WORMS

Discussion in 'malware problems & news' started by alpha24, Dec 8, 2002.

Thread Status:
Not open for further replies.
  1. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi. This is a typical entry in my Spyblocker log : ----

    "Logged Entry Saturday, Dec 7 2002 at 07:17:16 PM
    Remote Port: 1604
    Local Port: 80
    Host: 24.170.170.36
    [WORM]
    [BLOCKED]

    Worm: Code Red/II/Nimda Variant
    NOTE: The actual worm contents have been suppressed to avoid Anti-Virus programs from alerting you with False Positives."
    Is there any way of telling where the Worm came from? I have had these entries when visiting sites which I felt sure wouldn't try to set Worms and I wondered if it is possible for them to be "smuggled" in by third parties when you are visiting a site ? Any enlightenment would be appreciated Cheers. Alpha.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Welcome alpha,

    Unpatched MSoft IIS webservers have been infected en masse - and there are still many of them. When infected with Nimda(s) or CodeRed, these compromised systems will go hunting for other unpatched servers. Seems that's all that's happening here.

    regards.

    paul
     
  3. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Thanks Paul for that interesting information. I guess that is what's happening. I'd still like to pursue the question of trying to identify where the Worms originate. With Bugs,for example,the log entry tells you where they came from :----
    ogged Entry Monday, Dec 2 2002 at 12:42:36 PM
    Remote Port: 1085
    Local Port: 80
    Host: 127.0.0.1 (SpyBlocker)
    [BUG]
    [BLOCKED]

    GET /image-980455-5042815 HTTP/1.1
    Accept: */*
    Referer: http://www.rampantscotland.com/clans/blclanmorrison.htm
    Accept-Language: en-gb
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 9:cool:
    Host: www.qksrv.net

    but the only "Host" mentioned in a Worm entry is a string of numbers (eg. 173.183.64.229.) Is it possible to identify a source from these numbers or is there any other way ? I'd be interested to hear from you (or any other viewer ) on this subject. Thanks again for your response. Alpha.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi alpha,

    By performing an "whois" one could possibly detect (using ARIn for example) a netblock range, and the owning ISP. It's not possible to track down the individual user. One could inform the ISP in question at the most.

    As for the IP number you mentioned: a whois comes up empty, and a traceroute drops dead.

    regards.

    paul
     
  5. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi Paul. Thanks for your further response. I'm afraid a lot of what you said is over my (still- struggling- up- that-learning-curve) head,but I get the message that I might as well give-up on this line of enquiry !!

    If it's not too much trouble (and I would quite understand if it is), could you get me a bit further up that curve by explaining how you perform a "Whois" ? I hope it's not too strenuous, as I've been feeling the weight of my years lately !!! o_O

    Cheers. ALpha.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Here's a site where you can do that: http://www.ripe.net/perl/whois is probably the easiest one to use.
    It's just an example, there are many more.
    IMO one of the best: http://www.samspade.org

    Regards,

    Pieter
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If this is not what you're looking for let me know to delete this.

    Host name: user-0calah4.cable.mindspring.com
    IP address: 24.170.170.36
    Alias(es): None

    user-0calah4.cable.mindspring.com [24.170.170.36]
    EARTHLINK, INC. ERLK-TWCENTRALFL4 (NET-24-170-160-0-1)
    24.170.160.0 - 24.170.175.255
    CustName: EARTHLINK, INC.
    Address: 1375 PEACHTREE ST, LEVEL A Atlanta GA 30309
    Country: US
    RegDate: 2002-09-25
    Updated: 2002-09-25

    NetRange: 24.170.160.0 - 24.170.175.255
    CIDR: 24.170.160.0/20
    NetName: ERLK-TWCENTRALFL4
    NetHandle: NET-24-170-160-0-1
    Parent: NET-24-170-128-0-1
    NetType: Reassigned
    Comment:
    RegDate: 2002-09-25
    Updated: 2002-09-25

    # ARIN Whois database, last updated 2002-12-08 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.

    OK, so i'll add more about earthlink:
    btw: www.samspade.org has problems with arin, so you might like to go immediately to the arin databases via
    www.arin.net/whois and type the IP in the little search window.
    Resulting in the stuff above and clicking on the parent came this:
    Search results for: N NET-24-170-128-0-1


