[lir-wg] Re: NCC#2003021144 Network Abuse Issues
RIPE NCC ncc at ripe.net
Mon Feb 10 13:14:17 CET 2003
Dear Tim,

Thank you for your e-mail. Have you tried to contact the administrator of this network? His contact details are:

person:       Jean-Francois Stenuit
address:      Belgacom Skynet NV/SA
address:      Rue Carli 2
address:      B-1140 Bruxelles
address:      Belgium
phone:        +32 2 706-1311
fax-no:       +32 2 706-1150
e-mail:       jfs at skynet.be
nic-hdl:      JFS1-RIPE
remarks:      ----------------------------------------
remarks:      Network problems to: noc at skynet.be
remarks:      Peering requests to: peering at skynet.be
remarks:      Abuse notifications to: abuse at skynet.be
remarks:      ----------------------------------------
mnt-by:       SKYNETBE-MNT
changed:      jfs at skynet.be 19970707
changed:      ripe at skynet.be 20021125
source:       RIPE

Please note that the RIPE NCC allocates IP address space to operators. They assign those addresses to their networks and customers. The allocation is registered in the RIPE Database by the RIPE NCC and the assignments by the operators themselves. The contact information referenced is placed in the RIPE Database by the network operators and can be changed by them at any time using the automatic interface made available (to everyone) by the RIPE NCC.

The RIPE NCC operates according to the requirements set by the RIPE Community. Those requirements are set in the various RIPE Working Groups. Participation in RIPE and its Working Groups is open to anyone with an interest in IP networking in the RIPE NCC Service Region.

There is currently no standard defined by the RIPE Community for contact information referenced by inetnum objects in the RIPE Database. There is only the technical need to complete all the mandatory attributes in a "person:" or "role:" object.

If you feel a need for a change in composition of the contact data used in the RIPE Database then you should raise the issue in the RIPE Community. If a consensus for change is reached the RIPE NCC will implement the technical changes required. Network operators would then need to implement any changes required of them.

The following URLs may be useful:

IPv4 Address Allocation and Assignment Policies in the RIPE NCC Service Region
http://www.ripe.net/ripe/docs/ipv4-policies.html#5.1.2

Updates in the RIPE Database (from the Database Reference Manual)
http://www.ripe.net/ripe/docs/databaseref-manual.html#3.0

"person:" object
http://www.ripe.net/perl/whois?-vperson

"role:"
http://www.ripe.net/perl/whois?-vrole

The LIR Working Group (where policy is set)
http://www.ripe.net/ripe/wg/lir/index.html

The Database Working Group (where Database requirements are set)
http://www.ripe.net/ripe/wg/db/index.html

The Anti-Spam Working Group (fighting the problem of spam)
http://www.ripe.net/ripe/wg/anti-spam/index.html

The RIPE NCC Service Region
http://www.ripe.net/ripencc/mem-services/general/europe.html

kind regards,

Yvette Vermeer
RIPE NCC

On Sat, 8 Feb 2003 17:48:41 -0700, <Tim at ppronline.net> wrote:

