WORMS

Hi. This is a typical entry in my Spyblocker log : ----

"Logged Entry Saturday, Dec 7 2002 at 07:17:16 PM
Remote Port: 1604
Local Port: 80
Host: 24.170.170.36
[WORM]
[BLOCKED]

Worm: Code Red/II/Nimda Variant
NOTE: The actual worm contents have been suppressed to avoid Anti-Virus programs from alerting you with False Positives."
Is there any way of telling where the Worm came from? I have had these entries when visiting sites which I felt sure wouldn't try to set Worms and I wondered if it is possible for them to be "smuggled" in by third parties when you are visiting a site ? Any enlightenment would be appreciated Cheers. Alpha.

 

Thanks Paul for that interesting information. I guess that is what's happening. I'd still like to pursue the question of trying to identify where the Worms originate. With Bugs,for example,the log entry tells you where they came from :----
ogged Entry Monday, Dec 2 2002 at 12:42:36 PM
Remote Port: 1085
Local Port: 80
Host: 127.0.0.1 (SpyBlocker)
[BUG]
[BLOCKED]

GET /image-980455-5042815 HTTP/1.1
Accept: */*
Referer: http://www.rampantscotland.com/clans/blclanmorrison.htm
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 9
Host: www.qksrv.net

but the only "Host" mentioned in a Worm entry is a string of numbers (eg. 173.183.64.229.) Is it possible to identify a source from these numbers or is there any other way ? I'd be interested to hear from you (or any other viewer ) on this subject. Thanks again for your response. Alpha.

 

Hi Paul. Thanks for your further response. I'm afraid a lot of what you said is over my (still- struggling- up- that-learning-curve) head,but I get the message that I might as well give-up on this line of enquiry !!

If it's not too much trouble (and I would quite understand if it is), could you get me a bit further up that curve by explaining how you perform a "Whois" ? I hope it's not too strenuous, as I've been feeling the weight of my years lately !!!

Cheers. ALpha.

 

Here's a site where you can do that: http://www.ripe.net/perl/whois is probably the easiest one to use.
It's just an example, there are many more.
IMO one of the best: http://www.samspade.org

Regards,

Pieter

 

If this is not what you're looking for let me know to delete this.

Host name: user-0calah4.cable.mindspring.com
IP address: 24.170.170.36
Alias(es): None

user-0calah4.cable.mindspring.com [24.170.170.36]
EARTHLINK, INC. ERLK-TWCENTRALFL4 (NET-24-170-160-0-1)
24.170.160.0 - 24.170.175.255
CustName: EARTHLINK, INC.
Address: 1375 PEACHTREE ST, LEVEL A Atlanta GA 30309
Country: US
RegDate: 2002-09-25
Updated: 2002-09-25

NetRange: 24.170.160.0 - 24.170.175.255
CIDR: 24.170.160.0/20
NetName: ERLK-TWCENTRALFL4
NetHandle: NET-24-170-160-0-1
Parent: NET-24-170-128-0-1
NetType: Reassigned
Comment:
RegDate: 2002-09-25
Updated: 2002-09-25

# ARIN Whois database, last updated 2002-12-08 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

OK, so i'll add more about earthlink:
btw: www.samspade.org has problems with arin, so you might like to go immediately to the arin databases via
www.arin.net/whois and type the IP in the little search window.
Resulting in the stuff above and clicking on the parent came this:
Search results for: N NET-24-170-128-0-1


OrgName: Earthlink, Inc.
OrgID: ERTS

NetRange: 24.170.128.0 - 24.170.191.255
CIDR: 24.170.128.0/18
NetName: ERLK-CBL-TW-SOEASTERN
NetHandle: NET-24-170-128-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: ITCHY.MINDSPRING.NET
NameServer: SCRATCHY.MINDSPRING.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-08-23
Updated: 2002-06-20

TechHandle: DAE4-ARIN
TechName: Domain Administrator, Administrator
TechPhone: +1-404-815-0770
TechEmail: arinpoc@corp.earthlink.net

