[Dshield] Lots 'n' Lots of attacks...

David Dyer-Bennet dd-b at dd-b.net
Tue Oct 2 16:27:32 GMT 2001


"pop.ntlworld.com" <lazerfx at ntlworld.com> writes:

> I have been recently going through my ZoneAlarm logs, trying to work out why
> it is suddenly 400KB+.  I have found thousands of entries from
> 208.179.251.103.  I have done a whois on this server, but found no relevant
> information (Though I could be wrong, I'm not 100% sure what relevant
> information would look like :P).
> 
> What should I do now?  I have submitted to DShield, has that covered it?
> Or is there something I can do myself?  Is there a way of finding out who
> 208.179.251.103 actually is?

Here's the basic series of checks to me.  You get lucky on this one
since there's actually reverse DNS in place for it; if there isn't you
start querying on ownership of the IP block instead. 

    gw:watchlogs> host 208.179.251.103
    103.251.179.208.IN-ADDR.ARPA domain name pointer 103-251-179-208.pajo.com

We've learned that IP is something in pajo.com.  The form of that name
strongly suggests to my eye that it's part of a dynamic IP pool like
for a modem bank or something.

    gw:watchlogs> whois pajo.com
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

       Domain Name: PAJO.COM
       Registrar: NETWORK SOLUTIONS, INC.
       Whois Server: whois.networksolutions.com
       Referral URL: http://www.networksolutions.com
       Name Server: NS1.PAJO.COM
       Name Server: NS2.PAJO.COM
       Updated Date: 20-aug-2001


    >>> Last update of whois database: Tue, 2 Oct 2001 05:47:11 EDT <<<

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

This tells us that pajo.com is registered through networksolutions, so
we need to query their specific whois server to find more.

    gw:watchlogs> whois pajo.com at whois.networksolutions.com
    [whois.networksolutions.com]
    The Data in Network Solutions' WHOIS database is provided by Network
    Solutions for information purposes, and to assist persons in obtaining
    information about or related to a domain name registration record.
    Network Solutions does not guarantee its accuracy.  By submitting a
    WHOIS query, you agree that you will use this Data only for lawful
    purposes and that, under no circumstances will you use this Data to:
    (1) allow, enable, or otherwise support the transmission of mass
    unsolicited, commercial advertising or solicitations via e-mail
    (spam); or  (2) enable high volume, automated, electronic processes
    that apply to Network Solutions (or its systems).  Network Solutions
    reserves the right to modify these terms at any time.  By submitting
    this query, you agree to abide by this policy.


    Registrant:
    Netcomplete, INC. (PAJO-DOM)
       200 Oceangate, 8th floor
       Long Beach, CA 90802
       US

       Domain Name: PAJO.COM

       Administrative Contact, Technical Contact:
          Administration Department  (AD10265-OR)  admin at PAJO.COM
          The Pajo Group
          200 Oceangate, 8th floor
          Long Beach , CA 90802
          US
          562-435-0760
          Fax- 562-435-9701
       Billing Contact:
          Billing Department  (BD2708-ORG)  billing at PAJO.COM
          The Pajo Group
          200 Oceangate, 8th floor
          Long Beach , CA 90802
          US
          562-435-1760
          Fax- 562-435-9701

       Record last updated on 21-Aug-2001.
       Record expires on 21-Nov-2003.
       Record created on 20-Nov-1997.
       Database last updated on 2-Oct-2001 01:59:00 EDT.

       Domain servers in listed order:

       NS1.PAJO.COM			216.116.96.2
       NS2.PAJO.COM			216.116.96.3

So there are some contacts.  Also, going to www.pajo.com shows you
some stuff about them -- they seem to be a web hosting company.  

So think about contacting them somehow to complain about the attacks;
abuse at pajo.com is an obvious email to guess, or use what they say on
the web page. Or call them up, that usually surprises them. Note that
the system actually probing you is very probably a compromised server
in their farm; it might even be a co-located customer server.  

Being polite always works better than not.
-- 
David Dyer-Bennet, dd-b at dd-b.net
Photos: http://dd-b.lighthunters.net/  
Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
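The three lookups the reply walks through (reverse DNS, registry whois, then the registrar's whois server) as a small script. This is an added example, not code from the original post or from the DShield project. The parsing and classification functions run offline on constructed sample text (a trimmed copy of the registry referral shown above); only `reverse_dns()` and `whois_query()` touch the network, and nothing below depends on them. Function names, the pool-name heuristic and the `abuse@` guess are this example's assumptions, the last one following the reply's own suggestion.

```python
"""Added example (not from the original post): the reply's three lookups as
reusable functions.  Offline parts are unit-testable; network parts are
separate and optional."""
import ipaddress
import re
import socket

WHOIS_PORT = 43  # RFC 3912 whois service port


def ptr_name(ip: str) -> str:
    """The in-addr.arpa name that `host <ip>` resolves behind the scenes."""
    return ipaddress.IPv4Address(ip).reverse_pointer  # raises ValueError on a bad IP


def reverse_dns(ip: str, timeout: float = 5.0):
    """Live PTR lookup; None when the address has no reverse DNS (then fall
    back to querying ownership of the IP block instead, as the reply notes)."""
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def whois_query(query: str, server: str, timeout: float = 10.0) -> str:
    """Raw whois exchange: send one query line, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


_REFERRAL_RE = re.compile(r"^\s*Whois Server:\s*(\S+)\s*$", re.M | re.I)


def registrar_whois_server(registry_response: str):
    """Pull the 'Whois Server:' referral out of a registry answer; None if absent."""
    m = _REFERRAL_RE.search(registry_response)
    return m.group(1).lower() if m else None


def parent_domain(hostname: str, labels: int = 2) -> str:
    """'103-251-179-208.pajo.com' -> 'pajo.com' (naive: keeps the last two labels)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-labels:])


def looks_like_pool_name(hostname: str, ip: str) -> bool:
    """True when the PTR name spells out the IP's octets in either order, the
    shape the reply reads as a dynamic pool / per-host generated name (heuristic)."""
    octets = ip.split(".")
    parts = re.split(r"[.-]", hostname.lower().rstrip("."))
    n = len(octets)
    return any(parts[i:i + n] in (octets, octets[::-1])
               for i in range(len(parts) - n + 1))


_EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def contact_candidates(domain: str, registrar_response: str) -> list:
    """Addresses worth trying: those in the registrar record plus the
    conventional abuse@ mailbox the reply suggests guessing."""
    found = {m.lower() for m in _EMAIL_RE.findall(registrar_response)}
    found.add(f"abuse@{domain.lower()}")
    return sorted(found)


# Constructed sample: a trimmed copy of the registry referral quoted in the reply.
SAMPLE_REGISTRY = """\
   Domain Name: PAJO.COM
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
"""

if __name__ == "__main__":
    ip, host = "208.179.251.103", "103-251-179-208.pajo.com"
    print(ptr_name(ip), "->", host, "| pool-style name:", looks_like_pool_name(host, ip))
    print("domain:", parent_domain(host), "| registrar whois:",
          registrar_whois_server(SAMPLE_REGISTRY))
```

Running the script with the reply's values prints the PTR name, flags the hostname as pool-style, and extracts `whois.networksolutions.com` as the server to query next; replace `SAMPLE_REGISTRY` with `whois_query("pajo.com", "whois.crsnic.net")` to reproduce the live chain.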