    OrgName: Earthlink, Inc.
    OrgID: ERTS

    NetRange: 24.170.128.0 - 24.170.191.255
    CIDR: 24.170.128.0/18
    NetName: ERLK-CBL-TW-SOEASTERN
    NetHandle: NET-24-170-128-0-1
    Parent: NET-24-0-0-0-0
    NetType: Direct Allocation
    NameServer: ITCHY.MINDSPRING.NET
    NameServer: SCRATCHY.MINDSPRING.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2001-08-23
    Updated: 2002-06-20

    TechHandle: DAE4-ARIN
    TechName: Domain Administrator, Administrator
    TechPhone: +1-404-815-0770
    TechEmail: arinpoc@corp.earthlink.net

    OrgAbuseHandle: ABUSE60-ARIN
    OrgAbuseName: ABUSE TEAM
    OrgAbusePhone: +1-404-815-0770
    OrgAbuseEmail: ABUSE@corp.earthlink.net

    OrgTechHandle: ELNK-ORG-ARIN
    OrgTechName: EarthLink, Inc.
    OrgTechPhone: +1-404-815-0770
    OrgTechEmail: arin_tech@lists.corp.earthlink.net

    # ARIN Whois database, last updated 2002-12-08 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.

    So this is where you might like to send your complaint:
    ABUSE@corp.earthlink.net
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Alpha,

    Have a look at the "whois" as performed by Jooske. You'll notice under "Custname" the query performed on the IP address 24.170.170.36 points to an ISP: EARTHLINK. This ISP uses all IP numbers (NetRange) from 24.170.160.0 up to 24.170.174.255. This way, it is determined the IP number examined belongs to that specific ISP.

    Thus, in case of problems/complaints, one needs to send an (abuse) email to the ISP found, coming with the relevant extract from your for example firewall log file. This way, the ISP can determine which of its clients used that specific IP number on the time specified, examine their logs and if necessary contact their client or take appropriate actions in regard to their client.

    Hope this helps ;)

    Taken care of by or most valued mods!

    Be assured - it isnt ;).

    regards.

    paul
     
  9. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi Pieter,Jooske and Paul (in the order of appearence !) I must first say that I am quite overwhelmed with all the trouble you guys have taken with my queries, especially as I am obviously well out of your league ! I feel rather like a first-year medical student who finds himself at a senior consultants convention !!! I have only had a quick look at all the material you have provided (including those links)and I guess it will take some time for me work through it in detail. However. at this stage, I can confirm to Jooske that I do want his example, thank you. I'll keep you posted on how I get on and don't be too surprised (or have an "Not him again" reaction) if I need further guidance !! Many Thanks to you all. Cheers. Alpha.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Alpha,

    Glad to be of assistance :)
    The only time I get that reaction, is when I look in the mirror in the morning :D
    So keep them coming.

    Regards,

    Pieter
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Tell you a little secret?
    One can learn by visiting the right forums like this, reading and ask burning questions.
    Got some education this way in this and the DCS private forum and with those guys amazing support (hundreds of emails, quite some support library by now) and of course some nice tools at hand.
    In the DCS forums, Port Explorer, even the eval version of that has a Whois in it enabled which is quite advanced. With that i reproduced the same results from above in just a few clicks. Be it that i have the full version of course.
    And i can see all those connections and ports and what is trying to do something nasty, sniff in the packets, etc.
    You might like to try it out as an addition on what you have already.
    Looking forward to your further finds and results, Alpha!
     
  12. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi Pieter,Jooske and Paul. Well, despite all your combined efforts, I have to admit defeat. o_O I have spent a long time, over several sessions, trying to get my head round the two "Whois" links you gave me, but the truth is my current knowledge is just not up to it. There is so much of the terminology that is foreign to me that I might as well have been reading a Chinese bible !! I'm really sorry I've taken-up a lot of your valuable time without any positive result -- other than revealing my limitations in this field. I have, however, found a site (PCFlank) which offers what seems to be a somewhat similar program called "WhoEasy"which appears to be within my restricted range. If you know of this, I would be pleased to have your opinions, please -- assuming, of course. that we are still on posting terms !!!! Regards and Regrets. Alpha.
     
