Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Thursday, April 26, 2007
Keyloggers in Keyboards
http://www.networkworld.com/news/2006/080806-keyboard.html?nwwpkg=alphadoggs
For Starbucks and Tmobile - Hotspot Hacks
Anyway, when will the day come that someone gets hacked at Starbucks and turns around and sues them? I don't know how that would work out. I don't know if there is anything Starbucks or T-Mobile can do about this (just naming the big guys here), but they certainly should try.
http://www.networkworld.com/news/2007/042507-infosec-evil-twin-wi-fi-access.html?nlhtsec=0423securityalert4&company=HP
DNS Server Hacks
http://www.networkworld.com/news/2007/041307-dns-vulnerability.html?nlhtsec=0416securityalert1&company=Mu%20Security
The question is, what's the fastest way to pinpoint if your DNS server is hosed?
Tuesday, April 24, 2007
Related PHP hacker IPs
"inetnum: 59.88.0.0 - 59.99.255.255
netname: BSNLNET
descr: NIB (National Internet Backbone)
descr: Bharat Sanchar Nigam Limited
descr: Sanchar Bhawan,20, Ashoka Road, New Delhi-110001
country: IN
" 299391 BLOCKED 9jdq30c0otrp Tue Apr 24 04:59:02 PDT 2007 59.94.208.172 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1 4/24/2007 4:59:03 AM 24 4 4/24/2007 4:59:03 AM
"Comcast Cable Communications, Inc. ATT-COMCAST (NET-71-192-0-0-1)
71.192.0.0 - 71.207.255.255
Comcast Cable Communications, IP Services WASHINGTON-16 (NET-71-197-128-0-1)
71.197.128.0 - 71.197.255.255
" 299389 BLOCKED 3bghs2pqv3ms4 Tue Apr 24 04:58:56 PDT 2007 71.200.172.74 /index.php /index.php act=Reg&CODE=00 83 7 1 4/24/2007 4:58:56 AM 24 4 4/24/2007 4:58:56 AM
299388 BLOCKED 1cabokzq2eon9 Tue Apr 24 04:58:55 PDT 2007 200.140.12.1 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/24/2007 4:58:56 AM 24 4 4/24/2007 4:58:56 AM
299387 BLOCKED 5bntk8b5n6k1t Tue Apr 24 04:58:52 PDT 2007 58.142.79.54 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/24/2007 4:58:52 AM 24 4 4/24/2007 4:58:52 AM
299386 BLOCKED b2idleeknprcn Tue Apr 24 04:58:51 PDT 2007 201.12.150.239 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/24/2007 4:58:51 AM 24 4 4/24/2007 4:58:51 AM
299385 BLOCKED 5k5ov71rsp1qd Tue Apr 24 04:58:47 PDT 2007 203.223.150.95 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/24/2007 4:58:48 AM 24 4 4/24/2007 4:58:48 AM
University of Minnesota bot
134.29.227.130
OrgName: Minnesota State University System
OrgID: MSUS
Address: Wells Fargo Place
Address: 30 7th Street East, Suite 350
City: St. Paul
StateProv: MN
PostalCode: 55101-7804
Country: US
NetRange: 134.29.0.0 - 134.29.255.255
This was in the user agent - not sure if related: knst2007
I can find no references to this on Google, except that it's showing up on web stats reports, specifically for a lot of universities.
Monday, April 23, 2007
nflplayers.com surfing the web
This web server is visiting our web sites:
66.208.26.98 resolves to "nflplayers.com"
Top Level Domain: "nflplayers.com"
iibee.com browsing web sites
216.194.68.120 resolves to "iibee.com"
Top Level Domain: "iibee.com"
ap-art.com surfing the web
Here's a web server that is being used to surf our web sites:
207.234.208.96 resolves to "ap-art.com"
Top Level Domain: "ap-art.com"
liggins.plus.com - surfing the web?
Hmm, should this IP address be surfing the web? It seems to have an interest in our web sites.
212.159.42.175 resolves to "liggins.plus.com"
Top Level Domain: "plus.com"
turbinegenerator.com surfing the web
209.34.233.62 resolves to "turbinegenerator.com"
Top Level Domain: "turbinegenerator.com"
proxyout.utah.gov
204.113.19.8 resolves to "proxyout.utah.gov"
Top Level Domain: "utah.gov"
proxy2.xter.net
Proxy server surfing our web sites?
83.217.229.147 resolves to "proxy2.xter.net"
Top Level Domain: "xter.net"
knsk.de
212.1.49.129 resolves to "knsk.de"
Top Level Domain: "knsk.de"
F5 wants to secure your apps with their network hardware
http://www.f5.com/solutions/technology/securing_enterprise_wp.html?CMP=KNC-GoogSiteNtwk&gclid=CLuEguDO2IsCFQQRYwodll4haw
The only issue I see here is more complicated application testing and debugging: it will be harder to pinpoint errors.
I haven't thought it totally through and it's late, but it seems like this is a network device and should focus on network issues.
The concept of what they are doing should be done by every application, however, and perhaps an application framework is best suited for these things. Perhaps you could use a combination, but I worry about the maintenance consequences of this.
A web server surfing the web
Top Level Domain: "hardeecounty.net"
Sunday, April 22, 2007
Inquent = hacked?
Working away here suddenly my printer started making noise for no apparent reason. I'm guessing someone got on my network or my machine here and they are snooping around and hit the device on that port / local IP.
I looked at IPs my machine is connected to and for no apparent reason it is connected to this IP:
205.178.145.1
InQuent Technologies Inc. INQUENT-2 (NET-205-178-128-0-1) 205.178.128.0 - 205.178.191.255
Network Solutions, LLC NSLLC01 (NET-205-178-145-0-1) 205.178.145.0 - 205.178.145.255
Hmmm....hacked or?
Thursday, April 19, 2007
Microsoft DNS + RPC vulnerability
http://securitywatch.eweek.com/exploits_and_attacks/microsoft_urges_workaround_as_worm_hits_unpatched_dns_flaw.html?kc=EWEWEMNL041807EP38A
A flaw in, or exploitation of, the implementation of the Microsoft DNS service plus the RPC (remote procedure call) service is being abused.
JavaScript hacks
http://www.eweek.com/article2/0,1895,2115638,00.asp?kc=EWEWEMNL041907EP38A
Ebay site problem
There is a whole host of sensitive information you have to enter on that page to get your password.
The page is only accessible via http.
Oh, but they probably submit it via https, you say.
So what. Let's say their DNS gets hacked somehow and someone sets up a fake page at that address on the servers you are being rerouted to when you think you're at eBay. The only way to know you are really at eBay is hitting the page itself via https, because the certificate applies to a specific server. Without that you can be rerouted, and when you hit submit on this bogus page you just gave a hacker your secret question/answer (which you probably used in multiple places, right?), your birth date, place of birth, etc. etc.
Scary.
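The point above, that the page carrying the form must itself be served over https and not just its submit target, can be turned into a check. This is an added example, not anything from eBay or from the original post: it parses a page's forms with Python's standard library, looks for sensitive fields, and reports a form whose action is https but whose page was fetched over plain http. The page URL and the HTML are constructed sample input (example.test is a placeholder host).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names that mark a form as carrying account-recovery style data.
SENSITIVE_NAMES = ("password", "secret", "answer", "birth", "ssn", "card")

# Constructed sample: a password-recovery page served from a plain-http URL
# whose form posts to an https URL (placeholder host, not a real site).
SAMPLE_PAGE_URL = "http://www.example.test/recover.html"
SAMPLE_HTML = """
<html><body>
<form action="https://www.example.test/recover" method="post">
  <input name="email" type="text">
  <input name="secret_answer" type="text">
  <input name="birth_date" type="text">
  <input type="submit">
</form>
<form action="/search" method="get"><input name="q" type="text"></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((attrs.get("name") or "").lower(), (attrs.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def is_sensitive(fields):
    """A form is sensitive if it has a password input or a field whose name
    suggests recovery data (secret answer, birth date, card number, ...)."""
    return any(
        ftype == "password" or any(key in name for key in SENSITIVE_NAMES)
        for name, ftype in fields
    )


def audit_forms(page_url, html):
    """Return (finding, resolved_action) pairs for every sensitive form.
    SUBMIT_OVER_HTTP: the data itself travels in the clear.
    FORM_PAGE_OVER_HTTP: the submit target is https, but the page that told the
    browser where to post was fetched over http, so a spoofed or rerouted page
    can swap the action without any certificate warning."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    page_https = urlparse(page_url).scheme == "https"
    for form in parser.forms:
        if not is_sensitive(form["fields"]):
            continue
        action = urljoin(page_url, form["action"])
        if urlparse(action).scheme != "https":
            findings.append(("SUBMIT_OVER_HTTP", action))
        if not page_https:
            findings.append(("FORM_PAGE_OVER_HTTP", action))
    return findings


if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(*finding)
```

Running the sample reports FORM_PAGE_OVER_HTTP for the recovery form and nothing for the search form; fetching the same page under an https URL reports nothing, which is the fix the post is asking for.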
Wednesday, April 18, 2007
Encoding vs. Encryption
http://www.di-mgt.com.au/encode_encrypt.html
Friday, April 13, 2007
195.10.45.155
Here's an interesting DNS resolution. Hide? Hmm.
195.10.45.155 resolves to "hide-155.nhs.uk"
Top Level Domain: "nhs.uk"
Tuesday, April 10, 2007
A surfing hosting proxy server
This IP was surfing our web sites. Looks like something good to block.
203.97.46.29 resolves to "proxy.hosting.co.nz"
Top Level Domain: "co.nz"
Websherpas.com hacked?
Hmm, websherpas.com needs to consult a higher power to prevent their server from surfing the web. This server was sniffing around our web sites:
209.102.67.2 resolves to "www.websherpas.com"
Top Level Domain: "websherpas.com"
Romania, China, Russia...
212.20.253.212 resolves to "euro-hostels.co.uk"
This is another web server surfing our web site. Probably hackers or hacked.
Top Level Domain: "co.uk"
wmanet.org surfing our web site
216.195.194.210 resolves to "wmanet.org"
Top Level Domain: "wmanet.org"
Saturday, April 07, 2007
209.51.147.66 - Monitoring will not stop
IPs used by same hacker(s)
221.147.153.67
203.162.3.156
74.52.245.146
220.123.254.200
Friday, April 06, 2007
209.51.147.66 - HACKER
Check your logs for this one...especially those in the travel industry.
Korean Hackers Are Stepping Up
Here are a few of the IP ranges:
inetnum: 125.176.0.0 - 125.191.255.255
netname: XPEED
country: KR
inetnum: 211.104.0.0 - 211.119.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
inetnum: 220.88.0.0 - 220.95.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
inetnum: 218.144.0.0 - 218.159.255.255
netname: KORNET
descr: KOREA TELECOM
inetnum: 218.234.0.0 - 218.239.255.255
netname: HANANET
descr: Hanaro Telecom Co.
descr: Kukje Electornics Cneter Bldg. 1445-3 Seocho-Dong Seocho-Ku
country: KR
inetnum: 222.96.0.0 - 222.122.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
inetnum: 58.224.0.0 - 58.239.255.255
netname: HANANET
country: KR
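If you want to act on whois ranges like the ones above, the first snag is that an inetnum range is not always one CIDR block, and most filters want CIDR. The following is an added example (mine, not from the post) that converts "inetnum: first - last" lines into the minimal covering prefixes with Python's standard ipaddress module and then checks log IPs against them. The whois text is a constructed sample using a few of the ranges and netnames quoted above.

```python
import ipaddress
import re

# Constructed sample: whois "inetnum" records in the same style as the post.
# The ranges and netnames are copied from the post; the text here is an added example.
WHOIS_RECORDS = """\
inetnum: 125.176.0.0 - 125.191.255.255
netname: XPEED
country: KR
inetnum: 211.104.0.0 - 211.119.255.255
netname: KRNIC-KR
descr: Korea Network Information Center
country: KR
inetnum: 58.224.0.0 - 58.239.255.255
netname: HANANET
country: KR
"""

INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def ranges_to_networks(whois_text):
    """Turn every 'inetnum: first - last' line into the minimal set of CIDR
    blocks covering that range. A whois range need not align to one prefix:
    211.104.0.0 - 211.119.255.255 needs two /13s, not a single block."""
    networks = []
    for first, last in INETNUM_RE.findall(whois_text):
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last)
        networks.extend(ipaddress.summarize_address_range(lo, hi))
    return networks


def covering_network(ip, networks):
    """Return the CIDR block (as a string) that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def classify(ips, networks):
    """Map each logged IP to the block it falls in (None = outside all ranges),
    which is the check to run before deciding whether a whole range is worth denying."""
    return {ip: covering_network(ip, networks) for ip in ips}


if __name__ == "__main__":
    nets = ranges_to_networks(WHOIS_RECORDS)
    print("prefixes:", [str(n) for n in nets])
    print(classify(["218.144.144.230", "211.115.3.4", "58.226.121.105"], nets))
```

The prefix list is what you would paste into a firewall or web server deny rule; the classify step tells you how many of the addresses you are actually seeing fall inside those prefixes, so a block decision is based on your own log rather than on the country label alone.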
A string of related PHP hacker IPs
"inetnum: 220.0.0.0 - 220.63.255.255
netname: BBTECH
descr: Japan nation-wide Network of SOFTBANK BB CORP
descr: Tokyo, Japan
country: JP
" 269236 BLOCKED 7i1768n6s9ky Thu Apr 05 07:10:31 PDT 2007 220.125.98.46 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1 4/5/2007 7:10:31 AM 5 4 4/5/2007 7:10:31 AM
"inetnum: 218.144.0.0 - 218.159.255.255
netname: KORNET
descr: KOREA TELECOM
" 269235 BLOCKED 1n2q7vj1sj66u Thu Apr 05 07:10:28 PDT 2007 218.144.144.230 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1 4/5/2007 7:10:29 AM 5 4 4/5/2007 7:10:29 AM
269234 BLOCKED 17fot0jc7s1g6 Thu Apr 05 07:10:26 PDT 2007 218.239.91.102 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/5/2007 7:10:27 AM 5 4 4/5/2007 7:10:27 AM
269233 BLOCKED 884p8rgc0r4b Thu Apr 05 07:10:24 PDT 2007 222.99.104.139 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1 4/5/2007 7:10:25 AM 5 4 4/5/2007 7:10:25 AM
269232 BLOCKED g6t4qf5acgdc9 Thu Apr 05 07:10:22 PDT 2007 58.226.121.105 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/5/2007 7:10:23 AM 5 4 4/5/2007 7:10:23 AM
"inetnum: 59.88.0.0 - 59.99.255.255
netname: BSNLNET
descr: NIB (National Internet Backbone)
descr: Bharat Sanchar Nigam Limited
descr: Sanchar Bhawan,20, Ashoka Road, New Delhi-110001
country: IN
" 269231 BLOCKED 1q0g62wvk2a4 Thu Apr 05 07:10:18 PDT 2007 59.93.209.25 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1 4/5/2007 7:10:18 AM 5 4 4/5/2007 7:10:18 AM
Another php attack - XMLRPC.PHP etc.
Surprise, surprise - Taiwan.
inetnum: 61.62.0.0 - 61.62.255.255netname: SONET-NETcountry: TW
Taiwan is a big hacker source. If you're not doing business there, you may want to consider blocking IPs from this country. If you're not getting any money from Taiwan, the only thing you will get is a bunch of problems.
269083 BLOCKED 5dmervkrad0bs Thu Apr 05 00:29:54 PDT 2007 61.62.83.165 /phpgroupware/xmlrpc.php /phpgroupware/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269082 BLOCKED 1gpe1xqetqxi1 Thu Apr 05 00:29:54 PDT 2007 61.62.83.165 /phpgroupware/xmlrpc.php /phpgroupware/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269081 BLOCKED 4famei5pnqlkj Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /wordpress/xmlrpc.php /wordpress/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269080 BLOCKED 48978s37c7mpo Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /wordpress/xmlrpc.php /wordpress/xmlrpc.php 83 7 1 4/5/2007 12:29:54 AM 5 4 4/5/2007 12:29:54 AM
269079 BLOCKED 9ur4s0tv5oqc Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /b2evo/xmlsrv/xmlrpc.php /b2evo/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
269078 BLOCKED 2rkqne24ojvle Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /b2evo/xmlsrv/xmlrpc.php /b2evo/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
269077 BLOCKED vt6xth4n6s0r Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /b2/xmlsrv/xmlrpc.php /b2/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
269076 BLOCKED qiox5oyth034 Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /b2/xmlsrv/xmlrpc.php /b2/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:53 AM 5 4 4/5/2007 12:29:53 AM
269075 BLOCKED e7ecb4966qpr7 Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /blogtest/xmlsrv/xmlrpc.php /blogtest/xmlsrv/xmlrpc.php 83 7 1 4/5/2007 12:29:52 AM 5 4 4/5/2007 12:29:52 AM
269074 BLOCKED 12ncmocu7lv5a Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /blogtest/xmlsrv/xmlrpc.php
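Two patterns run through the blocked-request listings on this page: the "related PHP hacker IPs" posts (several networks, one identical and unusual User-Agent, registration endpoints hit within seconds of each other) and the xmlrpc.php post (one IP guessing the same filename under one directory after another). The script below is an added example, not the blog's own tooling: it parses lines in the shape shown above and surfaces both patterns. The log text is a constructed sample re-typed from lines in the posts, trimmed to the fields the parser uses; the window and threshold values are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the blocked-request lines on the page
# (IDs, IPs, paths and times copied from the posts; trailing counters shortened).
SAMPLE_LOG = """\
269236 BLOCKED 7i1768n6s9ky Thu Apr 05 07:10:31 PDT 2007 220.125.98.46 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1
269235 BLOCKED 1n2q7vj1sj66u Thu Apr 05 07:10:28 PDT 2007 218.144.144.230 /index.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /index.php act=Reg&CODE=00 83 7 1
269234 BLOCKED 17fot0jc7s1g6 Thu Apr 05 07:10:26 PDT 2007 218.239.91.102 /register.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /register.php action=signup&who=adult 83 7 1
269232 BLOCKED g6t4qf5acgdc9 Thu Apr 05 07:10:22 PDT 2007 58.226.121.105 /profile.php Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) /profile.php mode=register 83 7 1
299389 BLOCKED 3bghs2pqv3ms4 Tue Apr 24 04:58:56 PDT 2007 71.200.172.74 /index.php /index.php act=Reg&CODE=00 83 7 1
269083 BLOCKED 5dmervkrad0bs Thu Apr 05 00:29:54 PDT 2007 61.62.83.165 /phpgroupware/xmlrpc.php /phpgroupware/xmlrpc.php 83 7 1
269081 BLOCKED 4famei5pnqlkj Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /wordpress/xmlrpc.php /wordpress/xmlrpc.php 83 7 1
269079 BLOCKED 9ur4s0tv5oqc Thu Apr 05 00:29:53 PDT 2007 61.62.83.165 /b2evo/xmlsrv/xmlrpc.php /b2evo/xmlsrv/xmlrpc.php 83 7 1
269077 BLOCKED vt6xth4n6s0r Thu Apr 05 00:29:52 PDT 2007 61.62.83.165 /b2/xmlsrv/xmlrpc.php /b2/xmlsrv/xmlrpc.php 83 7 1
"""

# The path appears twice, with the optional User-Agent between the copies;
# a UA never starts with "/", which is how a missing UA is told apart from the
# second copy of the path.
LINE_RE = re.compile(
    r"^(\d+) BLOCKED (\S+) "                               # record id, session token
    r"(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (\d{4}) "  # timestamp, tz, year
    r"(\d{1,3}(?:\.\d{1,3}){3}) "                          # client IP
    r"(\S+)"                                               # requested path
    r"(?: ([^/].*?))?"                                     # optional User-Agent
    r" \6(?: (.*))?$"                                      # path again, then query/counters
)


def parse_line(line):
    """Parse one blocked-request line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec_id, token, stamp, year, ip, path, ua, rest = m.groups()
    return {
        "id": int(rec_id),
        "when": datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y"),
        "ip": ip,
        "path": path,
        "ua": ua or "",
        "extra": rest or "",
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def related_clients(records, window_seconds=30, min_ips=2):
    """Cluster records that share one exact User-Agent string and arrive within
    window_seconds of each other; keep clusters spanning >= min_ips distinct IPs.
    Different networks, one rare UA, registration URLs, seconds apart: that is
    the 'related IPs' pattern the post is pointing at."""
    by_ua = defaultdict(list)
    for r in records:
        if r["ua"]:
            by_ua[r["ua"]].append(r)
    clusters = []
    for ua, recs in by_ua.items():
        recs.sort(key=lambda r: r["when"])
        current = [recs[0]]
        for r in recs[1:]:
            if (r["when"] - current[-1]["when"]).total_seconds() <= window_seconds:
                current.append(r)
            else:
                clusters.append((ua, current))
                current = [r]
        clusters.append((ua, current))
    return [
        {"ua": ua, "ips": sorted({r["ip"] for r in c}), "paths": sorted({r["path"] for r in c})}
        for ua, c in clusters
        if len({r["ip"] for r in c}) >= min_ips
    ]


def path_probing(records, min_dirs=3):
    """Per source IP, report filenames requested under >= min_dirs different
    directories (xmlrpc.php under /wordpress, /b2evo, ...): a client guessing
    where a known script is installed, not a visitor following links."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        directory, _, filename = r["path"].rpartition("/")
        seen[r["ip"]][filename].add(directory or "/")
    return {
        ip: {fn: sorted(dirs) for fn, dirs in files.items() if len(dirs) >= min_dirs}
        for ip, files in seen.items()
        if any(len(dirs) >= min_dirs for dirs in files.values())
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("related clients:", related_clients(recs))
    print("path probing:", path_probing(recs))
```

On the sample, the four rv:1.3a requests collapse into one cluster of four IPs across three Korean and one Japanese range, while the bare-UA Comcast line stays out of it, and 61.62.83.165 is flagged for xmlrpc.php under four directories. Both outputs are what you would feed into a block list or an alert rather than the raw lines.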
Wednesday, April 04, 2007
Charter bot is back
Charter - bot/1.0 (bot; http://; bot@bot.bot) 267331 BLOCKED 2t10omfv05mc Wed Apr 04 07:58:34 PDT 2007 71.13.115.117 bot/1.0 (bot; http://www.bot.bot; bot@bot.bot) 83 7 1 4/4/2007 7:58:35 AM 4 4 4/4/2007 7:58:35 AM
IPs that need to be updated
Here are some interesting results looking up the information about this IP range:
inetnum: 156.54.0.0 - 156.54.255.255
remarks: This inetnum has been transfered as part of the ERX. It was present in both the ARIN and RIPE databases, so the information from both databases has been merged. If you are the mntner of this object, please update it to reflect the correct information.
Tuesday, April 03, 2007
Comcast needs to fix this domain name
24.18.46.154 resolves to "c-24-18-46-154.hsd1.mn.comcast.net"
Top Level Domain: "comcast.net"
An Exchange server perhaps?
If this is an Exchange server what is it doing surfing our web sites?
Perhaps this stands for something else however:
64.65.150.210 resolves to "exch.seattlearch.org"
Top Level Domain: "seattlearch.org"
Bank Server surfing?
Here's a bank server in Sweden surfing the web... is this right? That's a little scary... but perhaps, since I don't speak the language, this is referring to a modem bank, so I'll let it slide for now =)
195.242.56.2 resolves to "clients.kaupthing.se"
Top Level Domain: "kaupthing.se"
Funny looking domain resolution for a web surfer...
This one looks a little funny ...is this really the IP of an end user surfing or a server?
128.250.172.175 resolves to "guyd.psych.unimelb.edu.au"
Top Level Domain: "edu.au"
Another surfing web server? william.aeoncyberclub.com
Here's an IP with an interesting resolution:
202.7.145.118 resolves to "william.aeoncyberclub.com"
Top Level Domain: "aeoncyberclub.com"
www.adressendeutschland.de web server surfing our web sites
This server appears to be surfing the web and appears to be a web server, though by the looks of the "site" it may be an amateur at home hosting his or her own site.
88.198.38.230 resolves to "www.adressendeutschland.de"
Top Level Domain: "adressendeutschland.de"
ozemail.com.au surfing the web
Is this really an email domain or a DSL domain? It says ozemail, but then it has dsl in the hostname as well. Hopefully someone in Australia can alert this email / DSL provider to find out if this server is hacked.
203.102.242.189 resolves to "189.fip-4.dsl.ozemail.com.au"
Top Level Domain: "com.au"
km6.favo.tv -- a computer user?
87.118.100.27 resolves to "km6.favo.tv"
Top Level Domain: "favo.tv"
A proxy server in the Philippines
Here's a proxy server in the Philippines surfing around our web sites...
202.44.136.50 resolves to "proxy.thapra.su.ac.th"
Top Level Domain: "ac.th"
Speak Easy "scan alert" server surfing our sites?
A SpeakEasy IP with some scanalert.com application is surfing our web sites...
66.92.26.98 resolves to "scan0.scanalert.com"
Top Level Domain: "scanalert.com"
EntireWeb surfing our webs
62.13.25.221 resolves to "www.entireweb.com"
Top Level Domain: "entireweb.com"
Monday, April 02, 2007
A web server surfing our web sites
209.180.210.90 resolves to "sightlife.org"
Top Level Domain: "sightlife.org"