OrgAbuseHandle: ABUSE60-ARIN
OrgAbuseName: ABUSE TEAM
OrgAbusePhone: +1-404-815-0770
OrgAbuseEmail: ABUSE@corp.earthlink.net

OrgTechHandle: ELNK-ORG-ARIN
OrgTechName: EarthLink, Inc.
OrgTechPhone: +1-404-815-0770
OrgTechEmail: arin_tech@lists.corp.earthlink.net

# ARIN Whois database, last updated 2002-12-08 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

So this is where you might like to send your complaint:
ABUSE@corp.earthlink.net

 

Hi Pieter,Jooske and Paul (in the order of appearence !) I must first say that I am quite overwhelmed with all the trouble you guys have taken with my queries, especially as I am obviously well out of your league ! I feel rather like a first-year medical student who finds himself at a senior consultants convention !!! I have only had a quick look at all the material you have provided (including those links)and I guess it will take some time for me work through it in detail. However. at this stage, I can confirm to Jooske that I do want his example, thank you. I'll keep you posted on how I get on and don't be too surprised (or have an "Not him again" reaction) if I need further guidance !! Many Thanks to you all. Cheers. Alpha.

 

Hi Alpha,

Glad to be of assistance
The only time I get that reaction, is when I look in the mirror in the morning
So keep them coming.

Regards,

Pieter

 

Tell you a little secret?
One can learn by visiting the right forums like this, reading and ask burning questions.
Got some education this way in this and the DCS private forum and with those guys amazing support (hundreds of emails, quite some support library by now) and of course some nice tools at hand.
In the DCS forums, Port Explorer, even the eval version of that has a Whois in it enabled which is quite advanced. With that i reproduced the same results from above in just a few clicks. Be it that i have the full version of course.
And i can see all those connections and ports and what is trying to do something nasty, sniff in the packets, etc.
You might like to try it out as an addition on what you have already.
Looking forward to your further finds and results, Alpha!

 

Hi Pieter,Jooske and Paul. Well, despite all your combined efforts, I have to admit defeat. I have spent a long time, over several sessions, trying to get my head round the two "Whois" links you gave me, but the truth is my current knowledge is just not up to it. There is so much of the terminology that is foreign to me that I might as well have been reading a Chinese bible !! I'm really sorry I've taken-up a lot of your valuable time without any positive result -- other than revealing my limitations in this field. I have, however, found a site (PCFlank) which offers what seems to be a somewhat similar program called "WhoEasy"which appears to be within my restricted range. If you know of this, I would be pleased to have your opinions, please -- assuming, of course. that we are still on posting terms !!!! Regards and Regrets. Alpha.

 

alpha24, the 'Whois' protocol is relatively complex in that there are a lot of extensions to it that different servers support and it can be tricky knowing which server(s) to use and what queries to send, but there are some programs that make it very easy to use - ie. just a couple of mouseclicks, plus typing in the domain to lookup. You may want to try the free demo of Port Explorer ( http://www.diamondcs.com.au/portexplorer/ ) - to do a Whois lookup on 'x.com' with Port Explorer, simply click on the Utilities menu, then click on Whois, then type in x.com and press Enter - that's all! Port Explorer will handle everything else, assuming you've left the server on 'Automatic' - it intelligently figures out which is the best Whois server to get results from so you don't have to worry about anything, it takes care of it all for you.

Best regards,
Wayne

 

Don´t let that bring you down alpha24
From what I can read on PCFlanks page, and I quote:

you will have to install Outpost before you can use this utility and it will give you the exact same results. They are only displayed more clearly.
Try the one Wayne recommended and let us know. Always welcome.

Regards,

Pieter

 

I liked especially to mention i could resolve and "whois" them where most other sites left us in the dark; in my trying the traceroute and pinging were dropped too, but you had what you needed, the abuse department of the infected person/intruder so with the logfile part you had already you could email them your complaint and the user might get help to get rid of his infection.

When i send in complaints most of times i ask them just to help their user out of infections and tell them there might be a third party abusing their system, things like that, just to avoid ISPs to just closing accounts where is no reason.