* Dear Sir or Ma'am,
*
* We have attempted to communicate with clients who subscribe with your
* network.
* inetnum: 80.201.0.0 - 80.201.255.255
* netname: BE-SKYNET-ADSL1
*
* Reporting abuse using their Abuse Email address resulted in an auto-reply
* directing you to an internet site where the Abuse Notifications page was not
* functional. We are reporting this to Internet authorities here in the
* United States and registering complaints with local providers (Arin.net).
* If we are not able to address Hacking activity from clients within your
* networks, steps need to be taken on this end to filter out access until
* measures can be put into place to prevent such activity!
*
* Below is a copy of the Message:
*
* Sincerely,
* Tim Crawford
* IT, CTES
*
*
* To whom it may concern,
*
* Clients on your system have been observed in the conduct of Port Sniffing,
* then using Password guessing software to gain access to remote systems.
*
* We have been observing - Host Name from Peer: umberto-89z8gkv
*
* for a period of Time attempting to access our networks. We established
* several mock systems to observe what activity they intended.
*
* This person was able to determine an administrative User ID and Password.
* After accessing the system the individual loaded a program called:
* Protocol Version - DWRCC.EXE: 3.670000-0.000000
* Protocol Version - DWRCS.EXE: 3.670000-0.000000
* Product Version - DWRCS.EXE: 3.69.0.7
* and began a sharing operation between 9 additional users. (See below and
* attachment from event logs)
*
* Unfortunately this person does not reside within the United States, in which
* case we could openly pursue legal action against him. However, if there are
* legal avenues in your country governing such abuse, please forward the
* information so that we may proceed with legal action against your client.
* This action will be sent to and logged with the IFCC and shared with all
* U.S. networks which may result in Filtering preventing users of your network
* access.
*
* Sincerely,
* Tim Crawford
* IT, CTES
*
*
* Date: 02/08/03 11:25:55
* Computer Name: UMBERTO-89Z8GKV
* User ID: Umberto
* Logon As ID: DianeS
* Domain:
* OS Product ID: 55679-641-7737495-23856
* OS Registered Owner: Umberto
* OS Registered Organization:
* Host Name from Peer: umberto-89z8gkv
* IP Addresse(s) from Peer: 192.168.0.1,169.254.145.179,80.201.61.247
* Host:
* IP Address: 80.201.61.247
* Protocol Version - DWRCC.EXE: 3.670000-0.000000
* Protocol Version - DWRCS.EXE: 3.670000-0.000000
* Product Version - DWRCS.EXE: 3.69.0.7
* Authentication Type: NT Challenge/Response
* Last Error Code: 0
* Last Error Code (WSA): 0
* Absolute timeout setting: 0 minutes
* Connect/Logon timeout setting: 90000 miliseconds
* AccessCheck:
* .
* The description for Event ID ( 0 ) in Source ( DWMRCS ) could not be found.
* It contains the following insertion string(s):
* DameWare Mini Remote Control
* , The following user has connected via remote control.
*
*
* Date: 02/08/03 11:26:03
* Computer Name: UMBERTO-89Z8GKV
* User ID: Umberto
* Logon As ID: DianeS
* Domain:
* OS Product ID: 55679-641-7737495-23856
* OS Registered Owner: Umberto
* OS Registered Organization:
* Host Name from Peer: umberto-89z8gkv
* IP Addresse(s) from Peer: 192.168.0.1,169.254.145.179,80.201.61.247
* Host:
* IP Address: 80.201.61.247
* Protocol Version - DWRCC.EXE: 3.670000-0.000000
* Protocol Version - DWRCS.EXE: 3.670000-0.000000
* Product Version - DWRCS.EXE: 3.69.0.7
* Authentication Type: NT Challenge/Response
* Last Error Code: 0
* Last Error Code (WSA): 0
* Absolute timeout setting: 0 minutes
* Connect/Logon timeout setting: 90000 miliseconds
* Access Check: Administrators
* .
* The description for Event ID ( 0 ) in Source ( DWMRCS ) could not be found.
* It contains the following insertion string(s):
* DameWare Mini Remote Control
* , The following user has or has been disconnected from remote control.
*
*
* Date: 02/08/03 12:17:51
* Computer Name: UMBERTO-89Z8GKV
* User ID: Umberto
* Logon As ID: DianeS
* Domain:
* OS Product ID: 55679-641-7737495-23856
* OS Registered Owner: Umberto
* OS Registered Organization:
* Host Name from Peer: umberto-89z8gkv
* IP Addresse(s) from Peer: 192.168.0.1,169.254.145.179,80.201.61.247
* Host:
* IP Address: 80.201.61.247
* Protocol Version - DWRCC.EXE: 3.670000-0.000000
* Protocol Version - DWRCS.EXE: 3.670000-0.000000
* Product Version - DWRCS.EXE: 3.69.0.7
* Authentication Type: NT Challenge/Response
* Last Error Code: 0
* Last Error Code (WSA): 0
* Absolute timeout setting: 0 minutes
* Connect/Logon timeout setting: 90000 miliseconds
* Access Check: Admi