I have the IP address and the ISP host numbers, how do I find who it is, and
to whom do I report them?
--
Dave - The Medway Handyman
www.medwayhandyman.co.uk
> Some scumbag has tried to change my E Bay account details.
>
> I have the IP address and the ISP host numbers, how do I find who it is,
> and to whom do I report them?
>
>
whois IPADDRESS
(that's a unix/linux command - may or may not exist on Windows)
or
Stick it in the IP box down the bottom right. It may not do any good - you
might just get a large block range owned by AOL or somesuch. But if you get
a University, chances of administering a bollocking is much better.
--
Tim Watts
This space intentionally left blank...
Erm ... eBay ?
TBH they don't seem to give a sh*t.
BTDT - diddn't get a tee shirt.
Strange .. they've always been really helpful when I've needed to contact
them ... have you tried contacting them via
http://pages.ebay.co.uk/help/account/securing-account.html ?
Frankly, if they didn't give a shit, no one else will either.
Don't waste your time any further.
--
Andrew Gabriel
[email address is not usable -- followup in the newsgroup]
Have you tried the Directgov website for help, advice and reporting Identity
Theft?
http://www.direct.gov.uk/en/MoneyTaxAndBenefits/ManagingMoney/KeepingYourMoneySecure/DG_10035798
Are you sure of your information on the IP address and do you have the
time of the attempt from some verifiable source?
--
fred
BBC3, ITV2/3/4, channels going to the DOGs
http://www.geektools.com/whois.php
If address in China stop.
Andy
as others have said, if it's a spotty teenager at his mummys house having a
go at hacking whilst reloading for another wanking session over laura croft,
not much can be done really, if he's serious about hacking he'll have munged
his ip addy, be on someone elses wifi connection, or an isp that dosent give
a feck about complaints.
if he's a student doing it from uni, or work, then you can get him,
i had a problem years ago when an exGF decided to spam a forum i had on my
personal website, she added a few death threats for good measure, a quick
search from the logs showed the ip addy to be from the university she worked
at, it even resolved it to the department she worked in so i knew it was
her, i managed to get the phone numbers for the it tutor and everything from
the whois data.,
i posted that info on my forum, and apparantly a few of my friends decided
to phone the uni up and complain, a few sent letters of complaint about how
she was abusing and wasting the uni's resources and so on.
week later i got a message from her begging me to remove the info, as she
was going to loose her job if one more complaint came in about her, she left
me alone after that thank feck.
Tried that & http://www.geektools.com/whois.php
Trouble is, too much information, most of which I don't understand.
Would it be wise/acceptable to post the numbers here?
> The Medway Handyman<davi...@nospamblueyonder.co.uk>
> wibbled on Monday 23 November 2009 20:08
>
>> I have the IP address and the ISP host numbers, how do I find who it is,
>> and to whom do I report them?
>
> whois IPADDRESS
>
> (that's a unix/linux command - may or may not exist on Windows)
It doesn't ... so instead feed the IP address into <http://who.is/>
but (directed to TMH) don't necessarily expect to trace a person from an
IP address.
That was very big of you. Getting all your friends to write letters to your
ex-girl friend's employer in an effort to get her sacked. Just because she
said some nasty things about you on some web-forum or another.
If it wasn't for the fact that it's all a great big lie.
For your information sunshine, people in the real world such as employers don't
take a blind bit of notice of letters, or emails, or phone calls from what are
quite obviously, internet loonies trying to get even. They all go straight in the
bin.
While the fact that you seriously expect to be belived is even more laughable.
Robin
Presumably eBay will already know as it was they who will have
supplied the OP with the IP and ISP info. By way of checking
whether the change of details actually came from him, or not.
Robin
>
>
> "Andy Champ" <no....@nospam.invalid> wrote in message
> news:8dWdnQgwnPc_npbW...@eclipse.net.uk...
>> The Medway Handyman wrote:
>>> Some scumbag has tried to change my E Bay account details.
>>>
>>> I have the IP address and the ISP host numbers, how do I find who it is,
>>> and to whom do I report them?
>
> as others have said, if it's a spotty teenager at his mummys house having a
> go at hacking whilst reloading for another wanking session over laura croft,
> not much can be done really
One would hope she gets a bath once in a while, poor girl.
> or an isp that dosent give a feck about complaints.
My money's on that one. OP might be able to get the name of the ISP which
owns the IP, but they'll probably do feck-all about it, if only because
they're probably drowning in complaints.
OK. I recieved a message from E Bay about a password change confirmation:-
"The password change request was made from:
a.. IP address: 77.96.243.253
b.. ISP host: 10.11.64.246 "
I subsequently discovered various address's, (inc Pay Pal) had been changed
to Dorset, Dublin, New York & Nigeria!
Yes, or email me at t...@doc.ic.ac.uk (home email in tatters this week,
rebuilding firewalls and routers and stuff since the move)
Dave,
Can I ask have you at anytime clicked on a link in an email seeing to
have come from ebay or paypal and the page it has loaded has seemed to
look like the ebay login page?