Think you should really have a look at Port Explorer because it is as clear as Wayne is telling, nothing difficult to configure, just try and see the results, it's a free demo and there is a whole forum here available to answer your questions and guide you another time step by step through this.
It is really frustrating to have nice tools and not knowing what to do with them or not understanding alerts, while there might be nothing serious the matter.
For instance:
if a portscan comes on 27374, PE lookup tells us it's default port for RAT: BadBlood, SubSeven 2.1+, Diems Mutter, so the attacker MIGHT use one of those, but it's not necessarily an attack with one of those on you and most probably you're not infected with neither of them.
But there are firewalls telling you had a subseven attack because it is one of the default ports for S7.
To know what is really attacking you should be able to sniff the packets sent and that is possible with PE and TDS.

But back to your automated whois, if you could install the other programs, so you can PE and two menu options like Wayne says, you're there.

 

Howdy

I took liberty to quote Steve Gibson here, if someone is upset for it, I apologize.


"Not all web servers are equally secure.

2001 was a rough year for Microsoft's IIS web server. The FBI informed consumers and e-commerce sites that a Russian organized crime ring was methodically breaking into IIS-based e-commerce web sites that had not applied some of a continuous stream of IIS patches. Confidential customer data was stolen from those servers, held for ransom, and reportedly released on the Internet -- even if the IIS-based web sites paid the ransom. Then the world endured multiple rounds of IIS-based CodeRed and Nimda worms spreading like wild fire across the Internet. The CodeRed II and Nimda worms installed semi-permanent hacker backdoors into several hundred thousand IIS web servers." <Steve Gibson> ID- Serve freeware


http://grc.com/id/idserve.htm

regards -Ari

 

Hi. Sorry to be rather late in acknowledging your postings Wayne, Pieter and Jooske. I wasn't really expecting further responses to my queries after all the time and trouble which had already been taken to help me. I really do appreciate it. The delay is partly due to the bother I have had with downloading Outpost but I hope the problems will be sorted-out over the next few days and I then intend to install the WhoEasy plug-in as suggested. I would like to try-out Port Explorer In the meantime but I'll have to find out if it is also a plug-in like WhoEasy. Nothing further to report at this stage but I'll be in touch as soon as I have.

With All Best Wishes to all you guys for Christmas and the New Year. Alpha.

 

Hi, Jooske, Pieter,Paul and all other contributers to my learning process. I have now sorted myself out and have Outpost in full flow, plus the plug-in WhoEasy and I am quite pleased with the set-up. I gave Port Explorer a trial run but, although it is obviously a great program, I decided it was rather too complex for my current stage. WhoEasy is very simple to operate and seems to provide all I really need at present. I would now be pleased to have some guidance with my next step, which is to make good use of the data provided by WhoEasy. !!
This is a recent entry in my WhoIs (WhoEasy) log, relating to a Worm - blocked entry in my Spyblocker log : --------

" 2002/12/29 16:18:20 REQUEST: address: 210.22.168.10
2002/12/29 16:18:25 REQUEST: using server whois.apnic.net
2002/12/29 16:18:26 SEND:210.22.168.10
2002/12/29 16:18:26 ANSWER:
% [whois.apnic.net node-1]
% How to use this server http://www.apnic.net/db/
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 210.22.64.0 - 210.22.191.255
netname: SH-CHINA-NETCOM
descr: shanghai branch, china netcom
country: CN
admin-c: YH276-AP
tech-c: YH276-AP
mnt-by: MAINT-CN-ZM28
mnt-lower: MAINT-CN-HY28
changed: daihy@china-netcom.com 20020607
status: ALLOCATED PORTABLE
source: APNIC

person: yu hu
address: china netcom
address: shanghai
country: CN
phone: +86-021-64953694
e-mail: huyu@china-netcom.com
nic-hdl: YH276-AP
mnt-by: MAINT-CN-ZM28
changed: daihy@china-netcom.com 20020530
source: APNIC


