############################
It's possible that someone used that machine as a zombie. File sharing
is enabled. I didn't check all the shares, but some password protection
exists. At the same time it's vulnerable to a brute force attack.
That is not to say that it's not the original source of the attack. Below
is the NetBIOS table and a null session log.

E:\>nbtstat -A  65.69.127.117

Local Area Connection:
Node IpAddress: [192.168.1.100] Scope Id: []

NetBIOS Remote Machine Name Table

Name               Type         Status
---------------------------------------------
CUBE           <00>  UNIQUE      Registered
CUBE           <03>  UNIQUE      Registered
CUBE           <20>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
WORKGROUP      <00>  GROUP       Registered
WORKGROUP      <1D>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered

Null Session to 65.69.127.117 successful.

[Logged on Users]
NetWkstaUserEnum Error:  The procedure number is out of range.

Logged on users not available.

[Workstation Transports]
NetWkstaTransportEnum Error:  The procedure number is out of range.

No Workstation Transports available.

[Server Transports]
NetServerTransportEnum Error:  The procedure number is out of range.

No Server Transports available.

[Shares]
home
guest-share
restore
netlogon
profiles
IPC$
ADMIN$

[Sessions]

No sessions.

[Domain SID]
SID:

[User Modals]
GetUserModalsGet Error:  The parameter is incorrect.

No modals.

[Global Users]
NetGroupGetUsers Error:  The group name could not be found.

NetGroupGetUsers Error:  The group name could not be found.

Did not retrieve global users.

[Local Users]
NetLocalGroupEnum error:  The parameter is incorrect.

Did not retrieve local users.

Disconnected from 65.69.127.117.
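The name table above only tells you something once the 16th-byte suffix codes are decoded: <00> UNIQUE is the computer name, <03> the Messenger service, <20> the Server (file sharing) service, <1D>/<01> mark the host as master browser of its workgroup. The following Python script is an added example, not something posted in the thread; it parses `nbtstat -A` output and pulls out what an assessor cares about (hostname, workgroup, whether SMB shares are on offer). The suffix table is a subset of Microsoft's documented list, and the sample input is the table quoted in the post.

```python
"""Decode an `nbtstat -A` remote name table so the services a host
advertises stand out. Added example; not code from the thread."""
import re

# NetBIOS name suffix (16th byte) meanings, keyed by (suffix, type).
# Subset of Microsoft's documented list; enough for a typical workstation.
SUFFIXES = {
    (0x00, "UNIQUE"): "Workstation Service (computer name)",
    (0x00, "GROUP"):  "Domain or workgroup name",
    (0x01, "GROUP"):  "Master Browser (__MSBROWSE__)",
    (0x03, "UNIQUE"): "Messenger Service",
    (0x1B, "UNIQUE"): "Domain Master Browser",
    (0x1C, "GROUP"):  "Domain Controllers",
    (0x1D, "UNIQUE"): "Master Browser",
    (0x1E, "GROUP"):  "Browser Service Elections",
    (0x20, "UNIQUE"): "File Server Service (SMB shares offered)",
}

# One table row: name, <suffix>, UNIQUE|GROUP, status. The name may run
# straight into the '<' (as __MSBROWSE__ does), so no whitespace is required.
ROW = re.compile(r"^\s*(.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")


def parse_nbtstat(text):
    """Return one dict per name-table row found in nbtstat output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        name, suffix, ntype, status = m.groups()
        suffix = int(suffix, 16)
        rows.append({
            "name": name,
            "suffix": suffix,
            "type": ntype,
            "status": status,
            "meaning": SUFFIXES.get((suffix, ntype), "unknown suffix"),
        })
    return rows


def summarize(rows):
    """Pull out what an assessor wants to know from the decoded table."""
    def has(suffix, ntype):
        return any(r["suffix"] == suffix and r["type"] == ntype for r in rows)

    hostname = next((r["name"] for r in rows
                     if r["suffix"] == 0x00 and r["type"] == "UNIQUE"), None)
    workgroup = next((r["name"] for r in rows
                      if r["suffix"] == 0x00 and r["type"] == "GROUP"), None)
    return {
        "hostname": hostname,
        "workgroup": workgroup,
        # <20> is the Server service: the host answers SMB share requests,
        # which is what makes a null-session share listing possible at all.
        "file_sharing": has(0x20, "UNIQUE"),
        "master_browser": has(0x1D, "UNIQUE") or has(0x01, "GROUP"),
        "domain_controller": has(0x1C, "GROUP"),
    }


# Sample input: the name table quoted earlier in the thread.
SAMPLE = """\
NetBIOS Remote Machine Name Table

Name               Type         Status
---------------------------------------------
CUBE           <00>  UNIQUE      Registered
CUBE           <03>  UNIQUE      Registered
CUBE           <20>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
WORKGROUP      <00>  GROUP       Registered
WORKGROUP      <1D>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
"""

if __name__ == "__main__":
    rows = parse_nbtstat(SAMPLE)
    for r in rows:
        print(f"{r['name']:<16} <{r['suffix']:02X}> {r['type']:<7} {r['meaning']}")
    print(summarize(rows))
```

Run against the quoted table it reports hostname CUBE in WORKGROUP, the File Server service registered (so the share list via IPC$ is expected), and the box acting as master browser, which is a sign it has been sitting on that segment a while.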

## Re: Unwanted web activity

I did think that; however, checking the IP shortly after
(allowing for sleeping occasionally) it was not responding.
SWB's ADSL resources may be in a pool, so one cannot
assume that there is any continuity.

If it is a zombie, the owner probably has a method of location.

So far the postings have come from Comcast, SWB and a Russian
ISP, so perhaps it's a clever comrade.

I was also intrigued by Mozilla 4.1 and Win XP.

It will be interesting to see if the attempted postings continue
now the damage is effectively limited.
--
Jim Watt
http://www.gibnet.com

## Re: Unwanted web activity

########################
Post some of the other IPs. If they follow the same pattern, the
pattern being Windows boxes w/ shares, then I would say they are
zombies.  These days, it's getting harder to locate such boxes, but
someone may be more resourceful than expected.  Five years ago, there
might have been 40 or 50 such boxes on any given class C subnet.
Today, now that the words "firewall" and "security" have crept into
the average user's vocabulary, that range has been lowered to 0 to 4.
donnie.

## Re: Unwanted web activity

2005-04-17 03:22:11  65.69.127.117
2005-04-15 05:43:12  69.240.241.218
pcp09259728pcs.olathe01.ks.comcast.net
2005-04-14 07:36:10 195.225.176.35
ip176-35.netcathost.com
2005-04-11 01:31:08  68.38.31.145
pcp04243494pcs.eatntn01.nj.comcast.net

The entries are easy enough to spot, as the user
goes directly to the /cgi-bin without first looking at
the html page, although it's shown as the referrer.

--
Jim Watt
http://www.gibnet.com
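The spotting rule above (a hit on the CGI whose Referer names the form page, from a client that never fetched that page) is easy to automate over a combined-format access log. The script below is an added example, not something from the thread: it assumes a hypothetical form page `/guestbook.html` and CGI under `/cgi-bin/` (the posts name neither), and runs on constructed log lines using RFC 5737 documentation addresses. It also flags submissions with no Referer at all, since a script driving the CGI directly often sends none.

```python
"""Flag CGI submissions whose client never fetched the form page,
whatever the Referer header claims. Added example; not the thread's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/NCSA combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical form page and CGI location; the thread names neither.
FORM_PAGE = "/guestbook.html"
CGI_PREFIX = "/cgi-bin/"
WINDOW = timedelta(minutes=30)  # how long a page view "covers" a later submit


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    # Referer is a full URL; keep only its path for comparison.
    rec["ref_path"] = re.sub(r"^https?://[^/]+", "", rec["referer"])
    return rec


def find_direct_submits(lines):
    """Return (ip, timestamp, path, reason) for each CGI hit not preceded
    by a view of FORM_PAGE from the same client within WINDOW."""
    views = defaultdict(list)  # ip -> timestamps of FORM_PAGE requests
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        ip, ts = rec["ip"], rec["ts"]
        path = rec["path"].split("?")[0]
        if path == FORM_PAGE:
            views[ip].append(ts)
            continue
        if not path.startswith(CGI_PREFIX):
            continue
        # Benign clients load the form, then submit shortly afterwards.
        if any(timedelta(0) <= ts - v <= WINDOW for v in views[ip]):
            continue
        if rec["ref_path"] == FORM_PAGE:
            reason = "referer claims form page, but page never requested"
        elif rec["referer"] in ("", "-"):
            reason = "no referer and page never requested"
        else:
            reason = "page never requested"
        hits.append((ip, ts, path, reason))
    return hits


# Constructed sample log (RFC 5737 addresses), in chronological order:
# two direct CGI hits, then a normal view-and-submit from a third client.
SAMPLE_LOG = [
    '192.0.2.77 - - [17/Apr/2005:03:22:11 +0000] "POST /cgi-bin/guestbook.cgi HTTP/1.0" 200 318 "http://www.example.com/guestbook.html" "Mozilla/4.1 (compatible; Windows XP)"',
    '192.0.2.78 - - [17/Apr/2005:03:25:02 +0000] "GET /cgi-bin/guestbook.cgi?name=x&msg=y HTTP/1.0" 200 318 "-" "Mozilla/4.1"',
    '192.0.2.10 - - [17/Apr/2005:12:00:00 +0000] "GET /guestbook.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Apr/2005:12:00:45 +0000] "POST /cgi-bin/guestbook.cgi HTTP/1.1" 302 0 "http://www.example.com/guestbook.html" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Apr/2005:12:00:46 +0000] "GET /images/logo.gif HTTP/1.1" 200 812 "http://www.example.com/guestbook.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, path, reason in find_direct_submits(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {ip:<15} {path}  ({reason})")
```

On the sample it flags 192.0.2.77 (forged Referer, page never loaded) and 192.0.2.78 (no Referer), and lets 192.0.2.10 through because the form view precedes its POST. A client behind a caching proxy or one that kept the page open longer than WINDOW will show up as a false positive, so treat the output as a shortlist, not a verdict.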

## Re: Unwanted web activity

##################################
I couldn't obtain any of the info that I obtained on the first
address.  However, the domain netcathost.com stands out.  I'm sure
you're familiar w/ the program netcat, which is a network/hacking tool.
I went to www.netcathost.com and the page is either in Greek or
Russian, I'm not sure which.  A whois shows the registration in
Australia.  It's inconclusive to me at this point as to whether or
not those machines are zombies, but that netcat thing makes me lean
towards a yes.
donnie

## Re: Unwanted web activity

Been there, done that - I took it to be a small Russian webhosting
company from its website, innocuous enough.

No suspicious activity since the countermeasures were deployed.
It now returns some mildly malicious javascript if provoked.

--
Jim Watt
http://www.gibnet.com

## Re: Unwanted web activity

That's quite a stretch - netcat was a tool developed in 1995 by the
Hobbit of "Avian Research" (registered in Redding, Mass), while the
IP address 195.225.176.35 is supposedly in Kiev in the Ukraine, and was
only registered in 2002. The IP space was assigned by RIPE in March 2004.

Given the address "located" in the Ukraine, the language is more likely to be
Ukrainian, which uses the same Cyrillic alphabet as Russian. However, for
me, www.netcathost.com resolves to 66.250.107.51, which is a 'Cogent'
address (reverse resolves to ptr51.easyxhost.com - but that name does not
resolve to an IP). What's a heck of a lot more interesting is that
195.225.176.35 appears _physically_ located quite close to 66.250.107.51 -
in fact both are the next hop beyond as26627.demarc.cogentco.com
(38.112.22.10), and if I had to guess based on routing and round trip times,
I'd suspect the hosts are in the vicinity of New York City...  well, lookee
who I smell here!!!

[compton ~]$ rwhois rwhois.cogentco.com 66.250.107.51
%rwhois V-1.5:0010b0:00 rwhois.cogentco.com
network:ID:NET-42FA6B0018
network:Network-Name:NET-42FA6B0018
network:IP-Network:66.250.107.0/24
network:Org-Name:Pilosoft, Inc
network:Street-Address:110 Wall St #15c
network:City:New York
network:State:NY
network:Postal-Code:10005
network:Country-Code:US
network:Tech-Contact:ZC108-ARIN
network:Updated:2002-06-19 17:28:22
network:Updated-By:ddiller
%ok
[compton ~]$

If you want some giggles, go look them up on google, searching in the
news.admin.net-abuse.* newsgroups.  The ASN (AS26627) is also Pilosoft.

Yeah, but looking at the data on that registration (with joker.com - that
always gives me confidence), note the address and phone number:

phone:        +02 463 447755

and that 'easyxhost.com' is well mentioned. Then look up that domain, and
it's also from joker.com, and the address and phone number:

phone:        +02 463 443538

Nothing blatant there, but my phone book doesn't list '02' as a valid
country code.

Initially, I thought the same, but given that 195.225.176.35 (which has
port 80 open by the way) is located at what looks to be someone's colo
service, I'd be a little less sure. Given the connection to Pilosoft, I
would be a lot less sure.

Old guy

## Re: Unwanted web activity

On Tue, 19 Apr 2005 22:04:19 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

<snip - nice work !>

Last night there was a posting by 69.142.81.10
and the wording has been changed to omit mentions
of gay sex which were being trapped.

Time to revise the countermeasures.
--
Jim Watt
http://www.gibnet.com

## Re: Unwanted web activity

That must've taken some time for you to do. Testing most cable/dsl dynamic
addresses for open relays, so that you could prove this to be a fact and let
us all know. I'd hate to think you were just generalising, so it must be the
case that you've tested most of them. Oh, to have that much spare time.

M