  13. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    alpha24, the 'Whois' protocol is relatively complex in that there are a lot of extensions to it that different servers support and it can be tricky knowing which server(s) to use and what queries to send, but there are some programs that make it very easy to use - ie. just a couple of mouseclicks, plus typing in the domain to lookup. You may want to try the free demo of Port Explorer ( http://www.diamondcs.com.au/portexplorer/ ) - to do a Whois lookup on 'x.com' with Port Explorer, simply click on the Utilities menu, then click on Whois, then type in x.com and press Enter - that's all! Port Explorer will handle everything else, assuming you've left the server on 'Automatic' - it intelligently figures out which is the best Whois server to get results from so you don't have to worry about anything, it takes care of it all for you.

    Best regards,
    Wayne
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Don´t let that bring you down alpha24 ;)
    From what I can read on PCFlanks page, and I quote:

    you will have to install Outpost before you can use this utility and it will give you the exact same results. They are only displayed more clearly.
    Try the one Wayne recommended and let us know. Always welcome.

    Regards,

    Pieter
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I liked especially to mention i could resolve and "whois" them where most other sites left us in the dark; in my trying the traceroute and pinging were dropped too, but you had what you needed, the abuse department of the infected person/intruder so with the logfile part you had already you could email them your complaint and the user might get help to get rid of his infection.

    When i send in complaints most of times i ask them just to help their user out of infections and tell them there might be a third party abusing their system, things like that, just to avoid ISPs to just closing accounts where is no reason.

    Think you should really have a look at Port Explorer because it is as clear as Wayne is telling, nothing difficult to configure, just try and see the results, it's a free demo and there is a whole forum here available to answer your questions and guide you another time step by step through this.
    It is really frustrating to have nice tools and not knowing what to do with them or not understanding alerts, while there might be nothing serious the matter.
    For instance:
    if a portscan comes on 27374, PE lookup tells us it's default port for RAT: BadBlood, SubSeven 2.1+, Diems Mutter, so the attacker MIGHT use one of those, but it's not necessarily an attack with one of those on you and most probably you're not infected with neither of them.
    But there are firewalls telling you had a subseven attack because it is one of the default ports for S7.
    To know what is really attacking you should be able to sniff the packets sent and that is possible with PE and TDS.

    But back to your automated whois, if you could install the other programs, so you can PE and two menu options like Wayne says, you're there.
     
  16. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Howdy

    I took liberty to quote Steve Gibson here, if someone is upset for it, I apologize.


    "Not all web servers are equally secure.

    2001 was a rough year for Microsoft's IIS web server. The FBI informed consumers and e-commerce sites that a Russian organized crime ring was methodically breaking into IIS-based e-commerce web sites that had not applied some of a continuous stream of IIS patches. Confidential customer data was stolen from those servers, held for ransom, and reportedly released on the Internet -- even if the IIS-based web sites paid the ransom. Then the world endured multiple rounds of IIS-based CodeRed and Nimda worms spreading like wild fire across the Internet. The CodeRed II and Nimda worms installed semi-permanent hacker backdoors into several hundred thousand IIS web servers." <Steve Gibson> ID- Serve freeware


    http://grc.com/id/idserve.htm

    regards -Ari
     
  17. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi. Sorry to be rather late in acknowledging your postings Wayne, Pieter and Jooske. I wasn't really expecting further responses to my queries after all the time and trouble which had already been taken to help me. I really do appreciate it. The delay is partly due to the bother I have had with downloading Outpost but I hope the problems will be sorted-out over the next few days and I then intend to install the WhoEasy plug-in as suggested. I would like to try-out Port Explorer In the meantime but I'll have to find out if it is also a plug-in like WhoEasy. Nothing further to report at this stage but I'll be in touch as soon as I have.

    With All Best Wishes to all you guys for Christmas and the New Year. Alpha.
     
  18. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi, Jooske, Pieter,Paul and all other contributers to my learning process. I have now sorted myself out and have Outpost in full flow, plus the plug-in WhoEasy and I am quite pleased with the set-up. I gave Port Explorer a trial run but, although it is obviously a great program, I decided it was rather too complex for my current stage. WhoEasy is very simple to operate and seems to provide all I really need at present. I would now be pleased to have some guidance with my next step, which is to make good use of the data provided by WhoEasy. !!
    This is a recent entry in my WhoIs (WhoEasy) log, relating to a Worm - blocked entry in my Spyblocker log : --------