2002/12/29 16:18:27 SEND:YH276-AP
2002/12/29 16:18:27 ANSWER:
% [whois.apnic.net node-2]
% How to use this server http://www.apnic.net/db/
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

person: yu hu
address: china netcom
address: shanghai
country: CN
phone: +86-021-64953694
e-mail: huyu@china-netcom.com
nic-hdl: YH276-AP
mnt-by: MAINT-CN-ZM28
changed: daihy@china-netcom.com 20020530
source: APNIC "

Could you tell me how I can best use this in the "anti-nasty" context,or does it lack the sort of information needed to take up the "Abuse" issue ?
Cheers. Alpha.

 

Hi,Paul. Further to my posting of 29/12 and refering back to your and Jooske's postings of 09/12, I have now had some more WhoEasy experience and would like to ask a couple of particular questions, please. If the search results do not include an Abuse email address, am I right to assume that that is a "dead end" or is there any other route for submitting a complaint? Also, could you advise me on the format of an Abuse email. including what information it should include,please? Lastly, which "intruders"justify a complaint ? I presume Worms do so, but what about Bugs,Spyware,Scanners etc. ? With Best Wishes for this New Year. Alpha.

 

Hi alpha24,

Here´s a good read on the subject: http://thorweb.anta.net/abuse/abuse-report-clues.shtml

Regards,

Pieter

 

Hi, Pieter. Thanks for the link and what a "good read" it is !! However, although it gives a great deal of information about what reports should include, (which I found rather confusing, I'm afraid), I would still appreciate answers to the questions in my posting,if possible,please. As a result of my reading the link, I would also like to know the Forum's opinion on the use of reporting Services, such as DShield, myNetWatchman and ARIS. My initial reaction was that DShield might be very useful for the inexperienced but wiser heads may take a different view !!! Cheers. Alpha.

 

Hi alpha24,

First I would like to emphasize, that the following is my personal point of view, since I did not check if there is an official point of view.
In case of the result you got, I would send an e-mail explaining what happened to this address: huyu@china-netcom.com and await their answer before reporting to the organisations you mentioned.

Regards,

Pieter

 

Thanks for your's of 4 Jan: Pieter. I have done what you suggested and await a response, although I expect most of these Abuse reports are never acknowledged !! I also reported a Port Scan and this is what I received in return:---

Subj: Re: Port Scanning [#737521]
Date: 07/01/03 11:38:05 GMT Standard Time
From: abuse.cc@chartercom.com
To: alfredmorrison@aol.com



Greetings,
You have reached the Charter Abuse Team. We have received your abuse complaint. There is no need to reply to this message.

We cannot reply personally to all complaints, but we will send you a message if we need more information in order to process your complaint.

Charter Communications Abuse Team
abuse.cc@chartercom.com


----- alfredmorrison@aol.com Wrote -----
Web Form ID: 014

Billing System No. NORTHEAST

Region: NORTHEAST

Name: Abuse, Unknown
Address: 12405 Powerscourt Drive
St. Louis, MO 63131
Contact: Phone
Phone: XXX-XXX-XXXX
E-mail: Alfredmorrison@aol.com