In other words what is known as a phishing email?
--
Regards,
Harry (M1BYT) (L)
http://www.ukradioamateur.co.uk
> "The password change request was made from:
>
> a.. IP address: 77.96.243.253
This is the bit from whois that matters:
role: Telewest Broadband IP Network Services
address: Genesis Business Park
address: Albert Drive
address: Woking
address: Surrey UK
address: GU21 5RW
e-mail: ri...@telewest.net
remarks: To report abuse:
remarks: file an online case @
http://netreport.virginmedia.com/netreport
Summary - it's a TeleWest broadband customer and you can post an abuse
report at http://netreport.virginmedia.com/netreport
Though, I'd be surprised if they did anything.
I suspect, unless the police get involved, they only deal with the same
customer generating a mountain of complaints.
> b.. ISP host: 10.11.64.246 "
>
That's no use here - IP's beginning with 10.x.x.x, 192.168.x.x and (losely
but not strictly accurate) 172.16.x.x are private ranges that can never
legitimately appear on the public internet, so I'm guessing it's an
internal IP in TeleWest or ebay.
> I subsequently discovered various address's, (inc Pay Pal) had been
> changed to Dorset, Dublin, New York & Nigeria!
>
No surprise on teh last entry. Have you lost any dosh? More imprtantly, do
you have control of your ebay and paypal accounts again and have you set
new, hard, passwords?
Cheers
Tim
> On 23/11/09 20:18, Tim W wrote:
>
>> The Medway Handyman<davi...@nospamblueyonder.co.uk>
>> wibbled on Monday 23 November 2009 20:08
>>
>>> I have the IP address and the ISP host numbers, how do I find who it is,
>>> and to whom do I report them?
>>
>> whois IPADDRESS
>>
>> (that's a unix/linux command - may or may not exist on Windows)
>
> It doesn't ... so instead feed the IP address into <http://who.is/>
You can tell how often I boot Windows these days!
> but (directed to TMH) don't necessarily expect to trace a person from an
> IP address.
Indeed. I do have my own IPv4 block so you could trace me, for example. But
most customers get random IPs from their ISP, and the random IP can change
over time. In practice, given an IP and an accurate date/time, the ISP can
determine who it might be (subject to whether their local end net allows IP
spoofing or not).
Hard to tell Harry, I might well have done even though I'm of a suspicious
nature.
I get so many e mails from E Bay & Pay Pal I simply don't know which to
trust. As a result I rarely use either.
Thanks Tim. No dosh lost, all re set with passwords & questions Derren
Brown couldn't crack.
Keep it short, keep it sweet, keep it factual and you'd be surprised how
positively abuse departments respond.
Report the IP address and report the date and time of the attempt as the
time of the notification of the change email.
> That's no use here - IP's beginning with 10.x.x.x, 192.168.x.x and
> (losely but not strictly accurate) 172.16.x.x are private ranges that
> can never legitimately appear on the public internet, so I'm guessing
> it's an internal IP in TeleWest or ebay.
Purely as a matter of interest...why the rider on the 172.16.x.x range?
--
Use the BIG mirror service in the UK:
http://www.mirrorservice.org
> On Mon, 23 Nov 2009 23:19:07 +0000, Tim W wrote:
>
>> That's no use here - IP's beginning with 10.x.x.x, 192.168.x.x and
>> (losely but not strictly accurate) 172.16.x.x are private ranges that
>> can never legitimately appear on the public internet, so I'm guessing
>> it's an internal IP in TeleWest or ebay.
>
> Purely as a matter of interest...why the rider on the 172.16.x.x range?
Only because it's a /12 so it should be 172.16-31.x.x. That's one range I
can never remember, other than I use 172.16.0.x as a local route between my
ADSL router and the firewall box. I had to Wikipedia it just to answer
you(!)
I like 10/8 - simple, short, large, easy to remember, so I tend to use that
for my internal net. I don't like 192.168.x.x because that tends to be the
default for all manner of widgets when they have their firmware/config
reset (despite DHCP).
I'm hopeless with memorising numbers - I'm going to have brainfailure when I
eventually configure my IPv6 block into everything... Due to Andrews and
Arnold being very helpful with my house move WRT to DSL, I seem to have a
merged collection of 3 IPv4 blocks, misc single addresses and two IPv6
blocks all routed to my line here.
Just sorting that out so I can relinquish the redundant ones...
OT: I like the new Shorewall firewall and it's ability to cross compile a
script. I used to run Shorewall on my OpenWRT router but it took >10minutes
to cope with a reload. The new one compiles happily on my laptop and the
resultant script needs no stuff other than iptables and friends and runs in
a few seconds :)
> fred wrote:
>> In article <IUDOm.8032$Ym4....@text.news.virginmedia.com>, The Medway
>> Handyman <davi...@nospamblueyonder.co.uk> writes
>>>
>>> Tried that & http://www.geektools.com/whois.php
>>>
>>> Trouble is, too much information, most of which I don't understand.
