«

Approx hourly 204.16.208.135 scans me.

Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
message that says System Alert, corrupt registry, use www.msreg.com,
etc. The remote port varies and it also uses many faked IP addresses.

It seems 204.16.208.135 belongs to Fast Colocation who have an automated
abuse reporting page: http://www.fastcolocation.net/abuse/index.php

Can anyone get this page to actually accept an abuse report? It won't
work for me!

On Tue, 17 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
<Xns985FBC32BAA1F64A18E@127.0.0.1>, Zak wrote:

>Approx hourly 204.16.208.135 scans me.
>
>Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
>message that says System Alert, corrupt registry, use www.msreg.com,
>etc. The remote port varies and it also uses many faked IP addresses.

UDP source addresses, especially messenger spam is often faked.

"www.msreg.com" is a spammers domain - if you look up the registration,
it's obviously full of false data

Registration Service Provided By: Very Cheap Domains
Contact:

Domain name: msreg.com

Registrant Contact:
MS Fix Software
John Daily ()
+1.6955593487
Fax: +1.5952336955
5849 W. Warchester Dr
San Fransico, AR 98539
US

and you could complain to ICANN about the blatantly false data - neither
area code 595 or 695 are valid, there is no San Francisco in Arkansas,
the 98539 zip code belongs to post office boxes in the city of Doty,
Washington (Nowheresville, about half way between Seattle and Portland).
The data is simply one lie after another. You could bitch at Hurricane
Electric who is hosting the domain.

>It seems 204.16.208.135 belongs to Fast Colocation who have an automated
>abuse reporting page: http://www.fastcolocation.net/abuse/index.php

While fastcolocation.net has their own problems, if this is single packet
messenger spam, you don't have any proof that they are behind the problem.

>Can anyone get this page to actually accept an abuse report? It won't
>work for me!

Most abuse functions using a web page interface are totally worthless. If
the domain doesn't accept mail to "abuse@domain_name.dom" then report the
domain to rfc-ignorant.org.

Old guy

This same address is scanning me every hour too. Have you managed to
contact anybody about this?

Fast CoLo looks like a fake company to me. Their phone numbers don't
work and they have a couple diffrent websites all of which dont work.

Let me know if you find anything out.

Jason

Zak wrote:
> Approx hourly 204.16.208.135 scans me.
>
> Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
> message that says System Alert, corrupt registry, use www.msreg.com,
> etc. The remote port varies and it also uses many faked IP addresses.
>
> It seems 204.16.208.135 belongs to Fast Colocation who have an automated
> abuse reporting page: http://www.fastcolocation.net/abuse/index.php
>
> Can anyone get this page to actually accept an abuse report? It won't
> work for me!
he seems to be hiding his trial real well the abuse line is not real so
don;t try that address
i used it but no response in over two weeks agao
he has tried to hack my computer at least 20 times in two weeks

wrote:
> Zak wrote:
> > Approx hourly 204.16.208.135 scans me.
> >
> > Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
> > message that says System Alert, corrupt registry, use www.msreg.com,
> > etc. The remote port varies and it also uses many faked IP addresses.
> >
> > It seems 204.16.208.135 belongs to Fast Colocation who have an automated
> > abuse reporting page: http://www.fastcolocation.net/abuse/index.php
> >
> > Can anyone get this page to actually accept an abuse report? It won't
> > work for me!
> he seems to be hiding his trial real well the abuse line is not real so
> don;t try that address
> i used it but no response in over two weeks agao
> he has tried to hack my computer at least 20 times in two weeks

Same here for about a week now, this is what I've found out:

PORTSCAN

www.fastcolocation.com is the home web site. It's a web hosting
service.

Email/Contact info at verycheapdomains(dot)net Phone Number +1 703 286
2487, Fax: +1 510 279 5802 Street 3791 N. Edgewater Dr City Wasilla
State ak (Alaska) Postalcode 99654 Country United States

I called their customer service last week.
http://fastcolocation.com./support.html

-"All customers of Fast Colocation can reach the Data Center 24 hours
a day. If you require emergency assistance, you can call the data
center direct: 510-580-4100"

-I made it clear that I was not a customer and the representative was
still concerned and interested in getting the IP address that was
portscanning me.

-I asked him about the abuse notification page and he assured me that
the IP addy was all that was important on the form. It didn't work
for me either though.

-Fortunately I pressed him for an e-mail address for follow through,
and was told to contact , this was the exchange that
took place:
____
Hello,
I have gotten several firewall alerts of Portscan intrusion from this
IP address, four times in the past two days.
204.16.208.135 (13364)

-You customer service rep told me to email this addy to report this
abuse - after taking down the IP addy as well.