Subject: Port Scanning

YOURNAME=VIA EMAIL
REPLY-TO=Alfredmorrison@aol.com
REPORTDATE=01/07/2003
REPORTTIME=11:40:47 GMT
BROWSERIP=NOTAPPLICABLE
INCIDENTTYPE=Port Scanning
DMCATITLE=UNKNOWN
CASEREFERENCE=
CASEREFERENCESTRING=
INCIDENTDATE=2003/01/07
INCIDENTTIME=11:40:47
INCIDENTAMPM=
INCIDENTTIMEZONE=GMT
OFFENDERIP=66.189.87.120
REGION=NORTHEAST
REGIONSTATE=MA
MARKET=Oxford
SUBNET=66.189.80.0/20
CONTACTNAME=Tom Newton
CONTACTEMAIL=tnewton@chartercom.com 508 853 1515 x2872
ADDITIONALINFO=
From Alfredmorrison@aol.com Tue Jan 7 05:40:47 2003
Received: from dc-mxdb10.cluster1.charter.net (209-225-8-74.charter.net
[209.225.8.74] (may be forged))
by dstools.charter.net (8.11.6/8.11.6/SuSE Linux 0.5) with ESMTP
id h07BelF11278
for <abuse@dstools.charter.net>; Tue, 7 Jan 2003 05:40:47 -0600
Received: from <abuse@charter.net>
by dc-mxdb10.cluster1.charter.net (CommuniGate Pro RULES 3.5.9b)
with RULES id 2049252; Tue, 07 Jan 2003 06:36:12 -0500
X-Autogenerated: Mirror
X-Mirrored-by: <abuse@charter.net> (charter.net abuse account)
Received: from imo-r03.mx.aol.com ([152.163.225.99] verified)
by dc-mx10.cluster1.charter.net (CommuniGate Pro SMTP 3.5.9)
with ESMTP id 50431183 for abuse@charter.net; Tue, 07 Jan 2003
06:36:12 -0500
Received: from Alfredmorrison@aol.com
by imo-r03.mx.aol.com (mail_out_v34.13.) id 3.6a.2ba7a966 (446
for <abuse@charter.net>; Tue, 7 Jan 2003 06:36:07 -0500 (EST)
From: Alfredmorrison@aol.com
Message-ID: <6a.2ba7a966.2b4c15a7@aol.com>
Date: Tue, 7 Jan 2003 06:36:07 EST
Subject: Port Scan.
To: abuse@charter.net
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="part1_6a.2ba7a966.2b4c15a7_boundary"
X-Mailer: AOL 6.0 for Windows UK sub 10512


--part1_6a.2ba7a966.2b4c15a7_boundary
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

Hi. I wish to report that a Port Scan of my computer was blocked
recently
and the following data was logged:----------



1) Logged Entry Wednesday, Jan 1 2003 at 03:16:01 PM
Remote Port: 3007
Local Port: 80
Host: 66.189.87.120
[PORT SCAN]
[BLOCKED]

GET / HTTP/1.1

2) 2003/01/07 11:20:29 REQUEST: address: 66.189.87.210
2003/01/07 11:20:30 REQUEST: host: cpe-66-189-87-210.ma.charter.com
2003/01/07 11:20:30 REQUEST: using server whois.arin.net
2003/01/07 11:20:30 SEND:66.189.87.210
2003/01/07 11:20:31 ANSWER:
Charter Communications CHARTER-NET-5BLK (NET-66-188-0-0-1)
66.188.0.0 - 66.191.255.255
Charter Communications PPRL-MA-66-189-084 (NET-66-189-84-0-1)
66.189.84.0 - 66.189.91.255

# ARIN Whois database, last updated 2003-01-06 20:00
# Enter ? for additional hints on searching ARIN's Whois database.
#
# WHOIS format will be changing on February 6, 2003
# For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
2003/01/07 11:20:31 SEND:NET-66-188-0-0-1
2003/01/07 11:20:31 ANSWER:

OrgName: Charter Communications
OrgID: CC04

NetRange: 66.188.0.0 - 66.191.255.255
CIDR: 66.188.0.0/14
NetName: CHARTER-NET-5BLK
NetHandle: NET-66-188-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: ns1.charter.com
NameServer: ns2.charter.com
NameServer: ns4.charter.com
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
"For NETWORK ABUSE issues, please email abuse@charter.net"
RegDate: 2001-10-24
Updated: 2002-10-25

TechHandle: SJT1-ARIN
TechName: Smith, Tim
TechPhone: +1-314-288-3886
TechEmail: IPaddressing@chartercom.com

OrgTechHandle: SJT1-ARIN
OrgTechName: Smith, Tim
OrgTechPhone: +1-314-288-3886
OrgTechEmail: IPaddressing@chartercom.com

OrgAbuseHandle: ABUSE19-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-314-543-0200
OrgAbuseEmail: abuse@charter.net