    " 2002/12/29 16:18:20 REQUEST: address: 210.22.168.10
    2002/12/29 16:18:25 REQUEST: using server whois.apnic.net
    2002/12/29 16:18:26 SEND:210.22.168.10
    2002/12/29 16:18:26 ANSWER:
    % [whois.apnic.net node-1]
    % How to use this server http://www.apnic.net/db/
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 210.22.64.0 - 210.22.191.255
    netname: SH-CHINA-NETCOM
    descr: shanghai branch, china netcom
    country: CN
    admin-c: YH276-AP
    tech-c: YH276-AP
    mnt-by: MAINT-CN-ZM28
    mnt-lower: MAINT-CN-HY28
    changed: daihy@china-netcom.com 20020607
    status: ALLOCATED PORTABLE
    source: APNIC

    person: yu hu
    address: china netcom
    address: shanghai
    country: CN
    phone: +86-021-64953694
    e-mail: huyu@china-netcom.com
    nic-hdl: YH276-AP
    mnt-by: MAINT-CN-ZM28
    changed: daihy@china-netcom.com 20020530
    source: APNIC


    2002/12/29 16:18:27 SEND:YH276-AP
    2002/12/29 16:18:27 ANSWER:
    % [whois.apnic.net node-2]
    % How to use this server http://www.apnic.net/db/
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    person: yu hu
    address: china netcom
    address: shanghai
    country: CN
    phone: +86-021-64953694
    e-mail: huyu@china-netcom.com
    nic-hdl: YH276-AP
    mnt-by: MAINT-CN-ZM28
    changed: daihy@china-netcom.com 20020530
    source: APNIC "

    Could you tell me how I can best use this in the "anti-nasty" context,or does it lack the sort of information needed to take up the "Abuse" issue ?
    Cheers. Alpha. :doubt:
     
  19. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi,Paul. Further to my posting of 29/12 and refering back to your and Jooske's postings of 09/12, I have now had some more WhoEasy experience and would like to ask a couple of particular questions, please. If the search results do not include an Abuse email address, am I right to assume that that is a "dead end" or is there any other route for submitting a complaint? Also, could you advise me on the format of an Abuse email. including what information it should include,please? Lastly, which "intruders"justify a complaint ? I presume Worms do so, but what about Bugs,Spyware,Scanners etc. ? With Best Wishes for this New Year. Alpha. :)
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi alpha24,

    Here´s a good read on the subject: http://thorweb.anta.net/abuse/abuse-report-clues.shtml

    Regards,

    Pieter
     
  21. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi, Pieter. Thanks for the link and what a "good read" it is !! However, although it gives a great deal of information about what reports should include, (which I found rather confusing, I'm afraid), I would still appreciate answers to the questions in my posting,if possible,please. As a result of my reading the link, I would also like to know the Forum's opinion on the use of reporting Services, such as DShield, myNetWatchman and ARIS. My initial reaction was that DShield might be very useful for the inexperienced but wiser heads may take a different view !!! Cheers. Alpha. ;)
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi alpha24,

    First I would like to emphasize, that the following is my personal point of view, since I did not check if there is an official point of view.
    In case of the result you got, I would send an e-mail explaining what happened to this address: huyu@china-netcom.com and await their answer before reporting to the organisations you mentioned.

    Regards,

    Pieter
     
  23. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Thanks for your's of 4 Jan: Pieter. I have done what you suggested and await a response, although I expect most of these Abuse reports are never acknowledged !! I also reported a Port Scan and this is what I received in return:---

    Subj: Re: Port Scanning [#737521]
    Date: 07/01/03 11:38:05 GMT Standard Time
    From: abuse.cc@chartercom.com
    To: alfredmorrison@aol.com



    Greetings,
    You have reached the Charter Abuse Team. We have received your abuse complaint. There is no need to reply to this message.

    We cannot reply personally to all complaints, but we will send you a message if we need more information in order to process your complaint.

    Charter Communications Abuse Team
    abuse.cc@chartercom.com


    ----- alfredmorrison@aol.com Wrote -----
    Web Form ID: 014

    Billing System No. NORTHEAST

    Region: NORTHEAST

    Name: Abuse, Unknown
    Address: 12405 Powerscourt Drive
    St. Louis, MO 63131
    Contact: Phone
    Phone: XXX-XXX-XXXX
    E-mail: Alfredmorrison@aol.com