>>>
>>> Would it be wise/acceptable to post the numbers here?
>>>
>> Yes, post all you have and the source of the information, it's useless
>> without knowing where it came from and how reliable it is.
>
> OK. I recieved a message from E Bay about a password change
> confirmation:-
>
> "The password change request was made from:
>
> a.. IP address: 77.96.243.253
> b.. ISP host: 10.11.64.246 "
>
which resolves to a Virginmedia Gillingham UBR
so as a guess your Windows are compromised.�
Doing a tracert leads to
77-96-243-253.cable.ubr13.gill.blueyonder.co.uk
Not sure how helpful that is, gill.blueyonder appears to be more
internal Virginmedia domains.
Owain
Assuming that is the case - I have Norton 360 installed, how would it happen
& what can I do to stop it?
> Hard to tell Harry, I might well have done even though I'm of a
> suspicious nature.
> I get so many e mails from E Bay & Pay Pal I simply don't know which to
> trust. As a result I rarely use either.
Any idea how 'they' got your password?
--
*Stable Relationships Are For Horses. *
Dave Plowman da...@davenoise.co.uk London SW
To e-mail, change noise into sound.
> Bob Eager <rd...@spamcop.net>
> wibbled on Monday 23 November 2009 23:54
>
>> On Mon, 23 Nov 2009 23:19:07 +0000, Tim W wrote:
>>
>>> That's no use here - IP's beginning with 10.x.x.x, 192.168.x.x and
>>> (losely but not strictly accurate) 172.16.x.x are private ranges that
>>> can never legitimately appear on the public internet, so I'm guessing
>>> it's an internal IP in TeleWest or ebay.
>>
>> Purely as a matter of interest...why the rider on the 172.16.x.x range?
>
> Only because it's a /12 so it should be 172.16-31.x.x. That's one range
> I can never remember, other than I use 172.16.0.x as a local route
> between my ADSL router and the firewall box. I had to Wikipedia it just
> to answer you(!)
Ah, OK...I never use that range either.
> I like 10/8 - simple, short, large, easy to remember, so I tend to use
> that for my internal net. I don't like 192.168.x.x because that tends to
> be the default for all manner of widgets when they have their
> firmware/config reset (despite DHCP).
I use real IPs everywhere here at home so I don't go near the
192.168.xx.xx range anyway except on small test networks.
> I'm hopeless with memorising numbers - I'm going to have brainfailure
> when I eventually configure my IPv6 block into everything... Due to
> Andrews and Arnold being very helpful with my house move WRT to DSL, I
> seem to have a merged collection of 3 IPv4 blocks, misc single addresses
> and two IPv6 blocks all routed to my line here.
I just have two IP blocks from them...plus the IPv6 one, which I really
must get on with.
Something along those lines. TMH is posting from
94.168.74.108 which is cpc2-gill16-2-0-cust619.basl.cable.virginmedia.com
and the password email is from:
77.96.243.253 which is 77-96-243-253.cable.ubr13.gill.blueyonder.co.uk
The former looks like an ex-NTL address in Gillingham, while the latter is
ex-Telewest in Gillingham. Or have Virgin Media renumbered ex-BY customers
into the namespace formerly occupied by NTL? Or is
basl.cable.virginmedia.com Basildon? Is there a big cable under the Thames
at that point?
Another thought for TMH... did you log in to your eBay account from anyone
else's computer? Or perhaps take your computer to someone else's network
connection?
Theo
Not a clue. Its not something you could guess either. Now changed to
something so obscure its ridiculous.
No to both.
But a keylogger would already have them. And that may have been how
it all happened in the first place. :-(
>> I get so many e mails from E Bay & Pay Pal I simply don't know which to
>> trust. As a result I rarely use either.
>
>Any idea how 'they' got your password?
I'm suspicious of ebay "security".
My ebay account was compromised (loads of UGG boots advertised... didn't know
wtf they were until then :-))
I had a strong password (12chars, alphanumeric, mixed case and with specials)
and I never respond to phishing attacks (I've worked running email systems
for soooo long I long since gave in trusting any email).
Only use Macs to access the account, and they all scanned clean so I don't
think it was a keylogger/virus.
They told me they had had several cases of this and that I ought to change
my password. When questioned they got more and more defensive until they
stopped talking to me. 30 minutes or so after I reported it to them
ebay.co.uk was down for maintenaince for a while. Possibly a coincidence...
All the auctions were cancelled and all charges removed. Not had a problem
since (this was a couple of years ago)
I've been involved in enough computer security investigations to smell
something odd. Could all be a coincidence but...
Darren
>I'm suspicious of ebay "security".
>
>My ebay account was compromised (loads of UGG boots advertised... didn't know
>wtf they were until then :-))
>
>I had a strong password (12chars, alphanumeric, mixed case and with specials)
>and I never respond to phishing attacks (I've worked running email systems
>for soooo long I long since gave in trusting any email).