-I have googled this IP addy, your company and other details of this
and it seems to be a problem all over the globe.
Thank You,
__
(I got an auto reply for each one which I am NOT including)

Reply:

Your's is actually the second complaint we've seen regarding the IP
address 204.16.208.135. Unfortunately, the IP address does not belong
to us, as shown by ARIN WHOIS records [1]. We have no authorative
control over the IP addresses within that block, nor the servers
operated therein. The best way to go about resolving this issue is for
you to contact Fast Colocation [2] with your complaint, as the IP
address is owned by them. Only after a reasonable amount of time has
past and the issue remains unresolved can we, the bandwidth provider,
take action per our Acceptable Use Policy (AUP).
[1] - http://ws.arin.net/whois?queryinput=204.16.208.135 (<you can look
up IP addy's here)
[2] - http://www.fastcolocation.net/abuse/

Jeff Walter
Network Engineer
Hurricane Electric

My reply back:
Actually, it was fastcolocation customer service that told me to e-mail

you -- as opposed to giving me their e-mail.
510-580-4100

His reply back:
They do list our phone number as being for "their" data center. This is
not the same as their actual phone numbers (those shown in the ARIN
WHOIS), nor is it the same as their email addresses. Sadly, nothing but
confusion results from them listing our phone number on their site.

Jeff Walter
Hurricane Electric
____

As far as I can practically tell, these people/companies are legit so
we need to spread this info around -perhaps link to this page if
nothing else, because everyone's getting hit.

My suggestions,
--Call fastcolocation, (the web hosting service for IP 204.16.208.135)
and report it: 510-580-4100

--Email Hurricane electric (the bandwidth provider) and report it:


I'm getting ready to call them again (and email H.E.) -Thank God for
free nights and weekends eh?

-Good luck

P.S. To look up other domain names try:
http://www.arin.net/whois/ (listed above)

wrote in news:1161475532.521422.323800
@m7g2000cwm.googlegroups.com:

>
> Zak wrote:
>> Approx hourly 204.16.208.135 scans me.
>>
>> Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
>> message that says System Alert, corrupt registry, use www.msreg.com,
>> etc. The remote port varies and it also uses many faked IP addresses.
>>
>> It seems 204.16.208.135 belongs to Fast Colocation who have an automated
>> abuse reporting page: http://www.fastcolocation.net/abuse/index.php
>>
>> Can anyone get this page to actually accept an abuse report? It won't
>> work for me!
> he seems to be hiding his trial real well the abuse line is not real so
> don;t try that address
> i used it but no response in over two weeks agao
> he has tried to hack my computer at least 20 times in two weeks
>


Traceroute shows his packets are routing through ASSERTIVENET and Hurrican
Electric.

There is NO useful information that I can find on ASSERTIVENET.

Perhaps you can get Hurrican Electric to either drop peering with
ASSERTIVENET or get ASSERTIVENET to post rDNS and an abuse@ address and
contact information.

The fastcolocations.net machine is probably compromised and should be
removed from the network until cleaned.

10/22/06 07:38:47 Fast traceroute 204.16.208.135
Trace 204.16.208.135 ...
.....
8 206.223.118.37 21ms 18ms 21ms TTL: 0 (dal-ix.he.net bogus rDNS:
host not found [authoritative])
9 66.160.184.5 56ms 55ms 60ms TTL: 0 (pos5-
0.gsr12012.lax.he.net ok)
10 65.19.129.1 * * 75ms TTL: 0 (pos3-
2.gsr12416.pao.he.net ok)
11 216.218.214.246 * 76ms 74ms TTL: 0 (pos2-
0.gsr12012.sjc.he.net ok)
12 64.62.249.122 * 89ms 86ms TTL: 0 (No rDNS)
13 66.154.100.90 * 88ms 86ms TTL: 0 (No rDNS)
14 204.16.208.135 95ms 91ms 87ms TTL: 47 (No rDNS)



10/22/06 07:40:46 whois

whois -h whois.geektools.com 64.62.249.122 ...
GeekTools Whois Proxy v5.0.4 Ready.

Checking access for 72.207.246.182... ok.

Final results obtained from whois.arin.net.