    Subject: Port Scanning

    YOURNAME=VIA EMAIL
    REPLY-TO=Alfredmorrison@aol.com
    REPORTDATE=01/07/2003
    REPORTTIME=11:40:47 GMT
    BROWSERIP=NOTAPPLICABLE
    INCIDENTTYPE=Port Scanning
    DMCATITLE=UNKNOWN
    CASEREFERENCE=
    CASEREFERENCESTRING=
    INCIDENTDATE=2003/01/07
    INCIDENTTIME=11:40:47
    INCIDENTAMPM=
    INCIDENTTIMEZONE=GMT
    OFFENDERIP=66.189.87.120
    REGION=NORTHEAST
    REGIONSTATE=MA
    MARKET=Oxford
    SUBNET=66.189.80.0/20
    CONTACTNAME=Tom Newton
    CONTACTEMAIL=tnewton@chartercom.com 508 853 1515 x2872
    ADDITIONALINFO=
    From Alfredmorrison@aol.com Tue Jan 7 05:40:47 2003
    Received: from dc-mxdb10.cluster1.charter.net (209-225-8-74.charter.net
    [209.225.8.74] (may be forged))
    by dstools.charter.net (8.11.6/8.11.6/SuSE Linux 0.5) with ESMTP
    id h07BelF11278
    for <abuse@dstools.charter.net>; Tue, 7 Jan 2003 05:40:47 -0600
    Received: from <abuse@charter.net>
    by dc-mxdb10.cluster1.charter.net (CommuniGate Pro RULES 3.5.9b)
    with RULES id 2049252; Tue, 07 Jan 2003 06:36:12 -0500
    X-Autogenerated: Mirror
    X-Mirrored-by: <abuse@charter.net> (charter.net abuse account)
    Received: from imo-r03.mx.aol.com ([152.163.225.99] verified)
    by dc-mx10.cluster1.charter.net (CommuniGate Pro SMTP 3.5.9)
    with ESMTP id 50431183 for abuse@charter.net; Tue, 07 Jan 2003
    06:36:12 -0500
    Received: from Alfredmorrison@aol.com
    by imo-r03.mx.aol.com (mail_out_v34.13.) id 3.6a.2ba7a966 (446:cool:
    for <abuse@charter.net>; Tue, 7 Jan 2003 06:36:07 -0500 (EST)
    From: Alfredmorrison@aol.com
    Message-ID: <6a.2ba7a966.2b4c15a7@aol.com>
    Date: Tue, 7 Jan 2003 06:36:07 EST
    Subject: Port Scan.
    To: abuse@charter.net
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="part1_6a.2ba7a966.2b4c15a7_boundary"
    X-Mailer: AOL 6.0 for Windows UK sub 10512


    --part1_6a.2ba7a966.2b4c15a7_boundary
    Content-Type: text/plain; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit

    Hi. I wish to report that a Port Scan of my computer was blocked
    recently
    and the following data was logged:----------



    1) Logged Entry Wednesday, Jan 1 2003 at 03:16:01 PM
    Remote Port: 3007
    Local Port: 80
    Host: 66.189.87.120
    [PORT SCAN]
    [BLOCKED]

    GET / HTTP/1.1

    2) 2003/01/07 11:20:29 REQUEST: address: 66.189.87.210
    2003/01/07 11:20:30 REQUEST: host: cpe-66-189-87-210.ma.charter.com
    2003/01/07 11:20:30 REQUEST: using server whois.arin.net
    2003/01/07 11:20:30 SEND:66.189.87.210
    2003/01/07 11:20:31 ANSWER:
    Charter Communications CHARTER-NET-5BLK (NET-66-188-0-0-1)
    66.188.0.0 - 66.191.255.255
    Charter Communications PPRL-MA-66-189-084 (NET-66-189-84-0-1)
    66.189.84.0 - 66.189.91.255

    # ARIN Whois database, last updated 2003-01-06 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
    #
    # WHOIS format will be changing on February 6, 2003
    # For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
    2003/01/07 11:20:31 SEND:NET-66-188-0-0-1
    2003/01/07 11:20:31 ANSWER:

    OrgName: Charter Communications
    OrgID: CC04

    NetRange: 66.188.0.0 - 66.191.255.255
    CIDR: 66.188.0.0/14
    NetName: CHARTER-NET-5BLK
    NetHandle: NET-66-188-0-0-1
    Parent: NET-66-0-0-0-0
    NetType: Direct Allocation
    NameServer: ns1.charter.com
    NameServer: ns2.charter.com
    NameServer: ns4.charter.com
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    "For NETWORK ABUSE issues, please email abuse@charter.net"
    RegDate: 2001-10-24
    Updated: 2002-10-25

