dra007 Posted November 24, 2004

I just witnessed a firewall alert from an IP which has sent spam to me in the past:

Rule "Default Block TransScout" blocked (67.111.137.238,2004) Inbound TCP connection

Since I do not trust their abuse desk, is there any other action I can take?

PS. There are some interesting tidbits on this ISP on Google Abuse. To paraphrase one of them:

>> So, should I expect that this is a case of XO Communications being wholly
>> incompetent, or is it more likely that Concentric is knowingly and
>> willingly assisting in what is a very clear case of fraud?
Merlyn Posted November 24, 2004

Concentric is XO; they were bought out a few years ago. XO is extremely large, and like any other large provider you will find lots of info, bad or good, about them on Google. Yes, they have lots of spammers. See:

http://www.spamhaus.org/sbl/listings.lasso?isp=xo.com

I don't think it would be a waste to notify them.
dra007 (Author) Posted November 24, 2004

> Concentric is XO, they were bought out a few years ago.
> /snip
> I don't think it would be a waste to notify them.

Sure thing, thanks Merlyn. Just as a side issue, I am sure they also sent you this spam:

spam: Americas No 1 penis Enlargement pills
Fraudulent claim of security: "Secure online shopping with secure debit and credit card processing." while one's credit card data is sent unencrypted and insecurely to http://csj.bhleecg.info/MC021/cart.php (the BASE SITE on rackforce also fraudulently claims to use "state of the art encryption")
---
spam FROM: w226.z206111198.lax-ca.dsl.cnc.net [206.111.198.226]
abuse[at]xo.com, postmaster[at]xo.com, abuse[at]cnc.net, postmaster[at]cnc.net
Spamvertized URL: http://csj.bhleecg.info/?nAVWVcnGJX.jzTncsj
/snip
==========
[DETAILS:]
spam FROM: w226.z206111198.lax-ca.dsl.cnc.net [206.111.198.226]
OrgName: XO Communications
OrgID: XOXO
CIDR: 206.111.0.0/16
OrgAbuseEmail: abuse[at]xo.com

So again, I have some doubts and trust issues...
Merlyn Posted November 24, 2004

Jim from the XO/Concentric abuse desk used to hang out in NANAE, but I haven't seen him in about 6 months. Maybe he was doing too good. If you want, I will email you his addy.
dra007 (Author) Posted November 29, 2004

Interesting, even my ISP cannot do anything about this hacker:

Mynmehere,

We received the case that you submitted to us via the web about your hacker attack. At this time we are not of the offending IP that is inciting the intrusion. It is recommended that you keep your firewall up and traffic from this IP blocked. The most that we can do for this is contact XO Communications about this, however as you have already found out they are little help.

Hisnamethere
Customer Support Specialist
Merlyn Posted November 29, 2004

XO has also moved up in position to #9 according to Spamhaus this week.
StevenUnderwood Posted November 29, 2004

XO is only slightly more accommodating to their customers, which I am at work. I have gotten a few of these taken care of only after about 4-5 rounds of emails (that is not your address... I know it is the hacker's, my address is shown as the target in the logs I provided... oh). I may get more because I am also on the XO network (leased T1 and DSL on opposite ends of the country).
Merlyn Posted November 29, 2004

Same here... When a spammer was close to us, XO removed them after a half dozen phone calls.
dra007 (Author) Posted December 2, 2004

How often do hackers attempt attacks? I have seen too many lately; the latest:

Rule "Default Block Portal of Doom Trojan horse" blocked (66.98.154.94,3700) Inbound UDP packet

and it is listed in blackholes. I see them all over the place, Tx to Australia, but can't tell why they harass me.
Merlyn Posted December 2, 2004

Ha! We get thousands each day on our servers. It has just become part of all the internet noise.
dra007 (Author) Posted December 6, 2004

The Korean Offshore Pharmacy is getting nasty; the last hacker attempt was from them:

Rule "Default Block NetBus Trojan horse" blocked (218.152.221.250,NetBus(12345)) Inbound TCP connection

Interestingly, this IP is listed in several PLACES!

FIVETEN/korea.spam: added 2004-08-15
hosting *.0ffshorepharm.com on 221.139.2.78; added 2004-10-07
hosting www.buyherbalsonline.com on 211.108.62.49; added 2001-04-23
korea does not seem to care about spam; added 2003-08-17

Do we really have to start worrying about spammers' retaliation, or am I getting paranoid?
Miss Betsy Posted December 6, 2004

Like the spam, everybody gets it. No one person is singled out. IMHO, it is paranoid to think that you are the only one. Even if the spammers did retaliate against reporters, you still are not the only reporter (nor probably the most effective reporter). Since most people who report spam have a little bit of knowledge, they will have firewalls, so even if the spammers did wish to retaliate purposefully in that manner, they would have to do something a little bit more clever. IME, spammers are more likely to remove a tiresome reporter address than to retaliate.

Miss Betsy
dra007 (Author) Posted December 6, 2004

The point I am trying to make is that spam, hacker attacks and viruses may not be random and independent. The hacker attempts come from the worst spammers, which I report almost daily. So do viruses. So spam is not merely a nuisance but seems to be followed up by other sorts of attacks. Whether it is for retaliation purposes is simply a conjecture. I have no proof to link them other than a common origin, and perhaps it is sent by zombie machines and not real people. But it is real people that reap the benefits of spamming.
StevenUnderwood Posted December 6, 2004

> perhaps it is sent by zombie machines and not real people

This is the common belief. A machine is infected, which allows it to be used to send spam (I have seen this myself with a friend's computer). Of course, that also opens it up to more virus attacks, as the anti-virus, if installed, is not effective.
Miss Betsy Posted December 6, 2004

> The point I am trying to make is that spam, hacker attacks and viruses may not be random and independent.

The point that I am trying to make is that spam is totally random. Spammers collect addresses in all sorts of ways and then sell the lists to other spammers. The hacker attacks are spammers looking for zombie machines and are probably automatic - perhaps in response to reports, but not necessarily. The viruses come from irresponsible networks that don't notify customers and allow spammers.

There may be patterns that relate to spam, reports, and viruses, but it is probably the same for every reporter (just as I seem to receive a 419 spam after I have been plagued with viruses). No reporter is singled out - unless it is to listwash. Just like the spoofed domains in the return paths. The first time someone sees their domain, it seems like a personal attack, but it happens to a lot of people /randomly/ as the spammer starts a new list.

When there were fewer reporters, sometimes spammers did try to intimidate them, but there are too many now. The spammers have resorted to zombies and domain hopping, etc. rather than trying to stop reports. The spammers DON'T CARE what people think of them or how much trouble and pain they cause people. They are looking for the clueless mark and can afford to send out a million spam to find hir. They may use viruses and trojans to further their ends, but more likely the viruses that come are because they are using an infected computer to send their spew and it also sends viruses. They are very unlikely to 'attack' on purpose users who have firewalls and anti-virus programs.

Miss Betsy
dra007 (Author) Posted December 7, 2004

> They are very unlikely to 'attack' on purpose users who have firewalls and anti-virus programs.

I couldn't agree more; they only stopped sending them when I started sending proof that their attacks get stopped on the server, before they reach my computer.
dra007 (Author) Posted December 29, 2004

After spamming me daily for over a year, guess who is trying to hack my computer?

IP=218.151.22.18
nodename=-
network=KORNET
location=(Korea)
maploc=(Korea)
mapll=37.30n, 127.00e
whois=
inetnum: 218.144.0.0 - 218.159.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
admin-c: DL248-AP
tech-c: GK40-AP

That's right. Kornet! Details:

Rule "Default Block NetBus Trojan horse" blocked (218.151.22.18,NetBus(12345)) Inbound TCP connection
Jeff G. Posted December 29, 2004

Please see the following:

http://njabl.org/cgi-bin/lookup.cgi?query=218.151.22.18
http://openrbl.org/lookup?i=218.151.22.18 (seems to be down at present)
http://moensted.dk/spam/?addr=218.151.22.18&Submit=Submit
http://www.dnsstuff.com/tools/tracert.ch?ip=218.151.22.18

I don't remember ever getting a positive response from Kornet or Korea Telecom about my reports of their and/or their customers' relay attempts and spamming. You are, of course, free to use korea.blackholes.us to filter or block them outright, but beware that bigfoot.com's mailserver lives there.
Merlyn Posted December 29, 2004

Bigfoot deserves to be blocked due to their move to offshore servers.......
Jeff G. Posted December 29, 2004

Also, you need to dig deeper when searching for IP blocks in Korea.

12/29/04 11:33:11 whois 218.151.22.18[at]whois.apnic.net
whois -h whois.apnic.net 218.151.22.18 ...
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 218.144.0.0 - 218.159.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
admin-c: DL248-AP
tech-c: GK40-AP
remarks: ***********************************************
remarks: KRNIC of NIDA is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the NIDA Whois DB
remarks: http://whois.nida.or.kr/english/index.html
remarks: ***********************************************
mnt-by: MNT-KRNIC-AP
mnt-lower: MNT-KRNIC-AP
changed: hostmaster[at]apnic.net 20010924
status: ALLOCATED PORTABLE
changed: hm-changed[at]apnic.net 20041007
source: APNIC

person: Dong-Joo Lee
address: 128-9 Yeong-Dong Jongro-Ku Seoul
address: Network Management Center
country: KR
phone: +82-2-766-1407
fax-no: +82-2-766-6008
e-mail: ip[at]ns.kornet.net
nic-hdl: DL248-AP
mnt-by: MAINT-NEW
changed: hostmaster[at]nic.or.kr 20010425
source: APNIC

person: Gyung-Jun Kim
address: KORNET
address: 128-9, Yeong-Dong, Jongro-Ku
address: SEOUL
address: 110-763
country: KR
phone: +82-2-747-9213
fax-no: +82-2-3673-5452
e-mail: ip[at]ns.kornet.net
nic-hdl: GK40-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster[at]nic.or.kr 20010906
source: APNIC

inetnum: 218.151.22.0 - 218.151.22.255
netname: KORNET-INFRA000001-KR
descr: Korea Telecom
descr: 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711
descr: GYUNGGI
descr: 463-711
country: KR
admin-c: IA44984-KR
tech-c: IM53173-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster[at]nic.or.kr 20041228
source: KRNIC

person: IP Administrator
descr: Korea Telecom
descr: 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711
descr: GYUNGGI
descr: 463-711
country: KR
phone: +82-2-3674-5708
fax-no: +82-2-747-8701
e-mail: ip[at]ns.kornet.net
nic-hdl: IA44984-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster[at]nic.or.kr 20041228
source: KRNIC

person: IP Manager
descr: Korea Telecom
descr: 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711
descr: GYUNGGI
descr: 463-711
country: KR
phone: +82-2-3674-5708
fax-no: +82-2-747-8701
e-mail: ip[at]ns.kornet.net
nic-hdl: IM53173-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster[at]nic.or.kr 20041228
source: KRNIC

12/29/04 11:33:30 whois 218.151.22.18[at]whois.nida.or.kr
whois -h whois.nida.or.kr 218.151.22.18 ...
한국인터넷정보센터(www.nic.or.kr)에서 제공하는 Whois 서비스 입니다.

query: 218.151.22.18

# ENGLISH

KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The followings are information of the organization that is using the IPv4 address.
IPv4 Address : 218.151.22.0-218.151.22.255
Network Name : KORNET-INFRA000001
Connect ISP Name : KORNET
Connect Date : 20031130
Registration Date : 20031209

[ Organization Information ]
Organization ID : ORG1600
Org Name : Korea Telecom
State : GYUNGGI
Address : 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711
Zip Code : 463-711

[ Admin Contact Information ]
Name : IP Administrator
Org Name : Korea Telecom
State : GYUNGGI
Address : 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711
Zip Code : 463-711
Phone : +82-2-3674-5708
Fax : +82-2-747-8701
E-Mail : ip[at]ns.kornet.net

[ Technical Contact Information ]
Name : IP Manager
Org Name : Korea Telecom
State : GYUNGGI
Address : 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711
Zip Code : 463-711
Phone : +82-2-3674-5708
Fax : +82-2-747-8701
E-Mail : ip[at]ns.kornet.net

--------------------------------------------------------------------------------
If the above contacts are not reachable, please see the following ISP contacts for further information or network abuse.

[ ISP IPv4 Admin Contact Information ]
Name : IP Administrator
Phone : +82-2-3674-5708
Fax : +82-2-747-8701
E-Mail : ip[at]ns.kornet.net

[ ISP IPv4 Tech Contact Information ]
Name : IP Manager
Phone : +82-2-3674-5708
Fax : +82-2-747-8701
E-Mail : ip[at]ns.kornet.net

[ ISP Network Abuse Contact Information ]
Name : Network Abuse
Phone : +82-2-3675-1499
Fax : +82-2-747-8701
E-Mail : abuse[at]kornet.net

# KOREAN

KRNIC은 국내 인터넷주소자원을 관리하는 곳입니다.
조회하신 IPv4주소의 사용기관 정보는 아래와 같습니다.
IPv4 주소 : 218.151.22.0-218.151.22.255
네트워크 이름 : KORNET-INFRA000001
연결 ISP명 : KORNET
ISP 연결날짜 : 20031130
할당내역 등록일 : 20031209

[ IPv4 사용 기관 정보 ]
기관고유번호 : ORG1600
기관명 : 한국통신
시도명 : 경기
주소 : 성남시 분당구 정자동 206 한국통신 e-Biz본부 기획팀

[ 네트워크 책임자 인물 정보 ]
이름 : IP주소관리자
기관명 : KORNET
시도명 : 경기
주소 : 성남시 분당구 정자동 206 한국통신 e-Biz본부 기획팀
전화 번호 : +82-2-3674-5708
Fax : +82-2-747-8701
전자 우편 : ip[at]ns.kornet.net

[ 네트워크 담당자 인물 정보 ]
이름 : IP주소담당자
기관명 : KORNET
시도명 : 경기
주소 : 성남시 분당구 정자동 206 한국통신 e-Biz본부 기획팀
우편 번호 : 463-711
전화 번호 : +82-2-3674-5708
Fax : +82-2-747-8701
전자 우편 : ip[at]ns.kornet.net

--------------------------------------------------------------------------------
만약 위의 IPv4주소 사용기관 정보가 올바르지 않을 경우에는 아래의 해당 연결 ISP 당당자에게 문의하시기 바랍니다.

[ 연결ISP의 IPv4주소 책임자 정보 ]
이름 : IP주소관리자
전화 번호 : +82-2-3674-5708
Fax : +82-2-747-8701
전자 우편 : ip[at]ns.kornet.net

[ 연결ISP의 IPv4주소 관리자 정보 ]
이름 : IP주소담당자
전화 번호 : +82-2-3674-5708
Fax : +82-2-747-8701
전자 우편 : ip[at]ns.kornet.net

[ 연결ISP의 Network Abuse 담당자 정보 ]
이름 : 스팸/해킹담당
전화 번호 : +82-2-3675-1499
Fax : +82-2-747-8701
전자 우편 : abuse[at]kornet.net

- KRNIC Whois Service -

whois.krnic.net and whois.nida.or.kr are other names for server whois.nic.or.kr [202.30.50.120].
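The "dig deeper" step in the post above is mechanical: the APNIC answer carries two inetnum objects, the parent allocation and a more specific /24 mirrored from KRNIC, and the remarks of the /24 name the server that holds the real contacts. The script below, added here as an illustration and not code from the thread or from any registry, walks that chain offline: it parses the RPSL-style APNIC output, picks the most specific inetnum covering the address, extracts the referral server from the remarks, and then parses KRNIC's "[ Section ] / Key : Value" layout for the abuse mailbox. The two records are constructed from the output quoted above, trimmed to the fields the parser needs, and keep the thread's "[at]" in place of "@"; the referral regex is an assumption that matches the two phrasings seen in those remarks.

```python
"""Follow a whois answer to its most specific allocation and that block's abuse contact.
Added example; the two records are constructed from the APNIC and KRNIC output
quoted in the thread and trimmed to the fields the parser needs."""
import ipaddress
import re

APNIC_SAMPLE = """\
% [whois.apnic.net node-2]
inetnum:      218.144.0.0 - 218.159.255.255
netname:      KORNET
remarks:      KRNIC of NIDA is the National Internet Registry
remarks:      in Korea under APNIC. If you would like to
remarks:      find assignment information in detail
remarks:      please refer to the NIDA Whois DB
source:       APNIC

inetnum:      218.151.22.0 - 218.151.22.255
netname:      KORNET-INFRA000001-KR
remarks:      This information has been partially mirrored by APNIC from
remarks:      KRNIC. To obtain more specific information, please use the
remarks:      KRNIC whois server at whois.krnic.net.
source:       KRNIC
"""

KRNIC_SAMPLE = """\
IPv4 Address       : 218.151.22.0-218.151.22.255
Network Name       : KORNET-INFRA000001

[ ISP IPv4 Admin Contact Information ]
Name               : IP Administrator
E-Mail             : ip[at]ns.kornet.net

[ ISP Network Abuse Contact Information ]
Name               : Network Abuse
Phone              : +82-2-3675-1499
E-Mail             : abuse[at]kornet.net
"""

# Assumption: referrals appear as "whois server at HOST" or "whois -h HOST" in remarks.
REFERRAL_RE = re.compile(r"whois(?: server at| -h)\s+([\w.-]+)", re.I)


def parse_rpsl(text):
    """Split RPSL output into objects (blank-line separated); '%' lines are dropped
    and repeated attributes such as remarks are kept in order as lists."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_networks(inetnum):
    """'218.144.0.0 - 218.159.255.255' -> the CIDR blocks covering that range."""
    start, end = (ipaddress.IPv4Address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(start, end))


def most_specific(objects, ip):
    """Return the inetnum object with the longest prefix containing ip
    (the parent /12 and the child /24 both match; the child wins)."""
    addr = ipaddress.IPv4Address(ip)
    best, best_len = None, -1
    for obj in objects:
        for rng in obj.get("inetnum", []):
            for net in inetnum_networks(rng):
                if addr in net and net.prefixlen > best_len:
                    best, best_len = obj, net.prefixlen
    return best


def referral_server(obj):
    """The more specific whois server named in the object's remarks, if any."""
    m = REFERRAL_RE.search(" ".join(obj.get("remarks", [])))
    return m.group(1).rstrip(".") if m else None


def parse_krnic(text):
    """KRNIC groups 'Key : Value' lines under '[ Section ]' headers."""
    sections, current = {"General": {}}, "General"
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def abuse_contact(sections):
    """E-Mail from the first section whose heading mentions abuse."""
    for name, fields in sections.items():
        if "abuse" in name.lower() and "E-Mail" in fields:
            return fields["E-Mail"]
    return None


def lookup(ip, registry_text, nir_text):
    """Offline stand-in for: query the RIR, notice the referral, query the NIR."""
    block = most_specific(parse_rpsl(registry_text), ip)
    server = referral_server(block)
    abuse = abuse_contact(parse_krnic(nir_text)) if server else None
    return {"netname": block["netname"][0], "referral": server, "abuse": abuse}


if __name__ == "__main__":
    print(lookup("218.151.22.18", APNIC_SAMPLE, KRNIC_SAMPLE))
```

Against live servers the second query would go to the host returned by `referral_server`; here the KRNIC text is supplied directly so the example runs without network access.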
Jeff G. Posted December 29, 2004

> Bigfoot deserves to be blocked due to their move to offshore servers.......

What, they're not allowed to save a few bucks like anybody else?
Merlyn Posted December 29, 2004

If you take a look at how many services have moved offshore to save money, you will notice what an effect it has had on our economy. Sure, everyone can save dollars going offshore, and after everyone does it I guess we will have to move our families offshore so we can get a job.
dra007 (Author) Posted December 29, 2004

Thank you both for the input... I simply posted the firewall log's analysis; I don't expect to get a response from Kornet. Seems odd that they would attempt sending me a trojan. They must surely know I report them. As for Telecom, I get viruses from telecoms from all around the world, which makes me think there may be a connection.
Wazoo Posted December 29, 2004

Firewall logs, especially when couched as in your sample, aren't always the most accurate things. For example, your firewall may offer up the same entry for 'any' traffic on that port. As much as I miss analyzing my firewall logs (?) ... the current hardware firewall doesn't capture/report that kind of data, just listing the all-important status of the attempted traffic:

202.96.147.241 UDP: 1029 Blocked
70.247.93.169 UDP: 1026 Blocked
70.240.6.66 UDP: 1027 Blocked
70.247.152.127 UDP: 1026 Blocked
64.244.8.243 UDP: 1026 Blocked
64.22.142.238 UDP: 1027 Blocked
200.120.85.0 UDP: 1026 Blocked
200.70.165.54 UDP: 1027 Blocked
202.102.170.138 UDP: 1434 Blocked
70.240.224.236 UDP: 1027 Blocked
70.247.106.80 UDP: 1026 Blocked
221.215.100.97 UDP: 1434 Blocked
212.24.19.46 UDP: 1027 Blocked
218.28.79.46 TCP: 17901 Blocked
222.88.173.5 UDP: 1026 Blocked
220.117.16.68 TCP: 25 Blocked

Software firewalls on the end systems handle other issues, but look at all the time I have left over not worrying so much about "blocked" traffic <g>
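The point made above, that a rule name such as "NetBus Trojan horse" is the firewall's label for a port rather than evidence of what actually knocked, is easier to see once entries from both log styles in this thread are reduced to the same shape. The script below is an added example, not code from the thread or from either firewall vendor: it normalizes the Norton Internet Security rule alerts and the hardware firewall's one-line blocks into (source, protocol, port) records, keeps the rule label separately, and then counts hits per port and lists the ports each source touched. The sample lines are constructed from the entries quoted in the thread; both regexes are inferred from those few quotes and are assumptions about the formats.

```python
"""Normalize firewall block entries from two log formats and summarize them by port.
Added example; the sample lines are constructed from the NIS alerts and the
hardware firewall entries quoted in the thread, and the regexes are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample: three NIS rule alerts (the port appears bare or as Label(port))
# followed by the hardware firewall's "src PROTO: port Blocked" entries.
SAMPLE_LINES = [
    'Rule "Default Block NetBus Trojan horse" blocked (218.151.22.18,NetBus(12345)) Inbound TCP connection',
    'Rule "Default Block TransScout" blocked (67.111.137.238,2004) Inbound TCP connection',
    'Rule "Default Block Portal of Doom Trojan horse" blocked (66.98.154.94,3700) Inbound UDP packet',
    "202.96.147.241 UDP: 1029 Blocked",
    "70.247.93.169 UDP: 1026 Blocked",
    "70.240.6.66 UDP: 1027 Blocked",
    "70.247.152.127 UDP: 1026 Blocked",
    "64.244.8.243 UDP: 1026 Blocked",
    "64.22.142.238 UDP: 1027 Blocked",
    "200.120.85.0 UDP: 1026 Blocked",
    "200.70.165.54 UDP: 1027 Blocked",
    "202.102.170.138 UDP: 1434 Blocked",
    "70.240.224.236 UDP: 1027 Blocked",
    "70.247.106.80 UDP: 1026 Blocked",
    "221.215.100.97 UDP: 1434 Blocked",
    "212.24.19.46 UDP: 1027 Blocked",
    "218.28.79.46 TCP: 17901Blocked",  # missing space, exactly as quoted in the thread
    "222.88.173.5 UDP: 1026 Blocked",
    "220.117.16.68 TCP: 25 Blocked",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# NIS alert: Rule "<rule>" blocked (<src>,<port>) or (<src>,<label>(<port>)) Inbound <proto> ...
NIS_RE = re.compile(
    r'Rule "(?P<rule>[^"]+)" blocked \((?P<src>' + IPV4 + r"),"
    r"(?:(?P<label>[^,()]+)\()?(?P<port>\d+)\)?\) Inbound (?P<proto>TCP|UDP)"
)
# Hardware log: <src> <proto>: <port> <action>, tolerating the irregular spacing seen above.
HW_RE = re.compile(
    r"^(?P<src>" + IPV4 + r")\s+(?P<proto>TCP|UDP):\s*(?P<port>\d+)\s*(?P<action>\w+)$"
)


def parse_line(line):
    """Return one normalized record, or None if the line fits neither format.
    The rule name and label are kept but never used for grouping: they are the
    firewall's name for the port, not an identification of the traffic."""
    line = line.strip()
    m = NIS_RE.search(line)
    if m:
        return {"src": m["src"], "proto": m["proto"], "port": int(m["port"]),
                "rule": m["rule"], "label": m["label"], "action": "Blocked"}
    m = HW_RE.match(line)
    if m:
        return {"src": m["src"], "proto": m["proto"], "port": int(m["port"]),
                "rule": None, "label": None, "action": m["action"]}
    return None


def summarize(lines):
    """Parse every line, count hits per (proto, port), and collect ports per source."""
    records = [r for r in map(parse_line, lines) if r]
    per_port = Counter((r["proto"], r["port"]) for r in records)
    ports_by_src = defaultdict(set)
    for r in records:
        ports_by_src[r["src"]].add(r["port"])
    return records, per_port, ports_by_src


def top_ports(per_port, n=3):
    """The most-hit (proto, port) pairs: the background noise level for this log."""
    return per_port.most_common(n)


if __name__ == "__main__":
    recs, per_port, by_src = summarize(SAMPLE_LINES)
    print(f"{len(recs)} blocked entries parsed")
    for (proto, port), count in top_ports(per_port):
        print(f"{proto}/{port}: {count} hits")
    repeat = {s: sorted(p) for s, p in by_src.items() if len(p) > 1}
    print("sources that touched more than one port:", repeat or "none")
```

Grouping by port rather than by rule name is what makes the two logs comparable: a port that dominates the count across many unrelated sources is the noise Merlyn describes, while a single source touching several ports would be the entry worth a second look.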
dra007 (Author) Posted December 30, 2004

Those were the logs from Norton Internet Security. I was online during the alert and went to see the IP identified, an option in NIS. I have a DSL modem with an internal IP which works as a physical firewall, no logs provided..