>
>Only use Macs to access the account, and they all scanned clean so I don't
>think it was a keylogger/virus.
>
>They told me they had had several cases of this and that I ought to change
>my password. When questioned they got more and more defensive until they
>stopped talking to me. 30 minutes or so after I reported it to them
>ebay.co.uk was down for maintenaince for a while. Possibly a coincidence...
>
>All the auctions were cancelled and all charges removed. Not had a problem
>since (this was a couple of years ago)
>
>I've been involved in enough computer security investigations to smell
>something odd. Could all be a coincidence but...
There is an assumption that eBay fraud is always carried out by people
outside the eBay organisation.
That may or may not be a valid assumption. ;-)
As someone who receives abuse complaints from the internet, I fully
agree.
Short and to the point. Don't bother explaining the full story - just that
ebay report that this address was invovled in fraudulantly listing
items (or whatever).
Include *all* emails you have had from ebay about this - just because the
10.x.x.x addresses are meaningless on the internet doesn't mean they are
not handy to the abuse dept.
>Report the IP address and report the date and time of the attempt as the
>time of the notification of the change email.
Forward the email if possible - people rekeying or picking the important
bits from emails like this are generally a pain (let the abuse team work
out which bits are relevant).
Also, don't go on about how you have the worlds best antivirus program
or how you are fantastic at running large networks and understand security
as you've got 4 machines and once used linux - abuse depts don't care,
trust me :-)
Darren
Errr....
gill.blueyonder?
Gillingham?
Medway handyman - in Gillingham?....
Are your PCs completely clean Dave (full scan with decent upto date virus
scanner etc etc)?
Darren
> Not a clue. Its not something you could guess either. Now changed to
> something so obscure its ridiculous.
Probably makes no difference if they managed to find out your first one -
they could do the same with the new one.
--
*Who is this General Failure chap anyway - and why is he reading my HD? *
Thats the easiest one. Someone parks a van outside with a laptop, and
watches the keystrokes..then logs in as you, and off he goes.
Similar to the banks in that respect then. I'm sure internal fraud is
the main problem, though it suits them to pedal the idea that the
customer has been careless or the victim of a cunning hacker in Belarus
or somewhere.
My partner and I have a joint card, but she only uses hers in
supermarkets and shops. I do all the online stuff, but it was her card
that was cloned. Go figure as they say
> Thats the easiest one. Someone parks a van outside with a laptop, and
> watches the keystrokes..then logs in as you, and off he goes.
Any site taking a password is https these days, especially the likes of
ebay, so that's not going to work.
My money's on phishing.
I have no idea how prevalent internal fraud is in banks, but in the
retail sector, it is reckoned that losses through staff pilferage are
on average several times higher than losses through shoplifting by
"customers".
unless they're snooping on the signal between the keyboard and the
computer...
http://arstechnica.com/security/news/2008/10/beware-your-keyboard-may-be-tattling-on-your-typing.ars
</paranoia>
:-)
> My money's on phishing.
Yeah, mine too. There are folk out there who are very good at crafting the
emails so that they look genuine. I make sure I have my client set to show
HTML emails as plain text, which weeds out nearly all of the shit - and I
just ignore anything completely that looks like it's from a bank, ebay or
paypal.
cheers
Jules
> Mark <Ma...@127.0.0.1> wrote:
>> The Medway Handyman wrote:
>>
>> > "The password change request was made from:
>> >
>> > a.. IP address: 77.96.243.253
>> > b.. ISP host: 10.11.64.246 "
>> >
>>
>> which resolves to a Virginmedia Gillingham UBR
>> so as a guess your Windows are compromised.?
>
> Something along those lines. TMH is posting from
> 94.168.74.108 which is cpc2-gill16-2-0-cust619.basl.cable.virginmedia.com
> and the password email is from:
> 77.96.243.253 which is 77-96-243-253.cable.ubr13.gill.blueyonder.co.uk
>
> The former looks like an ex-NTL address in Gillingham, while the latter is
> ex-Telewest in Gillingham. Or have Virgin Media renumbered ex-BY
> customers
in fact they are both the same, that VM ip range came with the Gill upgrade
earlier this year.
% Information related to '94.168.64.0 - 94.168.79.255'
inetnum: 94.168.64.0 - 94.168.79.255
netname: BBIGROWTH2009
descr: BROADBAND Gillingham
country: GB
Host : cpc2-gill16-2-0-cust619.basl.cable.virginmedia.com
inetnum: 77.96.242.0 - 77.96.243.255
netname: BROADBANDAUDIT
descr: BROADBAND BASI GILL-CMTS-13
country: GB
Host :77-96-243-253.cable.ubr13.gill.blueyonder.co.uk
in fact if you go back to 18 Jan 2009
news:069cl.21280$Sp5....@text.news.virginmedia.com
TMH was actually posting from the IP in question 77.96.243.253
make of that what you will!
-
> If it wasn't for the fact that it's all a great big lie.
