
Need geek help on tracking domain

pain (GotMead Owner, Staff member, Administrator, Moderator; North Carolina; gotmead.com):
Folks,

We've been getting hit hard in bandwidth by the following people: prazak.kkcable.cz, which resolves to 213.29.14.4 on a ping. I've been seeing this location for the last couple of months, and they're transferring more bandwidth by themselves than all the rest of the connections together.

Anyone who can help me figure out if this is legit, and if not, who the hell they are, *please* get with me, ok? I'm getting bandwidth warnings on my host, and this hit is pushing the limits of what I can use for *all* my sites, personal and business, which is Not Good.

Vicky
 

jab (NewBee, Registered Member; radiofreeomaha.net):
prazak.kkcable.cz = [ 213.29.14.4 ]

domain: kkcable.cz
admin-c: KKCABLECZ
tech-c: PROFIHELP-CZ
nserver: ns1.profihelp.cz ns2.profihelp.cz
role: KK cable v.o.s
address: Masarykova 159
address: Milevsko
address: 399 01
address: The Czech Republic
admin-c: KOSTALMI
tech-c: KOSTALMI
bill-c: KOSTALMI
nic-hdl: KKCABLECZ
e-mail: serviskk@taborak.cz

role: PROFI HELP s.r.o.
address: Palackeho 350
address: Tabor
address: 390 01
address: The Czech Republic
admin-c: KARVAN
tech-c: KARVAN
bill-c: KARVAN
nic-hdl: PROFIHELP-CZ
e-mail: info@profihelp.cz

person: Jiří Košťál
address: Sokolovská 1425
address: Milevko
address: 399 01
address: The Czech Republic
phone: 420 368251593
nic-hdl: KOSTALMI
e-mail: kkcable@kkcable.cz

person: Petr Karvan
address: Pod Trznim nam. 829
address: Tabor
address: 390 01
address: The Czech Republic
phone: 420 604101187
nic-hdl: KARVAN
e-mail: karvan@tabor.cz

Though I would caution against emailing any of those addresses. More often than not they are not read, or they don't even exist. Many times (if this is an illegitimate company) they will collect your address and sell it to spammers.

I am still investigating.
 

jab (NewBee, Registered Member; radiofreeomaha.net):
They seem to be associated with sbone.cz

Non-authoritative answer:
4.14.29.213.in-addr.arpa name = prazak.kkcable.cz.

Authoritative answers can be found from:
14.29.213.in-addr.arpa nameserver = ns2.sbone.cz.
14.29.213.in-addr.arpa nameserver = ns.sbone.cz.
ns.sbone.cz internet address = 62.84.128.6
ns2.sbone.cz internet address = 62.84.132.6

sbone.cz seems to be related to (most likely the same as) aliatel.cz, which is a hosting company from the looks of it.

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 62.84.128.0 - 62.84.130.255
netname: ALIANET
descr: Network of Aliatel
country: CZ
admin-c: PG596-RIPE
tech-c: AHST1-RIPE
status: ASSIGNED PA
mnt-by: ALIATEL-MNT
changed: petr.gomola@aliatel.cz 20021128
source: RIPE

route: 62.84.128.0/19
descr: CZ-ALIATEL-20000623
origin: AS15485
mnt-by: ALIATEL-MNT
mnt-lower: ALIATEL-MNT
mnt-routes: ALIATEL-MNT
changed: petr.safarik@aliatel.cz 20000714
changed: petr.gomola@aliatel.cz 20010808
source: RIPE

role: Aliatel Hostmasters
address: Aliatel a.s.
address: Sokolovska 86
address: Praha 8 - Karlin
address: 186 00
address: Czech Republic
phone: +420 2 25251111
fax-no: +420 2 25251122
trouble: 24/7 NCC +420 2 25251777
e-mail: hostmaster@sbone.cz
admin-c: PG596-RIPE
tech-c: PG596-RIPE
tech-c: ZN3-RIPE
tech-c: MK241-RIPE
nic-hdl: AHST1-RIPE
mnt-by: ALIATEL-MNT
changed: Petr.Gomola@aliatel.cz 20040326
source: RIPE

person: Petr Gomola
address: Aliatel a.s.
address: Sokolovska 86
address: Praha 8 - Karlin
address: 186 00
address: Czech Republic
phone: +420 2 25253814
fax-no: +420 2 25252751
e-mail: Petr.Gomola@aliatel.cz
nic-hdl: PG596-RIPE
notify: Petr.Gomola@aliatel.cz
mnt-by: PG-MNT
changed: Petr.Gomola@aliatel.cz 20041101
source: RIPE

Aliatel's upstream seems to be telia.net.
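The attribution chain in the two posts above (reverse DNS on the address, then whois on the domain and on the netblock) can be done programmatically. The following is an added example, not code from the thread or from GotMead: it parses RIPE-style RPSL whois text into objects, finds the inetnum and route that cover a given address, resolves the admin-c/tech-c handles to contact addresses, and forward-confirms a PTR record. The whois sample is a trimmed copy of the RIPE objects jab pasted, and the resolver tables are built from the nslookup output in the thread, so everything runs offline. One caveat the output makes visible: the RIPE objects quoted in the thread cover 62.84.128.0/19, the block holding the sbone.cz nameservers, not 213.29.14.4 itself, so the abuse contact for the offending host still has to come from a whois on the host's own address.

```python
"""Added example, not code from the thread: attribute an IP from RIPE-style
(RPSL) whois output and forward-confirm its reverse DNS. Sample data is
constructed from objects and nslookup output quoted in the thread."""
import ipaddress

# Constructed sample: trimmed RIPE objects for the sbone.cz nameserver block,
# one blank line between objects, as the RIPE server returns them.
SAMPLE_WHOIS = """\
% This is the RIPE Whois query server #1.

inetnum: 62.84.128.0 - 62.84.130.255
netname: ALIANET
admin-c: PG596-RIPE
tech-c: AHST1-RIPE
source: RIPE

route: 62.84.128.0/19
origin: AS15485
source: RIPE

role: Aliatel Hostmasters
trouble: 24/7 NCC +420 2 25251777
e-mail: hostmaster@sbone.cz
nic-hdl: AHST1-RIPE
source: RIPE

person: Petr Gomola
e-mail: Petr.Gomola@aliatel.cz
nic-hdl: PG596-RIPE
source: RIPE
"""


def parse_rpsl(text):
    """Split RPSL text into objects, each a list of (key, value) pairs.
    A list rather than a dict keeps repeated keys (several address:
    or tech-c: lines) in their original order."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%") or line.startswith("#"):
            continue  # server banner / comment lines
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def attribute_ip(ip, whois_text):
    """Find the inetnum and route covering ip and the e-mail addresses of the
    contacts the inetnum points at (admin-c/tech-c/abuse-c). Fields stay None
    when the supplied whois data does not cover ip at all, which is the cue
    to run whois against the right block."""
    ip = ipaddress.ip_address(ip)
    objects = parse_rpsl(whois_text)
    found = {"inetnum": None, "netname": None, "origin": None, "contacts": []}
    handles = set()
    for obj in objects:
        fields = dict(obj)
        if "inetnum" in fields:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in fields["inetnum"].split("-"))
            if lo <= ip <= hi:
                found["inetnum"] = fields["inetnum"]
                found["netname"] = fields.get("netname")
                handles.update(v for k, v in obj if k in ("admin-c", "tech-c", "abuse-c"))
        elif "route" in fields and ip in ipaddress.ip_network(fields["route"], strict=False):
            found["origin"] = fields.get("origin")
    # Second pass: resolve the handles to the role/person objects carrying them.
    for obj in objects:
        if dict(obj).get("nic-hdl") in handles:
            found["contacts"].extend(v for k, v in obj if k in ("e-mail", "abuse-mailbox"))
    return found


def fcrdns(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: whoever controls the reverse zone can put
    any name in a PTR, so the name only means something if it resolves back to
    the same address. Lookups are injected so this runs offline; live code
    would pass socket.gethostbyaddr / socket.gethostbyname_ex wrappers."""
    name = ptr_lookup(ip)
    if not name:
        return None, False
    return name, ip in a_lookup(name)


# Constructed resolver tables mirroring the nslookup output in the thread.
PTR_TABLE = {"213.29.14.4": "prazak.kkcable.cz"}
A_TABLE = {"prazak.kkcable.cz": ["213.29.14.4"]}

if __name__ == "__main__":
    print(attribute_ip("62.84.128.6", SAMPLE_WHOIS))  # ns.sbone.cz: ALIANET / AS15485
    print(attribute_ip("213.29.14.4", SAMPLE_WHOIS))  # not covered by this data
    print(fcrdns("213.29.14.4", PTR_TABLE.get, lambda n: A_TABLE.get(n, [])))
```

The second call returns empty fields on purpose: it is the check that tells you the netblock you have been reading belongs to the nameserver provider, not to the host sending the traffic.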
 

jab (NewBee, Registered Member; radiofreeomaha.net):
In the interim you can put this in your .htaccess at the site root to slow them down.

# Apache 2.2 mod_access syntax: evaluate allow rules, then deny rules; deny wins for this address
order allow,deny
deny from 213.29.14.4
allow from all

This will deny access to the GotMead web from that IP. While it won't stop them from trying it will reduce the amount of bandwidth they consume to almost nothing.

Have you spoken with your hosting provider? They may have other/better ways to deal with the issue.
 

jab (NewBee, Registered Member; radiofreeomaha.net):
Hey Vicky. Just a thought. Do you have access to the webserver logs? Can you tell what they are doing? Are they spidering the site? How many connections/gets in a single visit? How fast are the connections? If you are comfortable with it PM me a section of the logs from when they are active.
 

jab (NewBee, Registered Member; radiofreeomaha.net):
Alright, it's definitely some sort of brute force hack attempt. None of the pages they try to access even exist. I am guessing they are trying to capitalize on some sort of vulnerability, but I can't find one for SMF that would match this type of attack.

1246 attempts in three and a half hours is pretty ridiculous!

My suggestion would be to contact your hosting provider and see if there is anything they can do to block them. If not see if they would be willing to help you bring the issue up with the upstream provider for 213.29.14.4.

Personally I would go to telia.net first. My guess is that even though Aliatel seems to be their hosting provider, generally if these guys have gotten away with it for a few months their hosting provider doesn't really care.

For the short term (or if none of the above pan out) I would go with the .htaccess I suggested above.
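The triage jab describes across his last three posts (pull the access log, count what one address is doing, see whether the requests are for pages that exist, then block it in .htaccess) is a small script. The following is an added example, not code from the thread or from GotMead: it parses Apache common/combined log lines, builds per-address counts (requests, 404s, bytes, request rate), flags addresses whose traffic is almost entirely 404s, and prints the deny block. The Apache 2.4 `Require` form is included because the `order`/`deny from` syntax in the thread is Apache 2.2 mod_access and is not accepted by 2.4 without mod_access_compat. The log lines are constructed, the probed paths are placeholders, and the thresholds are assumptions to tune against real logs.

```python
"""Added example, not code from the thread: spot a scanner in Apache access
logs (many requests, nearly all for pages that do not exist) and emit the
.htaccess deny block. Log lines and thresholds are constructed/assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log format; trailing referer/user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one address probing for files that are not on the site,
# one ordinary visitor reading the forum (paths are placeholders).
SAMPLE_LOG = """\
213.29.14.4 - - [05/Apr/2005:10:00:01 +0000] "GET /admin/ HTTP/1.0" 404 312
213.29.14.4 - - [05/Apr/2005:10:00:01 +0000] "GET /setup.php HTTP/1.0" 404 312
213.29.14.4 - - [05/Apr/2005:10:00:02 +0000] "GET /config.php HTTP/1.0" 404 312
213.29.14.4 - - [05/Apr/2005:10:00:02 +0000] "GET /install/ HTTP/1.0" 404 312
213.29.14.4 - - [05/Apr/2005:10:00:03 +0000] "GET /db.inc HTTP/1.0" 404 312
198.51.100.7 - - [05/Apr/2005:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 18422
198.51.100.7 - - [05/Apr/2005:10:00:06 +0000] "GET /style.css HTTP/1.1" 200 2210
198.51.100.7 - - [05/Apr/2005:10:00:40 +0000] "GET /forum/index.php HTTP/1.1" 200 25190
198.51.100.7 - - [05/Apr/2005:10:01:02 +0000] "GET /forum/missing.gif HTTP/1.1" 404 312
"""


def parse_log(text):
    """Yield (ip, timestamp, request line, status, bytes) per parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        yield m["ip"], ts, m["req"], int(m["status"]), size


def per_ip_stats(entries):
    """Requests, 404s, bytes and active window per client address."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "bytes": 0,
                                 "first": None, "last": None})
    for ip, ts, _req, status, size in entries:
        s = stats[ip]
        s["requests"] += 1
        s["bytes"] += size
        if status == 404:
            s["not_found"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)


def requests_per_minute(s):
    """Rate over the client's active window (never narrower than one second)."""
    seconds = max((s["last"] - s["first"]).total_seconds(), 1.0)
    return s["requests"] * 60.0 / seconds


def suspicious_ips(stats, min_requests=5, min_404_ratio=0.8):
    """Flag addresses that make many requests of which nearly all are 404s:
    a real reader hits a missing image now and then, a scanner hits almost
    nothing else. Thresholds are assumptions; tune them on your own logs."""
    flagged = [ip for ip, s in stats.items()
               if s["requests"] >= min_requests
               and s["not_found"] / s["requests"] >= min_404_ratio]
    return sorted(flagged)


def htaccess_deny(ips, apache24=False):
    """Deny block for the flagged addresses: the Apache 2.2 mod_access form
    jab posted, or the Apache 2.4 mod_authz_core equivalent."""
    ips = sorted(ips)
    if apache24:
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {ip}" for ip in ips]
        lines.append("</RequireAll>")
    else:
        lines = ["order allow,deny"] + [f"deny from {ip}" for ip in ips] + ["allow from all"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    stats = per_ip_stats(parse_log(SAMPLE_LOG))
    for ip in suspicious_ips(stats):
        s = stats[ip]
        print(f"{ip}: {s['requests']} requests, {s['not_found']} x 404, "
              f"{requests_per_minute(s):.0f}/min, {s['bytes']} bytes")
    print(htaccess_deny(suspicious_ips(stats)))
```

The bytes column is worth keeping even for a pure 404 flood: each refused request still costs a response, so the deny rule shrinks per-request cost rather than removing it, which is the same point made above about the .htaccess block only slowing them down.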
 

Oskaar (Got Mead Partner, Administrator; The OC):
I think that Jab's approach makes sense. From a DoS kind of attack standpoint, it doesn't sound like they're trying to datastorm your ports; rather, they seem to be looking for a jump-off point so they can hammer the site once they're in.

I'd also copy the log and reverse tracert to telia.net, and if you don't get response you may consider sending one to one of our "International" police agencies. I'll PM you with some thoughts on that.

If they were spidering they should have been done with that a while back, so it looks like they're trying for something more than casual page information. The .htaccess sounds like a great way to slow them down for the short haul and kind of wait and see what they do from there.

Cheers,

Oskaar
 

JamesP (Senior Member, Lifetime GotMead Patron; Brisbane Australia):
Also (not directly related, but another security enhancement):

add index.php to your list of default web pages
(the DirectoryIndex parameter somewhere in the httpd.conf config file if you're using Apache),
so that people can't get a directory listing of files.
 