    TechHandle: SJT1-ARIN
    TechName: Smith, Tim
    TechPhone: +1-314-288-3886
    TechEmail: IPaddressing@chartercom.com

    OrgTechHandle: SJT1-ARIN
    OrgTechName: Smith, Tim
    OrgTechPhone: +1-314-288-3886
    OrgTechEmail: IPaddressing@chartercom.com

    OrgAbuseHandle: ABUSE19-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-314-543-0200
    OrgAbuseEmail: abuse@charter.net

    # ARIN Whois database, last updated 2003-01-06 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
    #
    # WHOIS format will be changing on February 6, 2003
    # For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
    2003/01/07 11:20:35 SEND:SJT1-ARIN
    2003/01/07 11:20:36 ANSWER:

    Name: Smith, Tim J
    Handle: SJT1-ARIN
    Company: Charter Communications
    Address: 12405 Powerscourt Dr. St. Louis MO 63131
    Country: US
    Comment:
    RegDate: 2002-08-30
    Updated: 2002-08-30
    Phone: +1-314-288-3886 (Office)
    Email: IPaddressing@chartercom.com

    # ARIN Whois database, last updated 2003-01-06 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
    #
    # WHOIS format will be changing on February 6, 2003
    # For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
    2003/01/07 11:20:36 SEND:ABUSE19-ARIN
    2003/01/07 11:20:36 ANSWER:

    Name: Abuse
    Handle: ABUSE19-ARIN
    Company: Charter Communications
    Address: 12405 Powerscourt Dr. St. Louis MO 63131 St. Louis MO 63122
    Country: US
    Comment:
    RegDate: 2002-08-30
    Updated: 2002-12-04
    Phone: +1-314-543-0200 (Office)
    Email: abuse@charter.net

    # ARIN Whois database, last updated 2003-01-06 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
    #
    # WHOIS format will be changing on February 6, 2003
    # For specifics visit: http://www.arin.net/mailing_lists/dbwg/0393.html
    ----------------



    I would be grateful for your ackowledgement and comments,please.



    Kind Regards. ALFRED MORRISON.



    --part1_6a.2ba7a966.2b4c15a7_boundary
    Content-Type: text/html; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit

    FACE="Arial" LANG="0">Hi.    I wish to report that a Port
    Scan of my computer was blocked recently and the following data was
    logged:----------
                
                
                
                
                
                
                
       




                
    1) Logged Entry Wednesday, Jan 1 2003 at 03:16:01 PM

    Remote Port: 3007

    Local Port: 80

    Host: 66.189.87.120

    [PORT SCAN]

    [BLOCKED]



    GET / HTTP/1.1




               2)
    2003/01/07 11:20:29   REQUEST: address: 66.189.87.210

    2003/01/07 11:20:30   REQUEST: host:
    cpe-66-189-87-210.ma.charter.com

    2003/01/07 11:20:30   REQUEST: using server whois.arin.net

    2003/01/07 11:20:30   SEND:66.189.87.210

    2003/01/07 11:20:31   ANSWER:

    Charter Communications CHARTER-NET-5BLK (NET-66-188-0-0-1)


                
                
             66.188.0.0 -
    66.191.255.255

    Charter Communications PPRL-MA-66-189-084 (NET-66-189-84-0-1)


                
                
             66.189.84.0 -
    66.189.91.255



    # ARIN Whois database, last updated 2003-01-06 20:00

    # Enter ? for additional hints on searching ARIN's Whois database.

    #

    # WHOIS format will be changing on February 6, 2003

    # For specifics visit:
    http://www.arin.net/mailing_lists/dbwg/0393.html

    2003/01/07 11:20:31   SEND:NET-66-188-0-0-1

    2003/01/07 11:20:31   ANSWER:



    OrgName:    Charter Communications

    OrgID:      CC04



    NetRange:   66.188.0.0 - 66.191.255.255

    CIDR:       66.188.0.0/14

    NetName:    CHARTER-NET-5BLK

    NetHandle:  NET-66-188-0-0-1

    Parent:     NET-66-0-0-0-0

    NetType:    Direct Allocation

    NameServer: ns1.charter.com

    NameServer: ns2.charter.com

    NameServer: ns4.charter.com

    Comment:    ADDRESSES WITHIN THIS BLOCK ARE
    NON-PORTABLE


               "For
    NETWORK ABUSE issues, please email abuse@charter.net"