>
> For your information sunshine, people in the real world such as employers
> don't
> take a blind bit of notice of letters, or emails, or phone calls from what
> are
> quite obviously, internet loonies trying to get even. They all go straight
> in the
> bin.
Most employers would not bin letters of complaint and ignore phone calls
complaining about a member of staff using a work computer to make death
threats.
Many firms also have a code of conduct that a member off staff has to follow
when not at work.
When I had a bunny boiler problem last year the Ward Sister was most
interested when I went to see her with all the relevant details. The bunny
boiler backed off after a warning by her boss.
Adam
That's easy. You click on the link in the phishing email, which takes
you to a look-a-like ebay or paypal (or etc.) web site and of course
you then have to log in. The site isn't the genuine one, but a copy -
even the URL's are spoofed to appear like the genuine one. So you type
your login details in, which it stores and they then have full access
to your account.
Best thing is to change your passwords for both quickly, if they have
not already locked you out by changing the passwords, then try and let
both ebay and paypal know your accounts have been compromised.
--
Regards,
Harry (M1BYT) (L)
http://www.ukradioamateur.co.uk
> That's easy. You click on the link in the phishing email, which takes
> you to a look-a-like ebay or paypal (or etc.) web site and of course
> you then have to log in. The site isn't the genuine one, but a copy -
> even the URL's are spoofed to appear like the genuine one. So you type
> your login details in, which it stores and they then have full access
> to your account.
Only easy if you're foolish enough to respond to those sort of emails.
Even if you think them genuine, make your own way to the site - you'll be
contacted there if they need to.
> Best thing is to change your passwords for both quickly, if they have
> not already locked you out by changing the passwords, then try and let
> both ebay and paypal know your accounts have been compromised.
--
*I love cats...they taste just like chicken.
Well yes but TMH did say in an earlier message:
The Medway Handyman wrote:
> Harry Bloomfield wrote:
>>
>> Can I ask have you at anytime clicked on a link in an email seeing to
>> have come from ebay or paypal and the page it has loaded has seemed
>> to look like the ebay login page?
>>
>> In other words what is known as a phishing email?
>
> Hard to tell Harry, I might well have done even though I'm of a
> suspicious nature.
>
> I get so many e mails from E Bay & Pay Pal I simply don't know which
> to trust. As a result I rarely use either.
Tim
>For your information sunshine
Fuck off, Todger.
I've rarely used ebay, but ISTR that they provide an application that
will warn you if the site you are visiting is not a genuine ebay site.
Colin Bignell
Wot a keylogger?
Gillingham is part of the Medway Towns, but I believe this to be Gillingham
Dorset.
>
> Are your PCs completely clean Dave (full scan with decent upto date
> virus scanner etc etc)?
AFAIK.
No wireless at all.
"The Medway Handyman" <davi...@nospamblueyonder.co.uk> wrote in message news:TBWOm.8327$Ym4....@text.news.virginmedia.com...
> Bruce wrote:
>> On Mon, 23 Nov 2009 23:24:55 GMT, "The Medway Handyman"
>> <davi...@nospamblueyonder.co.uk> wrote:
>>>
>>> Thanks Tim. No dosh lost, all re set with passwords & questions
>>> Derren Brown couldn't crack.
>>
>>
>> But a keylogger would already have them. And that may have been how
>> it all happened in the first place. :-(
>
> Wot a keylogger?
Seriously??
It's a piece of spyware that literally logs all the key-strokes you make
and sends them to the attacker.passwords would be sent in clear
text even if the website you were typing them into returned ****
--
Graham.
%Profound_observation%
Do people download it following a link they've received in an
email? ;-)
Owain
>Bruce wrote:
>> On Mon, 23 Nov 2009 23:24:55 GMT, "The Medway Handyman"
>> <davi...@nospamblueyonder.co.uk> wrote:
>>>
>>> Thanks Tim. No dosh lost, all re set with passwords & questions
>>> Derren Brown couldn't crack.
>>
>>
>> But a keylogger would already have them. And that may have been how
>> it all happened in the first place. :-(
>
>Wot a keylogger?
It's a nasty bit of malware which, when placed on your PC, logs every
keystroke you make and transmits them to whoever installed it.
Basic anti-virus software doesn't pick it up. You need a good
anti-spyware program too.
I am not an IT expert so I'm not the best person to recommend which
package is best for you, but I haven't been at all impressed with AVG
which failed to deal with quite a few items of malware, some serious.
I've had better results with Spyware Detector, but there will probably
be other, better packages.
All my work and other important files are stored on a Mac computer
which is only very rarely connected to the Internet. The Mac's
UNIX-based operating system is much less prone to virus and malware
attacks than Windows.
> All my work and other important files are stored on a Mac computer which
> is only very rarely connected to the Internet. The Mac's UNIX-based
> operating system is much less prone to virus and malware attacks than
> Windows.
But it still happens...remember Robert Morris...!
