Need geek help on tracking domain

webmaster
02-02-2005, 10:11 PM
Folks,

We've been getting hit hard in bandwidth by the following people: prazak.kkcable.cz, who resolve to 213.29.14.4 on a ping. I'm seeing this location for the last couple months, and they're transferring more bandwidth by themselves than all the rest of the connections together.

Anyone who can help me figure out if this is legit, and if not, who the hell they are, *please* get with me, ok? I'm getting bandwidth warnings on my host, and this hit is pushing the limits of what I can use for *all* my sites, personal and business, which is Not Good.

Vicky

jab
02-02-2005, 10:27 PM
I'm on it. I will report back here in just a bit.

Norskersword
02-02-2005, 10:30 PM
Hey Vicky,

I've looked this up for you. This info includes some email info.

http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=213.29.14.4&do_search=Search

This one has an address so you can march up to their house and pound on their door! ;)

http://www.networksolutions.com/en_US/whois/results.jhtml;jsessionid=YYFZPKVMJD3PMCWMEAPSFFA?whoistoken=0&_requestid=158579

jab
02-02-2005, 10:32 PM
prazak.kkcable.cz = [ 213.29.14.4 ]

domain: kkcable.cz
admin-c: KKCABLECZ
tech-c: PROFIHELP-CZ
nserver: ns1.profihelp.cz ns2.profihelp.cz
role: KK cable v.o.s
address: Masarykova 159
address: Milevsko
address: 399 01
address: The Czech Republic
admin-c: KOSTALMI
tech-c: KOSTALMI
bill-c: KOSTALMI
nic-hdl: KKCABLECZ
e-mail: serviskk@taborak.cz

role: PROFI HELP s.r.o.
address: Palackeho 350
address: Tabor
address: 390 01
address: The Czech Republic
admin-c: KARVAN
tech-c: KARVAN
bill-c: KARVAN
nic-hdl: PROFIHELP-CZ
e-mail: info@profihelp.cz

person: Jiří Košťál
address: Sokolovská 1425
address: Milevko
address: 399 01
address: The Czech Republic
phone: 420 368251593
nic-hdl: KOSTALMI
e-mail: kkcable@kkcable.cz

person: Petr Karvan
address: Pod Trznim nam. 829
address: Tabor
address: 390 01
address: The Czech Republic
phone: 420 604101187
nic-hdl: KARVAN
e-mail: karvan@tabor.cz

Though I would caution against emailing any of those addresses. More often than not they are not read or they don't even exist. Many times (if this is an illegitimate company) they will collect your address and sell it to spammers.

I am still investigating.

jab
02-02-2005, 10:41 PM
They seem to be associated with sbone.cz

Non-authoritative answer:
4.14.29.213.in-addr.arpa name = prazak.kkcable.cz.

Authoritative answers can be found from:
14.29.213.in-addr.arpa nameserver = ns2.sbone.cz.
14.29.213.in-addr.arpa nameserver = ns.sbone.cz.
ns.sbone.cz internet address = 62.84.128.6
ns2.sbone.cz internet address = 62.84.132.6

sbone.cz seems to be related to (the same as most likely) aliatel.cz which is a hosting company from the looks of it.

inetnum: 62.84.128.0 - 62.84.130.255
netname: ALIANET
descr: Network of Aliatel
country: CZ
admin-c: PG596-RIPE
tech-c: AHST1-RIPE
status: ASSIGNED PA
mnt-by: ALIATEL-MNT
changed: petr.gomola@aliatel.cz 20021128
source: RIPE

route: 62.84.128.0/19
descr: CZ-ALIATEL-20000623
origin: AS15485
mnt-by: ALIATEL-MNT
mnt-lower: ALIATEL-MNT
mnt-routes: ALIATEL-MNT
changed: petr.safarik@aliatel.cz 20000714
changed: petr.gomola@aliatel.cz 20010808
source: RIPE

role: Aliatel Hostmasters
address: Aliatel a.s.
address: Sokolovska 86
address: Praha 8 - Karlin
address: 186 00
address: Czech Republic
phone: +420 2 25251111
fax-no: +420 2 25251122
trouble: 24/7 NCC +420 2 25251777
e-mail: hostmaster@sbone.cz
admin-c: PG596-RIPE
tech-c: PG596-RIPE
tech-c: ZN3-RIPE
tech-c: MK241-RIPE
nic-hdl: AHST1-RIPE
mnt-by: ALIATEL-MNT
changed: Petr.Gomola@aliatel.cz 20040326
source: RIPE

person: Petr Gomola
address: Aliatel a.s.
address: Sokolovska 86
address: Praha 8 - Karlin
address: 186 00
address: Czech Republic
phone: +420 2 25253814
fax-no: +420 2 25252751
e-mail: Petr.Gomola@aliatel.cz
nic-hdl: PG596-RIPE
notify: Petr.Gomola@aliatel.cz
mnt-by: PG-MNT
changed: Petr.Gomola@aliatel.cz 20041101
source: RIPE

Aliatel's upstream seems to be telia.net.

jab
02-02-2005, 10:44 PM
In the interim you can put this in your .htaccess at the site root to slow them down.

# Deny one address and allow everyone else (Order/Deny/Allow syntax; Apache 2.4 uses Require instead)
order allow,deny
deny from 213.29.14.4
allow from all

This will deny access to the GotMead web from that IP. While it won't stop them from trying it will reduce the amount of bandwidth they consume to almost nothing.

Have you spoken with your hosting provider? They may have other/better ways to deal with the issue.

jab
02-02-2005, 10:49 PM
Hey Vicky. Just a thought. Do you have access to the webserver logs? Can you tell what they are doing? Are they spidering the site? How many connections/gets in a single visit? How fast are the connections? If you are comfortable with it PM me a section of the logs from when they are active.

webmaster
02-02-2005, 11:41 PM
Log on the way......

jab
02-03-2005, 12:09 AM
Alright it's definitely some sort of brute force hack attempt. None of the pages they try to access even exist. I am guessing they are trying to capitalize on some sort of vulnerability but I can't find one for SMF that would match this type of attack.

1246 attempts in three and a half hours is pretty ridiculous!

My suggestion would be to contact your hosting provider and see if there is anything they can do to block them. If not see if they would be willing to help you bring the issue up with the upstream provider for 213.29.14.4.

Personally I would go to telia.net first. My guess is that even though Aliatel seems to be their hosting provider, generally if these guys have gotten away with it for a few months their hosting provider doesn't really care.

For the short term (or if none of the above pan out) I would go with the .htaccess I suggested above.
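
To turn a log section like the one jab looked at into the numbers he quotes (requests per IP over a time window, nearly all of them to pages that do not exist), here is an added Python example that is not part of the thread. The log lines, the client 10.0.0.7 and the request paths are constructed samples, and the 404-ratio threshold in suspects() is an assumption.

```python
# Added example, not code from the thread: summarise an Apache "combined" access log
# per client IP to spot the pattern described above, one host hammering URLs that
# do not exist. SAMPLE_LOG is a constructed sample, not a real GotMead log.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) ')

SAMPLE_LOG = """\
213.29.14.4 - - [02/Feb/2005:20:11:03 +0000] "GET /forum/admin.php HTTP/1.0" 404 512 "-" "-"
10.0.0.7 - - [02/Feb/2005:20:11:10 +0000] "GET /index.php HTTP/1.1" 200 8342 "-" "Mozilla/5.0"
213.29.14.4 - - [02/Feb/2005:20:41:04 +0000] "GET /forum/Settings.php HTTP/1.0" 404 512 "-" "-"
213.29.14.4 - - [02/Feb/2005:21:11:05 +0000] "GET /phpBB2/viewtopic.php HTTP/1.0" 404 512 "-" "-"
10.0.0.7 - - [02/Feb/2005:20:12:41 +0000] "GET /forum/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
213.29.14.4 - - [02/Feb/2005:21:41:06 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 512 "-" "-"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable lines are skipped, not guessed at
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            m["path"], int(m["status"]))

def summarise(log_text):
    """Per-IP request count, 404 count, active window and request rate."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _path, status = rec
        s = stats[ip]
        s["requests"] += 1
        s["not_found"] += status == 404  # bool adds 0 or 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    for s in stats.values():
        hours = max((s["last"] - s["first"]).total_seconds() / 3600, 1 / 60)  # floor: 1 minute
        s["per_hour"] = round(s["requests"] / hours, 1)
    return dict(stats)

def suspects(stats, min_requests=3, min_404_ratio=0.8):
    """IPs whose traffic is mostly 404s: probing for files the site never had."""
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= min_requests
                  and s["not_found"] / s["requests"] >= min_404_ratio)
```

Run it against a real log with summarise(open("access_log").read()) and feed the result to suspects(); the per_hour figure is what tells a scripted probe apart from a reader who simply mistyped a URL.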

Oskaar
02-03-2005, 03:15 AM
I think that Jab's approach makes sense. From a DOS kind of attack standpoint, it doesn't sound like they're trying to datastorm your ports, rather, they seem to be looking for a jump off point so they can hammer the site once they're in.

I'd also copy the log and reverse tracert to telia.net, and if you don't get response you may consider sending one to one of our "International" police agencies. I'll PM you with some thoughts on that.

If they were spidering they should have been done with that a while back, so it looks like they're trying for something more than casual page information. The .htaccess sounds like a great way to slow them down for the short haul and kind of wait and see what they do from there.

Cheers,

Oskaar

JamesP
02-03-2005, 07:00 PM
Also (not directly related, but another security enhancement)

add index.php to your list of default web pages
(DirectoryIndex parameter somewhere in the httpd.conf config file if you're using Apache),
so that people can't get a directory listing of files.