Auto scan reporter not working

Discussion in 'Computer Security' started by Zak, Oct 17, 2006.

  1. Zak

    Zak Guest

    Approx hourly 204.16.208.135 scans me.

    Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
    message that says System Alert, corrupt registry, use www.msreg.com,
    etc. The remote port varies and it also uses many faked IP addresses.

    It seems 204.16.208.135 belongs to Fast Colocation who have an automated
    abuse reporting page: http://www.fastcolocation.net/abuse/index.php

    Can anyone get this page to actually accept an abuse report? It won't
    work for me!
     
    Zak, Oct 17, 2006
    #1

  2. Zak

    Moe Trin Guest

    On Tue, 17 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
    <Xns985FBC32BAA1F64A18E@127.0.0.1>, Zak wrote:

    >Approx hourly 204.16.208.135 scans me.
    >
    >Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
    >message that says System Alert, corrupt registry, use www.msreg.com,
    >etc. The remote port varies and it also uses many faked IP addresses.


    UDP source addresses, especially on messenger spam, are often faked.

    "www.msreg.com" is a spammer's domain - if you look up the registration,
    it's obviously full of false data:

    Registration Service Provided By: Very Cheap Domains
    Contact:

    Domain name: msreg.com

    Registrant Contact:
    MS Fix Software
    John Daily ()
    +1.6955593487
    Fax: +1.5952336955
    5849 W. Warchester Dr
    San Fransico, AR 98539
    US

    and you could complain to ICANN about the blatantly false data - neither
    area code 595 nor 695 is valid, there is no San Francisco in Arkansas,
    and the 98539 zip code belongs to post office boxes in the city of Doty,
    Washington (Nowheresville, about half way between Seattle and Portland).
    The data is simply one lie after another. You could bitch at Hurricane
    Electric, who is hosting the domain.

    >It seems 204.16.208.135 belongs to Fast Colocation who have an automated
    >abuse reporting page: http://www.fastcolocation.net/abuse/index.php


    While fastcolocation.net has their own problems, if this is single packet
    messenger spam, you don't have any proof that they are behind the problem.

    >Can anyone get this page to actually accept an abuse report? It won't
    >work for me!


    Most abuse functions using a web page interface are totally worthless. If
    the domain doesn't accept mail to "abuse@domain_name.dom" then report the
    domain to rfc-ignorant.org.

    Old guy
     
    Moe Trin, Oct 18, 2006
    #2

  3. Zak

    Guest

    This same address is scanning me every hour too. Have you managed to
    contact anybody about this?

    Fast CoLo looks like a fake company to me. Their phone numbers don't
    work and they have a couple of different websites, all of which don't work.

    Let me know if you find anything out.

    Jason
     
    , Oct 21, 2006
    #3
  4. Zak

    Guest

    Zak wrote:
    > Approx hourly 204.16.208.135 scans me.
    >
    > Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
    > message that says System Alert, corrupt registry, use www.msreg.com,
    > etc. The remote port varies and it also uses many faked IP addresses.
    >
    > It seems 204.16.208.135 belongs to Fast Colocation who have an automated
    > abuse reporting page: http://www.fastcolocation.net/abuse/index.php
    >
    > Can anyone get this page to actually accept an abuse report? It won't
    > work for me!

    He seems to be hiding his trail real well. The abuse line is not real, so
    don't try that address.
    I used it, but no response in over two weeks.
    He has tried to hack my computer at least 20 times in two weeks.
     
    , Oct 22, 2006
    #4
  5. Zak

    Emproph Guest

    wrote:
    > Zak wrote:
    > > Approx hourly 204.16.208.135 scans me.
    > >
    > > Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
    > > message that says System Alert, corrupt registry, use www.msreg.com,
    > > etc. The remote port varies and it also uses many faked IP addresses.
    > >
    > > It seems 204.16.208.135 belongs to Fast Colocation who have an automated
    > > abuse reporting page: http://www.fastcolocation.net/abuse/index.php
    > >
    > > Can anyone get this page to actually accept an abuse report? It won't
    > > work for me!

    > He seems to be hiding his trail real well. The abuse line is not real, so
    > don't try that address.
    > I used it, but no response in over two weeks.
    > He has tried to hack my computer at least 20 times in two weeks.


    Same here for about a week now, this is what I've found out:

    PORTSCAN

    www.fastcolocation.com is the home web site. It's a web hosting
    service.

    Email/Contact info at verycheapdomains(dot)net Phone Number +1 703 286
    2487, Fax: +1 510 279 5802 Street 3791 N. Edgewater Dr City Wasilla
    State ak (Alaska) Postalcode 99654 Country United States

    I called their customer service last week.
    http://fastcolocation.com./support.html

    -"All customers of Fast Colocation can reach the Data Center 24 hours
    a day. If you require emergency assistance, you can call the data
    center direct: 510-580-4100"

    -I made it clear that I was not a customer and the representative was
    still concerned and interested in getting the IP address that was
    portscanning me.

    -I asked him about the abuse notification page and he assured me that
    the IP addy was all that was important on the form. It didn't work
    for me either though.

    -Fortunately I pressed him for an e-mail address for follow through,
    and was told to contact , this was the exchange that
    took place:
    ____
    Hello,
    I have gotten several firewall alerts of Portscan intrusion from this
    IP address, four times in the past two days.
    204.16.208.135 (13364)

    -Your customer service rep told me to email this addy to report this
    abuse - after taking down the IP addy as well.

    -I have googled this IP addy, your company and other details of this
    and it seems to be a problem all over the globe.
    Thank You,
    __
    (I got an auto reply for each one which I am NOT including)

    Reply:

    Yours is actually the second complaint we've seen regarding the IP
    address 204.16.208.135. Unfortunately, the IP address does not belong
    to us, as shown by ARIN WHOIS records [1]. We have no authoritative
    control over the IP addresses within that block, nor the servers
    operated therein. The best way to go about resolving this issue is for
    you to contact Fast Colocation [2] with your complaint, as the IP
    address is owned by them. Only after a reasonable amount of time has
    passed and the issue remains unresolved can we, the bandwidth provider,
    take action per our Acceptable Use Policy (AUP).
    [1] - http://ws.arin.net/whois?queryinput=204.16.208.135 (<you can look
    up IP addy's here)
    [2] - http://www.fastcolocation.net/abuse/

    Jeff Walter
    Network Engineer
    Hurricane Electric

    My reply back:
    Actually, it was fastcolocation customer service that told me to e-mail

    you -- as opposed to giving me their e-mail.
    510-580-4100

    His reply back:
    They do list our phone number as being for "their" data center. This is
    not the same as their actual phone numbers (those shown in the ARIN
    WHOIS), nor is it the same as their email addresses. Sadly, nothing but
    confusion results from them listing our phone number on their site.

    Jeff Walter
    Hurricane Electric
    ____

    As far as I can practically tell, these people/companies are legit so
    we need to spread this info around -perhaps link to this page if
    nothing else, because everyone's getting hit.

    My suggestions,
    --Call fastcolocation, (the web hosting service for IP 204.16.208.135)
    and report it: 510-580-4100

    --Email Hurricane electric (the bandwidth provider) and report it:


    I'm getting ready to call them again (and email H.E.) -Thank God for
    free nights and weekends eh?

    -Good luck

    P.S. To look up other domain names try:
    http://www.arin.net/whois/ (listed above)
     
    Emproph, Oct 22, 2006
    #5
  6. Zak

    bz Guest

    wrote in news:1161475532.521422.323800@m7g2000cwm.googlegroups.com:

    >
    > Zak wrote:
    >> Approx hourly 204.16.208.135 scans me.
    >>
    >> Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a fake
    >> message that says System Alert, corrupt registry, use www.msreg.com,
    >> etc. The remote port varies and it also uses many faked IP addresses.
    >>
    >> It seems 204.16.208.135 belongs to Fast Colocation who have an automated
    >> abuse reporting page: http://www.fastcolocation.net/abuse/index.php
    >>
    >> Can anyone get this page to actually accept an abuse report? It won't
    >> work for me!

    > He seems to be hiding his trail real well. The abuse line is not real, so
    > don't try that address.
    > I used it, but no response in over two weeks.
    > He has tried to hack my computer at least 20 times in two weeks.
    >



    Traceroute shows his packets are routing through ASSERTIVENET and Hurricane
    Electric.

    There is NO useful information that I can find on ASSERTIVENET.

    Perhaps you can get Hurricane Electric to either drop peering with
    ASSERTIVENET or get ASSERTIVENET to post rDNS and an abuse@ address and
    contact information.

    The fastcolocation.net machine is probably compromised and should be
    removed from the network until cleaned.

    10/22/06 07:38:47 Fast traceroute 204.16.208.135
    Trace 204.16.208.135 ...
    .....
    8 206.223.118.37 21ms 18ms 21ms TTL: 0 (dal-ix.he.net bogus rDNS: host not found [authoritative])
    9 66.160.184.5 56ms 55ms 60ms TTL: 0 (pos5-0.gsr12012.lax.he.net ok)
    10 65.19.129.1 * * 75ms TTL: 0 (pos3-2.gsr12416.pao.he.net ok)
    11 216.218.214.246 * 76ms 74ms TTL: 0 (pos2-0.gsr12012.sjc.he.net ok)
    12 64.62.249.122 * 89ms 86ms TTL: 0 (No rDNS)
    13 66.154.100.90 * 88ms 86ms TTL: 0 (No rDNS)
    14 204.16.208.135 95ms 91ms 87ms TTL: 47 (No rDNS)



    10/22/06 07:40:46 whois

    whois -h whois.geektools.com 64.62.249.122 ...
    GeekTools Whois Proxy v5.0.4 Ready.

    Checking access for 72.207.246.182... ok.

    Final results obtained from whois.arin.net.

    Results:

    OrgName: Hurricane Electric
    OrgID: HURC
    Address: 760 Mission Court
    City: Fremont
    StateProv: CA
    PostalCode: 94539
    Country: US

    NetRange: 64.62.128.0 - 64.62.255.255
    CIDR: 64.62.128.0/17
    NetName: HURRICANE-4
    NetHandle: NET-64-62-128-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.HE.NET
    NameServer: NS2.HE.NET
    NameServer: NS3.HE.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2002-08-27
    Updated: 2003-09-15

    RTechHandle: ZH17-ARIN
    RTechName: Hurricane Electric
    RTechPhone: +1-510-580-4100
    RTechEmail:

    OrgAbuseHandle: ABUSE1036-ARIN
    OrgAbuseName: Abuse Department
    OrgAbusePhone: +1-510-580-4100
    OrgAbuseEmail:

    OrgTechHandle: ZH17-ARIN
    OrgTechName: Hurricane Electric
    OrgTechPhone: +1-510-580-4100
    OrgTechEmail:

    # ARIN WHOIS database, last updated 2006-10-21 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    Results brought to you by the GeekTools WHOIS Proxy
    Server results may be copyrighted and are used with permission.
    Your host (72.207.246.182) has visited 3 times today.


    10/22/06 07:39:31 whois

    whois -h whois.geektools.com 66.154.100.90 ...
    GeekTools Whois Proxy v5.0.4 Ready.

    Checking access for 72.207.246.182... ok.

    Final results obtained from whois.arin.net.

    Results:
    InfoRelay Online Systems, Inc. ASSERTIVE-66-154-100-0-22 (NET-66-154-100-0-1)
    66.154.100.0 - 66.154.103.255
    ASSERTIVENET ASSERTIVENETWORKS (NET-66-154-96-0-1)
    66.154.96.0 - 66.154.127.255

    # ARIN WHOIS database, last updated 2006-10-21 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    ------------
    10/22/06 07:39:50 whois

    whois -h whois.geektools.com 204.16.208.135 ...
    GeekTools Whois Proxy v5.0.4 Ready.

    Checking access for 72.207.246.182... ok.

    Final results obtained from whois.arin.net.

    Results:

    OrgName: FAST COLOCATION SERVICES
    OrgID: FCS-73
    Address: 3791 N. Edgewater Dr
    City: Wasilla
    StateProv: AK
    PostalCode: 99654
    Country: US

    NetRange: 204.16.208.0 - 204.16.211.255
    CIDR: 204.16.208.0/22
    NetName: FC-BLK-1
    NetHandle: NET-204-16-208-0-1
    Parent: NET-204-0-0-0-0
    NetType: Direct Allocation
    NameServer: SANDY.THEHIDEOUT.NET
    NameServer: SANDY2.THEHIDEOUT.NET
    Comment: For Abuse Notices please visit
    http://www.fastcolocation.net/abuse/
    RegDate: 2005-11-07
    Updated: 2006-07-31

    RAbuseHandle: NAD41-ARIN
    RAbuseName: NOC Abuse Department
    RAbusePhone: +1-703-637-6336
    RAbuseEmail:

    RNOCHandle: NOC1938-ARIN
    RNOCName: Network Operations Center
    RNOCPhone: +1-703-286-2487
    RNOCEmail:

    RTechHandle: NOC1938-ARIN
    RTechName: Network Operations Center
    RTechPhone: +1-703-286-2487
    RTechEmail:

    OrgAbuseHandle: NAD41-ARIN
    OrgAbuseName: NOC Abuse Department
    OrgAbusePhone: +1-703-637-6336
    OrgAbuseEmail:

    OrgTechHandle: NOC1938-ARIN
    OrgTechName: Network Operations Center
    OrgTechPhone: +1-703-286-2487
    OrgTechEmail:

    # ARIN WHOIS database, last updated 2006-10-21 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    Results brought to you by the GeekTools WHOIS Proxy
    Server results may be copyrighted and are used with permission.
    Your host (72.207.246.182) has visited 2 times today.
    -----------------

    --
    bz

    please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
    infinite set.

    remove ch100-5 to avoid spam trap
     
    bz, Oct 22, 2006
    #6
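Added example, not code from any poster: a small Python script that parses ARIN whois records of the kind bz pasted above, finds which allocation an address falls in, checks the CIDR field against the NetRange field, tags traceroute hops with the organisation holding each address, and lists the abuse contacts in the order a complaint should try them. It is the same check Hurricane Electric's reply to Emproph describes: 204.16.208.135 sits in Fast Colocation's /22, not in HE's /17, so HE is upstream rather than the responsible party. The two records are copied from the post above and trimmed to the fields used; the e-mail fields are blank exactly as on this page, so the fallback path (abuse URL in the Comment field, then phone) is the one exercised. The hop list is constructed from the last three traceroute hops above. The InfoRelay/ASSERTIVENET output is in a different, summary format and is not parsed here, which is why hop 13 comes back unattributed.

```python
"""Parse ARIN whois records (the format shown in the thread), find which
allocation an address falls in, and pull the abuse contacts from it."""
import ipaddress
import re

# Constructed sample: the two ARIN records from the thread, trimmed to the
# fields used here. E-mail fields are blank, as in the page's copy.
FC_RECORD = """\
OrgName:    FAST COLOCATION SERVICES
OrgID:      FCS-73
City:       Wasilla
StateProv:  AK
NetRange:   204.16.208.0 - 204.16.211.255
CIDR:       204.16.208.0/22
NetName:    FC-BLK-1
NameServer: SANDY.THEHIDEOUT.NET
NameServer: SANDY2.THEHIDEOUT.NET
Comment:    For Abuse Notices please visit
http://www.fastcolocation.net/abuse/
RAbuseHandle: NAD41-ARIN
RAbusePhone:  +1-703-637-6336
RAbuseEmail:
OrgAbuseHandle: NAD41-ARIN
OrgAbusePhone:  +1-703-637-6336
OrgAbuseEmail:
# ARIN WHOIS database, last updated 2006-10-21 19:10
"""

HE_RECORD = """\
OrgName:    Hurricane Electric
OrgID:      HURC
City:       Fremont
StateProv:  CA
NetRange:   64.62.128.0 - 64.62.255.255
CIDR:       64.62.128.0/17
NetName:    HURRICANE-4
OrgAbuseHandle: ABUSE1036-ARIN
OrgAbusePhone:  +1-510-580-4100
OrgAbuseEmail:
"""

# "Key:" or "Key: value". A wrapped value such as a bare URL on the next
# line has no such key and is treated as a continuation.
KEY_RE = re.compile(r"^([A-Z][A-Za-z]*):(?:\s+(.*))?$")


def parse_arin_record(text):
    """Turn one 'Key: value' ARIN record into a dict. Repeated keys are
    joined with '; '; a line without a key continues the previous value."""
    rec, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            key, val = m.group(1), (m.group(2) or "").strip()
            rec[key] = f"{rec[key]}; {val}" if key in rec else val
            last = key
        elif last is not None:
            rec[last] = f"{rec[last]} {line}".strip()
    return rec


def net_bounds(rec):
    lo, hi = (ipaddress.ip_address(p.strip()) for p in rec["NetRange"].split("-"))
    return lo, hi


def netrange_cidrs(rec):
    """Recompute the CIDR(s) from NetRange, to cross-check the CIDR field."""
    return [str(n) for n in ipaddress.summarize_address_range(*net_bounds(rec))]


def find_responsible(records, ip):
    """Most specific record whose NetRange contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in records
            if "NetRange" in r and net_bounds(r)[0] <= addr <= net_bounds(r)[1]]
    return min(hits, key=lambda r: int(net_bounds(r)[1]) - int(net_bounds(r)[0]),
               default=None)


def abuse_contacts(rec):
    """Contacts in the order a complaint should try them: e-mail first,
    then a URL named in the Comment field, then the abuse phone numbers."""
    out = []
    for k in ("OrgAbuseEmail", "RAbuseEmail"):
        if rec.get(k):
            out.append(("email", rec[k]))
    for url in re.findall(r"https?://\S+", rec.get("Comment", "")):
        out.append(("url", url))
    for k in ("OrgAbusePhone", "RAbusePhone"):
        if rec.get(k):
            out.append(("phone", rec[k]))
    return list(dict.fromkeys(out))  # dedupe, keep order


def attribute_hops(hops, records):
    """Tag traceroute hops (hop number, ip) with the org holding the
    address, so the upstream of the offending host is visible."""
    return [(n, ip, (find_responsible(records, ip) or {}).get("OrgName"))
            for n, ip in hops]


RECORDS = [parse_arin_record(FC_RECORD), parse_arin_record(HE_RECORD)]
# Constructed from the last three hops of the traceroute in the thread.
SAMPLE_HOPS = [(12, "64.62.249.122"), (13, "66.154.100.90"), (14, "204.16.208.135")]

if __name__ == "__main__":
    rec = find_responsible(RECORDS, "204.16.208.135")
    print(rec["OrgName"], rec["CIDR"], netrange_cidrs(rec), abuse_contacts(rec))
    for hop in attribute_hops(SAMPLE_HOPS, RECORDS):
        print(hop)
```

Fetching live records would replace the two embedded strings with the output of `whois -h whois.arin.net <ip>`; the parser makes no other assumption about where the text came from. When the e-mail fields are populated they come first, which matches Moe Trin's point that the mailbox, not the web form, is the contact that counts.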
  7. Zak

    Jared Blood Guest

    Was happening to me, too. Captured the packets of one of the "attacks".
    It's just a Windows Messenger spam ad.

    Message: Microsoft Windows has encounted an Internal Error\nYour
    windows registry is corrupted.\nMicrosoft recommends a complete system
    scan.\n\nMicrosoft recommends\n\nhttp://www.(taken out).com\n\nTo
    repair now for a free download\n\n

    turn off your messenger service and you probably won't receive it
    anymore.
    The source IP is probably spoofed. Dunno, though. report it to the ISP,
    and they may check into it.
     
    Jared Blood, Oct 27, 2006
    #7
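Added example, not code from any poster: Jared's capture and Moe Trin's remark about faked UDP sources both come down to what a Messenger-service datagram looks like on the wire. It is a DCE RPC connectionless request to the msgsvcsend interface, opnum 0 (NetrSendMessage), whose stub carries three NDR strings: sender, recipient and message text. The Python below decodes such a datagram and pulls the advertised host out of the text, which is the only attribution the packet offers, since nothing in it authenticates the sender and the IP source address is just as easy to forge. The sample packet, the SYSTEM/ALERT names and the placeholder www.example.com are constructed here, not captured; the interface UUID is the one registered for msgsvcsend; the stub layout assumes ref pointers (no referent IDs) for the three strings, which is what the IDL declares.

```python
"""Decode a Windows Messenger-service spam datagram: a DCE RPC
connectionless (CL) request to the msgsvcsend interface, NetrSendMessage
(opnum 0), as seen arriving on UDP ports 1026-1033."""
import re
import struct
import uuid

# Interface UUID of the Messenger service's msgsvcsend interface.
MSGSVCSEND_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
# C706 connectionless header: vers, ptype, flags1, flags2, drep[3],
# serial_hi, object/interface/activity UUIDs, server_boot, if_vers,
# seqnum, opnum, ihint, ahint, len, fragnum, auth_proto, serial_lo.
CL_HEADER = "<BBBBBBBB16s16s16sIIIHHHHHBB"
CL_HEADER_LEN = struct.calcsize(CL_HEADER)   # 80 bytes
PTYPE_REQUEST = 0
DREP_LITTLE_ENDIAN = 0x10

# Constructed sample text modelled on the message quoted above; the URL
# is a placeholder, not the one the spammer used.
SAMPLE_TEXT = ("Microsoft Windows has encountered an Internal Error\n"
               "Your windows registry is corrupted.\n"
               "Microsoft recommends a complete system scan.\n\n"
               "http://www.example.com\n\nTo repair now for a free download\n")


def _ndr_string(buf, off, end):
    """Read an NDR conformant-varying char array at off: max_count, offset,
    actual_count, then actual_count bytes. Returns (text, next_off) with
    next_off aligned to 4, as NDR requires before the next array."""
    max_count, offset, actual = struct.unpack_from("<III", buf, off)
    off += 12
    if offset + actual > max_count or off + offset + actual > end:
        raise ValueError("bad string counts")
    data = buf[off + offset:off + offset + actual]
    off = (off + offset + actual + 3) & ~3
    return data.split(b"\x00", 1)[0].decode("latin-1"), off


def parse_messenger_spam(datagram):
    """Return {'sender','recipient','text'} if datagram is a CL request to
    msgsvcsend opnum 0, else None. Only little-endian, unfragmented
    requests are handled."""
    if len(datagram) < CL_HEADER_LEN:
        return None
    f = struct.unpack_from(CL_HEADER, datagram, 0)
    rpc_vers, ptype, drep0, if_id, opnum, stub_len = f[0], f[1], f[4], f[9], f[14], f[17]
    if (rpc_vers != 4 or ptype != PTYPE_REQUEST
            or (drep0 & 0xF0) != DREP_LITTLE_ENDIAN
            or uuid.UUID(bytes_le=if_id) != MSGSVCSEND_UUID or opnum != 0):
        return None
    end = CL_HEADER_LEN + stub_len
    if end > len(datagram):
        return None  # truncated or fragmented
    try:
        off = CL_HEADER_LEN
        sender, off = _ndr_string(datagram, off, end)
        recipient, off = _ndr_string(datagram, off, end)
        text, _ = _ndr_string(datagram, off, end)
    except (struct.error, ValueError):
        return None
    return {"sender": sender, "recipient": recipient, "text": text}


def advertised_hosts(text):
    """Hostnames of URLs in the body: the only attribution the packet
    offers, since the spam exists to send the victim to that site."""
    return re.findall(r"https?://([A-Za-z0-9.-]+)", text)


def _ndr_encode_string(s):
    data = s.encode("latin-1") + b"\x00"
    body = struct.pack("<III", len(data), 0, len(data)) + data
    return body + b"\x00" * (-len(body) % 4)


def build_sample_spam(sender="SYSTEM", recipient="ALERT", text=SAMPLE_TEXT):
    """Build a datagram in the same layout, to feed the parser offline."""
    stub = b"".join(_ndr_encode_string(s) for s in (sender, recipient, text))
    act_id = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le  # made up
    header = struct.pack(CL_HEADER, 4, PTYPE_REQUEST, 0, 0,
                         DREP_LITTLE_ENDIAN, 0, 0, 0,
                         bytes(16), MSGSVCSEND_UUID.bytes_le, act_id,
                         0, 1, 0,                          # boot, if_vers, seqnum
                         0, 0xFFFF, 0xFFFF, len(stub), 0,  # opnum, ihint, ahint, len, fragnum
                         0, 0)                             # auth_proto, serial_lo
    return header + stub


if __name__ == "__main__":
    msg = parse_messenger_spam(build_sample_spam())
    print(msg["sender"], "->", msg["recipient"])
    print(msg["text"])
    print("advertised:", advertised_hosts(msg["text"]))
```

Run over the payloads of UDP datagrams to ports 1026-1033, this yields the advertised domain per hit, which is the thing worth blocklisting or reporting; Jared's advice to stop the Messenger service removes the listener that renders the text at all.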
  8. Zak

    Zak Guest

    > Zak wrote:
    >> Approx hourly 204.16.208.135 scans me.
    >>
    >> Uses UDP with 20 or 30 probes on my ports 139, 1027 to 1033 with a
    >> fake message that says System Alert, corrupt registry, use
    >> www.msreg.com, etc. The remote port varies and it also uses many
    >> faked IP addresses.
    >>
    >> It seems 204.16.208.135 belongs to Fast Colocation who have an
    >> automated abuse reporting page:
    >> http://www.fastcolocation.net/abuse/index.php
    >>
    >> Can anyone get this page to actually accept an abuse report? It
    >> won't work for me!


    On 22 Oct 2006, <> wrote:
    >
    > He seems to be hiding his trail real well. The abuse line is not
    > real, so don't try that address.
    >
    > I used it, but no response in over two weeks.
    > He has tried to hack my computer at least 20 times in two weeks.
    >


    I get a hack attempt once every single hour that my broadband is
    connected. That would be 20 hack attempts in one or two DAYS!
     
    Zak, Nov 2, 2006
    #8