--
Use the BIG mirror service in the UK:
http://www.mirrorservice.org
You're right, of course. I use Linux on my main (ex-Windows) laptop
for that very reason. ;-)
But getting back to the subject, I think the majority of Windows users
have not the slightest conception of how much at risk they are from
spyware and malware. They just use standard anti-virus packages that
don't even attempt to tackle the real nasties.
I agree. I use BSD mostly (and have done ever since it appeared on the
VAX), as at least it is well tried and tested. And the weak point
exploited most by Morris was sendmail - I never use it on any of my
systems.
> Seriously??
> It's a piece of spyware that literally logs all the key-strokes you make
> and sends them to the attacker.passwords would be sent in clear
> text even if the website you were typing them into returned ****
Which is why many use a drop down menu to select, say, a couple of letters
from a second secure word?
--
*Drugs may lead to nowhere, but at least it's the scenic route *
and that bug was fixed 15 years ago..and it ONLY worked on a VAX running
a specific operating system with a specific build of it too.
>
and on a Sun, too.
Unless the processors were identical
It relied on a precise text string overwriting a stack based buffer, and
corrupting it in a precise way.
To the ISP in question. Note you also need the exact time of the
incident since with some ISPs the IP addresses are dynamically allocated
and reused - so the same address can be used by a number of unrelated
users over a period of time.
--
Cheers,
John.
/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
That's what I always thought (I read the original papers when it
happened). But apparently it used two different binaries, and sent both
to the system under attack...
And the mechanism was a bit more compliacted than that:
http://spaf.cerias.purdue.edu/tech-reps/823.pdf
"Bruce" <docne...@gmail.com> wrote in message
news:13oog5duu5jclfs7m...@4ax.com...
I am amazed at how many linux/unix users do nothing at all even though stuff
like root kits have been around for years.
I suppose its to be expected, they keep telling each other that they are
immune so often that they actually start to believe it. The reality is
different of course.
There is a lot of evidence that botnets are controlled by hacked unix
machines, windows machines generally can't handle many connections without
the user noticing a problem and then reinstalling/running AV software, this
losses the rather valuable botnet.
The users of these hacked unix machines will be telling everyone that unix
is safe.
>
"The Natural Philosopher" <t...@invalid.invalid> wrote in message
news:hehs7g$5mp$1...@news.albasani.net...
The sendmail running on many linux systems had exploits three years ago that
I know of.
Postfix has replaced it on most systems AFAIK, some of the sendmail exploits
were never fixed AFAIK so anyone still running sendmail is probably
exploitable.
There have been a number of security updates to postfix to remove
exploitable holes.
Just running linux/unix does *not* make you safe whatever linux/unix users
say.
Cue the usual windows is worse answer from linux users who still don't get
it.
> The Medway Handyman wrote:
>> Some scumbag has tried to change my E Bay account details.
>>
>> I have the IP address and the ISP host numbers, how do I find who it is,
>> and to whom do I report them?
>
> To the ISP in question. Note you also need the exact time of the
> incident since with some ISPs the IP addresses are dynamically allocated
> and reused - so the same address can be used by a number of unrelated
> users over a period of time.
>
yes but in this case the reported IP was in fact in use by TMH earlier in
the year.
An Ebay upcock i suspect.��
Remember the key loggers run on *your* computer and hence have full
access to the raw keypress data long before it gets into a SSL stream.
You can apparently make a pretty good stab at recovering keystroke
information from just an audio stream of someone typing. Each key/typist
combination has a unique sound that will yield to a basic frequency
distribution analysis.
TNP wasn't suggesting a keylogger - "and are you using unencrypted wireless
in your house?"
"Clive George" <cl...@xxxx-x.fsnet.co.uk> wrote in message
news:gM6dnWV1DN6a55PW...@brightview.co.uk...
> TNP wasn't suggesting a keylogger - "and are you using unencrypted
> wireless in your house?"
It is pretty safe using open wireless to do your banking, provided you use a
trusted DNS.
The actual banking site will be https so all the data is encrypted before
being put on the wireless even if the actual wireless is not encrypted.
It is the same when hand generated Morse code is sent, you can recognise
the 'hand'.
Dave
.. | -.- -. --- .-- | . -..- .- -.-. - .-.. -.-- | .-- .... .- - |
-.-- --- ..- | -- . .- -. | ..--.. |
;-)
- .... .- - .----. ... . .- ... -.-- ..-. --- .-. -.-- --- ..- - ---
... .- -.--
STOP THAT NOW !
--
geoff
.. -.. --- -. --- - ..- -. -.. . .-. ... - .- -. -.. .-- .... .- -
.. ... --. --- .. -. --. --- -.
Adam
--
geoff
Don't you call me a .----. ... . .- ... -.-- !
--
Dave - The Medway Handyman
www.medwayhandyman.co.uk
-. . .. - .... . .-. -.. --- . ... --. . --- ..-. ..-. -... -.-- -
.... . .-.. --- --- -.- ... --- ..-. .. - .-.-.-
.-- --- ..- .-.. -.. -. --- - -.. .-. . .- -- --- ..-. .. - ---
.-.. -.. -.-. .... .- .--. .-.-.-
>>>> - .... .- - .----. ... . .- ... -.-- ..-. --- .-. -.-- --- ..- - ---
>>>> ... .- -.--
>>>
>>> STOP THAT NOW !
