Hi. This is a typical entry in my Spyblocker log:
    "Logged Entry
    Saturday, Dec 7 2002 at 07:17:16 PM
    Remote Port: 1604 Local Port: 80
    Host: 24.170.170.36
    [WORM] [BLOCKED]
    Worm: Code Red/II/Nimda Variant
    NOTE: The actual worm contents have been suppressed to avoid Anti-Virus programs from alerting you with False Positives."
Is there any way of telling where the Worm came from? I have had these entries when visiting sites which I felt sure wouldn't try to set Worms and I wondered if it is possible for them to be "smuggled" in by third parties when you are visiting a site? Any enlightenment would be appreciated. Cheers. Alpha.
Welcome alpha, Unpatched MSoft IIS webservers have been infected en masse - and there are still many of them. When infected with Nimda(s) or CodeRed, these compromised systems will go hunting for other unpatched servers. Seems that's all that's happening here. regards. paul
Thanks Paul for that interesting information. I guess that is what's happening. I'd still like to pursue the question of trying to identify where the Worms originate. With Bugs, for example, the log entry tells you where they came from:
    Logged Entry
    Monday, Dec 2 2002 at 12:42:36 PM
    Remote Port: 1085 Local Port: 80
    Host: 127.0.0.1 (SpyBlocker)
    [BUG] [BLOCKED]
    GET /image-980455-5042815 HTTP/1.1
    Accept: */*
    Referer: http://www.rampantscotland.com/clans/blclanmorrison.htm
    Accept-Language: en-gb
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 9
    Host: www.qksrv.net
but the only "Host" mentioned in a Worm entry is a string of numbers (eg. 173.183.64.229.) Is it possible to identify a source from these numbers or is there any other way? I'd be interested to hear from you (or any other viewer) on this subject. Thanks again for your response. Alpha.
Hi alpha, By performing a "whois" one could possibly detect (using ARIN for example) a netblock range, and the owning ISP. It's not possible to track down the individual user. One could inform the ISP in question at the most. As for the IP number you mentioned: a whois comes up empty, and a traceroute drops dead. regards. paul
Hi Paul. Thanks for your further response. I'm afraid a lot of what you said is over my (still-struggling-up-that-learning-curve) head, but I get the message that I might as well give up on this line of enquiry !! If it's not too much trouble (and I would quite understand if it is), could you get me a bit further up that curve by explaining how you perform a "Whois"? I hope it's not too strenuous, as I've been feeling the weight of my years lately !!! Cheers. Alpha.
Here's a site where you can do that: http://www.ripe.net/perl/whois is probably the easiest one to use. It's just an example, there are many more. IMO one of the best: http://www.samspade.org Regards, Pieter
If this is not what you're looking for let me know to delete this.
    Host name: user-0calah4.cable.mindspring.com
    IP address: 24.170.170.36
    Alias(es): None
    user-0calah4.cable.mindspring.com [24.170.170.36]
    EARTHLINK, INC. ERLK-TWCENTRALFL4 (NET-24-170-160-0-1) 24.170.160.0 - 24.170.175.255
    CustName: EARTHLINK, INC.
    Address: 1375 PEACHTREE ST, LEVEL A Atlanta GA 30309
    Country: US
    RegDate: 2002-09-25
    Updated: 2002-09-25
    NetRange: 24.170.160.0 - 24.170.175.255
    CIDR: 24.170.160.0/20
    NetName: ERLK-TWCENTRALFL4
    NetHandle: NET-24-170-160-0-1
    Parent: NET-24-170-128-0-1
    NetType: Reassigned
    Comment:
    RegDate: 2002-09-25
    Updated: 2002-09-25
    # ARIN Whois database, last updated 2002-12-08 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
OK, so i'll add more about earthlink: btw: www.samspade.org has problems with arin, so you might like to go immediately to the arin databases via www.arin.net/whois and type the IP in the little search window. Resulting in the stuff above and clicking on the parent came this:
    Search results for: N NET-24-170-128-0-1
    OrgName: Earthlink, Inc.
    OrgID: ERTS
    NetRange: 24.170.128.0 - 24.170.191.255
    CIDR: 24.170.128.0/18
    NetName: ERLK-CBL-TW-SOEASTERN
    NetHandle: NET-24-170-128-0-1
    Parent: NET-24-0-0-0-0
    NetType: Direct Allocation
    NameServer: ITCHY.MINDSPRING.NET
    NameServer: SCRATCHY.MINDSPRING.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2001-08-23
    Updated: 2002-06-20
    TechHandle: DAE4-ARIN
    TechName: Domain Administrator, Administrator
    TechPhone: +1-404-815-0770
    TechEmail: arinpoc@corp.earthlink.net
    OrgAbuseHandle: ABUSE60-ARIN
    OrgAbuseName: ABUSE TEAM
    OrgAbusePhone: +1-404-815-0770
    OrgAbuseEmail: ABUSE@corp.earthlink.net
    OrgTechHandle: ELNK-ORG-ARIN
    OrgTechName: EarthLink, Inc.
    OrgTechPhone: +1-404-815-0770
    OrgTechEmail: arin_tech@lists.corp.earthlink.net
    # ARIN Whois database, last updated 2002-12-08 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
So this is where you might like to send your complaint: ABUSE@corp.earthlink.net
Hi Alpha, Have a look at the "whois" as performed by Jooske. You'll notice under "Custname" the query performed on the IP address 24.170.170.36 points to an ISP: EARTHLINK. This ISP uses all IP numbers (NetRange) from 24.170.160.0 up to 24.170.174.255. This way, it is determined the IP number examined belongs to that specific ISP. Thus, in case of problems/complaints, one needs to send an (abuse) email to the ISP found, coming with the relevant extract from your for example firewall log file. This way, the ISP can determine which of its clients used that specific IP number on the time specified, examine their logs and if necessary contact their client or take appropriate actions in regard to their client. Hope this helps. Taken care of by our most valued mods! Be assured - it isn't. regards. paul
Hi Pieter, Jooske and Paul (in the order of appearance !) I must first say that I am quite overwhelmed with all the trouble you guys have taken with my queries, especially as I am obviously well out of your league ! I feel rather like a first-year medical student who finds himself at a senior consultants' convention !!! I have only had a quick look at all the material you have provided (including those links) and I guess it will take some time for me to work through it in detail. However, at this stage, I can confirm to Jooske that I do want his example, thank you. I'll keep you posted on how I get on and don't be too surprised (or have a "Not him again" reaction) if I need further guidance !! Many Thanks to you all. Cheers. Alpha.
Hi Alpha, Glad to be of assistance. The only time I get that reaction is when I look in the mirror in the morning. So keep them coming. Regards, Pieter
Tell you a little secret? One can learn by visiting the right forums like this, reading and asking burning questions. Got some education this way in this and the DCS private forum and with those guys' amazing support (hundreds of emails, quite some support library by now) and of course some nice tools at hand. In the DCS forums, Port Explorer, even the eval version of that has a Whois in it enabled which is quite advanced. With that I reproduced the same results from above in just a few clicks. Be it that I have the full version of course. And I can see all those connections and ports and what is trying to do something nasty, sniff in the packets, etc. You might like to try it out as an addition on what you have already. Looking forward to your further finds and results, Alpha!
Hi Pieter, Jooske and Paul. Well, despite all your combined efforts, I have to admit defeat. I have spent a long time, over several sessions, trying to get my head round the two "Whois" links you gave me, but the truth is my current knowledge is just not up to it. There is so much of the terminology that is foreign to me that I might as well have been reading a Chinese bible !! I'm really sorry I've taken up a lot of your valuable time without any positive result -- other than revealing my limitations in this field. I have, however, found a site (PCFlank) which offers what seems to be a somewhat similar program called "WhoEasy" which appears to be within my restricted range. If you know of this, I would be pleased to have your opinions, please -- assuming, of course, that we are still on posting terms !!!! Regards and Regrets. Alpha.
alpha24, the 'Whois' protocol is relatively complex in that there are a lot of extensions to it that different servers support and it can be tricky knowing which server(s) to use and what queries to send, but there are some programs that make it very easy to use - ie. just a couple of mouseclicks, plus typing in the domain to lookup. You may want to try the free demo of Port Explorer ( http://www.diamondcs.com.au/portexplorer/ ) - to do a Whois lookup on 'x.com' with Port Explorer, simply click on the Utilities menu, then click on Whois, then type in x.com and press Enter - that's all! Port Explorer will handle everything else, assuming you've left the server on 'Automatic' - it intelligently figures out which is the best Whois server to get results from so you don't have to worry about anything, it takes care of it all for you. Best regards, Wayne
Don't let that bring you down, alpha24. From what I can read on PCFlank's page, and I quote: you will have to install Outpost before you can use this utility and it will give you the exact same results. They are only displayed more clearly. Try the one Wayne recommended and let us know. Always welcome. Regards, Pieter
I liked especially to mention I could resolve and "whois" them where most other sites left us in the dark; in my trying the traceroute and pinging were dropped too, but you had what you needed, the abuse department of the infected person/intruder so with the logfile part you had already you could email them your complaint and the user might get help to get rid of his infection. When I send in complaints most of the time I ask them just to help their user out of infections and tell them there might be a third party abusing their system, things like that, just to avoid ISPs just closing accounts where there is no reason. Think you should really have a look at Port Explorer because it is as clear as Wayne is telling, nothing difficult to configure, just try and see the results, it's a free demo and there is a whole forum here available to answer your questions and guide you another time step by step through this. It is really frustrating to have nice tools and not knowing what to do with them or not understanding alerts, while there might be nothing serious the matter. For instance: if a portscan comes on 27374, PE lookup tells us it's default port for RAT: BadBlood, SubSeven 2.1+, Diems Mutter, so the attacker MIGHT use one of those, but it's not necessarily an attack with one of those on you and most probably you're not infected with either of them. But there are firewalls telling you had a subseven attack because it is one of the default ports for S7. To know what is really attacking you should be able to sniff the packets sent and that is possible with PE and TDS. But back to your automated whois, if you could install the other programs, so you can PE and two menu options like Wayne says, you're there.
Howdy. I took the liberty to quote Steve Gibson here, if someone is upset for it, I apologize. "Not all web servers are equally secure. 2001 was a rough year for Microsoft's IIS web server. The FBI informed consumers and e-commerce sites that a Russian organized crime ring was methodically breaking into IIS-based e-commerce web sites that had not applied some of a continuous stream of IIS patches. Confidential customer data was stolen from those servers, held for ransom, and reportedly released on the Internet -- even if the IIS-based web sites paid the ransom. Then the world endured multiple rounds of IIS-based CodeRed and Nimda worms spreading like wild fire across the Internet. The CodeRed II and Nimda worms installed semi-permanent hacker backdoors into several hundred thousand IIS web servers." <Steve Gibson> ID Serve freeware http://grc.com/id/idserve.htm regards -Ari
Hi. Sorry to be rather late in acknowledging your postings Wayne, Pieter and Jooske. I wasn't really expecting further responses to my queries after all the time and trouble which had already been taken to help me. I really do appreciate it. The delay is partly due to the bother I have had with downloading Outpost but I hope the problems will be sorted out over the next few days and I then intend to install the WhoEasy plug-in as suggested. I would like to try out Port Explorer in the meantime but I'll have to find out if it is also a plug-in like WhoEasy. Nothing further to report at this stage but I'll be in touch as soon as I have. With All Best Wishes to all you guys for Christmas and the New Year. Alpha.
Hi, Jooske, Pieter, Paul and all other contributors to my learning process. I have now sorted myself out and have Outpost in full flow, plus the plug-in WhoEasy and I am quite pleased with the set-up. I gave Port Explorer a trial run but, although it is obviously a great program, I decided it was rather too complex for my current stage. WhoEasy is very simple to operate and seems to provide all I really need at present. I would now be pleased to have some guidance with my next step, which is to make good use of the data provided by WhoEasy !! This is a recent entry in my WhoIs (WhoEasy) log, relating to a Worm-blocked entry in my Spyblocker log:
    "2002/12/29 16:18:20 REQUEST: address: 210.22.168.10
    2002/12/29 16:18:25 REQUEST: using server whois.apnic.net
    2002/12/29 16:18:26 SEND:210.22.168.10
    2002/12/29 16:18:26 ANSWER:
    % [whois.apnic.net node-1]
    % How to use this server http://www.apnic.net/db/
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
    inetnum: 210.22.64.0 - 210.22.191.255
    netname: SH-CHINA-NETCOM
    descr: shanghai branch, china netcom
    country: CN
    admin-c: YH276-AP
    tech-c: YH276-AP
    mnt-by: MAINT-CN-ZM28
    mnt-lower: MAINT-CN-HY28
    changed: daihy@china-netcom.com 20020607
    status: ALLOCATED PORTABLE
    source: APNIC
    person: yu hu
    address: china netcom
    address: shanghai
    country: CN
    phone: +86-021-64953694
    e-mail: huyu@china-netcom.com
    nic-hdl: YH276-AP
    mnt-by: MAINT-CN-ZM28
    changed: daihy@china-netcom.com 20020530
    source: APNIC
    2002/12/29 16:18:27 SEND:YH276-AP
    2002/12/29 16:18:27 ANSWER:
    % [whois.apnic.net node-2]
    % How to use this server http://www.apnic.net/db/
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
    person: yu hu
    address: china netcom
    address: shanghai
    country: CN
    phone: +86-021-64953694
    e-mail: huyu@china-netcom.com
    nic-hdl: YH276-AP
    mnt-by: MAINT-CN-ZM28
    changed: daihy@china-netcom.com 20020530
    source: APNIC"
Could you tell me how I can best use this in the "anti-nasty" context, or does it lack the sort of information needed to take up the "Abuse" issue? Cheers. Alpha.
Hi, Paul. Further to my posting of 29/12 and referring back to your and Jooske's postings of 09/12, I have now had some more WhoEasy experience and would like to ask a couple of particular questions, please. If the search results do not include an Abuse email address, am I right to assume that that is a "dead end" or is there any other route for submitting a complaint? Also, could you advise me on the format of an Abuse email, including what information it should include, please? Lastly, which "intruders" justify a complaint? I presume Worms do so, but what about Bugs, Spyware, Scanners etc.? With Best Wishes for this New Year. Alpha.
Hi alpha24, Here's a good read on the subject: http://thorweb.anta.net/abuse/abuse-report-clues.shtml Regards, Pieter
Hi, Pieter. Thanks for the link and what a "good read" it is !! However, although it gives a great deal of information about what reports should include (which I found rather confusing, I'm afraid), I would still appreciate answers to the questions in my posting, if possible, please. As a result of my reading the link, I would also like to know the Forum's opinion on the use of reporting Services, such as DShield, myNetWatchman and ARIS. My initial reaction was that DShield might be very useful for the inexperienced but wiser heads may take a different view !!! Cheers. Alpha.
Hi alpha24, First I would like to emphasize, that the following is my personal point of view, since I did not check if there is an official point of view. In case of the result you got, I would send an e-mail explaining what happened to this address: huyu@china-netcom.com and await their answer before reporting to the organisations you mentioned. Regards, Pieter
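An added example, not written by anyone in this thread and not taken from WhoEasy or Port Explorer: the checks discussed above (is the logged address inside the NetRange/inetnum of the whois answer, was the lookup made for the address that was actually logged, and which mailbox gets the report when no abuse contact is listed) as a small Python script. The two whois answers are constructed samples in the ARIN and APNIC layouts quoted in the thread, using documentation addresses and example domains; all function names are hypothetical.

```python
import ipaddress

# Constructed samples in the two layouts quoted in this thread (not real records).
ARIN_STYLE = """\
OrgName:        Example Cable, Inc.
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  abuse@example.net
# ARIN-layout sample, constructed
"""

APNIC_STYLE = """\
% APNIC-layout sample, constructed
inetnum:   203.0.113.0 - 203.0.113.127
netname:   EXAMPLE-NET
admin-c:   EX1-AP
person:    Example Person
e-mail:    hostmaster@example.org
"""


def parse_fields(text):
    """Return (key, value) pairs from 'Key: value' lines, skipping # and % comments."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.append((key.strip().lower(), value.strip()))
    return fields


def net_range(fields):
    """First NetRange (ARIN) or inetnum (APNIC) as a (low, high) address pair."""
    for key, value in fields:
        if key in ("netrange", "inetnum"):
            low, sep, high = value.partition("-")
            if sep:
                return (ipaddress.ip_address(low.strip()),
                        ipaddress.ip_address(high.strip()))
    return None


def report_contact(fields):
    """Prefer an abuse mailbox; otherwise fall back to the first listed e-mail."""
    emails = [(k, v) for k, v in fields if k == "e-mail" or k.endswith("email")]
    for key, value in emails:
        if "abuse" in key or value.lower().startswith("abuse@"):
            return value, "abuse"
    if emails:
        return emails[0][1], "fallback"
    return None, "none"


def triage(logged_ip, queried_ip, whois_text):
    """Check a whois answer against the firewall log before a report is sent."""
    fields = parse_fields(whois_text)
    logged = ipaddress.ip_address(logged_ip)
    problems = []
    if logged != ipaddress.ip_address(queried_ip):
        problems.append("whois lookup was for %s but the log shows %s"
                        % (queried_ip, logged_ip))
    rng = net_range(fields)
    if rng is None:
        problems.append("no NetRange/inetnum in the answer")
    elif not rng[0] <= logged <= rng[1]:
        problems.append("%s is outside %s - %s" % (logged_ip, rng[0], rng[1]))
    contact, kind = report_contact(fields)
    return {"contact": contact, "kind": kind, "problems": problems}


if __name__ == "__main__":
    print(triage("198.51.100.36", "198.51.100.36", ARIN_STYLE))
    print(triage("203.0.113.10", "203.0.113.10", APNIC_STYLE))
    print(triage("198.51.100.120", "198.51.100.210", ARIN_STYLE))
```

A "fallback" result means the answer listed no abuse mailbox and the report would go to a general contact instead; any entry in "problems" is worth resolving before the report is sent.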
Thanks for yours of 4 Jan, Pieter. I have done what you suggested and await a response, although I expect most of these Abuse reports are never acknowledged !! I also reported a Port Scan and this is what I received in return:
    Subj: Re: Port Scanning [#737521]
    Date: 07/01/03 11:38:05 GMT Standard Time
    From: abuse.cc@chartercom.com
    To: alfredmorrison@aol.com
    Greetings, You have reached the Charter Abuse Team. We have received your abuse complaint. There is no need to reply to this message. We cannot reply personally to all complaints, but we will send you a message if we need more information in order to process your complaint.
    Charter Communications Abuse Team abuse.cc@chartercom.com
    ----- alfredmorrison@aol.com Wrote -----
    Web Form ID: 014
    Billing System No. NORTHEAST
    Region: NORTHEAST
    Name: Abuse, Unknown
    Address: 12405 Powerscourt Drive St. Louis, MO 63131
    Contact: Phone
    Phone: XXX-XXX-XXXX
    E-mail: Alfredmorrison@aol.com
    Subject: Port Scanning
    YOURNAME=VIA EMAIL
    REPLY-TO=Alfredmorrison@aol.com
    REPORTDATE=01/07/2003
    REPORTTIME=11:40:47 GMT
    BROWSERIP=NOTAPPLICABLE
    INCIDENTTYPE=Port Scanning
    DMCATITLE=UNKNOWN
    CASEREFERENCE=
    CASEREFERENCESTRING=
    INCIDENTDATE=2003/01/07
    INCIDENTTIME=11:40:47
    INCIDENTAMPM=
    INCIDENTTIMEZONE=GMT
    OFFENDERIP=66.189.87.120
    REGION=NORTHEAST
    REGIONSTATE=MA
    MARKET=Oxford
    SUBNET=66.189.80.0/20
    CONTACTNAME=Tom Newton
    CONTACTEMAIL=tnewton@chartercom.com 508 853 1515 x2872
    ADDITIONALINFO=
    Hi. I wish to report that a Port Scan of my computer was blocked recently and the following data was logged:
    1) Logged Entry
    Wednesday, Jan 1 2003 at 03:16:01 PM
    Remote Port: 3007 Local Port: 80
    Host: 66.189.87.120
    [PORT SCAN] [BLOCKED]
    GET / HTTP/1.1
    2) 2003/01/07 11:20:29 REQUEST: address: 66.189.87.210
    2003/01/07 11:20:30 REQUEST: host: cpe-66-189-87-210.ma.charter.com
    2003/01/07 11:20:30 REQUEST: using server whois.arin.net
    2003/01/07 11:20:30 SEND:66.189.87.210
    2003/01/07 11:20:31 ANSWER:
    Charter Communications CHARTER-NET-5BLK (NET-66-188-0-0-1) 66.188.0.0 - 66.191.255.255
    Charter Communications PPRL-MA-66-189-084 (NET-66-189-84-0-1) 66.189.84.0 - 66.189.91.255
    # ARIN Whois database, last updated 2003-01-06 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
    #
    # WHOIS format will be changing on February 6, 2003
    # For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
    2003/01/07 11:20:31 SEND:NET-66-188-0-0-1
    2003/01/07 11:20:31 ANSWER:
    OrgName: Charter Communications
    OrgID: CC04
    NetRange: 66.188.0.0 - 66.191.255.255
    CIDR: 66.188.0.0/14
    NetName: CHARTER-NET-5BLK
    NetHandle: NET-66-188-0-0-1
    Parent: NET-66-0-0-0-0
    NetType: Direct Allocation
    NameServer: ns1.charter.com
    NameServer: ns2.charter.com
    NameServer: ns4.charter.com
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE "For NETWORK ABUSE issues, please email abuse@charter.net"
    RegDate: 2001-10-24
    Updated: 2002-10-25
    TechHandle: SJT1-ARIN
    TechName: Smith, Tim
    TechPhone: +1-314-288-3886
    TechEmail: IPaddressing@chartercom.com
    OrgTechHandle: SJT1-ARIN
    OrgTechName: Smith, Tim
    OrgTechPhone: +1-314-288-3886
    OrgTechEmail: IPaddressing@chartercom.com
    OrgAbuseHandle: ABUSE19-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-314-543-0200
    OrgAbuseEmail: abuse@charter.net
    # ARIN Whois database, last updated 2003-01-06 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
    #
    # WHOIS format will be changing on February 6, 2003
    # For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
    2003/01/07 11:20:35 SEND:SJT1-ARIN
    2003/01/07 11:20:36 ANSWER:
    Name: Smith, Tim J
    Handle: SJT1-ARIN
    Company: Charter Communications
    Address: 12405 Powerscourt Dr. St. Louis MO 63131
    Country: US
    Comment:
    RegDate: 2002-08-30
    Updated: 2002-08-30
    Phone: +1-314-288-3886 (Office)
    Email: IPaddressing@chartercom.com
    # ARIN Whois database, last updated 2003-01-06 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
    #
    # WHOIS format will be changing on February 6, 2003
    # For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
    2003/01/07 11:20:36 SEND:ABUSE19-ARIN
    2003/01/07 11:20:36 ANSWER:
    Name: Abuse
    Handle: ABUSE19-ARIN
    Company: Charter Communications
    Address: 12405 Powerscourt Dr. St. Louis MO 63131 St. Louis MO 63122
    Country: US
    Comment:
    RegDate: 2002-08-30
    Updated: 2002-12-04
    Phone: +1-314-543-0200 (Office)
    Email: abuse@charter.net
    # ARIN Whois database, last updated 2003-01-06 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
    #
    # WHOIS format will be changing on February 6, 2003
    # For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
    I would be grateful for your acknowledgement and comments, please. Kind Regards. ALFRED MORRISON.
How about that for a reaction !!!!!! Goodness knows what it all means but it seems a bad case of overkill to me !! I'll be very interested to see what comes back from China (if anything) --- it might be decorative enough to hang on a wall !!!!! Cheers. Alpha.