            : 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711

Zip Code        : 463-711

Phone              : +82-2-3674-5708

Fax                : +82-2-747-8701

E-Mail          : ip[at]ns.kornet.net

--------------------------------------------------------------------------------

If the above contacts are not reachable, please see the following ISP contacts

for further information or network abuse.

[ ISP IPv4 Admin Contact Information ]

Name            : IP Administrator

Phone              : +82-2-3674-5708

Fax                : +82-2-747-8701

E-Mail          : ip[at]ns.kornet.net

[ ISP IPv4 Tech Contact Information ]

Name            : IP Manager

Phone              : +82-2-3674-5708

Fax                : +82-2-747-8701

E-Mail          : ip[at]ns.kornet.net

[ ISP Network Abuse Contact Information ]

Name            : Network Abuse

Phone              : +82-2-3675-1499

Fax                : +82-2-747-8701

E-Mail          : abuse[at]kornet.net


- KRNIC Whois Service -

whois.krnic.net and whois.nida.or.kr are other names for server whois.nic.or.kr [202.30.50.120].
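The narrowing step that the whois output above walks through, as an added example that is not part of the original post: given a reply containing several nested `inetnum` objects, pick the smallest range that covers the address, since that object names the registry or customer to query next. The function names are hypothetical, and the sample is a constructed, trimmed copy of the two `inetnum` objects quoted above.

```python
import ipaddress

# Constructed sample: a trimmed APNIC-style reply using the two inetnum
# objects quoted in the post above (most fields omitted). Assumption:
# objects are separated by blank lines, as whois servers normally emit them.
SAMPLE_WHOIS = """\
% [whois.apnic.net node-2]
inetnum:      218.144.0.0 - 218.159.255.255
netname:      KORNET
descr:        KOREA TELECOM
country:      KR

inetnum:      218.151.22.0 - 218.151.22.255
netname:      KORNET-INFRA000001-KR
descr:        Korea Telecom
country:      KR
remarks:      whois -h whois.nic.or.kr
"""

def parse_objects(text):
    """Split a whois reply into objects (dicts of key -> list of values)."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # blank line ends the current object
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")) or ":" not in line:
            continue                      # server comments and banners
        key, value = line.split(":", 1)
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def most_specific(text, ip):
    """Return (netname, first, last) of the smallest inetnum covering ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for obj in parse_objects(text):
        if "inetnum" not in obj:
            continue
        first, last = (ipaddress.ip_address(p.strip())
                       for p in obj["inetnum"][0].split("-"))
        if not first <= addr <= last:
            continue
        size = int(last) - int(first)
        if best is None or size < best[0]:
            best = (size, obj.get("netname", ["?"])[0], str(first), str(last))
    return best[1:] if best else None
```
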
Posted
Bigfoot deserves to be blocked due to their move to offshore servers.......

21990[/snapback]

What, they're not allowed to save a few bucks like anybody else?
Posted

If you take a look at how many services have moved offshore to save money you will notice what an effect it has had on our economy. Sure everyone can save dollars going offshore and after everyone does it I guess we will have to move our families offshore so we can get a job ;)

Posted

Thank you both for the input...I simply posted the firewall log's analysis, I don't expect to get a response from Kornet. Seems odd that they would attempt sending me a trojan. They must surely know I report them. As for Telecom, I get viruses from telecoms from all around the world, which makes me think there may be a connection.

Posted

Firewall logs, especially when couched as in your sample, aren't always the most accurate things. For example, your firewall may offer up the same entry for 'any' traffic on that port.

As much as I miss analyzing my firewall logs (?) ... the current hardware firewall doesn't capture/report that kind of data, just listing the all-important status of the attempted traffic;

202.96.147.241	UDP: 1029	Blocked
70.247.93.169	UDP: 1026	Blocked
70.240.6.66	UDP: 1027	Blocked
70.247.152.127	UDP: 1026	Blocked
64.244.8.243	UDP: 1026	Blocked
64.22.142.238	UDP: 1027	Blocked
200.120.85.0	UDP: 1026	Blocked
200.70.165.54	UDP: 1027	Blocked
202.102.170.138	UDP: 1434	Blocked
70.240.224.236	UDP: 1027	Blocked
70.247.106.80	UDP: 1026	Blocked
221.215.100.97	UDP: 1434	Blocked
212.24.19.46	UDP: 1027	Blocked
218.28.79.46	TCP: 17901	Blocked
222.88.173.5	UDP: 1026	Blocked
220.117.16.68	TCP: 25	Blocked

Software firewalls on the end systems handle other issues, but look at all the time I have left over not worrying so much about "blocked" traffic <g>
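To make the point of the post above concrete, here is an added example (not part of the original thread) that parses both log styles quoted on this page and groups blocked traffic by protocol and port. It shows that a rule label such as "NetBus Trojan horse" attaches to the port number, and that several unrelated sources usually hit the same port. The function names are hypothetical and the sample log is constructed from lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample built from the two log styles quoted in this thread.
SAMPLE_LOG = """\
Rule "Default Block NetBus Trojan horse" blocked (218.152.221.250,NetBus(12345))
Inbound TCP connection
Rule "Default Block NetBus Trojan horse" blocked (218.151.22.18,NetBus(12345))
Inbound TCP connection
Rule "Default Block Portal of Doom Trojan horse" blocked (66.98.154.94,3700)
Inbound UDP packet
202.96.147.241\tUDP: 1029\tBlocked
70.247.93.169\tUDP: 1026\tBlocked
70.247.152.127\tUDP: 1026\tBlocked
202.102.170.138\tUDP: 1434\tBlocked
"""

# Personal-firewall style: the port may be bare "3700" or wrapped "NetBus(12345)".
NIS_RULE = re.compile(
    r'Rule "(?P<rule>[^"]+)" blocked \((?P<ip>[\d.]+),(?:\w+\()?(?P<port>\d+)\)?\)')
NIS_PROTO = re.compile(r"Inbound (TCP|UDP)")
# Hardware-firewall style: "ip<TAB>PROTO: port<TAB>Blocked" (separator may be missing).
HW_LINE = re.compile(r"(?P<ip>[\d.]+)\s+(?P<proto>TCP|UDP):\s*(?P<port>\d+)\s*Blocked")

def parse(log):
    """Yield (ip, proto, port, rule_label) for both log styles."""
    pending = None
    for line in log.splitlines():
        if m := NIS_RULE.search(line):
            pending = m                     # protocol arrives on the next line
        elif pending and (p := NIS_PROTO.search(line)):
            yield pending["ip"], p.group(1), int(pending["port"]), pending["rule"]
            pending = None
        elif m := HW_LINE.search(line):
            yield m["ip"], m["proto"], int(m["port"]), None

def summarize(log):
    """Map (proto, port) -> {'sources': set of IPs, 'labels': set of rule names}."""
    out = defaultdict(lambda: {"sources": set(), "labels": set()})
    for ip, proto, port, rule in parse(log):
        out[(proto, port)]["sources"].add(ip)
        if rule:
            out[(proto, port)]["labels"].add(rule)
    return dict(out)
```
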

Posted

Those were the logs from Norton Internet Security, I was on line during the alert and went to see the IP identified, an option in NIS. I have a DSL modem with internal IP which works as physical firewall, no logs provided.

Archived

This topic is now archived and is closed to further replies.