>>
>> .. -.. --- -. --- - ..- -. -.. . .-. ... - .- -. -.. .-- .... .- - ..
>> ... --. --- .. -. --. --- -.
>
> You - COAT
-.-- --- ..- ...- . .--. ..- .-.. .-.. . -..
.-- .... .- - | .... .- ...- . | .. | ... - .- .-. - . -.. | ..--.. |?
Care to point to some of it?
> machines, windows machines generally can't handle many connections without
> the user noticing a problem and then reinstalling/running AV software, this
> losses the rather valuable botnet.
> The users of these hacked unix machines will be telling everyone that unix
> is safe.
>>
--
Andrew Gabriel
[email address is not usable -- followup in the newsgroup]
"Andrew Gabriel" <and...@cucumber.demon.co.uk> wrote in message
news:hf6fuk$a1s$1...@news.eternal-september.org...
> In article <heit62$luv$1...@news.datemas.de>,
> "dennis@home" <den...@killspam.kicks-ass.net> writes:
>>
>> I am amazed at how many linux/unix users do nothing at all even though
>> stuff
>> like root kits have been around for years.
>> I suppose its to be expected, they keep telling each other that they are
>> immune so often that they actually start to believe it. The reality is
>> different of course.
>> There is a lot of evidence that botnets are controlled by hacked unix
>
> Care to point to some of it?
Well something simple like http://en.wikipedia.org/wiki/Srizbi_botnet
reveals that the controllers are using python which isn't likely to be
running on windows.
Nor are they likely to be using their own machines as that would get them
caught.
The following, which you quoted, but apparently failed to grasp.
Thes serervs are r=unning linux. The clients are to a man windozePC's
Its a shame u dont understand what you read.
But then, you never did.
> Nor are they likely to be using their own machines as that would get
> them caught.
>
> The following, which you quoted, but apparently failed to grasp.
>
>>
>>> machines, windows machines generally can't handle many connections
>>> without
>>> the user noticing a problem and then reinstalling/running AV
>>> software, this
>>> losses the rather valuable botnet.
>>> The users of these hacked unix machines will be telling everyone that
>>> unix
>>> is safe.
>>>>
>>
>> --
>> Andrew Gabriel
>> [email address is not usable -- followup in the newsgroup]
>
Vulnerable unix machines are public hosting servers. Not joe bloggs at
home with his desktop. Of necessity these machines have actual customer
upload facilities, and very open access. And are not maintained by the
owners of the software upon them. Any sysadmin can open a door for cash.
Or by mistake.
Running behind a NAT router at home, is a vastly different proposition.
But then, that means nothing to you, because not much does.
Yep - none of the Linux systems were infected with viruses;
they were installed for the purpose of controlling the virus.
Interesting that the virus writers knew better than to use Windows
themselves ;-) The virus infects and lives in the NTFS filesystem
drivers on Windows.
Ebay and PayPal send very few e-mails, even to registered users, IME.
What you are probably receiving are e-mails purporting to be from them
(phishing). Genuine PayPal e-mails will always address you by your
registered name, not "dear paypal user" or similar.
The simple answer is NEVER click on a link in any such e-mails, nor
cut and paste links into your browser. ALWAYS access them via you
browser by typing in the URL or using a known good favourite link.
No problems with either.
MBQ
Not so. Ebay regularly send out details of special offers. But this may be
an option. Just be wary of any that require you to click on a link and log
in.
--
*I couldn't repair your brakes, so I made your horn louder *
Dave Plowman da...@davenoise.co.uk London SW
To e-mail, change noise into sound.
Really? Not just an FS filter or such? Never heard of such a thing.
Do you have a link?
Andy
http://en.wikipedia.org/wiki/Srizbi_botnet#Srizbi_trojan
Actually, it's not just the NTFS drivers, it's also the network
drivers, so its behaviour (and existance) is invisible to virus
scanners, network snoopers, and firewalls running in the same
system looking at the filesystem or at network activity. It also
hooks into the kernel's registry support, to hide its registry
settings.
Basically, it runs entirely in the kernel, and the kernel components
seem to do a good job of hiding its existance, in addition to actually
deploying the payload. After all, once you're in the kernel, you can
make sure any virus scanner is only seeing a sanitised version of the
system with any evidence of the virus removed from anything outside
of itself. Of course, virus scanners catch up once the scanning
companies have worked out what its doing and how it works.
"The Natural Philosopher" <t...@invalid.invalid> wrote in message
news:hf6sco$vog$1...@news.albasani.net...
> dennis@home wrote:
>>
>>
>> "Andrew Gabriel" <and...@cucumber.demon.co.uk> wrote in message
>> news:hf6fuk$a1s$1...@news.eternal-september.org...