# ARIN Whois database, last updated 2003-01-06 20:00
# Enter ? for additional hints on searching ARIN's Whois database.
#
# WHOIS format will be changing on February 6, 2003
# For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
2003/01/07 11:20:35 SEND:SJT1-ARIN
2003/01/07 11:20:36 ANSWER:

Name: Smith, Tim J
Handle: SJT1-ARIN
Company: Charter Communications
Address: 12405 Powerscourt Dr. St. Louis MO 63131
Country: US
Comment:
RegDate: 2002-08-30
Updated: 2002-08-30
Phone: +1-314-288-3886 (Office)
Email: IPaddressing@chartercom.com

# ARIN Whois database, last updated 2003-01-06 20:00
# Enter ? for additional hints on searching ARIN's Whois database.
#
# WHOIS format will be changing on February 6, 2003
# For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
2003/01/07 11:20:36 SEND:ABUSE19-ARIN
2003/01/07 11:20:36 ANSWER:

Name: Abuse
Handle: ABUSE19-ARIN
Company: Charter Communications
Address: 12405 Powerscourt Dr. St. Louis MO 63131 St. Louis MO 63122
Country: US
Comment:
RegDate: 2002-08-30
Updated: 2002-12-04
Phone: +1-314-543-0200 (Office)
Email: abuse@charter.net

# ARIN Whois database, last updated 2003-01-06 20:00
# Enter ? for additional hints on searching ARIN's Whois database.
#
# WHOIS format will be changing on February 6, 2003
# For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
----------------



I would be grateful for your ackowledgement and comments,please.



Kind Regards. ALFRED MORRISON.



--part1_6a.2ba7a966.2b4c15a7_boundary
Content-Type: text/html; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

FACE="Arial" LANG="0">Hi.    I wish to report that a Port
Scan of my computer was blocked recently and the following data was
logged:----------
            
            
            
            
            
            
            
   




            
1) Logged Entry Wednesday, Jan 1 2003 at 03:16:01 PM

Remote Port: 3007

Local Port: 80

Host: 66.189.87.120

[PORT SCAN]

[BLOCKED]



GET / HTTP/1.1




           2)
2003/01/07 11:20:29   REQUEST: address: 66.189.87.210

2003/01/07 11:20:30   REQUEST: host:
cpe-66-189-87-210.ma.charter.com

2003/01/07 11:20:30   REQUEST: using server whois.arin.net

2003/01/07 11:20:30   SEND:66.189.87.210

2003/01/07 11:20:31   ANSWER:

Charter Communications CHARTER-NET-5BLK (NET-66-188-0-0-1)


            
            
         66.188.0.0 -
66.191.255.255

Charter Communications PPRL-MA-66-189-084 (NET-66-189-84-0-1)


            
            
         66.189.84.0 -
66.189.91.255



# ARIN Whois database, last updated 2003-01-06 20:00

# Enter ? for additional hints on searching ARIN's Whois database.

#

# WHOIS format will be changing on February 6, 2003

# For specifics visit:
http://www.arin.net/mailing_lists/dbwg/0393.html

2003/01/07 11:20:31   SEND:NET-66-188-0-0-1

2003/01/07 11:20:31   ANSWER:



OrgName:    Charter Communications

OrgID:      CC04



NetRange:   66.188.0.0 - 66.191.255.255

CIDR:       66.188.0.0/14

NetName:    CHARTER-NET-5BLK

NetHandle:  NET-66-188-0-0-1

Parent:     NET-66-0-0-0-0

NetType:    Direct Allocation

NameServer: ns1.charter.com

NameServer: ns2.charter.com

NameServer: ns4.charter.com

Comment:    ADDRESSES WITHIN THIS BLOCK ARE
NON-PORTABLE


           "For
NETWORK ABUSE issues, please email abuse@charter.net"

