[CLUE-Tech] who attacked me?

David Willson DLWillson at TheGeek.NU
Tue Mar 20 17:07:06 MST 2001


Perhaps this is an AHA!  I don't know.  Try an anonymous FTP to that
address.  It seems to work.  This should give many, many leads...
ftp://211.36.203.30/
***********************************************************
*                                                         *
*         Welcome to KyungWon Tech Co., Ltd !!!           *
*                                                         *
*                        CFDRC                            *
*                         CEI                             *
*                         PDC                             *
*                                                         *
*              Anonymous FTP Site for CFD Users           *
*                  ( cfdgate.kw-tech.co.kr )              *
*                                                         *
*               Directories for File Transfer             *
*                   /pub/incoming/CFD-ACE/                *
*                   /pub/incoming/EnSight/                *
*                   /pub/incoming/GridPro/                *
*                                                         *
*                        managed by                       *
*                 jkpark at mail.kw-tech.co.kr               *
*                                                         *
***********************************************************


-----Original Message-----
From: clue-tech-admin at clue.denver.co.us
[mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of David Willson
Sent: Tuesday, March 20, 2001 4:34 PM
To: clue-tech at clue.denver.co.us
Subject: RE: [CLUE-Tech] who attacked me?


This is about as far as I can get:
http://www.apnic.net/apnic-bin/whois2.pl?results=all&search=211.36.203.30
The machine name comes up as CFDGATE.  TRACERT adds almost no information,
which usually means that nslookup won't do any good either...

I say nuke 'em, and then listen carefully.  If you don't hear swearing,
they're not in your building.

-----Original Message-----
From: clue-tech-admin at clue.denver.co.us
[mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Tim Russell
Sent: Tuesday, March 20, 2001 4:20 PM
To: clue-tech at clue.denver.co.us
Subject: RE: [CLUE-Tech] who attacked me?


First thing to try is an "nslookup ip" and see if it has a reverse lookup
name.  It doesn't seem to, in this case.

Next, you can do a "whois 211.36.203.0@whois.arin.net | more" and see who
owns the netblock and who the contact is.  That'll usually get you something
useful.

Tim

> -----Original Message-----
> From: Roger Frank [mailto:rfrank at rfrank.net]
> Sent: Tuesday, March 20, 2001 15:59
> To: clue-tech at clue.denver.co.us
> Subject: [CLUE-Tech] who attacked me?
>
>
> While I was at school, the system apparently was attacked.  The
> logs indicate an "attack alert" on port 111 from 211.36.203.30
>
> Now how do I find out who has that address?  I don't want to
> try to go there with a browser since that will indicate that I
> am here and right now the machine has switched to cloaked
> mode from that IP address.  I don't even want to traceroute to it,
> or do I?  How do you look up a name from an IP address?
> I'm just curious who this was.
>
> As far as I can tell, the firewall worked fine.  Then again, how
> can I be sure?
>
> Roger Frank
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
>
_______________________________________________
CLUE-Tech mailing list
CLUE-Tech at clue.denver.co.us
http://clue.denver.co.us/mailman/listinfo/clue-tech
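
The two lookups suggested in this thread (reverse DNS, then WHOIS on the netblock), as an added example that is not part of the original messages: it starts at whois.iana.org and follows the registry's referral, so the query reaches the right regional registry without guessing which one holds the block. Neither lookup sends traffic to the address itself; the starting server, the function names and the sample reply are assumptions of this example.

```python
import ipaddress
import socket
import sys

IANA_WHOIS = "whois.iana.org"  # assumption: start every lookup at IANA
# Constructed sample of a registry reply that points at another server.
SAMPLE_REPLY = "% constructed sample\nrefer:        whois.apnic.net\n"

def parse_referral(reply):
    """Return the WHOIS host named by a refer:/ReferralServer: line, or None."""
    for line in reply.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in ("refer", "referralserver"):
            continue
        scheme, found, rest = value.strip().partition("://")
        if found and scheme.lower() != "whois":
            continue  # e.g. rwhois:// is a different protocol, do not follow
        target = rest if found else scheme
        host = target.split("/", 1)[0].split(":", 1)[0].strip()
        return host or None
    return None

def whois_query(server, query, timeout=10.0):
    """Plain WHOIS: send the query on TCP 43, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def lookup_owner(ip, max_hops=3):
    """Follow referrals from IANA; return [(server, reply), ...]."""
    addr = ipaddress.ip_address(ip)  # rejects anything that is not an IP literal
    server, seen, replies = IANA_WHOIS, set(), []
    while server and server not in seen and len(seen) < max_hops:
        seen.add(server)
        replies.append((server, whois_query(server, str(addr))))
        server = parse_referral(replies[-1][1])
    return replies

def reverse_name(ip):
    """PTR lookup. The query goes to the DNS servers for the reverse zone
    (which the address holder may operate), never to the address itself."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

if __name__ == "__main__":
    print("PTR:", reverse_name(sys.argv[1]))
    for server, reply in lookup_owner(sys.argv[1]):
        print(f"--- {server} ---\n{reply}")
```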