>>> In article <heit62$luv$1...@news.datemas.de>,
>>> "dennis@home" <den...@killspam.kicks-ass.net> writes:
>>>>
>>>> I am amazed at how many linux/unix users do nothing at all even though
>>>> stuff
>>>> like root kits have been around for years.
>>>> I suppose its to be expected, they keep telling each other that they
>>>> are
>>>> immune so often that they actually start to believe it. The reality is
>>>> different of course.
>>>> There is a lot of evidence that botnets are controlled by hacked unix
>>>
>>> Care to point to some of it?
>>
>> Well something simple like http://en.wikipedia.org/wiki/Srizbi_botnet
>> reveals that the controllers are using python which isn't likely to be
>> running on windows.
>
> Thes serervs are r=unning linux. The clients are to a man windozePC's
>
> Its a shame u dont understand what you read.
>
> But then, you never did.
Well as you are agreeing with what I said I suppose you don't actually have
a clue what you are saying.
But then, you never did and, probably, never will.
"Andrew Gabriel" <and...@cucumber.demon.co.uk> wrote in message
news:hf6vhn$8nv$1...@news.eternal-september.org...
Yet again we have viruses singled out as being the problem and not the users
failing to understand security.
I expect you are a linux user and think you are safe just because you use
linux.
"Huge" <Hu...@nowhere.much.invalid> wrote in message
news:7ns4lpF...@mid.individual.net...
Hi huge, feeling well enough to put in an appearance I see.
Keep taking the pills as you are still posting cr@p.
Well, we're just responding to your suggestion that a Linux
system was somehow being subverted into spreading this virus,
which wasn't the case. The Linux systems were setup for this
sole purpose, and were not in any way compromised.
> I expect you are a linux user and think you are safe just because you use
> linux.
Not a single Linux system installed here (although it does
happen occasionally when I need to work on one).
"Andrew Gabriel" <and...@cucumber.demon.co.uk> wrote in message
news:hfdf8m$96j$4...@news.eternal-september.org...
> In article <hfbvvu$6pq$1...@news.datemas.de>,
> "dennis@home" <den...@killspam.kicks-ass.net> writes:
>>
>>
>> "Andrew Gabriel" <and...@cucumber.demon.co.uk> wrote in message
>> news:hf6vhn$8nv$1...@news.eternal-september.org...
>>>
>>> Yep - none of the Linux systems were infected with viruses;
>>> they were installed for the purpose of controlling the virus.
>>> Interesting that the virus writers knew better than to use Windows
>>> themselves ;-) The virus infects and lives in the NTFS filesystem
>>> drivers on Windows.
>>
>> Yet again we have viruses singled out as being the problem and not the
>> users
>> failing to understand security.
>
> Well, we're just responding to your suggestion that a Linux
> system was somehow being subverted into spreading this virus,
> which wasn't the case.
I didn't say it was compromised by a virus.
I said it was compromised and that linux is not secure as many linux user
like to claim, some may even believe it too.
Which is why linux users that understand vulnerabilities always appear to
like bringing virii into the argument, just to try and deflect the
uninformed from actually understanding that linux is vulnerable to various
attacks.
> The Linux systems were setup for this
> sole purpose, and were not in any way compromised.
No they are frequently compromised systems that user doesn't know is being
used for the purpose.
It would be easy to stop the attacks if they were using their own machines
as well as being easy to identify and arrest them.
>
>> I expect you are a linux user and think you are safe just because you use
>> linux.
>
> Not a single Linux system installed here (although it does
> happen occasionally when I need to work on one).
So which system are you running knews on then?
Well it wasn't.
> and that linux is not secure as many linux user
> like to claim, some may even believe it too.
That may be true (I don't know what security linux users
like to claim), but in the example you provided, no linux
systems were hacked, compromised, infected, etc.
> Which is why linux users that understand vulnerabilities always appear to
> like bringing virii into the argument, just to try and deflect the
> uninformed from actually understanding that linux is vulnerable to various
> attacks.
>
>> The Linux systems were setup for this
>> sole purpose, and were not in any way compromised.
>
> No they are frequently compromised systems that user doesn't know is being
> used for the purpose.
No, they were a set of 25 Itanium Linux systems in McColo's
hosting centre in San Jose, hired for the purpose.
> It would be easy to stop the attacks if they were using their own machines
> as well as being easy to identify and arrest them.
McColo allegedly specialised in hosting services which would
be difficult to take down. I would expect you can just buy the
service from anywhere around the world (as with any hosting
centre), so identity and arrest is easily avoided.
>>> I expect you are a linux user and think you are safe just because you use
>>> linux.
>>
>> Not a single Linux system installed here (although it does
>> happen occasionally when I need to work on one).
>
> So which system are you running knews on then?
a20$ uname -a
SunOS a20 5.11 snv_125 i86pc i386 i86pc
a20$
(i.e. Solaris)
Knews should build and run on any unix with Motif libraries
(or Motif-compatible libraries in the case of Linux).