Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Wednesday, February 28, 2007
253-719-0012
I figured out what this number is. I got an electronically placed and recorded call from Comcast.
When you put this number in Google, however, you get a ton of nasty hacker information.
Interesting.
Tuesday, February 20, 2007
Defender Technologies, DefenderHost.com - Hacker Source
OrgName: Defender Technologies Group, LLC
OrgID: DTGL
Address: 44470 Chilum Place, Building 1
Address: Suite 1197
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US
NetRange: 69.65.96.0 - 69.65.127.255
Inhoster - bad bot source
This is the latest blatant abusing network:
inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
country: UA
Saturday, February 17, 2007
Related Hacker IPs
Time of hack attempt: 2/17/07 21:42:33
65.184.191.13
211.213.118.32
75.34.23.14
212.119.45.138
71.83.46.82
12.206.187.108
59.95.212.177
In addition this IP was in the middle of this looking at another site:
89.150.197.192
Friday, February 16, 2007
Message Guard - Network Solutions
This is the typical message I get from other people when I try to use Network Solutions Message Guard to send them emails:
_______________
I do not have time to go do all of these steps to read the email. It takes over 5 minutes to complete this. I am the only one here in my department and this is very time consuming. Can you please just send me a regular email.
_______________
Until this is fixed, this is not a viable solution for every day use between two parties that are not both using the same service. I thought the idea was that the person only has to go through the steps one time...
I also asked Voltage Security how they guarantee that someone at their location is not able to decrypt and read the email - what policies and auditing do they have in place - and as of yet no response.
Monday, February 12, 2007
Caterpillar, Inc. really Interested in Australia?
12.2.142.7
Arrival Communications - Hacker
There appears to be a hacker at Arrival Communications on this IP, 69.84.207.35, targeting one of our real estate web sites.
They hit our contact request form about 70 times in one day.
Shortly thereafter, the publishing of the site was altered, but we were able to easily republish.
OrgName: Arrival Communication, Inc
OrgID: ARRV
Address: 5100 California Ave Suite 104
City: Bakersfield
StateProv: CA
PostalCode: 93309
Country: US
NetRange: 69.84.192.0 - 69.84.207.255
Identity Based Encryption - Update
The latest is that I just had to re-authenticate to send a message and I'm not sure why. Is this an ongoing thing where you have to re-authenticate on a weekly basis?
The other thing to note is that I bought the service from Network Solutions and it is authenticating on the Voltage Security system.
Wednesday, February 07, 2007
Reverse Load Testing
http://www.networkworld.com/news/2007/020707-hackers-slow-internet-root-servers.html?nlhtsec=0205securityalert3&company=
The engineers are "scratching their heads" wondering why the attack was performed.
I can think of a few reasons.
1. Reverse load testing. Hackers are trying to calculate what it will take to bring down the Internet. Bringing down the Internet could cause a myriad of disruptions that might be beneficial to a myriad of sneaky, slimy people.
2. Bringing down the Internet at a particular time when a certain crime is being committed may prevent certain communications which may then alert the authorities or warning systems to the crime underway.
3. Someone wants attention.
4. Some really flawed programming.
5. Mischief.
Tuesday, February 06, 2007
Identity Based Encryption (IBE) - Trial
As suspected, a few people were skeptical of the email and didn't want to open it until I called them, since it doesn't look like your typical email.
I also had a few people have problems with it including:
#1 my boss couldn't open it on his cell phone - didn't work at all. Also he didn't want to "sign up for an account" even though I explained that's not what it is.
#2 Someone on AOL couldn't open it at all.
#3 One of my customers using Electric Mail and also I think another provider could not open the message. She tried a few different times today...going to have to call tomorrow and see if we can figure this out.
#4 Couldn't respond to tickets to my data center which is a pretty big hosting company. They have an automated system and the message came as an attachment which was then not included in their automated messaging system.
#5 I was told, after asking if I could use it on a web server to send messages, that it only works in Outlook - after I had told them I was using Outlook already, so obviously I knew that. So you can't sign up for this and then send secure messages in an automated fashion to potential clients, for instance, or email receipts from an e-commerce web site or links to file downloads, etc.
A few things to resolve here...it's not quite as simple as normal email and obviously doesn't work for all scenarios.
Monday, February 05, 2007
PHP: Most Requested URLs by Hackers
Per our records, PHP is far and away the most attacked language - and we don't even host it.
These are the URLs various hackers have been scanning our boxes for in the past few months:
/phpAdsNew/adxmlrpc.php
/index.php
/profile.php
/cmd.php
/Ads/adxmlrpc.php
/register.php
/thisdoesnotexistahaha.php
/stats/cmd.php
/portal/cmd.php
/adserver/adxmlrpc.php
/adxmlrpc.php
/a1b2c3d4e5f6g7h8i9/nonexistentfile.php
/phpads/adxmlrpc.php
/web/e-commerce/database/index.php/administration/module/module/index.php
/portal/cacti/cmd.php
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/cacti/cmd.php
/drupal/xmlrpc.php
/web/phpMyAdmin/main.php
/web/phpMyAdmin/main.phpmain.php
/w3c/p3p.xml
/_vti_bin/_vti_aut/author.dll
/admin/login/index.php
/admin/pages/index.php
/admin/pages/settings.php
/admin/start/index.php
/public.php
/web/.../work/index.php
/web//work/index.php
And here are the IPs that have been up to this mischief, along with the number of hits:
39 213.186.50.160
25 62.39.119.241
24 208.72.168.27
16 64.208.172.181
12 216.218.196.210
7 206.169.110.66
4 203.121.69.154
3 212.145.93.63
3 81.196.150.45
2 89.110.131.89
2 74.6.74.225
2 72.10.45.38
2 212.8.197.79
2 212.138.64.171
2 125.248.244.131
1 195.175.37.6
1 195.175.37.71
1 200.88.125.9
1 200.88.223.98
1 212.138.64.172
1 212.138.64.175
1 212.138.64.179
1 125.244.164.69
1 62.150.130.26
1 216.129.105.149
1 72.3.139.176
1 72.30.252.98
1 74.6.71.59
1 74.6.72.189
1 74.6.72.225
1 80.95.160.188
1 64.28.23.49
1 82.114.68.194
1 85.214.45.212
1 86.145.147.223
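The list above was presumably pulled from the web server logs by hand. As an added example (not code from this blog or from any of the networks named on it), here is a small Python script that does the same job automatically: it parses Apache combined-format access log lines, flags requests that match the probe paths listed above (the adxmlrpc.php / xmlrpc.php / cmd.php / phpMyAdmin / _vti_bin families) or that ask for any .php file on a server that hosts no PHP at all, and then tallies hits per source IP in the same "count IP" shape as the list. The log lines in SAMPLE_LOG are constructed for illustration; the IPs in them are documentation-range addresses, not the ones reported in the post, and the combined log format is an assumption about how the server logs.

```python
"""Flag PHP probe requests in a web server access log and tally them by source IP.

Added example; not code from the original blog post. The log lines in SAMPLE_LOG are
constructed for illustration (documentation-range IPs, paths modelled on the post's
list). The log format assumed is Apache "combined" format.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format, e.g.
# 10.0.0.1 - - [05/Feb/2007:10:11:12 -0800] "GET /xmlrpc.php HTTP/1.0" 404 209 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments that recur in the post's list of scanned URLs. A request for any
# of these on a server that hosts no PHP is a scanner, not a visitor.
PROBE_SIGNATURES = (
    "adxmlrpc.php",   # phpAdsNew / adserver XML-RPC endpoint
    "xmlrpc.php",     # generic PHP XML-RPC endpoints (blog, drupal, xmlsrv, ...)
    "cmd.php",        # cacti/cmd.php and lookalikes
    "phpmyadmin",     # phpMyAdmin console
    "_vti_bin",       # FrontPage server extensions
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and decode %xx so "/xmlrpc%2Ephp" still matches.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    rec["status"] = int(rec["status"])
    return rec


def is_probe(rec, hosts_php=False):
    """True if the request hits a known probe signature, or asks for any .php file
    on a server that does not host PHP (the situation the post describes)."""
    path = rec["path"].lower()
    if any(sig in path for sig in PROBE_SIGNATURES):
        return True
    return (not hosts_php) and path.endswith(".php")


def tally_probes(lines, hosts_php=False):
    """Return (hits_per_ip, probed_paths) for an iterable of raw log lines.

    hits_per_ip is a list of (count, ip) tuples sorted by count descending (ties
    by IP), the same shape as the list in the post; probed_paths is a sorted list
    of the distinct paths that were probed."""
    per_ip = Counter()
    paths = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec, hosts_php):
            continue
        per_ip[rec["ip"]] += 1
        paths.add(rec["path"])
    hits = sorted(((n, ip) for ip, n in per_ip.items()), key=lambda t: (-t[0], t[1]))
    return hits, sorted(paths)


# Constructed sample log (not real traffic). Line 3 is an ordinary page view and
# must not be counted; line 5 is percent-encoded to exercise the decoder; the
# last line is garbage and must be skipped.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Feb/2007:02:14:07 -0800] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 212 "-" "-"
192.0.2.10 - - [05/Feb/2007:02:14:08 -0800] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 212 "-" "-"
198.51.100.7 - - [05/Feb/2007:02:15:30 -0800] "GET /listings/home.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Feb/2007:02:14:09 -0800] "GET /cacti/cmd.php HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [05/Feb/2007:03:01:00 -0800] "GET /blog/xmlrpc%2Ephp?x=1 HTTP/1.1" 404 209 "-" "-"
203.0.113.5 - - [05/Feb/2007:03:01:01 -0800] "GET /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 215 "-" "-"
198.51.100.7 - - [05/Feb/2007:03:05:00 -0800] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 209 "-" "-"
not a log line at all
""".splitlines()


if __name__ == "__main__":
    hits, paths = tally_probes(SAMPLE_LOG)
    for n, ip in hits:
        print(f"{n:>4} {ip}")
    print("probed paths:", *paths, sep="\n  ")
```

Run it against a real access log with `tally_probes(open("access.log"))`; pass `hosts_php=True` on a server that really does serve PHP, so that only the signature paths count and legitimate index.php traffic is not flagged. Percent-decoding before matching matters because scanners sometimes encode the dot or the slash to slip past naive string matches.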
Friday, February 02, 2007
Identity Based Encryption - mail forwarding
I have one account set up to forward to the other.
I sent from account A to account B.
Then account B forwarded the IBE message to create a key back to account A.
I was able to create the private key on my computer by creating a login - using a different email address than the one the email was sent to. (I was in account A - the one that sent the message).
When I went back to the email in my webmail-based account B, I had the key on my machine and was able to read it, even though the email address I entered when I created the key was not the email address the mail was sent to...
Also, about 5 minutes later, the test message was forwarded from account B back to account A and I was able to read it without doing anything else.
Seems a bit odd. Not sure the implications of this on secure email. I will have to think this one through a bit more.