Results:

OrgName: Hurricane Electric
OrgID: HURC
Address: 760 Mission Court
City: Fremont
StateProv: CA
PostalCode: 94539
Country: US

NetRange: 64.62.128.0 - 64.62.255.255
CIDR: 64.62.128.0/17
NetName: HURRICANE-4
NetHandle: NET-64-62-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.HE.NET
NameServer: NS2.HE.NET
NameServer: NS3.HE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-08-27
Updated: 2003-09-15

RTechHandle: ZH17-ARIN
RTechName: Hurricane Electric
RTechPhone: +1-510-580-4100
RTechEmail:

OrgAbuseHandle: ABUSE1036-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-510-580-4100
OrgAbuseEmail:

OrgTechHandle: ZH17-ARIN
OrgTechName: Hurricane Electric
OrgTechPhone: +1-510-580-4100
OrgTechEmail:

# ARIN WHOIS database, last updated 2006-10-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (72.207.246.182) has visited 3 times today.


10/22/06 07:39:31 whois

whois -h whois.geektools.com 66.154.100.90 ...
GeekTools Whois Proxy v5.0.4 Ready.

Checking access for 72.207.246.182... ok.

Final results obtained from whois.arin.net.

Results:
InfoRelay Online Systems, Inc. ASSERTIVE-66-154-100-0-22 (NET-66-154-100-0-
1)
66.154.100.0 - 66.154.103.255
ASSERTIVENET ASSERTIVENETWORKS (NET-66-154-96-0-1)
66.154.96.0 - 66.154.127.255

# ARIN WHOIS database, last updated 2006-10-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

------------
10/22/06 07:39:50 whois

whois -h whois.geektools.com 204.16.208.135 ...
GeekTools Whois Proxy v5.0.4 Ready.

Checking access for 72.207.246.182... ok.

Final results obtained from whois.arin.net.

Results:

OrgName: FAST COLOCATION SERVICES
OrgID: FCS-73
Address: 3791 N. Edgewater Dr
City: Wasilla
StateProv: AK
PostalCode: 99654
Country: US

NetRange: 204.16.208.0 - 204.16.211.255
CIDR: 204.16.208.0/22
NetName: FC-BLK-1
NetHandle: NET-204-16-208-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: SANDY.THEHIDEOUT.NET
NameServer: SANDY2.THEHIDEOUT.NET
Comment: For Abuse Notices please visit
http://www.fastcolocation.net/abuse/
RegDate: 2005-11-07
Updated: 2006-07-31

RAbuseHandle: NAD41-ARIN
RAbuseName: NOC Abuse Department
RAbusePhone: +1-703-637-6336
RAbuseEmail:

RNOCHandle: NOC1938-ARIN
RNOCName: Network Operations Center
RNOCPhone: +1-703-286-2487
RNOCEmail:

RTechHandle: NOC1938-ARIN
RTechName: Network Operations Center
RTechPhone: +1-703-286-2487
RTechEmail:

OrgAbuseHandle: NAD41-ARIN
OrgAbuseName: NOC Abuse Department
OrgAbusePhone: +1-703-637-6336
OrgAbuseEmail:

OrgTechHandle: NOC1938-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-703-286-2487
OrgTechEmail:

# ARIN WHOIS database, last updated 2006-10-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (72.207.246.182) has visited 2 times today.
-----------------

--
bz

please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.

bz+ remove ch100-5 to avoid spam trap

Was hapening to me, too. Captured the packets of one of the "attacks".
It's just a windows messenger spam ad.

Message: Microsoft Windows has encounted an Internal Error\nYour
windows registry is corrupted.\nMicrosoft recommends a complete system
scan.\n\nMicrosoft recommends\n\nhttp://www.(taken out).com\n\nTo
repair now for a free download\n\n

turn off your messenger service and you probably won't receive it
anymore.
The source IP is probably spoofed. Dunno, though. report it to the ISP,
and they may check into it.

> Zak wrote:
>> Approx hourly 204.16.208.135 scans me.
>>
>> Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a
>> fake message that says System Alert, corrupt registry, use
>> www.msreg.com, etc. The remote port varies and it also uses many
>> faked IP addresses.
>>
>> It seems 204.16.208.135 belongs to Fast Colocation who have an
>> automated abuse reporting page:
>> http://www.fastcolocation.net/abuse/index.php
>>
>> Can anyone get this page to actually accept an abuse report? It
>> won't work for me!

On 22 Oct 2006, <> wrote:
>
> he seems to be hiding his trial real well the abuse line is not
> real so don;t try that address
>
> i used it but no response in over two weeks agao
> he has tried to hack my computer at least 20 times in two weeks
>

I get a hack attempt onece every single hour that my broadband is
connected. That ould be 20 hack attempts in one or two DAYS !