    RegDate:    2001-10-24

    Updated:    2002-10-25



    TechHandle: SJT1-ARIN

    TechName:   Smith, Tim

    TechPhone:  +1-314-288-3886

    TechEmail:  IPaddressing@chartercom.com



    OrgTechHandle: SJT1-ARIN

    OrgTechName:   Smith, Tim

    OrgTechPhone:  +1-314-288-3886

    OrgTechEmail:  IPaddressing@chartercom.com



    OrgAbuseHandle: ABUSE19-ARIN

    OrgAbuseName:   Abuse

    OrgAbusePhone:  +1-314-543-0200

    OrgAbuseEmail:  abuse@charter.net



    # ARIN Whois database, last updated 2003-01-06 20:00

    # Enter ? for additional hints on searching ARIN's Whois database.

    #

    # WHOIS format will be changing on February 6, 2003

    # For specifics visit:
    http://www.arin.net/mailing_lists/dbwg/0393.html

    2003/01/07 11:20:35   SEND:SJT1-ARIN

    2003/01/07 11:20:36   ANSWER:



    Name:    Smith, Tim J

    Handle:  SJT1-ARIN

    Company: Charter Communications

    Address: 12405 Powerscourt Dr. St. Louis MO 63131

    Country: US

    Comment:  

    RegDate: 2002-08-30

    Updated: 2002-08-30

    Phone:   +1-314-288-3886  (Office)

    Email:   IPaddressing@chartercom.com



    # ARIN Whois database, last updated 2003-01-06 20:00

    # Enter ? for additional hints on searching ARIN's Whois database.

    #

    # WHOIS format will be changing on February 6, 2003

    # For specifics visit:
    http://www.arin.net/mailing_lists/dbwg/0393.html

    2003/01/07 11:20:36   SEND:ABUSE19-ARIN

    2003/01/07 11:20:36   ANSWER:



    Name:    Abuse

    Handle:  ABUSE19-ARIN

    Company: Charter Communications

    Address: 12405 Powerscourt Dr. St. Louis MO 63131 St. Louis MO 63122

    Country: US

    Comment:  

    RegDate: 2002-08-30

    Updated: 2002-12-04

    Phone:   +1-314-543-0200  (Office)

    Email:   abuse@charter.net



    # ARIN Whois database, last updated 2003-01-06 20:00

    # Enter ? for additional hints on searching ARIN's Whois database.

    #

    # WHOIS format will be changing on February 6, 2003

    # For specifics visit:
    http://www.arin.net/mailing_lists/dbwg/0393.html


                
                
                
                
       ----------------
                
                
                
                
                
           



          I would be grateful for your
    ackowledgement and comments,please.
                
                




                
             Kind Regards.
      FACE="Aristocrat" LANG="0">    ALFRED
    MORRISON. FACE="Arial" LANG="0">





    --part1_6a.2ba7a966.2b4c15a7_boundary--









    ----------------------- Headers --------------------------------
    Return-Path: <abuse.cc@chartercom.com>
    Received: from rly-xe02.mx.aol.com (rly-xe02.mail.aol.com [172.20.105.194]) by air-xe03.mail.aol.com (v90.10) with ESMTP id MAILINXE32-0107063805; Tue, 07 Jan 2003 06:38:05 -0500
    Received: from kstluvir05.chartercom.com (host-24.217.29.1.charter-stl.com [24.217.29.1]) by rly-xe02.mx.aol.com (v90.10) with ESMTP id MAILRELAYINXE29-0107063757; Tue, 07 Jan 2003 06:37:57 1900
    Received: from kstlmweb18 (localhost [127.0.0.1])
    by kstluvir05.chartercom.com (8.11.6+Sun/8.11.6) with SMTP id h07BboU21074
    for <alfredmorrison@aol.com>; Tue, 7 Jan 2003 05:37:50 -0600 (CST)
    Date: Tue, 07 Jan 2003 05:37:50 -0600
    From: abuse.cc@chartercom.com
    Subject: Re: Port Scanning [#737521]
    To: alfredmorrison@aol.com
    Message-ID: <eGain@30038Tue07Jan200305.37.50>
    MIME-Version: 1.0
    Content-Type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: 7bit

    How about that for a reaction !!!!!! Goodness knows what it all means but it seems a bad case of overkill to me !! I'll be very interested to see what comes back from China (if anything ) --- it might be decorative enough to hang on a wall !!!!! Cheers. Alpha. :D
     
Loading...
Thread Status:
Not open for further replies.