RegDate:    2001-10-24

Updated:    2002-10-25



TechHandle: SJT1-ARIN

TechName:   Smith, Tim

TechPhone:  +1-314-288-3886

TechEmail:  IPaddressing@chartercom.com



OrgTechHandle: SJT1-ARIN

OrgTechName:   Smith, Tim

OrgTechPhone:  +1-314-288-3886

OrgTechEmail:  IPaddressing@chartercom.com



OrgAbuseHandle: ABUSE19-ARIN

OrgAbuseName:   Abuse

OrgAbusePhone:  +1-314-543-0200

OrgAbuseEmail:  abuse@charter.net



# ARIN Whois database, last updated 2003-01-06 20:00

# Enter ? for additional hints on searching ARIN's Whois database.

#

# WHOIS format will be changing on February 6, 2003

# For specifics visit:
http://www.arin.net/mailing_lists/dbwg/0393.html

2003/01/07 11:20:35   SEND:SJT1-ARIN

2003/01/07 11:20:36   ANSWER:



Name:    Smith, Tim J

Handle:  SJT1-ARIN

Company: Charter Communications

Address: 12405 Powerscourt Dr. St. Louis MO 63131

Country: US

Comment:  

RegDate: 2002-08-30

Updated: 2002-08-30

Phone:   +1-314-288-3886  (Office)

Email:   IPaddressing@chartercom.com



# ARIN Whois database, last updated 2003-01-06 20:00

# Enter ? for additional hints on searching ARIN's Whois database.

#

# WHOIS format will be changing on February 6, 2003

# For specifics visit:
http://www.arin.net/mailing_lists/dbwg/0393.html

2003/01/07 11:20:36   SEND:ABUSE19-ARIN

2003/01/07 11:20:36   ANSWER:



Name:    Abuse

Handle:  ABUSE19-ARIN

Company: Charter Communications

Address: 12405 Powerscourt Dr. St. Louis MO 63131 St. Louis MO 63122

Country: US

Comment:  

RegDate: 2002-08-30

Updated: 2002-12-04

Phone:   +1-314-543-0200  (Office)

Email:   abuse@charter.net



# ARIN Whois database, last updated 2003-01-06 20:00

# Enter ? for additional hints on searching ARIN's Whois database.

#

# WHOIS format will be changing on February 6, 2003

# For specifics visit:
http://www.arin.net/mailing_lists/dbwg/0393.html


            
            
            
            
   ----------------
            
            
            
            
            
       



      I would be grateful for your
ackowledgement and comments,please.
            
            




            
         Kind Regards.
  FACE="Aristocrat" LANG="0">    ALFRED
MORRISON. FACE="Arial" LANG="0">





--part1_6a.2ba7a966.2b4c15a7_boundary--









----------------------- Headers --------------------------------
Return-Path: <abuse.cc@chartercom.com>
Received: from rly-xe02.mx.aol.com (rly-xe02.mail.aol.com [172.20.105.194]) by air-xe03.mail.aol.com (v90.10) with ESMTP id MAILINXE32-0107063805; Tue, 07 Jan 2003 06:38:05 -0500
Received: from kstluvir05.chartercom.com (host-24.217.29.1.charter-stl.com [24.217.29.1]) by rly-xe02.mx.aol.com (v90.10) with ESMTP id MAILRELAYINXE29-0107063757; Tue, 07 Jan 2003 06:37:57 1900
Received: from kstlmweb18 (localhost [127.0.0.1])
by kstluvir05.chartercom.com (8.11.6+Sun/8.11.6) with SMTP id h07BboU21074
for <alfredmorrison@aol.com>; Tue, 7 Jan 2003 05:37:50 -0600 (CST)
Date: Tue, 07 Jan 2003 05:37:50 -0600
From: abuse.cc@chartercom.com
Subject: Re: Port Scanning [#737521]
To: alfredmorrison@aol.com
Message-ID: <eGain@30038Tue07Jan200305.37.50>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

How about that for a reaction !!!!!! Goodness knows what it all means but it seems a bad case of overkill to me !! I'll be very interested to see what comes back from China (if anything ) --- it might be decorative enough to hang on a wall !!!!! Cheers. Alpha.